Security UPDATE, October 1, 2003

====================

==== This Issue Sponsored By ====

Sybari Software http://www.sybari.com/eo0925

NetIQ http://www.netiq.com/f/form/form.asp?id=2381&origin=NS_SecUpdate_100103

====================

1. In Focus: Passive Vulnerability Scanning

2. Security Risks - Denial of Service in SpeakFreely for Windows - Denial of Service in wzdftpd FTP Server for Windows - Mondosoft's MondoSearch File-Creation Vulnerability

3. Announcements - Attend Windows & .NET Magazine Connections, Win a Free Vacation - Check Out Our 2 New Web Seminars!

4. Security Roundup - News: Report: Microsoft Monoculture Is a National Security Risk - News: Sophos Acquires ActiveState - News: California Cracks Down Hard on Spammers

5. Instant Poll - Results of Previous Poll: DRM Use - New Instant Poll: Firewall and IDS Use

6. Security Toolkit - Virus Center - FAQ: How Can I Use Microsoft Internet Explorer (IE) to Pass a Username and Password to an FTP Site? - Featured Thread: Auditing Software for Windows 2000?

7. Event - The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!

8. New and Improved - Authenticate Using Steel-Belted Appliance - Secure Your Web Portal - Tell Us About a Hot Product and Get a T-Shirt

9. Contact Us See this section for a list of ways to contact us.

====================

==== Sponsor: Sybari Software ==== Sybari Delivers Enterprise Anti-Spam! We've led the market on innovative virus protection for Microsoft messaging and collaboration platforms! And now we've applied the same proven, comprehensive expert technology in Antigen to protecting your enterprise from anti-spam. Register today at http://www.sybari.com/eo0925 to find out how Sybari can guarantee the 100% percent uptime of your messaging servers and keep your inbox Spam free! Register by October 15th and you could win a $250.00 American Express Gift Card!

====================

==== 1. In Focus: Passive Vulnerability Scanning ==== by Mark Joseph Edwards, News Editor, [email protected]

Last week, I wrote about Intrusion Detection Systems (IDSs) and about a couple of reports that evaluate some (but not all) of the more popular IDSs. IDSs are valuable tools for your network, as are firewalls, vulnerability scanners, packet sniffers and analyzers, port scanners, network mapping tools, and so on.

I recently learned about a new tool called a Passive Vulnerability Scanner (PVS). A PVS is a hybrid tool that combines the sniffing capabilities of a packet sniffer and analyzer with the capabilities of an active vulnerability scanner and an IDS.

As you know, a packet analyzer and sniffer promiscuously captures packets from the network so that you can analyze them; an active vulnerability scanner probes systems and devices to detect known vulnerabilities; and an IDS detects possible intrusion attempts as traffic moves over your network. A PVS can do all of those things, with a slight twist in the way it works. But a PVS isn't a replacement for those types of tools--instead, it's complementary.

You place a PVS on the network in a position in which it can monitor the traffic coming from various network segments, just like a network sniffer. The PVS then sniffs the traffic in real time and analyzes it by comparing it with a set of rules, like a vulnerability scanner does. Broken rules trip triggers that alert the PVS administrator to possible security problems on the network.

For example, you might have an environment in which none of the network systems should be running FTP servers and only certain systems should be running Web servers. If anyone from inside or outside your network initiates inbound FTP access to one of your systems, the PVS will alert you. Likewise, if the PVS detects Web traffic to a system that shouldn't be running Web services, the PVS will alert you. These sorts of detections are typical of IDSs, but the PVS can take the analysis further.

When detecting Web traffic in this example, the PVS can analyze the packets to try to determine what type of Web server software is in use. If it's an outdated version of Microsoft IIS or Apache, the PVS will alert the administrator that the system is running a vulnerable software package. The administrator becomes aware of the problem immediately without having to run a periodic vulnerability scan on individual systems to detect problems.

In one more example, someone could place a server in your demilitarized zone (DMZ) without your approval or knowledge. With a PVS in place, you might become aware of that action sooner than you would have otherwise because the PVS monitors traffic and doesn't depend on network device audits or on vulnerability scans or agent software running on individual systems. PVSs are independently deployed, centrally manageable, and scan for problems by looking at network traffic.

I only know of one PVS system available at the moment: Tenable Network Security's NeVO, which runs on the Red Hat Linux and FreeBSD UNIX platforms. Although NeVO doesn't run on Windows platforms, it's compatible with Windows networks. It can detect anomalies on Windows and UNIX networks, and because its logs are generated in a Nessus-style format, you can use any Nessus client, such as the Windows-based Nessus client, to access them. (Nessus is an active vulnerability scanner; for more information, go to http://www.nessus.org .)

