Security UPDATE, May 22, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Plan for Infrastructure Security
http://www.ibm.com/e-business/playtowin/n20

VeriSign—The Value of Trust
http://www.verisign.com/cgi-bin/go.cgi?a=n204087360057000
(below IN FOCUS)


SPONSOR: PLAN FOR INFRASTRUCTURE SECURITY

A flexible, reliable infrastructure is a fully integrated infrastructure. With your copy of "e-business Infrastructure Integration: Practical Approaches," you'll learn how properly constructed e-business infrastructure solutions can work for you across business units and across operations to make your organization faster, more flexible, immediately responsive, and highly competitive. IBM has the knowledge, experience, and global resources to help you implement a solution tailored to your company's needs. Let us help you get started building a seamlessly integrated infrastructure for your organization by signing up today to receive your complimentary white paper at
http://www.ibm.com/e-business/playtowin/n20


May 22, 2002—In this issue:

1. IN FOCUS

  • Biometric Security: Fingerprints Don't Always Suffice

2. SECURITY RISKS

  • Multiple Problems with IE
  • Authorization Problem in nCipher's MSCAPI CSP Install Wizard 5.50

3. ANNOUNCEMENTS

  • Meeting IT Security Benchmarks Through Effective IT Audits, August 8-9, 2002, Washington, DC
  • Attend Black Hat Briefings & Training, July 29 - August 1, 2002, Las Vegas

4. SECURITY ROUNDUP

  • News: Online Personal Privacy Act Closer to Becoming Law
  • News: Microsoft Remedy Hearings: Security by Obscurity, Parts I and II
  • Feature: Secure Messaging and Exchange

5. SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Restrict User Access to the Control Panel Internet Options or Internet Tools Applet Without Using Policies?

6. NEW AND IMPROVED

  • Realtime Protection Against Security Breaches
  • Updated Security Suite

7. HOT THREADS

  • Windows & .NET Magazine Online Forums
    • Featured Thread: The Difference Between Required Encryption and Maximum Strength Encryption
  • HowTo Mailing List
    • Featured Thread: IIS 5.0 Banner Query

8. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • BIOMETRIC SECURITY: FINGERPRINTS DON'T ALWAYS SUFFICE

  • Does your company use fingerprint-scanning authentication technology? If so, that technology might not be enough to guard the authentication process for your particular network environment because, as you know, the finger doesn't have to be attached to the body. For that matter, the finger doesn't even need to be a real finger. A recent news story from The Register (see the URL below) is a good case in point. In the story "Gummi bears defeat fingerprint sensors," reporter John Leyden describes how Japanese mathematician Tsutomu Matsumoto used gelatin and a plastic mold to reproduce a portion of a finger, including its fingerprint, and defeated 11 different fingerprint-authentication systems in four of five attempts. Taking the process further, Matsumoto lifted a fingerprint from a glass, transferred the print to a rigid flat surface, and used a mold to create a fake gelatin finger. According to the report, the finger fooled scanners about 80 percent of the time.
    http://www.theregister.co.uk/content/55/25300.html

    To receive a copy of a paper Matsumoto wrote detailing the preceding endeavors, send him an email message to [email protected] and request a copy. Although that paper isn't available on the Web site, you'll find a presentation in which Matsumoto discusses biometrics and shows some photographs of the process of creating a fake finger. You can download a copy of the PDF file (about 1.2MB) at the URL below.
    http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf

    Bruce Schneier, founder and chief technology officer CTO of Counterpane Internet Security, publishes the newsletter Crypto-Gram. In the May 15 edition (see the URL below), Schneier offers more detail and commentary about Matsumoto's process. According to Schneier, "There's both a specific and a general moral to take away from this result. Matsumoto is not a professional fake-finger scientist; he's a mathematician. He didn't use expensive equipment or a specialized laboratory. He used $10 of ingredients you could buy, and whipped up his gummy fingers in the equivalent of a home kitchen. And he defeated eleven different commercial fingerprint readers, with both optical and capacitive sensors, and some with 'live finger detection' features." Schneier urges us to consider how much more dedicated attackers could do. Schneier warns, "All the fingerprint companies have claimed for years that this kind of thing is impossible. When they read Matsumoto's results, they're going to claim that \[Matsumoto's methods\] don't really work, or that they don't apply to them, or that they've fixed the problem. Think twice before believing them."
    http://www.counterpane.com/crypto-gram-0205.html#5

    Following the fake finger story, Crypto-Gram offered a link to a news report about paying for merchandise with nothing more than a fingerprint. According to an April 27 article in the Seattle Post-Intelligencer (see the URL below), the West Seattle Thriftway store offers customers a fingerprint-only payment system. The system ties customers' fingerprints directly to their credit cards, checking accounts, and benefit cards and lets them pay for merchandise by simply placing their index finger on a scanner during checkout.
    http://seattlepi.nwsource.com/local/68217_thumb27.shtml

    Someone could theoretically use Matsumoto's technique to create a thin "skin" with someone else's fingerprint, lay it over his or her index finger, and go on a shopping spree at someone else's expense. The article about the fingerprint checkout system could mislead uneducated consumers. According to the store owner, the new payment system is foolproof: "People no longer have to worry that their cards will be lost or stolen and then used to run up hefty charges. Stores and credit card issuers will likewise avoid the losses associated with identity theft." Yeah, right. If nothing else, the Matsumoto experiments should keep us all from being lulled into a false sense of security.

