Security UPDATE, February 26, 2003

Subject: Security UPDATE, February 26, 2003

********************

Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems. http://www.secadministrator.com

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Tivoli. Intelligent Management Software Solutions. http://www-3.ibm.com/software/tivoli/resource-center/index.jsp?section=guides

ALERT: Outsmart SQL Injection Attackers http://www.spidynamics.com/mktg/sqlinjection26 (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: TIVOLI. INTELLIGENT MANAGEMENT SOFTWARE SOLUTIONS. ~~~~ To compete in today's environment, companies need to provide access to more information than before. The challenge is to effectively manage user identities & access through the lifecycle. Learn how Tivoli identity management software can help get users, systems, and applications online fast: http://www-3.ibm.com/software/tivoli/resource-center/index.jsp?section=guides ~~~~~~~~~~~~~~~~~~~~

February 26, 2003--In this issue:

1. IN FOCUS - Tracking Security Threats and Trends

2. SECURITY RISKS - Three Buffer Overflows in Oracle Database Server - WebDAV Vulnerability in Oracle 9i

3. ANNOUNCEMENTS - Join the HP & Microsoft Network Storage Solutions Road Show! - Our Active Directory Web Seminar Is in Just 3 Weeks!

4. SECURITY ROUNDUP - News: Windows XP Wide Open Using Win2K CD-ROM - Feature: Getting to the Root of Slammer - Feature: Coding Defensively

5. HOT RELEASE (ADVERTISEMENT) - Best Practices for Designing Secure Active Directory

6. SECURITY TOOLKIT - Virus Center - FAQ: How Can I Prevent Windows Media Player (WMP) from Processing HTML Scripts Contained in Media Files?

7. NEW AND IMPROVED - Secure Your IM Communications - Take Control of Your Users' Authentication Credentials - Submit Top Product Ideas

8. HOT THREAD - Windows & .NET Magazine Online Forums - Featured Thread: MAC Address Security

9. CONTACT US See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, [email protected])

* TRACKING SECURITY THREATS AND TRENDS

Are you aware of the networks that track events and trends related to specific threats and ongoing attacks? You can participate in these threat-analysis networks, and in return, they offer information that can help you become aware of potential threats to your own network, sometimes well in advance of any actual attack.

Several networks (e.g., DShield.org, myNetWatchman, Symantec's DeepSight Analyzer, Internet Security Systems'--ISS's--X-Force Threat Analysis Service--XFTAS) collect security information and offer it to the public in the form of a worldwide security trend monitoring report. These networks receive input from a wide array of users' networks around the globe, all contributing information into a central repository. Intrusion Detection Systems (IDSs) and firewall logs running on the participating local networks provide the information.

Each threat-analysis network provides client-side software that gathers log information, parses it into a common format, and transmits the data back to a central repository. DShield.org client software works with more than three dozen various types of IDS and firewall systems; myNetWatchman client software and Symantec's DeepSight Analyzer service client software work with about two dozen IDS and firewall systems each.

DShield.org is by far the most open of the networks. Anyone can visit the related Web site and immediately view both graphical and text-based reports that show current threat trends and historic data. For example, when you visit the Web site home page, you'll find a prominent graphical map of the world with pie charts for various continents. The pie charts give a quick view of threat trends based on aggregate information that shows which ports are being probed most often. Next to the graphic is a brief list of the port numbers and the services typically associated with those ports. http://www.dshield.org

When I visited the DShield.org Web site Monday morning, I saw that port 1434, which is related to Microsoft SQL Server, is still among the top targets. This information might mean that the Slammer/Sapphire worm is still trying to spread around the Internet.

