Security UPDATE, April 23, 2003



Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems.



HP OpenView for Windows Test Drive

Windows & .NET Magazine Email Newsletters (below IN FOCUS)


~~~~ SPONSOR: HP OPENVIEW FOR WINDOWS TEST DRIVE ~~~~ Monitor the availability and performance of your corporate website -- FREE for 30 days, using powerful HP OpenView management software for Windows. Simulate activity. Monitor complex transactions. Meet business demands. Manage web services. Click here. ~~~~~~~~~~~~~~~~~~~~

April 23, 2003--In this issue:

1. IN FOCUS - Harder Times for Security Researchers?

2. SECURITY RISKS - Buffer Overflow in Windows Kernel Message Handling - Buffer Overflow in Snort IDS - Macromedia Flash Player Might Expose Cookies

3. ANNOUNCEMENTS - Sample Our Security Administrator Newsletter! - Microsoft TechEd 2003, June 1-6, 2003, Dallas, TX

4. SECURITY ROUNDUP - News: Microsoft's Plans to Simplify Secure Computing - Feature: Surviving IT Audits - News: ISS and Foundstone Enter Security Appliance Market

5. SECURITY TOOLKIT - Virus Center - FAQ: How Can I Remove the Hiberfil.sys File from My System?

6. NEW AND IMPROVED - Install Preconfigured Security Appliance - Create and Manage Best-Practice Security Policies - Submit Top Product Ideas

7. HOT THREAD - Windows & .NET Magazine Online Forums - Featured Thread: VPN or Terminal Services?

8. CONTACT US See this section for a list of ways to contact us.




1. IN FOCUS - Harder Times for Security Researchers?

(contributed by Mark Joseph Edwards, News Editor, [email protected])


Three recent events might significantly affect security researchers. The first event occurred at the RSA 2003 Conference in San Francisco. Richard Salgado, Department of Justice (DOJ) senior counsel for the computer crime unit, gave a talk in which he warned users who deploy honeypots about potential criminal liabilities.

According to a "SecurityFocus" report, Salgado discussed the potential legal ramifications of operating a honeypot. Under the US Federal Wiretap Act, your use of a honeypot to monitor your network traffic might constitute interception of communications. Salgado outlined a few points that shed some light on the law.

According to Salgado, three legal exemptions might apply to some honeypot configurations. One exemption might apply if a party being monitored consents to the monitoring. Another might apply if a victim invites law enforcement to intercept communications. A third might apply if the honeypot operator clearly eavesdrops on communications to protect his or her services and property.

The DOJ suggests that to rely on the first potential exemption, the honeypot operator display a banner warning users that the system is monitored. The second potential exemption is self-explanatory. The third is probably the most viable. However, Salgado said he sees a potential legal problem in that instance because the purpose of a honeypot is to lure attackers. He noted that it's unusual to claim that one is protecting services and property when one sets up a system specifically to draw attacks. Clearly, honeypots are meant to protect networks--not the computers that run the honeypot software. In some ways, a honeypot is similar to a man trap in a secure installation: An attacker breaks through the first door of the man trap, then can't gain access through the second door. Meanwhile, the first door has closed, and the attacker is trapped and caught. Aren't honeypots much like man traps?

The second event of potential significance to security researchers involves the Digital Millennium Copyright Act (DMCA). Recently, lawyers acting on behalf of particular vendors used the act to silence security researchers about a particular matter that involved, if I interpret correctly, reverse engineering. "The Register" reported that presenters canceled a talk slated for the recent InterZ0ne security conference after lawyers threatened to litigate if the presentation took place.

Apparently, researchers Billy Hoffman and Virgil Griffith would have detailed problems with the Blackboard Transaction System that many colleges use to manage student accounts and electronic commerce transactions. The system uses student ID cards as the vehicle for transactions. The two researchers were about to offer source code and design plans that would let someone emulate or create Blackboard reader systems.

The third event that might affect security researchers relates again to honeypots. Niels Provos developed the Honeyd program, which I've discussed in a previous Security UPDATE commentary (see the first URL below). Provos is a German national based in Michigan--and Act 328 of 1931 of the Michigan Penal Code includes a clause (see the second URL below) that states that a person "shall not assemble, develop, manufacture, possess, deliver, offer to deliver ... [an unlawful telecommunications device that is intended to be used to] ... conceal the existence or place of origin or destination of any telecommunications service."

Because Honeyd emulates a network of computers and can emulate different OSs, the program conceals the source of communication. A fuzzy line of interpretation in the law leaves Provos vulnerable to prosecution (see the first URL below). Provos chose to move his Honeyd software out of the country to a server in the Netherlands (see the second URL below). Access to the software now requires that users answer three questions about their location, nationality, and local laws before they're given access to the site. But an attorney at the Electronic Frontier Foundation (EFF) says even that move might not be enough (see the third URL below).

Apparently, new state laws along with relatively new federal laws put security practitioners in a precarious situation. Such people might want to rethink how they operate and report their findings.

Increasing caution is required to avoid unnecessary confrontations. Something as simple as running a honeypot could now bring legal trouble--perhaps even intruders' lawsuits against you--if you don't handle matters correctly regarding state and federal laws. Read the stories to learn more details, and consult with your legal advisers to ensure that you're operating legally in this shifting landscape.


~~~~ SPONSOR: WINDOWS & .NET MAGAZINE EMAIL NEWSLETTERS ~~~~ IF YOU LIKE THIS NEWSLETTER . . . Then be sure to check out our other email newsletters on a variety of topics ranging from security to Web site administration. Visit our email subscription center today! ~~~~~~~~~~~~~~~~~~~~



2. SECURITY RISKS

(contributed by Ken Pfeil, [email protected])

* BUFFER OVERFLOW IN WINDOWS KERNEL MESSAGE HANDLING Oded Horovitz of Entercept Security Technologies discovered a vulnerability in Windows XP, Windows 2000, and Windows NT 4.0 that could result in the execution of arbitrary code on the vulnerable system. This vulnerability results from a flaw in how the Windows kernel passes error messages to a debugger. A potential attacker could exploit this vulnerability and take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system. According to Microsoft, for this attack to be successful, an attacker must be able to log on interactively to the system either from the console or through a terminal session. Microsoft has released Security Bulletin MS03-013 (Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges) to address this vulnerability.

* BUFFER OVERFLOW IN SNORT IDS Snort Intrusion Detection System (IDS) includes a "stream4 preprocessor" module that reassembles packets before inspecting them. The module contains a buffer-overflow condition that can let a remote attacker execute arbitrary commands on a system that runs Snort or launch a Denial of Service (DoS) attack against Snort. In either case, the vulnerability can let intruders evade IDS detection. The vendor has released Snort 2.0 to correct the problem.

* MACROMEDIA FLASH PLAYER MIGHT EXPOSE COOKIES A problem with Macromedia Flash Player's advertisement-tracking feature can expose user cookies. The clickTAG parameter that Flash Player supports lets HTML pages define the click-through destination URL for a related advertisement. A malicious user can use the clickTAG parameter to insert scripting code that might execute if the Flash advertisement doesn't validate URLs before passing them to the "ActionScript getURL" function. Macromedia issued a statement of clarification for those who implement Flash advertisements.
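As an added illustration (not code from the newsletter or from Macromedia), the following JavaScript shows the kind of URL validation a clickTAG handler should perform before passing the value to a navigation call such as getURL; a Flash advertisement of that era would make the same check in ActionScript. The function names, the host allow-list, and the sample clickTAG values are constructed for the example.

```javascript
// Added example, not code from the newsletter or from Macromedia: validate a
// clickTAG value before it reaches a navigation call such as getURL.
// Function names and sample values are constructed for illustration.

// Return the cleaned URL if clickTAG is an absolute http/https URL, else
// null. javascript:, data:, vbscript:, relative and protocol-relative
// values are all refused, so no script can ride in on the parameter.
function safeClickTagUrl(value) {
  if (typeof value !== "string") return null;
  // Drop leading/trailing whitespace and control characters, which browsers
  // ignore when parsing a scheme; otherwise "  javascript:..." slips past.
  const cleaned = value.replace(/^[\s\x00-\x1f]+|[\s\x00-\x1f]+$/g, "");
  // The scheme must be explicit and (case-insensitively) http or https.
  if (!/^https?:\/\//i.test(cleaned)) return null;
  let parsed;
  try {
    parsed = new URL(cleaned); // rejects malformed values such as "http://"
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return cleaned;
}

// Stricter variant: the destination host must also be on an allow-list the
// ad server supplies. Subdomains of an allowed host pass; look-alike hosts
// such as example.com.evil.test do not.
function isAllowedClickTag(value, allowedHosts) {
  const url = safeClickTagUrl(value);
  if (url === null) return false;
  const host = new URL(url).hostname.toLowerCase();
  return allowedHosts.some((h) => host === h || host.endsWith("." + h));
}
// Constructed clickTAG values as an ad host might receive them, paired with
// the verdict the check must produce.
const SAMPLE_TAGS = [
  ["http://example.com/landing?id=42", true],
  ["https://ads.example.net/click", true],
  ["javascript:void(0)", false],
  ["  JaVaScRiPt:alert(1)", false],
  ["data:text/html,hello", false],
  ["//example.com/x", false],
  ["http://", false],
];

// True when every sample gets its expected verdict.
function checkSamples() {
  return SAMPLE_TAGS.every(([t, ok]) => (safeClickTagUrl(t) !== null) === ok);
}
```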



3. ANNOUNCEMENTS

(brought to you by Windows & .NET Magazine and its partners)

* SAMPLE OUR SECURITY ADMINISTRATOR NEWSLETTER! If you spend the better part of your day dealing with security concerns such as controlling user access, viruses, and tightening your network's permeability, then you can benefit from the type of information we publish each month in Security Administrator. Every issue shows you how to protect your enterprise with informative, in-depth articles, timely tips, and practical advice. Sample our most recent issue today!

* MICROSOFT TECHED 2003, JUNE 1-6, 2003, DALLAS, TX Realize your potential at TechEd 2003, Microsoft's premier technical conference. Includes the latest in-depth sessions on the entire .NET developer-language family. Register by April 25 and save $400!



4. SECURITY ROUNDUP

* NEWS: MICROSOFT'S PLANS TO SIMPLIFY SECURE COMPUTING Speaking at the RSA Conference 2003, Mike Nash, Microsoft corporate vice president of the Secure Business Unit, announced tools and technologies the company plans to release during the next 12 months. Microsoft designed the tools and technologies to address four key areas of customer concern: simpler centralized patch management, information protection, secure development tools and Web services, and secure network access.

* FEATURE: SURVIVING IT AUDITS Properly executed IT audits can add tactical and strategic value to your company. You might not have influence over the goal or the reasons behind the audit, but with some basic planning and the right procedures, you can turn the process into an internal system check to increase the overall effectiveness of your IT group.

* NEWS: ISS AND FOUNDSTONE ENTER SECURITY APPLIANCE MARKET Internet Security Systems (ISS) announced a new line of security appliances as part of its Dynamic Threat Protection enterprise security platform. ISS said the appliances protect against all forms of attack with minimal user intervention. Foundstone announced its new Foundstone FS1000 Appliance, which provides comprehensive network mapping including wireless access points. The appliance can perform in-depth vulnerability analysis of OSs, network devices, databases, Web application security problems, and more.



5. SECURITY TOOLKIT

* VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

* FAQ: How Can I Remove the Hiberfil.sys File from My System? (contributed by John Savill)

A. When you hibernate your computer, Windows saves the contents of the system's memory to the hiberfil.sys file. As a result, the size of the hiberfil.sys file will always equal the amount of physical memory in your system. If you don't use the hibernate feature and want to recapture the space that Windows uses for the hiberfil.sys file, perform the following steps:

1. Start the Control Panel Power Options applet.

2. Select the Hibernate tab, clear the "Enable hibernation" check box, then click OK. Although you might think otherwise, selecting Never under the "System hibernates" option on the Power Schemes tab doesn't delete the hiberfil.sys file.

Windows will remove the "System hibernates" option from the Power Schemes tab and delete the hiberfil.sys file.



6. NEW AND IMPROVED

(contributed by Sue Cooper, [email protected])

* INSTALL PRECONFIGURED SECURITY APPLIANCE SecurityMetrics introduced the SecurityMetrics Appliance, a Plug and Play (PnP) solution that provides intrusion detection, intrusion prevention, vulnerability assessment, and an optional firewall module. The appliance is preconfigured for your network by SecurityMetrics engineers and is designed to let you enable or disable modules with the click of a button. It automatically updates the latest vulnerability assessment tools, Intrusion Detection System (IDS) attack signatures, and program enhancements every night; you also can manually update the system anytime. The appliance can address attacks from external intruders, your internal equipment, or your network users. The SecurityMetrics Appliance has a browser-based management interface that lets you tune the system to remove false positives. Contact SecurityMetrics at 877-311-4400, 801-724-9600, or [email protected]

* CREATE AND MANAGE BEST-PRACTICE SECURITY POLICIES NetVision announced the Integrated Security Policy Management system 4.0, a Java-based suite of four integrated products with Active Directory (AD) support. The first product, NVMonitor, provides realtime intrusion prevention that detects and stops attacks on your enterprise. NVAssess inspects your servers, directories, applications, and services for vulnerabilities and automatically corrects problems. NVIdentity offers cross-platform identity management, including realtime user account and password synchronization across directories and applications, automated user provisioning, and role-based access controls. NVPolicy Resource Center is a Web-based policy development and deployment framework that automatically delivers policies to your employees and distribution and acceptance. The Integrated Security Policy Management system 4.0 will be available in May. Contact NetVision at 877-828-9180 or [email protected]

* SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]




7. HOT THREAD - Windows & .NET Magazine Online Forums

Featured Thread: VPN or Terminal Services? (Nine messages in this thread)

An administrator runs a Windows-based network. A number of users, including the boss, have asked him to set up a way for them to work from home over their new broadband Internet connections. They want him to establish a VPN, but because he has no control over the users' home PCs, he doesn't think he should permit a VPN. He's considering publishing Windows 2000 Server Terminal Services through the firewall, but he has doubts about security. In that scenario, the network would be isolated from users' home PCs, but Terminal Services could be a point of vulnerability. Is it possible to achieve satisfactory security with Terminal Services over the Internet? Lend a hand or read the responses:



8. CONTACT US

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- [email protected]

* ABOUT THE NEWSLETTER IN GENERAL -- [email protected] (please mention the newsletter name in the subject line)


* PRODUCT NEWS -- [email protected]



******************** This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.


Thank you for reading Security UPDATE.

Thank you!

Copyright 2003, Penton Media, Inc.
