Security UPDATE--Nmap and XP SP2; Phishin' Phrenzy Continues--August 25, 2004

==== This Issue Sponsored By ====

Get a Free Authenex A-Key(TM) Security Token

http://www.authenex.com/campaign/campaign.asp?scid=307

Windows Scripting Solutions

http://www.winscriptingsolutions.com/rd.cfm?code=fsep264xup

1. In Focus: Nmap and XP SP2; Phishin' Phrenzy Continues

2. Security News and Features

- Recent Security Vulnerabilities

- News: MD5 and SHA-1 Come Under Fire

- News: XP Pro SP2 Delayed for Automatic Updates; German Security Firm Announces Vulnerability in SP2

- Feature: SURBLs: The Upside of Sharing Spam

3. Security Matters Blog

- New Windows XP SP2 Mailing List

4. Instant Poll

5. Security Toolkit

- FAQ

- Featured Thread

6. New and Improved

- Better Network Scanning

- Protect User Privacy On- and Offline

==== Sponsor: Get a Free Authenex A-Key(TM) Security Token ====

The key to complete authentication and encryption security, the new Authenex A-Key offers multiple methods of authentication through USB interface or One-Time Password. The A-Key uses our ASAS(TM) server for strong Two-Factor authentication for network access and can be leveraged by our entire suite of e-security applications, including: Web Access Control, Endpoint Encryption to protect either files or the entire hard drive, Secure File Exchange, and Storage for Digital Certificates. One A-Key is all you need.

Click now for a FREE eval A-Key.

http://www.authenex.com/campaign/campaign.asp?scid=307

==== 1. In Focus: Nmap and XP SP2; Phishin' Phrenzy Continues ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

If you're one of the countless network administrators who use the hugely popular Network Mapper (Nmap) network exploration and auditing tool, then you might already know that it doesn't work on Windows XP Service Pack 2 (SP2). The reason is that in SP2, Microsoft changed the way raw sockets (which are used by Nmap) operate. According to a message posted by Nmap author, Fyodor, on his Insecure.org Web site, someone from Microsoft stated that Microsoft changed raw socket operation because "the only apps using \[raw sockets\] on XP were people writing attack tools."

http://seclists.org/lists/nmap-hackers/2004/Jul-Sep/0002.html

Michael Howard, security program manager on the XP team, posted an interesting entry ("A little more info on raw sockets and Windows XP SP2," at the first URL below) to his blog that excerpts a portion of the Microsoft document "Changes to Functionality in Microsoft Windows XP SP2." The Microsoft document (at the second URL below) points out that "The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:

" - TCP data cannot be sent over raw sockets, UDP datagrams with invalid source addresses cannot be sent over raw sockets.

- The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped."

http://blogs.msdn.com/michael_howard/archive/2004/08/12/213611.aspx

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx

Fyodor is looking for a way around the problem, and a solution might have already been found by the time you read this newsletter. If you recall, Windows 95 doesn't support raw sockets either and Nmap runs on that platform, so there's a good chance that a workaround is possible for XP SP2.

You can read more about or download Nmap at the Insecure.org Web site (at the first URL below). A Microsoft Security Tools Web page links directly to Nmap (at the second URL below).

http://www.insecure.org/nmap/index.html

http://www.microsoft.com/serviceproviders/security/tools.asp

On another note, have you had enough phishing yet? The Anti-Phishing Working Group has recently released a report that offers insight into phishing attacks and trends, and apparently the piranha are still swarming.

According to the report, 1422 unique phishing scam attempts were reported in June. Citibank was the most targeted company, experiencing some 492 scams against its customers. The next three most-targeted companies were eBay, U.S. Bank, and PayPal. In May, the number of unique scam attempts was 1107; in April, the number was 475; and in those two months, the same four companies' customers were the most targeted. One reason might be that those companies are very popular.

