Security UPDATE, September 25, 2002

The recently released draft of the US government's plan for cyberspace security calls for all computer users (home, government, business) to do more to secure systems. But does it take into account the most obvious problem?

ITPro Today

September 24, 2002

13 Min Read
ITPro Today logo in a gray background | ITPro Today

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com

THIS ISSUE SPONSORED BY

"Tee-Off" at MEC with Sybari Software
http://www.sybari.com/wn0902

Get the Most ROI Out of Your Patch Software
http://www.stbernard.com/products/targetpages/win2kN-ue.asp
(below IN FOCUS)

SPONSOR: "TEE-OFF" AT MEC WITH SYBARI SOFTWARE

An out-of-the-box, suite solution for virus protection may not be the value you bargained for . . . visit Sybari's booth (#300) at MEC and learn how with Antigen you can deploy up to six of the leading virus scan engine technologies, as well as advanced file and content filtering features including subject line, sender, and domain filtering, delivering the most comprehensive virus scanning on the market today. At MEC play THE SYBARI OPEN and enter to win one of three valuable prizes each day. Not going to MEC? Attend an Antigen web demo by October 31st and get a free Sybari t-shirt. Register at
http://www.sybari.com/wn0902

September 25, 2002—In this issue:

1. IN FOCUS

  • National Cyberspace Security: It's Time to Regulate Manufacturers

2. SECURITY RISKS

  • Multiple Vulnerabilities in Microsoft VM

  • Multiple Vulnerabilities in Microsoft RDP

3. ANNOUNCEMENTS

  • Planning on Getting Certified? Make Sure to Pick Up Our New eBook!

  • Mark Minasi and Paul Thurrott Are Bringing Their Security Expertise to You!

4. SECURITY ROUNDUP

  • Feature: Product of the Year

  • Feature: Best Security Products

  • Feature: A Look at Win.NET Server Security

5. HOT RELEASES (ADVERTISEMENTS)

  • SPI Dynamics

  • FREE Network Security Web Seminars

  • FREE Security Assessment Tool

6. SECURITY TOOLKIT

  • Virus Center

  • FAQ: How Can I Prevent Microsoft Internet Explorer (IE) From Caching Secure Sockets Layer (SSL) Pages?

7. NEW AND IMPROVED

  • Software to Catch Hackers

  • Metadata Management for Law Firms

  • Submit Top Product Ideas

8. HOT THREADS

  • Windows & .NET Magazine Online Forums

  • Featured Thread: Threat from Within

  • HowTo Mailing List

  • Featured Thread: Failed Trust

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • NATIONAL CYBERSPACE SECURITY: IT'S TIME TO REGULATE MANUFACTURERS


Last week, the US government unveiled a newly drafted strategy to secure cyberspace. The strategy calls for home-based users to voluntarily learn more about security and for all computer users (home, government, business) to do more to secure systems. A 65-page document outlining the strategy is available at the URL below.
http://www.whitehouse.gov/pcipb/

According to the President's Critical Infrastructure Protection Board Web site, the plan was drafted after "town hall meetings were held around the country, and fifty-three clusters of key questions were published to spark public debate. Even more input is needed. The public has 60 days to offer further input."

I've received press releases from several technology companies that support the strategy. But based on news reports I've read, other businesses and individuals have complained about the plan. Their objections include that the plan isn't comprehensive enough, that it targets government and home users more closely than businesses, and that it might cost businesses too much to implement when profits are down in an ailing economy. I want to discuss what the plan emphasizes—and more importantly—what it doesn't emphasize.

According to "The Washington Post," Bruce Schneier, chief technology officer (CTO) of Counterpane Internet Security, said, "You really have to ask why CEOs would bother to follow any of these recommendations, particularly at a time when most companies' earnings are down 20 percent. The fact is, companies aren't rewarded for altruism; they're rewarded by the strength of their stock price."
http://www.washingtonpost.com/wp-dyn/articles/A35812-2002Sep18.html

One notable security industry figure, Allan Paller, research director of the SysAdmin, Audit, Network, and Security (SANS) Institute, seems to have forgotten that we live in a democratic society. According to "The Washington Post" story, "[Paller] believes the 60-day public comment period will help to show who has worked hardest to weaken the plan." Paller said, "The whiners will now have a spotlight shone on them."

So will most businesses respond to the plan, and are all its critics trying to weaken it? Many of us believe that the problem with security in cyberspace resides largely in faulty software. You've sent email messages to me stating that view, and I've written about my own concerns (see the first URL below). In "eWEEK," Wyatt Starnes, CEO and cofounder of security vendor Tripwire, echoes that sentiment in his response to the draft strategy: "I'd like to see them make software companies take responsibility for the reliability of their products."
http://www.secadministrator.com/articles/index.cfm?articleid=23161
http://www.eweek.com/article2/0,3959,547303,00.asp

Perhaps if software companies were liable by law for their products' lack of security, we wouldn't need such a weighty plan to secure cyberspace. We know that regulation works reasonably well in other industries.