One interesting feature of DShield.org is that you can obtain graphic and text-based data files of threat trends to incorporate into your own Web pages. The data shows the current most frequently probed ports as well as the IP addresses that are conducting the most probing. This can provide information about current trends at a glance. DShield.org operates in association with the SysAdmin, Audit, Network, Security (SANS) Institute, which hosts the Internet Storm Center. The Internet Storm Center offers additional information, such as threat-analysis reports. http://isc.sans.org

myNetWatchman is a free public service without any membership requirements. The myNetWatchman Web site home page is basic and doesn't provide the extensive information that DShield.org provides, but it's useful in conjunction with the other threat-analysis information networks. http://www.mynetwatchman.com

Symantec's DeepSight Analyzer is a free service, but only participants who provide IDS and firewall logs can view aggregate information that the service provides. The service's Web site home page has a basic display of threat counts, but no further useful details for visitors. To learn more about the service, visit the Web site, and consider joining the network if it supports your particular IDS or firewall. Symantec also offers a paid service, DeepSight Threat Management System, which offers alert and notification information tailored to your IT infrastructure. http://analyzer.securityfocus.com http://enterprisesecurity.symantec.com/products/products.cfm?productid=158

ISS's XFTAS is a paid annual service similar to the Symantec paid offering. Customers receive access to helpful security-related information and can personalize their accounts to obtain the information they need. https://gtoc.iss.net

Joining one or more of these networks can increase your ability to keep your network secure, which leads to a better Return on Investment (ROI) for your overall security budget (and might even increase productivity and free up time and money for other security resources). If your budget allows, consider subscribing to the paid services that ISS and Symantec offer. If you can't afford such security resources right now, know that you can participate in DShield.org and myNetWatchman by investing some of your time.

Please take a moment to respond to the current Security Administrator Instant Poll question, "Do you participate in an 'early warning' network that gathers forensic information from firewall and Intrusion Detection System (IDS) logs?" at the URL below. If you know about additional threat-analysis networks, send me an email message about them. http://www.secadministrator.com

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: ALERT: OUTSMART SQL INJECTION ATTACKERS ~~~~ Learn How a Hacker Launches a SQL Injection Attack - Step-by-Step! It's as simple as placing additional SQL commands into an input box on a web form which gives hackers complete access to all your backend data! Firewalls and IDS will not stop SQL Injection attempts because they are NOT seen as intrusions. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! http://www.spidynamics.com/mktg/sqlinjection26 ~~~~~~~~~~~~~~~~~~~~

SECURITY RISKS

(contributed by Ken Pfeil, [email protected])

* THREE BUFFER OVERFLOWS IN ORACLE DATABASE SERVER Three vulnerabilities in Oracle Database Server can result in remote compromise of a vulnerable server. These vulnerabilities stem from an overflow in the database server's authentication process, a remotely exploitable buffer-overflow flaw in the TO_TIMESTAMP_TZ function, and a remotely exploitable buffer-overflow vulnerability in the TZ_OFFSET function. More details are available at the three URLs below. Oracle has released a bulletin regarding these matters. http://www.secadministrator.com/articles/index.cfm?articleid=38073 http://www.secadministrator.com/articles/index.cfm?articleid=38075 http://www.secadministrator.com/articles/index.cfm?articleid=38076

* WEBDAV VULNERABILITY IN ORACLE 9i A vulnerability in Oracle9i Application Server can result in remote compromise of the vulnerable server. This vulnerability stems from a flaw in the implementation of WWW Distributed Authoring and Versioning (WebDAV) on the server. By crafting a specially formed format string and sending it to the Web server, an attacker can overwrite addresses with arbitrary values, thereby granting the attacker control of the server. Oracle has released a bulletin regarding this problem. http://www.secadministrator.com/articles/index.cfm?articleid=38074

ANNOUNCEMENTS

(brought to you by Windows & .NET Magazine and its partners)

* JOIN THE HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW! Now is the time to start thinking of storage as a strategic weapon in your IT arsenal. Come to our 10-city Network Storage Solutions Road Show, and learn how existing and future storage solutions can save your company money--and make your job easier! There is no fee for this event, but space is limited. Register today! http://www.winnetmag.com/roadshows/nas

* OUR ACTIVE DIRECTORY WEB SEMINAR IS IN JUST 3 WEEKS! Join us as Precise SRM shows you how to leverage Active Directory to assess storage usage, reclaim wasted disk space, and control storage growth. You'll learn how to use AD to save countless hours managing server growth, get back up to half of your server space right away, and even reduce storage growth and backups by 30 percent or more! There is no charge for this event, but space is limited, so register today! http://www.winnetmag.com/seminars/activedirectory