    The West Seattle Thriftway might have used something a bit more secure for its biometric payment system. Several other options (e.g., facial-recognition units) offer more security. Visionics (see the URL below) makes a facial-recognition unit that you can use for network authentication. The company's FaceIt product works as a single sign-on (SSO) tool and as a continuous authentication system. Users are authenticated initially, then reauthenticated as they continue to use the system. This approach helps prevent anyone but the authenticated user from using the authenticated resources. FaceIt uses any video camera that supports Microsoft Video for Windows. The product runs on Windows platforms, Linux, Sun OS, and SGI Irix systems, and the company offers software development kits (SDKs) for custom application development.
    http://www.visionics.com/faceit

    BioID makes a facial-recognition product also called BioID. The product uses a combination of facial features, voice patterns, and lip movement to identify a person. BioID uses a standard USB-based video camera and microphone to perform its authentication process. You can learn more about the product at the company's Web site (see the URL below).
    http://www.bioid.com

    If you're interested in other types of biometric security, such as hand-geometry, iris, retina, voice, and signature scanners, a great place to start is the International Biometric Group Web site (see the first URL below). The site offers information about most types of biometric security available today and links to many vendor sites. The following quick reference by security type (see the second through eighth URLs below) will get you started.

    • http://www.biometricgroup.com
    • http://www.finger-scan.com/finger-scan_vendors.htm
    • http://www.facial-scan.com/facial-scan_vendors_and_links.htm
    • http://www.iris-scan.com/iris_recognition_vendors.htm
    • http://www.retina-scan.com/retina_scan_vendors_and_products.htm
    • http://www.hand-scan.com/hand_scan_vendors.htm
    • http://www.voice-scan.com/vendors.htm
    • http://www.signature-scan.com/signature_scan_vendors.htm

    In last week's Security UPDATE commentary, I discussed Instant Messaging (IM) software. A different article in The Register, "EDS bans IM" (see the URL below), discusses how the computer arm of the British government has banned IM because of its inherent security risks, particularly the way IM products let network traffic bypass certain security systems designed to protect networks. For example, IM software can deliver email and transfer files that bypass virus-scanning software and infect your network. The article offers further evidence that you should weigh the risks of IM before you allow its use in your environment.
    http://www.theregister.co.uk/content/55/25185.html


    SPONSOR: VERISIGN—THE VALUE OF TRUST

    Get the strongest server security—128-bit SSL encryption!
    Download VeriSign's FREE guide, "Securing Your Web Site for Business" and learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here!
    http://www.verisign.com/cgi-bin/go.cgi?a=n204087360057000


    2. SECURITY RISKS
    (contributed by Ken Pfeil, [email protected])

  • Multiple problems with IE

  • Microsoft reported six vulnerabilities in Microsoft Internet Explorer (IE). The first is a cross-site scripting problem, the second and third relate to information disclosure, the fourth is a zone-spoofing problem, and the last two relate to malformed headers in downloadable files. Microsoft has released a cumulative patch to correct the problems. For complete details about these problems and a link to the patch, please visit the URL below.
    http://www.secadministrator.com/articles/index.cfm?articleid=25246

  • Authorization Vulnerability in nCipher's MSCAPI CSP Install Wizard 5.50

  • When a user creates an Operator Card Set with nCipher's MSCAPI CSP Install Wizard 5.50, the nCipher CSP key generation behaves as the user requests. When the user selects Cardset Protect from the Install Wizard but doesn't create a new Operator Card Set, the wizard incorrectly sets up the nCipher CSPs to use module protection for all keys that the user subsequently creates. Then, rather than a combination of the Operator Card Set and module, the module alone protects application keys that the nCipher CSP generates. An attacker who gains control of any nCipher module that the user has programmed into the key's security world can gain unauthorized access to this key because the nCipher module doesn't require any further smart card authorization. nCipher has released an advisory that recommends the corrective action a user should take.
    http://www.secadministrator.com/articles/index.cfm?aarticleID=25245

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • MEETING IT SECURITY BENCHMARKS THROUGH EFFECTIVE IT AUDITS, AUGUST 8-9, 2002, WASHINGTON, DC

  • Have your IT security solutions kept pace with evolving threats? Until you conduct a thorough IT security audit, you won't know until after a breach has occurred. To help you achieve the most Return on Investment (ROI) on your security investment, ITRA is proud to present a step-by-step practical guide to auditing your enterprise's IT security. For more information, call 800-280-8440 or visit:
    http://www.frallc.com

  • ATTEND BLACK HAT BRIEFINGS & TRAINING, JULY 29-AUGUST 1, 2002, LAS VEGAS

  • Black Hat Briefings is the world's premier technical security event, featuring 8 tracks and 12 training sessions, with lots of Windows topics coverage, full support by Microsoft, and a keynote by Richard Clarke. See for yourself what the buzz is all about. Register today!
    http://www.blackhat.com