Consider that Microsoft currently controls 80 percent of the desktop market, not to mention the server market space. Doesn't it make sense that if software vendors, including Microsoft, were legally obligated to roll out the most secure products possible—or face stiff consequences—more than 80 percent of the computers on the planet would be more secure (and less of a risk to any country's national security)? Why are companies in the computer industry still exempt from liability?

Although the government is taking an admirable path to better computer security, it doesn't seem to notice the more obvious problem of an unregulated and not-liable software industry. Why impose restrictions on home users, government, and general business users while neglecting the manufacturers of faulty software? Wouldn't it be equally effective to consider regulating software manufacturers—or am I missing some relevant points?

If you agree that we need to regulate software manufacturers, it's time to contact your government representatives and urge them to institute strong software regulation. (You can find contact information for your representatives at the URL below.)

http://clerk.house.gov/members/index.php

SPONSOR: GET THE MOST ROI OUT OF YOUR PATCH SOFTWARE

Network security is an invaluable asset. What is the risk to your company if a hacker exploits an unknown weakness? UpdateEXPERT is a patch validation and remediation tool that scans networks for missing hotfixes, and FIXES discovered weaknesses for increased protection. Supporting Windows NT4/2000/XP, SQL Server, Exchange Server, IE, Outlook and other critical applications, UpdateEXPERT features an exclusive patch database that has been tested for deployment interdependencies. Scan, validate, and install updates remotely without a required client agent.

FREE 15-day live trial and Whitepaper!


http://www.stbernard.com/products/targetpages/win2kN-ue.asp

2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])

  • Multiple Vulnerabilities in Microsoft VM


Three new vulnerabilities exist in Microsoft Virtual Machine (VM), the most serious of which can give an attacker complete control over the vulnerable system. The first vulnerability exposes a flaw in the way the Java Database Connectivity (JDBC) classes evaluate a request to load and execute a DLL on the user's system. The second vulnerability also involves the JDBC classes and exposes certain functions in the classes that don't correctly validate the handles provided as input. The third vulnerability involves a class that provides XML support for Java applications. The vendor, Microsoft, has released Security Bulletin MS02-052 (Flaw in Microsoft VM JBDC Classes Could Allow Code Execution) to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin. For a detailed explanation of the risks and a link to the patch, be sure to visit our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=26735

  • Multiple Vulnerabilities in Microsoft RDP


Two vulnerabilities exist in Microsoft RDP. The first is an information-disclosure vulnerability that forwards unencrypted checksums of plaintext data under Windows XP and Windows 2000. An attacker can use these checksums to conduct a cryptographic attack to recover session traffic. The second vulnerability is a Denial of Service (DoS) condition in XP's Remote Desktop service when this service uses RDP. By sending specially malformed packets to the service (which by default runs on TCP port 3389), an attacker can crash the vulnerable system. The vendor, Microsoft, has released Security Bulletin MS02-051 (Cryptographic Flaw in RDP Protocol can Lead to Information Disclosure) to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin. For a detailed explanation of the risks and a link to the patch, be sure to visit our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=26734

3. ANNOUNCEMENTS
(brought to you by Windows & .NET Magazine and its partners)

  • PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!


"The Insider's Guide to IT Certification" eBook is hot off the presses and contains everything you need to know to help you save time and money while preparing for certification exams from Microsoft, Cisco Systems, and CompTIA and have a successful career in IT. Get your copy of the Insider's Guide today!
http://winnet.bookaisle.com/ebookcover.asp?ebookid=13475

  • MARK MINASI AND PAUL THURROTT ARE BRINGING THEIR SECURITY EXPERTISE TO YOU!


Windows & .NET Magazine Network Road Show 2002 is coming this October to New York, Chicago, Denver, and San Francisco! Industry experts Mark Minasi and Paul Thurrott will show you how to shore up your system's security and what desktop security features are planned for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and Trend Micro. Registration is free, but space is limited so sign up now!
http://www.winnetmag.com/seminars/roadshow

4. SECURITY ROUNDUP

  • FEATURE: Product of the Year


In a competition in which the winner was determined by write-in vote only, our Windows & .NET Magazine readers chose BindView's bv-Control for Windows as the product of the year. BindView's bv-Control is a proactive security management solution. The company's flagship product family effectively secures, automates, and lowers the cost of managing Windows .NET Server (Win.NET Server) 2003, Enterprise Edition servers and directories, Windows 2000, and Windows NT. To read more about it, visit our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=26308

  • FEATURE: Best Security Products


We've completed the poll in which readers cast votes for their favorite security software! Categories of products include antivirus software for clients, servers, wireless networks, and Microsoft Exchange; digital encryption/signature signing software; firewalls; intrusion detection software; password-auditing software; security scanners; third-party authentication software; application security software; and security information management software. To see the results, visit our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=26315

  • NEWS: A Look at Win.NET Server Security


As part of a continuing look at the more intriguing new features in Windows .NET Server (Win.NET Server) 2003, Paul Thurrott examines some of the OS's security improvements. The timing for such improvements is crucial: Microsoft has issued 48 security bulletins this year and is on track to beat last year's record of 60 bulletins. Paul comments, "What a wonderful accomplishment."
http://www.secadministrator.com/articles/index.cfm?articleid=26721

5. HOT RELEASES (ADVERTISEMENTS)

  • SPI DYNAMICS


ALERT! - Cross-Site Scripting Holes in Web Applications
Cross-site scripting vulnerabilities in web applications allow hackers to compromise confidential information, steal cookies and create requests that can be mistaken for those of a valid user!! Download this *FREE* white paper
http://www.spidynamics.com/mktg/xss7

  • FREE NETWORK SECURITY WEB SEMINARS


Want to bullet-proof your networks against malicious code? Register now for one or more web seminars and gain the experience from the world's leading virus experts. Seating is limited, register today to ensure your spot!
http://www.sophos.com/products/training/webseminars/index.html#new

  • FREE SECURITY ASSESSMENT TOOL


Aelita InTrust(tm) closes the gap between policy and IT infrastructure, simplifying your regulatory compliance efforts. HIPAA? Gramm-Leach-Bliley? BS7799/ISO17799? Let Aelita provide your compliance solution. Start with our FREE security assessment tool: Aelita InTrust Audit Advisor!
http://www.aelita.com/wnet0925

6. SECURITY TOOLKIT

  • VIRUS CENTER


Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

  • FAQ: HOW CAN I PREVENT MICROSOFT INTERNET EXPLORER (IE) FROM CACHING SECURE SOCKETS LAYER (SSL) PAGES?


( contributed by John Savill, http://www.windows2000faq.com )

A. By default, IE caches all pages, regardless of whether the pages are secure (e.g., HTTP Secure—HTTPS—pages, which use SSL). If you don't want IE to cache these secure pages, you can perform the following steps for each user:

  1. Start a registry editor (e.g., regedit.exe).

  2. Navigate to the HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings registry subkey.

  3. From the Edit menu, select New, DWORD Value.

  4. Enter a name of DisableCachingOfSSLPages, then press Enter.

  5. Double-click the new value, set it to 1 to disable caching of SSL pages, then click OK.

  6. Close the registry editor.

  7. Log off and log on for the change to take effect.

7. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])

  • SOFTWARE TO CATCH HACKERS


FutureWare released HackerTracker, software that scans a Web server's standard World Wide Web Consortium (W3C) Extended Format log files to identify attacks. You can use the intruder's IP address to block further access at the server, at a front-end router, or at a firewall, as well as to contact the intermediate ISPs who handle intruder's traffic for their tracking and security efforts. HackerTracker runs on Windows XP, Windows 2000, Windows NT, and Windows 9x and costs $59 for a single-user registration. Contact FutureWare at 714-446-0765.
http://www.futurewaredc.com/hackertracker

  • METADATA MANAGEMENT FOR LAW FIRMS


SoftWise released Out-of-Sight 2.0, a metadata management utility enhanced to let law firms reduce risks and avoid potential embarrassments by managing the metadata in electronically distributed documents. The utility lets users remove unwanted metadata from Microsoft Excel XP, Excel 2000, and Excel 97 in addition to Word, and it lets administrators manage and establish standards using a simple GUI interface. Out-of-Sight integrates with Microsoft Outlook XP and Outlook 2000. A 30-day evaluation copy of Out-of-Sight 2.0 is available from the Web site, or call 718-876-9776 for a free evaluation.
http://www.softwise.net

  • SUBMIT TOP PRODUCT IDEAS


Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS


http://www.winnetmag.com/forums

  • Featured Thread: Threat from Within


(Seven messages in this thread)

Dannyboy writes that a member of his staff has been sniffing around the network by connecting to printers by their IP address, connecting to other users' machines, and trying to schedule tasks. He wants to know whether this can be prevented. He thinks that all permissions on his servers are tight, so the user can't view sensitive information. He wants to know how other administrators would treat this situation and deal with the user. Also, is there any security software that can monitor an employee's actions on a Windows 2000 Professional machine? Read the responses or lend a hand at:
http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=45970

  • HOWTO MAILING LIST


  • Featured Thread: Failed Trust


(One message in this thread)

Dimitry writes that he has a Windows 2000-based domain server. When he adds a Windows NT 4.0 Workstation to the domain, no one from the domain can access that PC. When they try to do so, they receive the message, "The trust between this workstation and the primary domain failed." Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?A2=IND0209C&L=HOWTO&P=305

9. CONTACT US
Here's how to reach us with your comments and questions:

(please mention the newsletter name in the subject line)

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

Thank you for reading Security UPDATE.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like