If you're interested in more detail about trends in phishing, including which industry sectors are attacked most, the life span of spoofed sites, and more, then you can download a copy of the latest report in PDF format from the Anti-Phishing Working Group's Web site.

http://www.antiphishing.org/APWG_Phishing_Attack_Report-Jun2004.pdf

==== Sponsor: Windows Scripting Solutions ====

Try a Sample Issue of Windows Scripting Solutions

Windows Scripting Solutions is the monthly newsletter from Windows & .NET Magazine that shows you how to automate time-consuming, administrative tasks by using our simple downloadable code and scripting techniques. Sign up for a sample issue right now, and find out how you can save both time and money. Click here!

http://www.winscriptingsolutions.com/rd.cfm?code=fsep264xup

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.winnetmag.com/departments/departmentid/752/752.html

News: MD5 and SHA-1 Come Under Fire

by Randy Franklin Smith, guest news editor

The two most popular hashing algorithms in use today came under fire at Crypto 2004 in Santa Barbara, California last week when researchers published ways to greatly reduce the complexity of cracking the algorithims. Unlike encryption algorithms such as Data Encryption Standard (DES) that take two inputs (an encryption key and clear text), generate an output the same length as the input clear text, and can be reversed (i.e., decrypted), hashing is a one-way function that takes just one input (a variable number of bytes) and generates a fixed-length (16 bytes for MD5, 20 bytes for Secure Hash Algorithm-1--SHA-1) digest of the message. MD5 and SHA-1 are widely used for integrity checking, digital signatures, and protection of stored passwords, among other things. Although the attack methods described were characterized as valid and independently verified, significant computing power is required to figure out the input data that generates a given hash. Still, we might see the beginning of a search for a new hash algorithm that's fast but also secure against today's computing power.

News: XP Pro SP2 Delayed for Automatic Updates; German Security Firm Announces Vulnerability in SP2

by Randy Franklin Smith, guest news editor

Windows XP Sevice Pack 2 (SP2) became available for download on August 10 and available for deployment via Microsoft Software Update Services (SUS) on August 16. On August 18, Microsoft added SP2 to the Automatic Updates service--but only for Windows XP Home Edition, not for Windows XP Professional Edition. Microsoft delayed XP Pro in deference to corporate customers that wanted additional time to test and prepare for SP2's impact. The new date is reportedly today--August 25. The obvious question is "How many and which corporations are using Automatic Updates, as opposed to SUS or Microsoft Systems Management Server (SMS), to deploy patches to their users' workstations?" Evidently many, including IBM, which has reportedly issued a memo instructing its employees to hold off installing SP2. As mentioned in last week's Security UPDATE, Microsoft has released a tool to block SP2 from being installed by PCs running Automatic Updates and Windows Updates. Further complicating the already chaotic release of SP2 was the publication by heise Security of a flaw in SP2 that reportedly lets Windows be tricked into running untrusted code. You can read more about this flaw at

http://www.heise.de/security/artikel/50051

Feature: SURBLs: The Upside of Sharing Spam

A few years ago, simple subject, sender, or IP address filters were sufficient to battle spam. But as the arms race between spammers and the rest of us continues to escalate, collaborative solutions are becoming the top choice for the front lines. Spam URL Realtime Block Lists (SURBL) work by collaboratively tracking URLs in spam messages. Read more about them in Paul Robichaux's article at

http://www.winnetmag.com/article/articleid/43660/43660.html

==== Announcements ====

(from Windows & .NET Magazine and its partners)

Do You Find Monitoring Windows Servers a Daunting Task?

In this free eBook, we'll examine four main types of monitoring crucial to any network: performance, capacity, availability, and security. For each area, you'll find out the most important events and conditions to monitor to maximize performance, manage capacity, ensure availability, and stay on top of security. Download this free eBook today!

http://www.WindowsITlibrary.com/ebooks/monitoringwindowsservers/Index.cfm?code=0823emailannc

Achieving Service Management May Be Your Destination, but Do You Have the Road Map That Will Take You There?

During this expert panel discussion, you'll get real-world perspectives about how to make the move from the traditional systems-management practice of monitoring individual IT elements to mapping the interdependencies and managing the elements as a single complete service. Register now for this free Web seminar!

http://www.winnetmag.com/seminars/serviceroadmap/index.cfm?code=0823emailannc

==== 3. Security Matters Blog ====

by Mark Joseph Edwards, http://www.winnetmag.com/securitymatters

Check out these recent entries in the Security Matters blog:

New Windows XP SP2 Mailing List

PatchManagement.org has launched a mailing list to discuss Windows XP Service Pack 2 (SP2) installation issues, application compatibility, Windows Firewall, and more.