You can learn more about NeVO at the first URL below. You'll also find a more detailed explanation of the PVS and NeVO, "Passive Vulnerability Scanning, Introduction to NeVO," in PDF format at the second URL below. http://www.tenablesecurity.com/nevo.html http://www.tenablesecurity.com/docs/passive_scanning_tenable.pdf

Tenable offers a 30-day demo of the product. If you try a copy on your network, send me an email message to let me know what you think of the PVS concept and how well it works for you in your environment.

====================

==== Sponsor: NetIQ ==== Security White Paper Tired of constantly firefighting? You need a more proactive and effective means of managing your vulnerable security systems for policy and compliance. Get the answers you need now! Download a free white paper from NetIQ on "Proactive Security Policy Enforcement: A Practical Approach for the Enterprise." You'll discover why policy enforcement is so important, how to manage the process and how to implement a practical approach to enterprise security policy compliance. http://www.netiq.com/f/form/form.asp?id=2381&origin=NS_SecUpdate_100103

====================

==== 2. Security Risks ==== contributed by Ken Pfeil, [email protected]

Denial of Service in SpeakFreely for Windows Luigi Auriemma discovered that a vulnerability in Speak Freely for Windows can result in a Denial of Service (DoS) condition. Sending multiple spoofed packets (more than 160 packets of 2 bytes or more each) results in the termination of the program, with an error message such as, "Cannot create transmit socket for host (x.x.x.x), error 10055. No buffer space is available." SpeakFreely's developer has been notified. http://secadministrator.com/articles/index.cfm?articleid=40352 Denial of Service in wzdftpd FTP Server for Windows Moran Zavdi discovered that a vulnerability in wzdftpd FTP server for Windows can result in a Denial of Service (DoS) condition. Sending a CRLF sequence at logon causes an unhandled exception at the server. The wzdftpd developer has released a patch for this vulnerability. http://secadministrator.com/articles/index.cfm?articleid=40351 Mondosoft's MondoSearch File-Creation Vulnerability Jens H. Christensen discovered that a vulnerability in Mondosoft's MondoSearch can result in the execution of arbitrary code on the vulnerable computer. One of the default installation files, msmsetup.exe, contains a vulnerability that lets malicious users create files with user-specified content on the Web server or anywhere that the executing user (typically IUSR_xxx) has write access. For details about this vulnerability, see the discoverer's Web site. Mondosoft has released a patch for this vulnerability. http://secadministrator.com/articles/index.cfm?articleid=40350

====================

==== Sponsor: Virus Update from Panda Software ==== Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control. http://www.secadministrator.com/Panda/Index.cfm

Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today! http://www.pandasecurity.com/virusfree2

====================

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Attend Windows & .NET Magazine Connections, Win a Free Vacation How secure is your network? Are Windows Server 2003's improved security features worth the migration effort? Want to stop spam? Learn the answers to these questions and more at Windows & .NET Magazine Connections. Register today and receive access to concurrently running Exchange Connections. http://www.winconnections.com

Check Out Our 2 New Web Seminars! "Plan, Migrate, Manage: Shifting Seamlessly from NT4 to Windows 2003" will help you discover tips and tricks to maximize planning, administration, and performance. "The Secret Costs of Spam ... What You Don't Know Can Hurt You" will show you how to quantify costs and find antispam solutions. Register today! http://www.winnetmag.com/seminars

==== 4. Security Roundup ====

News: Report: Microsoft Monoculture Is a National Security Risk A damning report written by security experts and sponsored by Microsoft's competitors concludes that the "monoculture" created by the software giant's dominance is a national security risk. The report was released at a meeting of the Computer & Communications Industry Association (CCIA). http://secadministrator.com/articles/index.cfm?articleid=40340

News: Sophos Acquires ActiveState Antivirus software maker Sophos announced that it has acquired ActiveState, a Canadian-based maker of spam-filtering and development tools. Sophos will acquire ActiveState and all of the company's stock for $23 million. http://secadministrator.com/articles/index.cfm?articleid=40344

News: California Cracks Down Hard on Spammers California Governor Gray Davis signed legislation that prohibits advertisers from sending unsolicited email and said the law contains no loopholes that can be used to thwart it. http://secadministrator.com/articles/index.cfm?articleid=40345

====================

==== Hot Release: Thawte ==== Get Thawte's New Step-by-Step SSL Guide for MSIIS In this guide you will find out how to test, purchase, install and use a Thawte Digital Certificate on your MSIIS web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. Get your copy of this new guide now: http://ad.doubleclick.net/clk;6247051;8447236;k