SECURITY ROUNDUP

* NEWS: WINDOWS XP WIDE OPEN USING WIN2K CD-ROM An interesting glitch has turned up in Windows XP. According to a report published in a newsletter ("Brian's Buzz on Windows") from Briansbuzz.com, an intruder can access an XP system without restriction by simply using a Windows 2000 CD-ROM to launch a Recovery Console. http://www.secadministrator.com/articles/index.cfm?articleid=38072

* FEATURE: GETTING TO THE ROOT OF SLAMMER A commentary by Brian Moran has generated a wide range of heated opinions. In his SQL Server UPDATE commentary, Brian criticized DBAs for failing to apply the hotfix that would have shut down the SQL Slammer/Sapphire worm ("After the Slammer"). Brian then apologized to DBAs for oversimplifying the Slammer/Sapphire situation and laying all the blame on their shoulders ("SQL Server DBAs Deserve an Apology"). Brian also asked SQL Server UPDATE readers to share what they think Microsoft can and should do to help us maintain secure systems. Read the article to learn what readers had to say. http://www.secadministrator.com/articles/index.cfm?articleid=38086

* FEATURE: CODING DEFENSIVELY Michael Otey talks with many application developers who think that security isn't their concern. In their view, Microsoft and the security, network, or database administrator are responsible for security--in other words, someone else. Developers with this mentality think it's enough to get the database application running, but that attitude doesn't fly in today's world of Web applications. http://www.secadministrator.com/articles/index.cfm?articleid=37813

HOT RELEASE (ADVERTISEMENT)

* BEST PRACTICES FOR DESIGNING SECURE ACTIVE DIRECTORY Download this free technical white paper now from Windows & .NET Magazine's White Paper Central. Brought to you courtesy of Aelita Software. http://www.aelita.com/winnetmag020403

SECURITY TOOLKIT

* VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT WINDOWS MEDIA PLAYER (WMP) FROM PROCESSING HTML SCRIPTS CONTAINED IN MEDIA FILES? ( contributed by John Savill, http://www.windows2000faq.com )

A. Microsoft Security Bulletin MS02-032 ("26 June 2002 Cumulative Patch for Windows Media Player") identifies several version-specific patches to secure WMP against script attacks. To manually disable WMP's HTML-processing feature, perform the following steps: 1. Start a registry editor (e.g., regedit.exe). 2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences subkey. 3. From the Edit menu, select New, DWORD Value. 4. Enter a name of PlayerScriptCommandsEnabled, then press Enter. 5. Double-click the new value, set it to 0 to prevent WMP from processing HTML scripts in media files, then click OK. 6. Close the registry editor. 7. Restart WMP.

NEW AND IMPROVED

(contributed by Sue Cooper, [email protected])

* SECURE YOUR IM COMMUNICATIONS Akonix Systems released Akonix L7 Enterprise 2.0, software to manage and secure public Instant Messaging (IM) communications between your employees, partners, and customers. You can enforce corporate policies, protect against viruses, eliminate known security loopholes, keep internal messages secure, and report on IM employee usage. Logging and archiving features help you meet government and industry compliance regulations. Pricing is on a subscription basis and starts at $2250 per year for up to 50 users. Contact Akonix Systems at 619-814-2330 and [email protected]. http://www.akonix.com

* TAKE CONTROL OF YOUR USERS' AUTHENTICATION CREDENTIALS Datakey announced Datakey Axis, a turnkey solution that lets you consolidate all user-authentication credentials (passwords, certificates, shared secrets, biometric templates) onto one smart card and automates policy, credential, and desktop management in a centralized management center. Datakey Axis lets you enforce strong password policies and transparently push updated credentials to users' smart cards as they log on to the network, without their knowledge. Datakey Axis will be available in April 2003. Contact Datakey at 952-890-6850 and [email protected]. http://www.datakey.com

* SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

HOT THREAD

* WINDOWS & .NET MAGAZINE ONLINE FORUMS http://www.winnetmag.com/forums

Featured Thread: MAC Address Security (Three messages in this thread)

A user wants to know whether he can prevent access to a network through an adapter's media access control (MAC) address. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=54631

CONTACT US

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- [email protected]

* ABOUT THE NEWSLETTER IN GENERAL -- [email protected] (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- [email protected]

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- [email protected]

* WANT TO SPONSOR SECURITY UPDATE? [email protected]

********************

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today! http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.