==== 4. Instant Poll ====

Current Instant Poll

The current Instant Poll question is, "Have you experienced any problems with Windows XP Service Pack 2 (SP2)?" Go to the Security Web page and submit your vote for

- Yes, some of our software is now broken

- Yes, problems with installation of third-party applications

- Yes, problems with installation of SP2 itself

- Yes, more than one of the problems mentioned above

- No

http://www.winnetmag.com/windowssecurity

Editor's note: We've leaving this Instant Poll question posted on our Web site to give you all more time to install XP XP2 and submit your vote. If you've already voted on this question, please don't vote again.

==== 5. Security Toolkit ====

FAQ: How can I prevent nonadministrative users from creating top-level public folders in Exchange 2000 Server?

by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A: Exchange Server 2003 doesn't let nonadministrators create top-level public folders. To modify Exchange 2000 so that nonadministrative users can't create top-level folders, perform these steps:

1. Enable the Exchange organization's Security tab, as explained in the FAQ "How can I enable the Security tab at the Exchange organization level?" ( http://www.winnetmag.com/article/articleid/42869/42869.html )

2. Start the Exchange System Manager (ESM) utility.

3. Right-click the organization and select Properties.

4. Select the Security tab.

5. Under Name, select the "Everyone" entry.

6. In the Permissions section, clear the "Create top level public folder" check box under the Allow column.

7. Click OK.

If you don't plan to add Exchange 2000 servers and you have the Exchange 2003 installation media, an alternative method is to run the Exchange 2003 command

setup /forestprep

Be aware that if you use this method, adding another Exchange 2000 server in the future will re-enable all users' ability to create top-level folders.

http://www.winnetmag.com/article/articleid/43323/43323.html

Featured Thread: Disabling File and Printer Sharing in an Enterprise Environment

(1 message in this thread)

A forum user writes that some users in his Active Directory (AD) environment have disabled and removed File and Printer Sharing for Microsoft Networks from their computers. He wonders what effect this action will have on his overall management of those computers in his AD environment and whether the action will affect the application of Group Policy Objects (GPOs) that he sets for his domain. He gets a "computer not found" error when trying to run the Microsoft Baseline Security Analyzer (MBSA) on those PCs. To lend a hand, go to

http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=124724

==== Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

New Web Seminar! Email Security and Compliance for Financial Services: What You Need to Know to Safeguard Your Organization

Are you a financial services company bogged down with email management? In this free Web seminar, learn how to make a case to purchase a reliable email security management solution to help you enforce email security, safeguard the privacy of your messages, and reduce potential liability or risk associated with email communications. Register now!

http://www.winnetmag.com/seminars/postiniantispamsolution/index.cfm?code=0823emailannc

==== 6. New and Improved ====

by Renee Munshi, [email protected]

Better Network Scanning

eEye Digital Security announced the introduction of Retina Network Security Scanner 5.0, which identifies security vulnerabilities within enterprise networks. Retina 5.0 introduces enhanced asset discovery, expanded reporting, improved OS detection, and a new UI. A new Discovery Scan mode helps enterprises identify all the assets in their networks, and an integrated workflow approach guides users through the discovery, audit, remediation, and reporting of network vulnerabilities. For more information about Retina 5.0, go to

http://www.eeye.com

Protect User Privacy On- and Offline

ManageBytes Software released PrivacyWatcher, which erases lists of recently used or accessed files and documents from Windows, Microsoft Internet Explorer (IE), the Opera browser, Microsoft Office, Adobe Photoshop, Adobe Reader, Visual Basic (VB), and other programs. PrivacyWatcher comes with scripting support, so you can set it up to automatically clean certain files, folders, or registry entries. Other features are desktop lockout, which prevents unauthorized access to a computer; secure file deletion (which makes "undeleting" impossible); and 448-bit Blowfish encryption for selected files. PrivacyWatcher costs $24.95. A free demo version is available for evaluation at

http://www.managebytes.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Sponsored Links ====

Argent

Comparison Paper: The Argent Guardian Easily Beats Out MOM

http://ad.doubleclick.net/clk;6480843;8214395;q?http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNTTextLink

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.winnetmag.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

==== Contact Our Sponsors ====

Primary Sponsor:

Authenex, Inc. -- http:// www.authenex.com -- 1-877-AUTHENEX