Security UPDATE, August 27, 2003

Windows & .NET Magazine Security UPDATE--August 27, 2003
===============

==== This Issue Sponsored By ====
Windows Scripting Solutions


1. In Focus: BlackHat Briefings Reflect Industry Changes

2. Security Risks
   - System-Compromise Vulnerability in Microsoft MDAC
   - Multiple Vulnerabilities in Microsoft IE

3. Announcements
   - Attend Black Hat Briefings & Training Federal!
   - Need Help Managing Your Storage Investment?

4. Security Roundup
   - News: Welchia/Nachi Worm: Vigilante or Poor Disguise?
   - News: Worms and Viruses, Oh My
   - Feature: Disaster Prevention: Preparing for the Worst

5. Security Toolkit
   - Virus Center
   - Virus Alert: Sobig.F
   - FAQ: How Do I Assign Unique Local Administrator Passwords?

6. Event
   - New--Mobile & Wireless Road Show!

7. New and Improved
   - Train Employees on Security Best Practices
   - Protect Web Applications and Infrastructure
   - Submit Top Product Ideas

8. Hot Thread
   - Windows & .NET Magazine Online Forums
     - Featured Thread: Need Help Cleaning Femad.B Virus
   - HowTo Mailing List:
     - Featured Thread: Blocking Ping Traffic

9. Contact Us
   See this section for a list of ways to contact us.


==== Sponsor: Windows Scripting Solutions ====
Windows Scripting Solutions for the Systems Administrator

You might not be a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions, the monthly print publication that helps you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. Try a sample issue today at:


==== 1. In Focus: BlackHat Briefings Reflect Industry Changes ====
by guest columnist Mark Burnett, [email protected]

The security industry evolves constantly, and this year's BlackHat Briefings in Las Vegas (July 28 through 31) reflects the changes. The BlackHat Briefings is a security conference that addresses the technical and legal concerns security professionals face and focuses on the newest emerging threats and risks. "We are seeing a shift towards the policy and legal issues," said conference administrator Ping Look. "We are also seeing more awareness and participation from the higher education sector, [among] those attending and [among] those speaking."

The briefings consisted of 10 tracks, among them a new track dedicated to policy, law, and society. The new track included such sessions as "Criminal Copyright Infringement and Warez Trading" and "Introduction to Corporate Information Security Law." Also new this year was a series of panels discussing IT security trends, including the handling of security vulnerabilities.

As usual, BlackHat was full of presentations detailing the newest constantly evolving threats, many of which target authentication systems and core networking infrastructure. Kevin Mitnick, author of "The Art of Deception," (John Wiley & Sons, 2002) said, "It's always going to be a cat and mouse game; there are constantly new security technologies but people are still getting past them."

The number of threats has increased, but for IT and security professionals, the recommendations are still basically the same: Keep up with OS patches, use strong passwords, configure your firewall properly, and educate users. "The challenge is education," said Vincent Weafer, senior director of Symantec Security Response. "How do you create awareness across the organization?" Weafer added that corporate security spreads beyond the corporate networks: "Home security impacts corporate security; we need to do a better job reaching home users."

Weafer emphasized Symantec's change in strategy toward consolidation to deal with the increasing number of security threats: "It is driving changes inside the corporation, forcing [everyone involved] to bring standalone systems together."

The conference topics expanded beyond technical threats to address related issues, including cyberterrorism, attacks on anonymity systems, and the legal concerns involved in vulnerability research and disclosure. "There is more interest in these issues," said Jennifer Granick of the Center for Internet and Society at Stanford Law School, "These issues are starting to matter to more people in their day-to-day lives."

Granick's presentation, "The Law of 'Sploits," tackled the US Digital Millennium Copyright Act (DMCA) and its effect on researching and publishing security vulnerabilities. In her presentation, she addressed the problem with which we all struggle: "The same information that allows more wide-spread exploitation of vulnerabilities is required to correct those vulnerabilities." According to Granick, "The law is grappling with these issues; the law recognizes that [releasing security vulnerability information] is important but also recognizes there is potential harm."

Despite the expanding coverage of topics at BlackHat, some things never change: Security researcher David Litchfield of Next Generation Security Software (NGSSoftware) released his usual 0-day exploits; Tim Mullen, CIO and chief software architect for, released his new Terminal Services password brute-force tool, TSGrinder; and Simple Nomad released two new anonymity tools, Ncrypt and Ncovert.

BlackHat produces five briefing and training events each year, and attendance at the Las Vegas event has grown from the 110 people who attended the first conference in 1997 to more than 1700 this year. For information about upcoming BlackHat Briefings, visit the Web site at the URL below.


==== 2. Security Risks ====
contributed by Ken Pfeil, [email protected]

System-Compromise Vulnerability in Microsoft MDAC
Aaron C. Newman of Application Security discovered a new vulnerability in Microsoft Data Access Components (MDAC) that can result in the compromise of a vulnerable computer. This vulnerability is the result of a flaw in a specific MDAC component that handles broadcast requests. By responding to a request with a specially crafted packet, an attacker can create a buffer overflow. Microsoft has released Security Bulletin MS03-033 (Unchecked Buffer in MDAC Function Could Enable System Compromise) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.

Multiple Vulnerabilities in Microsoft IE
Yu-Arai of Little eArth Corporation (LAC), eEye Digital Security, and Greg Jones from KPMG UK discovered two new vulnerabilities in Microsoft Internet Explorer (IE), the most serious of which can result in the execution of arbitrary code on the vulnerable computer. These two new vulnerabilities are related to IE's cross-domain security model and IE's failure to properly determine an object type that a Web server returns. Microsoft has released Security Bulletin MS03-032 (Cumulative Patch for Internet Explorer) to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin.