====================

==== 5. Instant Poll ====

Results of Previous Poll: DRM Use The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Is your company using or planning to use Digital Rights Management (DRM)?" Here are the results from the 88 votes. - 2% We have a DRM application in production - 5% We're experimenting with DRM - 18% We see some possible applications for DRM but aren't working with it yet - 75% We aren't interested in DRM

New Instant Poll: Firewall and IDS Use The next Instant Poll question is, "Does your company use firewalls and Intrusion Detection Systems (IDSs) to protect the infrastructure?" Go to the Security Administrator Channel home page and submit your vote for - Yes, we use both firewalls and IDSs - No, we only use firewalls - Not sure http://www.secadministrator.com

==== 6. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

FAQ: How Can I Use Microsoft Internet Explorer (IE) to Pass a Username and Password to an FTP Site? contributed by John Savill, http://www.windows2000faq.com If you access an FTP site that doesn't allow anonymous access, you must provide a username and password. To access an FTP site anonymously from IE, use the syntax

ftp://ftp.

To pass a username and password, the syntax is

ftp://:@ftp.

For example, to access the Internet Software Consortium (ISC) FTP site with a username and password, you might type

ftp://john:[email protected]@ftp.isc.org

where "john" is the username and "[email protected]" is the password.

Similarly, to pass just a username, you can use the syntax

ftp://@ftp.

Featured Thread: Auditing Software for Windows 2000? (3 messages in this thread) Brycea writes that he has a small network of 25 users with five servers and Windows 2000 Server running Active Directory (AD) in native mode. He has one server available to the outside world that runs Microsoft IIS for FTP and the Web. The FTP server has been on the internal network with openings on the firewall for ports 21 and 80, but Brycea recently upgraded to a firewall that has an optional demilitarized zone (DMZ) port and he'd like to move the FTP server onto a DMZ. He'd like to know the best practices for using a DMZ for an AD network on its own subnet. Lend a hand or read the responses: http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=63521

==== 7. Event ====

The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta! Learn more about the wireless and mobility solutions that are available today, plus discover how going wireless can offer low risk, proven performance, and compatibility with existing and emerging industry standards. Register now for this free, 12-city event! http://www.winnetmag.com/roadshows/wireless

==== 8. New and Improved ==== by Sue Cooper, [email protected]

Authenticate Using Steel-Belted Appliance Network Engines introduced Steel-Belted Radius Enterprise Edition Appliance 2.0 to deploy remote and wireless LAN (WLAN) access control and security on a network. The appliance combines Network Engines' rack-mountable hardware with Funk Software's Steel-Belted Radius Enterprise Edition 4.5 and an embedded, hardened version of Windows 2000 Professional. The appliance now supports two-factor authentication products, which ensures that only authorized users have access to your network. Steel-Belted Radius Enterprise Edition Appliance 2.0 is available from TidalWire, a Network Engines company. For more information, contact TidalWire at 877-638-8277 or [email protected] http://www.networkengines.com

Secure Your Web Portal Entrust announced Entrust TruePass 7.0, a Web security solution that delivers bidirectional, end-to-end security for your organization's online information. Users can submit sensitive information as encrypted and digitally signed XML or HTML data, or as secure file attachments. The Web server can return secured real-time updates, approvals, and instructions to the users, eliminating the need for paper-based processes. The application provides centralized, role-based password policies, digital ID management in cross-certified environments, certificate revocation list (CRL) checking on third-party certificates, and diagnostic tools. Contact Entrust at 888-690-2424 or [email protected] http://www.entrust.com

Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

===================

==== Sponsored Links ====

CrossTec Free Download - NEW NetOp 7.6 - faster, more secure, remote support http://ad.doubleclick.net/clk;5930423;8214395;j?http://www.crossteccorp.com/tryit/w2k.html

Microsoft Attend a Microsoft(R) Office System Launch Event – Get a FREE Eval Kit http://ad.doubleclick.net/clk;6233617;8214395;l?http://click.atdmt.com/DDB/go/msg02800036ddb/direct/01/

===================

==== 9. Contact Us ====

About the newsletter -- [email protected] About technical questions -- http://www.winnetmag.com/forums About product news -- [email protected] About your subscription -- [email protected] About sponsoring Security UPDATE -- [email protected]

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today. http://www.secadministrator.com/sub.cfm?code=saei25xxup

__________________________________________________________ Copyright 2003, Penton Media, Inc.

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish