********************
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
http://www.secadministrator.com
********************
September 26, 2001--In this issue:
1. IN FOCUS
- Nimda Opens Potential for Subsequent Back Doors
2. SECURITY RISKS
- Relative Path Vulnerability in PI-Soft SpoonFTP
- Cisco ICDN SSL Vulnerability
3. ANNOUNCEMENTS
- Check Out the New WebSphere Professional Site!
- MCP TechMentor--November 20 Through 22, 2001, London
4. INSTANT POLL
- Results of Previous Poll: Code Red Worms
- Instant Poll: Nimda Worm
5. SECURITY ROUNDUP
- News: Microsoft Offers Advice on Nimda Worm
- Review: Netpulse 2000
- Review: Desktop Firewalls
6. HOT RELEASE (ADVERTISEMENT)
- Sponsored by VeriSign - The Internet Trust Company
7. SECURITY TOOLKIT
- Book Highlight: Know Your Enemy: Revealing the Security Tools,
Tactics, and Motives of the Black-Hat Community
- Virus Center
- Virus Alert: W32/Vote
- Virus Alert: W32/Nimda
- FAQ: What Is the Internet Explorer 6.0 Unsafe-File List?
8. NEW AND IMPROVED
- Firewall and VPN Appliance
- Prevent Unauthorized Intrusion
9. HOT THREADS
- Windows 2000 Magazine Online Forums
- Featured Thread: FTP Blank Folder Name
- HowTo Mailing List
- Featured Thread: Tools for Trust Relationships
10. CONTACT US
See this section for a list of ways to contact us.
~~~~~~~~~~~~~~~~~~~~
1. ==== COMMENTARY ====
Hello everyone,
Have you recovered from the Nimda worm yet? As you know, the worm
spread rapidly, and computer users felt its effects far more heavily
across the Internet than they felt the Code Red worm and its subsequent
variations. To add insult to injury, Nimda leaves an infected system
wide open to anyone who wants to connect--it maps shares and enables
the Guest account and makes the account a member of the Administrators
group.
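As an added example (not part of the original newsletter or of any vendor tool), the two account changes described above can be checked from the output of the built-in `net user Guest` and `net localgroup Administrators` commands. The sample outputs are constructed, English-language command output is assumed, and the function names are hypothetical.

```python
import re

# Constructed sample of `net user Guest` output (abridged).
SAMPLE_NET_USER = """\
User name                    Guest
Account active               Yes
Local Group Memberships      *Administrators       *Guests
The command completed successfully.
"""
# Constructed sample of `net localgroup Administrators` output (abridged).
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""

def guest_is_active(net_user_output):
    """Return True if the 'Account active' field reads Yes."""
    m = re.search(r"^Account active\s+(\S+)", net_user_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Account active' field; is this `net user` output?")
    return m.group(1).lower() == "yes"

def group_members(net_localgroup_output):
    """Return the names listed between the dashed rule and the status line."""
    lines = net_localgroup_output.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("-----")), None)
    if start is None:
        raise ValueError("no member list; is this `net localgroup` output?")
    members = []
    for line in (l.strip() for l in lines[start + 1:]):
        if line.lower().startswith("the command completed"):
            break
        if line:
            members.append(line)
    return members

def nimda_account_findings(net_user_output, net_localgroup_output):
    """List which of the two account changes described above are present."""
    findings = []
    if guest_is_active(net_user_output):
        findings.append("Guest account is enabled")
    # Members can appear as DOMAIN\name; compare on the last component only.
    names = {m.split("\\")[-1].lower() for m in group_members(net_localgroup_output)}
    if "guest" in names:
        findings.append("Guest is a member of Administrators")
    return findings

if __name__ == "__main__":
    print(nimda_account_findings(SAMPLE_NET_USER, SAMPLE_NET_LOCALGROUP))
```

An empty result only means these two settings are in their expected state now; it says nothing about what was changed while the system was exposed.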
Just about every security-related company has released advice, tools,
and updates that help remove and prevent the Nimda infection. But as
Greg Francis pointed out on our Win2KsecAdvice mailing list on Monday
(see URL below), the Computer Emergency Response Team (CERT) is one of
the few entities recommending that users perform a clean install of the
OS to recover from infection.
http://63.88.172.96/listserv/win2ks-l.asp?a2=ind0109d&l=win2ksecadvice&P=94
CERT's recommendation stems from the fact that infected systems make
their IP addresses known by trying to infect other systems, and wily
intruders know this. So during the time when Nimda infected a system,
anyone could have connected to that system and inserted back doors or
obtained proprietary data from the network. If you don't have detailed
system-auditing in place that tracks all changes so that you can
reverse them, you might be wise to completely reinstall the OS to be
certain you've reinstated some level of network integrity. You might
also want to consider changing usernames and passwords.
Reinstalling OSs and reassigning resources can be a difficult job,
especially if the system is a domain controller (DC) or Active
Directory (AD) server. It's far easier and cheaper to perform regular
system maintenance and stay on top of the latest patches and
configuration recommendations so that worms such as Nimda don't infect
your systems.
Microsoft has a great Web page (see URL below) full of tools,
checklists, and updates that help you make your systems more secure.
The Web page contains six checklists, three security updates, and nine
tools. The checklists cover Windows NT, Microsoft IIS, and DC
configurations; the security updates are for Microsoft Office and
Outlook. The tools on the Web site are incredibly useful. I won't
describe each one because you can learn about them at the Web page, but
here are the available tools: IIS Lockdown, Microsoft Personal Security
Advisory, Cleaner for Code Red II, Improved Cipher Security Tool,
Qchain, Security Screen Savers, Windows 2000 Internet Server Security
Tool, Security Planning Tool for IIS, and HFNetChk. Be sure to take a
look at these resources.
http://www.microsoft.com/technet/security/tools/tools.asp
As I mentioned last week, Microsoft announced that it has a beta
version of HFNetChk 3.2 available for those who want to try the tool
before Microsoft releases it (very soon). HFNetChk lets you inspect
which hotfixes and patches are installed on any system. The tool works
with an XML-based database that Microsoft provides and maintains. You
can learn about the current version of HFNetChk in Paula Sharick's
review on our Web site (see first URL below), and you can try the beta
(see second URL below). Log on with the username HFNetChk and a
password of FooBar. But be aware that if Microsoft releases HFNetChk
3.2 this week, the beta will become unavailable. In that event, use the
third URL below to obtain the release version.
http://www.secadministrator.com/articles/index.cfm?articleid=22369
http://www.betaplace.com
http://www.microsoft.com/technet/security/tools/hfnetchk.asp
Because HFNetChk inspects system files based on an XML database, you
can create XML databases to use with HFNetChk that perform other types
of system checks (e.g., checking for the current strain of Nimda
infection). Russ Cooper, operator of the NTBugTraq Web site and mailing
list, has made an XML file available for HFNetChk that checks a system
for Nimda infection. You can learn about Cooper's tool at the URL
below. If you already have a copy of HFNetChk, use Cooper's XML
database right away by using the following command:
HFNETCHK -x
http://www.ntbugtraq.com/nimdachk.asp
Because Nimda leaves a system wide open, an attacker can use HFNetChk
to determine what other security vulnerabilities an infected system
might have. Be sure to apply all crucial system updates. You can find a
list of updates for Windows 2000 systems at the first URL below and the
Microsoft Post-Service Pack 6a (SP6a) Security Rollup Package for
Windows NT at the second URL below.
http://www.microsoft.com/windows2000/downloads/critical/default.asp
http://support.microsoft.com/support/kb/articles/Q299/4/44.asp
Many sites that are immune to Nimda infection are experiencing network
problems from the worm because of the large amount of traffic that
infected sites generate. Worms such as Code Red and Nimda show us that
lax security on one network quickly becomes the detriment of another
network. These worms also show us that users remain unaware of the
extreme need to stay on top of security matters daily.
Microsoft has a solution for IIS users that overlook security hotfixes.
As you probably learned when you read Tim Huckaby's commentary from the
September 25 issue of IIS Administrator UPDATE, the upcoming Microsoft
Internet Information Services (IIS) 6.0 is a complete paradigm shift;
it provides an infrastructure that installs security hotfixes by
default. IIS 6.0 also lets you download hotfixes and apply them
automatically as they become available. You can also find the article
on our Security Administrator Web site (see URL below). Until next
time, have a great week.
http://www.secadministrator.com/articles/index.cfm?articleid=22673
Sincerely,
Mark Joseph Edwards, News Editor, mark@ntsecurity.net
2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken@win2000mag.com)
* RELATIVE PATH VULNERABILITY IN PI-SOFT SPOONFTP
Joe Testa reported that a vulnerability in Pi-Soft SpoonFTP
1.1 lets an attacker use relative paths to break out of an FTP
root directory. The vendor, Pi-Soft Consulting, has released version
1.1.0.1 to fix this problem.
http://www.secadministrator.com/articles/index.cfm?articleid=22549
* CISCO ICDN SSL VULNERABILITY
Cisco Systems reported that a vulnerability in its Internet
Content Distribution Network (ICDN) can result in authorized access
over Secure Sockets Layer (SSL) through cached credentials. The company
has issued a notice regarding this vulnerability and recommends that
users of ICDN 2.0 upgrade to 2.0.1 through usual support channels.
Versions of ICDN prior to 2.0 are not affected because these releases
don't use the vulnerable RSA BSAFE SSL-J library.
http://www.secadministrator.com/articles/index.cfm?articleid=22550
3. ==== ANNOUNCEMENTS ====
* CHECK OUT THE NEW WEBSPHERE PROFESSIONAL SITE!
Look to this great new site for invaluable resources, such as our V4
Portal, which brings you fast, in-depth information about V4, the
WebSphere Road Map that will help you get started, DocFinder for help
finding IBM WebSphere reference materials, and forums for your
questions and comments. While there, sign up for FREE email newsletters
with news you can use!
http://www.webspherepro.com
* MCP TECHMENTOR--NOVEMBER 20 THROUGH 22, 2001, LONDON
MCP TechMentor provides network and certification training for
Windows professionals with technical workshops, preparation sessions,
and professional development advice specifically designed to make the
most of your Windows 2000 education experience. Visit the Web site at
http://www.techmentor.co.uk for more details, or call +44 (0) 1483
469088.
4. ==== INSTANT POLL ====
* RESULTS OF PREVIOUS POLL: CODE RED WORMS
The voting has closed in Windows 2000 Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "Has
your system become infected by the Code Red Worms?" Here are the
results (+/-2 percent) from the 1900 votes:
- 23% Yes
- 72% No
- 5% Not sure
* INSTANT POLL: NIMDA WORM
The current Instant Poll question is, "How has the Nimda worm
affected your organization?" Go to the Security Administrator Channel
home page and submit your vote for a) Significantly--we've lost days
disinfecting systems, b) Somewhat, c) Hardly at all, or d) Not at all.
http://www.secadministrator.com
5. ==== SECURITY ROUNDUP ====
* NEWS: MICROSOFT OFFERS ADVICE ON NIMDA WORM
Microsoft has posted specific information regarding the Nimda worm
that details several actions users should take against infected
systems. The document includes a list of patches and procedures that
users should apply to prevent similar problems in the future.
http://www.microsoft.com/technet/security/topics/nimda.asp
* REVIEW: NETPULSE 2000
Labcal Technologies' NetPulse 2000 is a management tool that helps
you assess the fundamental security of your systems and apply
prepackaged or custom security solutions. The product, which operates
in Windows 2000 and Windows NT 4.0 environments, targets
well-documented security problems. Although this functionality isn't
groundbreaking, Labcal's approach is unique. By designing NetPulse so
administrators with basic knowledge can secure their systems with
minimal effort, the company has geared NetPulse directly toward small
and midsized organizations. However, NetPulse can also operate in large
environments. Learn all about it in Sean Porter's review on our Web
site!
http://www.secadministrator.com/articles/index.cfm?articleid=21863
* REVIEW: DESKTOP FIREWALLS
Desktop firewalls serve a purpose similar to that of a safe in your
home. Your home's doors have locks, which are your primary means of
intrusion prevention. However, you might also install a safe within
your home because locked doors aren't foolproof deterrents. For the
most part, you'll spend less money to install and maintain desktop
firewalls than you'll spend to recover from an intrusion. The October
2001 issue of Windows 2000 Magazine features a Buyer's Guide that
provides an overview of available desktop firewall solutions. You can
also find the guide in a PDF file on our Web site. Be sure to check it
out!
http://www.secadministrator.com/articles/index.cfm?articleid=22241
6. ==== HOT RELEASE (ADVERTISEMENT) ====
* SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY
Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "Securing Your Web site for Business," and
you'll learn everything you need to know about using 128-bit SSL to
encrypt your e-commerce transactions, secure your corporate intranets
and authenticate your Web sites. 128-bit SSL is serious security for
your online business. Get it now!
http://www.verisign.com/cgi-bin/go.cgi?a=n094449760013000
7. ==== SECURITY TOOLKIT ====
* BOOK HIGHLIGHT: KNOW YOUR ENEMY: REVEALING THE SECURITY TOOLS,
TACTICS, AND MOTIVES OF THE BLACK-HAT COMMUNITY
By Lance Spitzner, Honeynet Project
List Price: $39.99
Fatbrain Online Price: $31.99
Softcover; 368 pages
Published by Addison Wesley Longman, September 2001
ISBN 0201746131
For more information or to purchase this book, go to
http://lists.win2000mag.net/cgi-bin3/flo?y=eHmp0CJgSH0BVg0LBe0AH
and enter WIN2000MAG as the discount code when you order the book.
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
http://www.secadministrator.com/panda
Virus Alert: W32/Vote
A new virus, W32/Vote, is circulating on the Internet. The virus
comes in the form of an email with the message subject of "FW: Peace
Between America and Islam!" The body of message reads, "Is it a war
against America or Islam? Let's vote to live in peace!" The message
also contains a file attachment named wtc.exe, which installs a copy of
the virus on the system when the user runs the file. The file then
modifies the registry to run the virus each time the user boots the
system.
http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusid=1111
Virus Alert: W32/Nimda
Nimda is a worm that affects Outlook, Internet Explorer (IE), and
Microsoft IIS. The worm leaves an infected system wide open to attack
and can spread in four ways: Web servers, Web clients, email clients,
and disk files.
http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusid=1110
* FAQ: WHAT IS THE INTERNET EXPLORER 6.0 UNSAFE-FILE LIST?
(contributed by John Savill, http://www.windows2000faq.com)
A. Internet Explorer (IE) 6.0 contains a hard-coded list of unsafe file
types in the shdocvw.dll file. IE 6.0 uses the unsafe-file list to
prevent you from accidentally opening a file type that might cause
problems on your computer. The complete list of file types is available
on our Web site at the URL below.
http://www.secadministrator.com/articles/index.cfm?articleid=22493
8. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, products@win2000mag.com)
* FIREWALL AND VPN APPLIANCE
Symantec released a new version of its VelociRaptor firewall and VPN
appliance, which comes in three models. You'll find the 500 model
suitable for protecting networks that have as many as 50 nodes. The 700
model features an unlimited node license and can protect networks with
speeds as fast as a T3. The 1000 model also features an unlimited node
license that users can employ for securing Ethernet-speed networks. For
pricing, contact Symantec at 408-517-8000 or 800-745-6054.
http://www.symantec.com
* PREVENT UNAUTHORIZED INTRUSION
Smith Micro Systems released CheckIt Firewall, a PC firewall that
prevents unauthorized Internet intrusion while controlling outbound
communication of personal or sensitive data. You can customize the
firewall for specific applications and trusted IP addresses, ports, or
protocols. Also, you can specify different security rules for different
times. The CheckIt Firewall runs on Windows 2000, Windows NT, Windows
Me, and Windows 9x systems and costs $39.95. Contact Smith Micro
Systems at 949-362-5800.
http://www.smithmicro.com
9. ==== HOT THREADS ====
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums
Featured Thread: FTP Blank Folder Name
(Three messages in this thread)
Robert has a blank folder that someone created in his public FTP site.
He can't delete this folder from a command prompt or Internet Explorer
(IE), and the Recovery Console won't let him access the folder. Read
more about the question and the responses or lend a hand at the
following URL:
http://www.win2000mag.net/forums/rd.cfm?app=64&id=78747
* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
Featured Thread: Tools for Trust Relationships
(Four messages in this thread)
This user is looking for a tool to help him monitor trust relationships
between domains. Do you know of a tool that can help? Read the responses
or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0109c&l=howto&p=483
10. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- mark@ntsecurity.net
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey@win2000mag.com; please
mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- products@win2000mag.com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate@win2000mag.com.
* WANT TO SPONSOR SECURITY UPDATE? emedia_opps@win2000mag.com
********************
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email
ISN is currently hosted by Attrition.org
Received on Thu Sep 27 12:31 CDT 2001