==== Virus Update from Panda Software ====
Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control.

Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today!

==== 3. Announcements ====
(from Windows & .NET Magazine and its partners)

Attend Black Hat Briefings & Training Federal!
Running September 29-30, 2003 (Training) and October 1-2, 2003 (Briefings) in Tysons Corner, VA, this is the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! Includes 6 tracks, 12 training sessions, top speakers, and sponsors. Lots of Windows stuff. Early-bird registration ends September 6, so register today!

Need Help Managing Your Storage Investment?
Planning and managing your storage deployment can be costly and complex. Check out Windows & .NET Magazine's Storage Administration Web site for the latest advice, news, and tips to help you make the most of your storage investment. You'll find problem-solving articles, eye-opening white papers, a technical forum, and much more!

==== 4. Security Roundup ====

News: Welchia/Nachi Worm: Vigilante or Poor Disguise?
A new worm is on the loose, one that exploits the remote procedure call (RPC)/Distributed COM (DCOM) security problem. The worm, Welchia/Nachi, attempts to infiltrate a system and force it to install Microsoft's RPC/DCOM patch, which amounts to vigilantism. But is the worm really trying to protect users?

News: Worms and Viruses, Oh My
Two new computer attacks are wreaking havoc with PC users, clogging email systems and overwhelming corporate networks. The first, which oddly enough seeks to undo the damage from the infamous MSBlaster worm, is Welchia/Nachi; it aggressively looks for new hosts that MSBlaster has infected, then downloads and installs the Microsoft patch that fixes the vulnerability. The second, SoBig.F and its variants, is a virus and is more malicious. This virus infects users through email, searches for email addresses on the users' systems, then sends itself through email messages to each of those email addresses.

Feature: Disaster Prevention: Preparing for the Worst
Many people break the subject of high availability into two parts--disaster prevention and disaster recovery--and discuss the topic as if every step in a high-availability solution fits neatly into one arena or the other. However, as this author planned her article and tried to determine which activities constitute disaster prevention and which constitute disaster recovery, she found that the line between the two isn't a neat one. She also realized that to distinguish between disaster prevention and disaster recovery, you need a clear definition of "disaster" for your organization. Use the best practices in Kalen Delaney's article to help protect your systems.

==== 5. Security Toolkit ====

Virus Center
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

Virus Alert: Sobig.F
Sobig.F is a worm that spreads through email and across shared network drives. When Sobig.F spreads through email, it arrives as a message with variable characteristics and contains an attached file that usually has a .pif extension. When the worm spreads across shared network drives, it attempts to copy itself to those drives to which the local computer has access. Learn more about the worm at the URL below:

FAQ: How Do I Assign Unique Local Administrator Passwords?
contributed by Jan De Clercq
You might want to check out Foghorn Security's Local Account Password Manager (LAPM), a tool that gives every workstation a unique administrator password and centralizes the administration related to this operation. You can download a fully functional, nonexpiring demo version of LAPM from The demo version has a built-in host limit of 35 machines. For a description of how the tool works and what you can expect, read the rest of this FAQ at the URL below:

==== 6. Event ====

New--Mobile & Wireless Road Show!
Learn more about the wireless and mobility solutions that are available today! Register now for this free event!

==== 7. New and Improved ====
by Sue Cooper, [email protected]

Train Employees on Security Best Practices
Software By Bay announced the Web-based Information Security Education (WISE) training program, a series of interactive, self-paced courses to increase knowledge about ongoing internal and external security breaches and attacks and how to defend against them. Based on the International Organization for Standardization (ISO) 17799 information security best practices standards, the course provides training ranging from general security awareness and security management to detailed technical training. Introductory pricing for each course is $99. Contact Software By Bay at 866-973-8324, 973-257-1205, or [email protected]

Protect Web Applications and Infrastructure
MagniFire WebSystems announced its flagship program, TrafficShield, which protects Web applications and the infrastructure behind them from both known and unknown attacks. Its true-positive security logic for Web applications ensures that any customer interaction not specifically known to be legal is blocked immediately. The hardened appliance automatically creates an accurate granular security policy of every legal user interaction with the Web site, denying everything else. TrafficShield is currently installed in major financial institutions worldwide. The price is $25,000 per appliance. Contact MagniFire WebSystems at 212-909-2772 or [email protected]

Submit Top Product Ideas
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]

==== 8. Hot Thread ====

Windows & .NET Magazine Online Forums
Featured Thread: Need Help Cleaning Femad.B Virus
(Three messages in this thread)
A user writes that he ran McAfee and Grisoft's AVG antivirus software on his system and found that the Femad.B Trojan horse had infected the msdos.exe file, but he can't seem to clean the virus. He's searched for the virus information but to no avail. He tried to delete the infected msdos.exe file, but his Windows XP system reboots when he merely highlights the file to delete it! Lend a hand or read the responses:

HowTo Mailing List
Featured Thread: Blocking Ping Traffic
(Two messages in this thread)
A user wants to know how he can block Internet Control Message Protocol (ICMP) ping traffic from reaching his system. Lend a hand or read the responses:

==== Sponsored Links ====

Ultrabac
FREE live trial-Backup & Disaster Recovery software w/ encryption

CrossTec
Free Download - NEW NetOp 7.6 - faster, more secure, remote support

MailFrontier
Eliminate spam once and for all. MailFrontier Anti-Spam Gateway.


==== 9. Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]

===============
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today.

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.