Security UPDATE, June 4, 2003

==== This Issue Sponsored By ====

TNT Software http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB07mN0Ag

Panda Software http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BAft0AT

1. In Focus: Cybercrime; Microsoft Hotfix; Eliminating Spam

2. Security Risks - Multiple Vulnerabilities in Microsoft IIS - DoS in Microsoft WMS for Win2K and NT - Buffer Overrun in AnalogX Proxy Server for Windows - Remote Compromise Vulnerability in BadBlue Personal File Sharing Program

3. Announcements - Cast Your Vote in Our Annual Readers' Choice Awards! - Windows & .NET Magazine Connections: Fall Dates Announced

4. Security Roundup - News: Magazine Announces Best of Show Finalists - News: TrustZone Added to ARM Processor Architecture - News: HP Releases New Systems with Chip-Based Security

5. Security Toolkit - Virus Center - FAQ: Why Can't Some of Our Users Change Their Passwords?

6. Event - Security 2003 Road Show

7. New and Improved - Set a Trap for Intruders - Protect AD from Rogue Administrators - Submit Top Product Ideas

8. Hot Thread - Windows & .NET Magazine Online Forums - Featured Thread: Security Rights for Laptop Users

9. Contact Us See this section for a list of ways to contact us.

==== Sponsor: TNT Software ====

Experience the Benefits of Real Time Monitoring Poring over event records after the fact? Are undetected DoS attacks a constant threat? Could unauthorized webmasters take artistic liberties to your homepage without you knowing about it? There is an affordable solution. ELM Enterprise Manager monitors your security perimeter and alerts you by page, email, or instant message in time to take prompt action. Download your FREE full featured 30 Day evaluation copy NOW and start experiencing the benefits for real time monitoring. http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB07mN0Ag

==== 1. In Focus: Cybercrime; Microsoft Hotfix; Eliminating Spam ==== by Mark Joseph Edwards, News Editor, [email protected]

The Computer Security Institute (CSI) released the "2003 Computer Crime and Security Survey," its eighth annual report conducted in association with the FBI. The report shows that despite shifts in trends, cybercrime remains a serious problem, as you well know.

Highlights from the report show that financial losses from security breaches have dropped by about 56 percent. Last year, respondents reported losses of about $455,848,000; this year, respondents reported losses of about $201,797,340. However, though financial losses dropped, roughly the same number of incidents occurred.

The report indicates a huge drop in losses from financial fraud, the most costly security problem. Last year, losses totaled $116 million; this year, losses totaled about $9.1 million. The largest losses came through the theft of proprietary information, with respondents reporting an average loss of about $2.7 million. For the second most costly security problem, however, Denial of Service (DoS) attacks, losses increased about 250 percent--to more than $65.6 million.

According to CSI Director Chris Keating, "The trends the CSI/FBI survey has highlighted over the years are disturbing. \[Cybercrimes\] and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks; furthermore, such incidents can result in serious damages ... Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies, and most importantly adequate staffing and training of information security practitioners in both the private sector and government." If you want to see the complete survey results, you can obtain a copy by submitting a request form at the CSI Web site. http://www.gocsi.com/forms/fbi/pdf.html

Microsoft Hotfix Speaking of cyber attacks, you're probably aware that Microsoft has released a new security bulletin, MS03-019 (Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution). According to Microsoft, the problem affects Windows 2000 and Windows NT systems. The company initially rated the problem's severity as "moderate," noting that the DoS would lead to the server rebooting itself.

However, Mark Maiffret of eEye Digital Security pointed out that according to his company's tests as well as the tests that vulnerability discoverer Brett Moore conducted, the problem is far more serious than Microsoft first indicated. The tests show that the problem isn't simply a Denial of Service (DoS) issue. According to Maiffret, "If you're running Windows Media Services on IIS, attackers can spawn a remote shell command prompt on your vulnerable system." Microsoft has modified the vulnerability rating to "important" and re-released its related security bulletin. Administrators should patch their systems soon as possible to avoid having an intruder running rampant through a remote command shell.

Eliminating Spam Because I've mentioned junk mail recently, I want to share a couple of my experiences in "taking out the trash." I run a mail server with a good built-in filtering subsystem. Typically, I receive anywhere from several hundred messages per day (weekdays) to 50 messages per day (weekend days). On average, my basic filters can eliminate at the gateway about 30 percent of the junk mail that I receive. But that's simply not effective enough.

I've found that if I relay my email messages through a server running a Bayesian filtering system, I can eliminate more than 95 percent of the junk mail once destined for my Inbox. For details about Bayesian filtering, visit Paul Graham's Web site, on which you'll find several excellent articles. http://www.paulgraham.com/articles.html

Several Bayesian filtering systems are commercially available today. However, because many of you are under serious budget constraints, you might need a shareware solution. The shareware filtering solution I use now is SpamAssassin, which many of you already know and use. Although SpamAssassin was developed for Linux platforms (see the first URL below), you can install it on Win32-based systems. (You can also integrate it into Microsoft Outlook, Lotus Notes, and Novell GroupWise.) For details about how to use SpamAssassin on Win32 platforms, see the second URL below. Because Windows users typically prefer a GUI interface to handle configuration, check into the Windows-based GUI configuration interface for SpamAssassin (see the third URL below). SpamAssassin can probably also be integrated to work with Microsoft Exchange Server, but I haven't come across exact details. If you can direct me to such information, please send me an email message. http://www.spamassassin.org http://www.openhandhome.com/howtosa.html http://www.openhandhome.com/saconf.html

SpamAssassin has many slick features, such as automatic learning for whitelist creation. As with all junk-mail filtering software, you'll have to tweak the parameters to suit your mail influx. After a few days of use, you should be able to filter out 95 percent or more of the junk mail you receive. So if you need a cheap way to deal with junk mail and you have time to spend on such a project, be sure to check out SpamAssassin.

==== Sponsor: Panda Software ====

YOU DESERVE FREE PROTECTION AT HOME! Tired of spending up to $50 on AV and firewall licenses every year for each machine in your home? Qualify on our industry perks program and never pay again! (Cover all of your home machines too - for free.). You'll get Panda Software's professional AV + firewall, the one that catches More Viruses, Faster(tm), even on machines you thought were protected! (Limited time, US-only program for qualified entrants only.) Click here now: http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BAft0AT

==== 2. Security Risks ==== contributed by Ken Pfeil, [email protected]

Multiple Vulnerabilities in Microsoft IIS SPI Dynamics and NSFOCUS discovered four new vulnerabilities in Microsoft IIS 5.1, IIS 5.0, and IIS 4.0, the most serious of which can result in the execution of arbitrary code on the vulnerable system. A cross-site scripting vulnerability affecting IIS 5.1, IIS 5.0, and IIS 4.0 involves an error message about the redirection of a requested URL. IIS 5.0's incorrect validation of requests for certain types of Web pages, known as server-side includes, results in a buffer overrun. A flaw in the way IIS 5.0 and IIS 4.0 allocate memory requests when constructing headers to be returned to a Web client results in a Denial of Service (DoS) vulnerability. IIS 5.1 and IIS 5.0's incorrect handling of an error condition when they receive an overly long Web Distributed Authoring and Versioning (WebDAV) request also results in a DoS vulnerability. Microsoft has released Security Bulletin MS03-018 (Cumulative Patch for Internet Information Service) to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39122

DoS in Microsoft WMS for Win2K and NT Brett Moore discovered a new vulnerability in Microsoft Windows Media Services (WMS) for Windows 2000 and Windows NT that can result in a Denial of Service (DoS) condition. This vulnerability stems from a flaw in the way nsiislog.dll processes incoming requests. An attacker can exploit this vulnerability by sending specially formed communications to the server that cause Microsoft IIS to stop responding to Internet requests. Microsoft has released Security Bulletin MS03-019 (Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39123

Buffer Overrun in AnalogX Proxy Server for Windows K. K. Mookhey discovered a vulnerability in AnalogX Proxy 4.13 and earlier that can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a buffer-overflow condition. AnalogX has released version 4.14, which isn't vulnerable to this condition. http://www.secadministrator.com/articles/index.cfm?articleid=39121

Remote Compromise Vulnerability in BadBlue Personal File Sharing Program Matt Murphy discovered a vulnerability in BadBlue Web Based File Sharing Program Personal Edition 1.7 through 2.2 that can let an attacker gain full administrative control of the vulnerable system. This vulnerability is partially the result of the software performing two security checks (i.e., binary replacement of the first two characters in the requested file extension and the requirement that requests to access .hts files be submitted by 127.0.0.1 and contain a proper 'Referer' header) in the wrong order. BadBlue has released version 2.3, which isn't vulnerable to this condition. http://www.secadministrator.com/articles/index.cfm?articleid=39092

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Cast Your Vote in Our Annual Readers' Choice Awards! Which companies and products are the best on the market? Tell us by nominating your favorites in the annual Windows & .NET Magazine Readers' Choice Awards survey. Click here! http://www.winnetmag.com/readerschoice

Windows & .NET Magazine Connections: Fall Dates Announced Jump-start your fall 2003 training plans by securing your seat for Windows & .NET Magazine Connections Fall, scheduled for November 2 through 6, 2003, in Orlando, Florida. Register now to receive the lowest possible registration fee. Call 800-505-1201 or 203-268-3204 for more information. http://www.devconnections.com

==== 4. Security Roundup ====

News: Magazine Announces Best of Show Finalists Windows & .NET Magazine announced the finalists of the Best of Show Awards for TechEd 2003, which is being held June 1 through June 6 in Dallas. The field included more than 211 entries in seven categories. The Best of Show judges, who are technical editors for Windows & .NET Magazine, will choose the winners during TechEd 2003. Windows & .NET Magazine will announce the winners at a private function on Wednesday, June 4. The list of winners will be publicly available on Thursday, June 5. http://www.secadministrator.com/articles/index.cfm?articleid=39086

News: TrustZone Added to ARM Processor Architecture British chipmaker ARM announced its new TrustZone technology, which the company will add to its ARM processor architecture to provide a secure foundation for OSs and applications such as Palm OS, Symbian OS, Linux, Windows CE, and Java. http://www.secadministrator.com/articles/index.cfm?articleid=39108

News: HP Releases New Systems with Chip-Based Security Hewlett-Packard (HP) has released its new ProtectTools Embedded Security chip in its line of D530 series motherboards for business computers. The new chip, called Trusted Platform Module (TPM), operates independently of other system components such as the processor, memory, and OS. According to HP, TPM will enhance file and folder encryption in Microsoft OSs. http://www.secadministrator.com/articles/index.cfm?articleid=39095

Hot Release Research in Motion * BlackBerry Security White Paper for Microsoft Exchange Download this free technical white paper now from Windows & .NET Magazine's White Paper Central. Brought to you courtesy of Research in Motion. http://ad.doubleclick.net/clk;5580710;7402808;g?http://www.blackberry.com/select/server_wp/index.shtml?CPID=AF22037

==== 5. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

FAQ: Why Can't Some of Our Users Change Their Passwords? (contributed by Jan De Clercq, [email protected])

A. Sometimes users receive the error message "You do not have permission to change your password." Upon investigation, you might find that only the Administrator account could change the password. Windows NT 4.0 displays this error message if both of the following items are selected in the User Manager for Domains utility: "User Must Change Password at Next Logon" in the user account properties and "User must log on in order to change password" in the account policies. The administrator can resolve this problem by resetting the user account's password or by clearing the "User must log on in order to change password" option. By default, NT Server 4.0 doesn't have the "User must log on in order to change password" option selected. For more information about these particular configuration settings, read the explanation on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=25024

==== 6. Event ====

Security 2003 Road Show Join Mark Minasi and Paul Thurrott as they deliver sound security advice at our popular Security 2003 Road Show event. http://www.winnetmag.com/roadshows/security2003

==== 7. New and Improved ==== by Sue Cooper, [email protected]

Set a Trap for Intruders NETSEC released SPECTER 7.0, honeypot software that now supports Windows XP and can simulate 14 different OSs. New features include automated online updates of the application's decoy content and vulnerability database, which constantly changes the honeypot, making it nearly impossible for an attacker to detect. SPECTER now creates executable programs that leave hidden marks on the attacker's computer. Law enforcement officials can use the marks as evidence for legal proceedings and security incident reconstructors can use them to reconstruct an incident. SPECTER 7.0 runs on Windows XP/2000. NETSEC offers SPECTER 7.0 as a free upgrade to SPECTER 6.x and SPECTER 5.x users. Prices start at $899 for initial purchases. Contact NETSEC on the Web. http://www.specter.com

Protect AD from Rogue Administrators NetPro Computing announced DirectoryLockdown 2.0, a security solution to mitigate Active Directory (AD) attacks. The software monitors the Configuration and Schema Naming Contexts (NCs) of AD for unauthorized changes. If it detects modifications made to NC replicas, the software notifies you immediately and disables replication to and from the domain controller (DC), completely shutting it down. DirectoryLockdown 2.0 includes a recovery utility that lets you quickly restore the DC. DirectoryLockdown 2.0 is available with NetPro's Secure Active Directory Lifecycle Suite or as a standalone product. Contact NetPro at 602-346-3600 or on the Web. http://www.netpro.com

Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

==== 8. Hot Thread ====

Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums

Featured Thread: Security Rights for Laptop Users (Two messages in this thread)

A user writes that for security reasons his company wants to restrict laptop users to the Power User and User groups. The problem he encounters with that setup is that sometimes he sends users programs that require Administrator rights to install. How he can accomplish the software installations without granting the users Administrator access or giving them the Administrator password? Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=58902

==== Sponsored Links ====

FaxBack Integrate FAX into Exchange/Outlook (Whitepaper, ROI, Trial) http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BAb30AK

==== 9. Contact Us ====

About the newsletter -- [email protected] About technical questions -- http://www.winnetmag.com/forums About product news -- [email protected] About your subscription -- [email protected] About sponsoring Security UPDATE -- [email protected]