From: Security UPDATE [Security_UPDATE@list.win2000mag.net]
Sent: Thursday, June 01, 2000 2:00 AM
To: GlennEverhart@FIRSTUSA.COM
Subject: Security UPDATE, May 31, 2000


**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE 
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter 
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/ 
**********************************************************

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
May 31, 2000 - In this issue:

1. IN FOCUS
     - Think You're Safe from Sniffing? 

2. SECURITY RISKS
     - Windows Computer Browser Denial of Service
     - Master Browser Denial of Service
     - WebShield SMTP Buffer Overflow Condition
     - Buffer Overflows in PDGSoft Shopping Cart
     - Mailsite Buffer Overflow

3. ANNOUNCEMENTS
     - Discover Windows 2000 Magazine
     - Microsoft Tech-Ed 2000 WebCast

4. SECURITY ROUNDUP
     - News: Beware of Killer Resumes 
     - News: Microsoft Delays Outlook Security Update

5. NEW AND IMPROVED
     - PC Security
     - Collaboration to Deliver Subscription Services to Hotmail Users

6. SECURITY TOOLKIT
     - Book Highlight: Virus Proof: The Ultimate Guide to Protecting 
Your System
     - Tip: Microsoft's Online Security Papers
     - Windows 2000 Security: Creating a Custom Password-Reset MMC

7. HOT THREADS 
     - Windows 2000 Magazine Online Forums
         User Passwords
     - Win2KSecAdvice Mailing List
         Windows DoS Code (jolt2.c)
     - HowTo Mailing List
         Using a Logon Script to Update Virus Signature Files
         Windows NT 4.0 System Policy

1. ========== IN FOCUS ==========

Hello everyone,

Do you use Ethernet switches to help protect network traffic from 
prying eyes? For a long time, switches have been a tactic against 
snoops. A switched network separates traffic so that a user on one 
segment can't easily sniff traffic on another segment. To sniff traffic 
on a switched network, an intruder must either place a sniffer on the 
actual target segment or get machines on the target segment to send 
traffic through the intruder's own network segment or system. 
Instructing a remote machine to forward packets the intruder's way used 
to be difficult; the intruder had to somehow change the remote host's 
gateway. Not an easy task, unless the intruder has a copy of 
arpredirect. 
   Arpredirect is an Address Resolution Protocol (ARP) poisoning tool. 
The tool can instruct a remote system to change its gateway address by 
sending the host the appropriate ARP packets. For example, an intruder 
can use arpredirect to instruct a remote host to forward all packets to 
the intruder's IP address. The intruder can analyze or save the 
packets, then forward them to their final destination without the 
remote user's knowledge. 
   Dug Song originally developed the arpredirect tool in December 1999. 
The tool is part of his dsniff package, which is available at Song's 
Web site (http://naughty.monkey.org/~dugsong/dsniff). I had forgotten 
about arpredirect until I recently read an article by Stuart McClure 
and Joel Scambray in a competing publication. The two men point out 
that we need to be aware of arpredirect and the entire dsniff package 
because it can be dangerous in the wrong hands. 
   In a nutshell, dsniff is the Swiss army knife of privacy invasion. 
The package ships with a handful of powerful tools, including urlsnarf, 
webspy, mailsnarf, and the dsniff tool. Urlsnarf grabs every URL that 
passes across the wire and stores it for later examination. Webspy can 
grab URLs off the wire and open the URL in your local browser window so 
you can follow along and view what a remote user is seeing on his or 
her Web browser. Mailsnarf is just as nasty as webspy--it can sniff 
SMTP-related packets off the wire and reassemble entire email messages 
into a common format that popular mail clients can read. The dsniff 
tool is one of the most powerful password grabbers I've seen. It can 
snag passwords off the wire from many different protocols, including 
FTP, Telnet, Web, POP3, IMAP, LDAP, Citrix ICA, pcAnywhere, SMB, Oracle 
SQL*Net, and numerous others.
   Even though the tools found in the dsniff package are written for 
UNIX platforms, you still need to be aware that these tools exist 
because they could be used against your Windows-based networks. Song's 
package is incredibly powerful, whether used with good or bad intent. 
The tools point out a well-known problem with networks in general: 
malicious users can easily sniff clear text from packets to glean 
sensitive data. Although blocking ARP redirects and monitoring ARP 
traffic and tables can help protect against tools like arpredirect, 
those tactics are certainly not cure-alls. They help prevent packets 
from becoming misdirected, but most data still travels in clear text 
over your networks, which means localized intruders can glean sensitive 
data with packet-sniffing tools. To better protect your data, you must 
encrypt it at some level before sending it out on the wire, and you 
must use sniffer-detecting tools to help stop the snoops.
   The decision about which tactics to use for data protection depends 
on your data and your organization, so I can't give you much more 
advice on the matter. Just be aware that ARP poisoning and data 
sniffing are real problems that you need to guard against. Until next 
time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
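
The ARP table monitoring mentioned in the column above, as an added
example that is not part of the original newsletter: this Python script
compares two snapshots of Windows `arp -a` output and flags a gateway
whose MAC address changed or a single MAC that answers for several IPs.
The sample tables, addresses, and function names are constructed for
illustration.

```python
import re
from collections import defaultdict

# Constructed sample output in the Windows `arp -a` layout (addresses made up).
BASELINE = """\
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-10-5a-aa-bb-01     dynamic
  192.168.1.35          00-10-5a-aa-bb-35     dynamic
  192.168.1.40          00-10-5a-aa-bb-40     dynamic
"""

# Constructed later snapshot: the gateway IP now resolves to host .35's MAC.
CURRENT = """\
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-10-5A-AA-BB-35     dynamic
  192.168.1.35          00-10-5a-aa-bb-35     dynamic
  192.168.1.40          00-10-5a-aa-bb-40     dynamic
"""

# One table row: IPv4 address, MAC (dash or colon separated), entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s+(\w+)\s*$"
)


def parse_arp_table(text):
    """Return {ip: mac} for dynamic (learned from the wire) entries only."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).lower() == "dynamic":
            # Normalise case and separator so comparisons are reliable.
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def find_anomalies(baseline, current, gateway_ip):
    """Compare two {ip: mac} tables; return (severity, message) findings."""
    findings = []
    for ip, mac in sorted(current.items()):
        old = baseline.get(ip)
        if old and old != mac:
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            findings.append((sev, f"{ip} moved from {old} to {mac}"))
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(("WARNING", f"{mac} answers for {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    base, now = parse_arp_table(BASELINE), parse_arp_table(CURRENT)
    for sev, msg in find_anomalies(base, now, "192.168.1.1"):
        print(f"{sev}: {msg}")
```

A changed MAC is not always hostile (a replaced network card produces
the same finding), so treat each alert as a prompt to check the switch
port behind the new address.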

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* WINDOWS COMPUTER BROWSER DENIAL OF SERVICE
Under the Common Internet File System (CIFS) protocol, every domain on 
a Windows subnet has a Master Browser and can also have one or more 
backup browsers. A malicious user can deny service on network browsers 
by sending those systems a ResetBrowser command (called a frame) 
because you can't configure a browser to ignore ResetBrowser frames. 
Microsoft has issued a patch for the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-4.htm

* MASTER BROWSER DENIAL OF SERVICE
A user can send a large number of bogus HostAnnouncement frames 
(commands) to a Master Browser, where the subsequent replication 
traffic between the Master Browser and any backup browsers can consume 
a large amount of network bandwidth and cause other problems as well. 
Microsoft has issued a patch for the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/winnt4-5.htm

* WEBSHIELD SMTP BUFFER OVERFLOW CONDITION
By telnetting to a machine that runs the WebShield SMTP management 
agent, a person can access current server configuration information. In 
addition, an unchecked buffer exists that can let code pass to the 
service for execution. If a user sends 208 bytes or more with one of 
the configuration parameters, the service crashes, overwriting the 
stack. NAI is aware of the problem; however, no fix is available yet. 
In the meantime, run the WebShield SMTP service under a restricted 
account or disable the service.
   http://www.ntsecurity.net/go/load.asp?iD=/security/webshield1.htm

* BUFFER OVERFLOWS IN PDGSOFT SHOPPING CART
PDGSoft's shopping cart ships with two executables that contain 
unchecked buffers that let an intruder inject code for execution on the 
server. The two executables are redirect.exe and changepw.exe and are 
accessible via the Web. PDGSoft has issued patches for all versions of 
the shopping cart software.
   http://www.ntsecurity.net/go/load.asp?iD=/security/pdgsoft1.htm

* MAILSITE BUFFER OVERFLOW
Rockcliffe Mailsite lets remote users access POP3 accounts to read 
email via the Web. The service, which listens on port 90, contains a 
buffer overflow condition that lets an attacker execute arbitrary code 
on the server. Rockcliffe has released a patch to correct the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/mailsite2.htm

3. ========== ANNOUNCEMENTS ==========

* DISCOVER WINDOWS 2000 MAGAZINE 
Subscribe to the single best source of independent, hands-on, practical 
information for people who make their living deploying and maintaining 
Windows 2000 and Windows NT. Every issue contains extensive advice and 
tips so that you can do your job better today while you prepare for 
tomorrow's technology developments. 
http://www.win2000mag.com/sub.cfm?=00inxupd

* MICROSOFT TECH-ED 2000 WEBCAST
The Microsoft Tech-Ed 2000 WebCast, June 5 through 8, is for developers 
and IT professionals who need the technical content being presented at 
Microsoft Tech-Ed 2000 but can’t attend. You can view a total of 38 
sessions for only $99. There will be a Q&A session with the WebCast 
audience after each of the 18 live sessions, including live Q&A with 
Bill Gates and Bob Muglia after their keynotes. Register today at
http://msdn.microsoft.com/events/tewebcast/default.asp.

4. ========== SECURITY ROUNDUP ==========

* NEWS: BEWARE OF KILLER RESUMES
A new worm based on the Melissa strain is circulating the Internet. The 
worm spreads in files attached to email messages with the subject 
"Resume--Janet Simons." According to Symantec, the attachment is a Word 
97 document that arrives with any of several file names, including 
explorer.doc, resume.doc, resume1.doc, and normal.doc. The file 
contains a destructive macro virus that deletes files on the system and 
spreads the worm via email.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=146&TB=news

* NEWS: MICROSOFT DELAYS OUTLOOK SECURITY UPDATE
Microsoft delayed the release of its Outlook 2000 and Outlook 98 
Security Update so it can add new functionality that lets 
administrators better control the update's new features. Administrators 
can make different configurations available depending on a user's 
profile. For example, administrators can define which file types a user 
can receive, execute, or save to disk. In addition, customizable 
dialogs warn the user when access attempts are made against the address 
book. Microsoft has not stated when the update will be available, but 
speculators estimate that it will be available this week.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=145&TB=news

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* PC SECURITY
Ensure Technologies announced XyLoc Professional, a wireless PC 
security solution that recognizes users based on their proximity to the 
PC. The user wears a badge to communicate securely with proximity-
detection hardware and software that resides on each PC. XyLoc unlocks 
the PC only after identifying the user. When the user walks away from 
the PC, XyLoc Professional secures the PC until that user returns or 
another authorized user approaches. 
   XyLoc Professional runs on Windows 2000, Windows NT, and Windows 9x 
systems. For pricing, contact Ensure Technologies, 734-668-8800.
   http://www.ensuretech.com/

* COLLABORATION TO DELIVER SUBSCRIPTION SERVICES TO HOTMAIL USERS
McAfee announced that it signed a 2-year agreement with Microsoft to 
provide Clinic Services to MSN Hotmail users. Under terms of the 
agreement, McAfee will provide virus-scanning software to automatically 
scan all email attachments for Hotmail's 58 million users. McAfee will 
also offer Hotmail users the existing features of McAfee Clinic 
Services, including online virus scanning, ActiveShield 24x7 antivirus 
protection, PC maintenance utilities, and other McAfee.com services as 
they become available. For more information, contact McAfee at 408-572-
1500 or http://www.mcafee.com. 

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: VIRUS PROOF: THE ULTIMATE GUIDE TO PROTECTING YOUR 
SYSTEM
By Prima Development
Online Price: $27.95
Softcover; 288 pages
Published by Prima Publishing, April 2000
ISBN 0761527478
Like biological viruses, computer viruses can spread quickly and are 
often difficult to get rid of without causing damage. "Virus Proof: The 
Ultimate Guide to Protecting Your System" provides key steps you should 
take to protect your system from these destructive viruses. You'll 
learn what common viruses do, how they spread, and how to recover lost 
data. To order this book, go to
http://www.fatbrain.com/shop/info/0761527478?from=win2000mag
or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.

* TIP: MICROSOFT'S ONLINE SECURITY PAPERS
(contributed by mark@ntsecurity.net)

Many people still aren't familiar with Windows 2000-related security. 
To help you get up to speed, Microsoft has made lots of information 
available online. For example, in one streaming media presentation, 
Microsoft's Darol Timberlake discusses various Win2K security 
enhancements, such as Kerberos, the new Encrypting File System (EFS), 
the IP Security (IPSec) protocol, group policies, and security 
templates. You can find Timberlake's presentation at the first URL 
listed below. 
   In addition, Microsoft's Web site has dozens of papers that give 
users in-depth information and deployment procedures for Windows 2000 
Security Services, including security management using the Microsoft 
Security Configuration Tool Set and support for IPSec, EFS, public key 
infrastructure (PKI), smart cards, and Kerberos. You can find this 
supplemental reading at the second URL listed below. 
   http://support.microsoft.com/servicedesks/webcasts/wc040600/WC040600.asp?fr=1
   http://www.microsoft.com/windows2000/library/technologies/security/default.asp

* WINDOWS 2000 SECURITY: CREATING A CUSTOM PASSWORD-RESET MMC
In a previous column, Randy Franklin Smith explained how to give your 
Help desk staff the authority to handle forgotten passwords without 
giving them sweeping administrative privileges. But what if your 
company wants to delegate password-reset authority or a similar task to 
users other than the Help desk staff? By creating a custom Microsoft 
Management Console (MMC), you can provide designated users with a 
simplified, streamlined interface for quickly handling these password 
resets. In his latest column, Randy outlines how to create such a 
customized MMC.
   http://www.ntsecurity.net/go/win2ksec.asp

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows 
2000 Magazine online forums (http://www.win2000mag.com/support). 

May 25, 2000, 09:02 A.M. 
User Passwords 
In our NT domain with a PDC and BDC, when Windows 98 workstations 
attempt to change their domain passwords, they get an error: "Unable to 
change the password for the following reason: Access has been denied." 
In User Manager, we have allowed users to change their passwords. We 
are on SP6a. Any thoughts? 

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=104735.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week.

Windows DoS Code (jolt2.c)
Here is the proof-of-concept code for the * Windows denial-of-service 
attack described by BindView's Razor Team, in reference to Microsoft 
bulletin MS00-029. This code will cause CPU utilization to go to 100 
percent. 
http://www.ntsecurity.net/go/w.asp?A2=IND0005d&L=WIN2KSECADVICE&P=1228

Follow this link to read all threads for May, Week 4:
   http://www.ntsecurity.net/go/w.asp?A1=ind0005d&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week.

1. Using a Logon Script to Update Virus Signature Files
I am trying to use a logon script that will update our virus signature 
files on each computer. I downloaded the update from Norton and would 
like to run this update when a user logs on, but I do not want it to 
prompt the user at all. Does anyone know a switch that I can use to 
disable the prompts? Or am I going about this all wrong?
http://www.ntsecurity.net/go/l.asp?A2=IND0005d&L=HOWTO&P=3417

2. Windows NT 4.0 System Policy
We have policies in effect in our domain. I need to make another policy 
file only take effect for one PC. This policy includes group user and 
computer policies. Can I do this? 
http://www.ntsecurity.net/go/l.asp?A2=IND0005d&L=HOWTO&P=6868

Follow this link to read all threads for May, Week 4:
   http://www.ntsecurity.net/go/l.asp?A1=ind0005d&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

___________________________________________________________
Copyright 2000, Windows 2000 Magazine