    4. SECURITY ROUNDUP

  • NEWS: Online Personal Privacy Act Closer to Becoming Law

  • The Senate Commerce Committee approved bill (S.2201), "Online Personal Privacy Act," which would require online entities to stop collecting personal information from users unless the users specifically agree to such information collection either before or during the collection process. After users agree to the information collection, the agreement would remain in effect until the users change their consent.
    http://www.secadministrator.com/articles/index.cfm?articleid=25247

  • NEWS: Microsoft Remedy Hearings: Security by Obscurity, PartS I and II

  • If you didn't read Paul Thurrott's WinInfo Daily UPDATE Short Takes on May 10, you missed some interesting information. As Microsoft Group Vice President Jim Allchin responded to a question about the security exception in the proposed settlement with the US Department of Justice (DOJ), he essentially said that the company must be permitted to withhold information that would compromise Windows security (you know, like interoperability information). "The more creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses to disable or destroy those mechanisms," Allchin said.

    Samba developers had been looking forward to a mid-2002 Microsoft code release that would give them the information they need to work with the company's latest networking protocol, the Common Internet File System (CIFS). However, Microsoft forbids using the code in any projects covered by the GNU General Public License (GPL), which is exactly what Samba uses.
    http://www.secadministrator.com/articles/index.cfm?articleid=25172

  • FEATURE: Secure Messaging and Exchange

  • Microsoft Exchange Server implements secure messaging through the Advanced Security subsystem. This subsystem supports two key functions: signing (i.e., digital signatures for message nonrepudiation) and encryption/decryption. In fact, Exchange's infrastructure and services play a supporting role in secure messaging; the Exchange client (e.g., Microsoft Outlook, Outlook Express) plays the main role. For secure messaging to work, you need a supporting infrastructure, Exchange services, and client extensions that implement support for digital signing and encryption.
    http://www.secadministrator.com/articles/index.cfm?articleid=25165

    5. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: How can I restrict user access TO the Control Panel Internet Options or Internet Tools applet without using policies?

  • ( contributed by John Savill, http://www.windows2000faq.com )

    A. If you use NTFS, you can use the file system's built-in permissions to restrict access to the Control Panel Internet Options or Internet Tools applet by performing the following steps:

    1. Open Windows Explorer.
    2. Navigate to \%systemroot%\system32 (e.g., c:\windows\system32).
    3. Right-click inetcpl.cpl and select Properties from the context menu.
    4. Select the Security tab.
    5. Adjust the user and group permissions as appropriate, and ensure that the SYSTEM group has Full Control.

    You can also use the standard command-line permission utility cacls.exe to set these permissions. However, be aware that when you use either method to restrict access, another administrator will have a difficult time determining the permissions you've set. Therefore, using policies is the preferred method for restricting access.

    6. NEW AND IMPROVED
    (contributed by Judy Drennen, [email protected])

  • REALTIME PROTECTION AGAINST SECURITY BREACHES

  • GFI's LANguard Security Event Log Monitor (S.E.L.M.) is a realtime product that protects against internal and external security breaches. The product monitors Security logs for Windows 2000 and Windows NT servers and workstations, then consolidates them into a central log for analysis. LANguard S.E.L.M. costs $495. Contact GFI at 888-243-4329 or [email protected]
    http://www.gfi.com

  • UPDATED SECURITY SUITE

  • Greatis Software released RegRun Security Suite 3.1, an updated utility that maintains and controls PC stability while protecting against dangerous viruses and Trojan horses. RegRun Security Suite 3.1 runs on Windows XP, Windows 2000, Windows NT, Windows NT, and Windows 9x, and costs from $19.95 to $49.95 for a single-user license. Contact Greatis at 206-202-4216 or [email protected]
    http://www.greatis.com

    7. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

  • Featured Thread: The Difference Between Required Encryption and Maximum Strength Encryption

  • (Twenty-one messages in this thread)

    Robert writes that when you set up a VPN client in Windows XP, in the Properties section you see a tab labeled Security. If you select Advanced (Custom Setting) on this tab, you enable the Setting button. If you click Setting, the process displays another window. At the top of this window, you see a section labeled Data Encryption, with a drop-down menu, in which you find four settings—including Required Encryption and Maximum Strength Encryption. Robert wants to know the difference between Required Encryption and Maximum Strength Encryption. Read the responses or lend a hand at the following URL.
    http://www.secadministrator.com/forums/thread.cfm?thread_id=104764

  • HOWTO MAILING LIST

  • http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

  • Featured Thread: IIS 5.0 Banner Query

  • (Five messages in this thread)

    A reader wants to know how to change the banner in Microsoft Internet Information Services (IIS) 5.0 so that the server no longer reports itself to users as an IIS 5.0 server. Is there an easy way to make such a change without using hexadecimal editors to edit associated .dll files? Read the responses or lend a hand at the following URL.
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0205c&l=howto&p=971

    8. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Hide comments

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish