From: Robert Hoffman [rfhoffman@yahoo.com]
Sent: Wednesday, September 08, 1999 6:41 PM
To: croll@tsavo.zko.dec.com; GlennEverhart@FirstUSA.com
Subject: Apologist or voice of reason? Who can tell?

 Fwd: WinNTMag Security UPDATE September 8, 1999

--- "<securityupdate@list.winntmag.com>"
<securityupdate@list.winntmag.com> wrote:
> Date: Wed, 8 Sep 1999 15:45:21 -0600
> To: WNT Mag Security UPDATE
>  <securityupdate@list.winntmag.com>
> From: "<securityupdate@list.winntmag.com>"
>  <securityupdate@list.winntmag.com>
> Subject: WinNTMag Security UPDATE September 8, 1999
> 
> **********************************************************
> WINDOWS NT MAGAZINE SECURITY UPDATE 
> The weekly Windows NT security update newsletter    
>  
> http://www.winntmag.com/Security/ 
> **********************************************************
> 
> This week's issue sponsored by
> Ripple Tech
> http://www.rippletech.com/nws_security 
> 
> EngageNT - User Management 
> http://www.engagent.com/products.asp
> 
> |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
> September 8, 1999 - In this issue:
> 
> 1. FROM THE EDITOR
> 
> 2. HOT OFF THE PRESS
>      - Back Door in Microsoft OSs?
>      - Hackers Succeed in Attacking Windows 2000
>      - New Fix for IE ActiveX Problem
> 
> 3. ANNOUNCEMENTS
>      - Windows NT Magazine Presents New
> Newsletter--IIS Administrator!
> 
> 4. NEW AND IMPROVED
>      - Software Protects Internet Privacy 
>      - Take Full Control of Your NT System
> 
> 5. HOT RELEASES
>      - VeriSign - The Internet Trust Company
>      - BindView Development's NOSadmin for Windows
> NT
> 
> 5. PICKS OF THE WEEK
>      - Book Highlight: Risky Business: Protect Your
> Business From Being 
> Stalked, Conned, or Blackmailed on the Web
>      - Hot Thread: Policies Not Working when User
> Logs In
>      - Shareware: BFTelnet
>      - Tip: Using Showacls and XCACLS to Adjust
> Permissions
> 
> ~~~~~~~~~~ SPONSOR: RIPPLETECH ~~~~~~~~~~
> RippleTech LogCaster is a suite of network services
> dedicated to the 
> real-time monitoring of Windows NT event logs,
> TCP/IP servers and 
> devices, Windows NT system services and critical
> applications. 
> RippleTech LogCaster will monitor the Windows NT
> Event Log and allow 
> immediate reaction to events such as, multiple audit
> failures, which 
> could indicate a security breach. It can also
> monitor security specific 
> NT Services such as, firewall services, RippleTech
> LogCaster services, 
> etc., and alert you if the services fail. 
> RippleTech LogCaster also 
> ensures uptime of TCP-based devices on your network
> and alert you if a 
> firewall server, dial-up server and any other type
> of device may be 
> down.
>    http://www.rippletech.com/nws_security
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Hello everyone,
> 
> You might already be aware of a new report that
> alleges there are back
> doors in Microsoft's OSs. In the report, Andrew
> Fernandes detailed his
> discovery of two cryptographic keys within the
> Windows OSs: KEY and 
> _NSAKEY. It is this second key and its name that
> touched off a frenzy 
> of allegations and debate.
>    In a nutshell, Microsoft OSs have a subsystem
> called the CryptoAPI 
> that helps provide cryptographic services for the
> OSs. Developers can 
> use the CryptoAPI to create their own Cryptographic
> Service Providers 
> (CSPs); Microsoft uses the two keys to sign those
> CSPs. According to 
> Microsoft, the first key is a primary key and the
> second is a secondary 
> (backup) key in case an intruder compromises the
> primary key.
>    However, Microsoft's explanation for the second
> key isn't pacifying
> everyone. More than one cryptography aficionado has
> pointed out that usually a mechanism exists to
> revoke compromised keys; 
> however, no such revocation mechanism exists within
> the CryptoAPI. This 
> lack of protection has raised suspicions within the
> security community.
>    I watched and read various online forums and
> mailing lists as person 
> after person lashed out at Microsoft. Many people
> are centering their 
> thoughts on the second key's name: _NSAKEY. Some
> people apparently 
> think the name alone is enough to convict Microsoft
> of putting a back 
> door into Windows. So, let me clear the air a little
> on this matter.
>    First, programmers can define variables using any
> naming
> convention, and just because someone at Microsoft
> used the name _NSAKEY 
> doesn't mean that the company delivered the key to
> the National 
> Security Agency (NSA). Granted, the name leaves room
> for suspicion, but 
> it's hardly convicting evidence. Second, a
> cryptographic key alone does 
> not constitute a genuine back door, because you
> can't use the key by 
> itself to access a Windows OS. Granted, the key can
> be an essential 
> tool for cracking system security, but again, it's
> useless without a 
> way into the system. I fail to see how the existence
> of the second key 
> can be deemed a genuine back door. In comparison,
> tools exist to 
> recover lost administrator passwords, so should this
> potential also be 
> considered a back door? I think not.
>    Microsoft's source code is not in the public
> domain, so it's 
> incredibly difficult to discover what undocumented
> functionality might 
> reside under the hood. Even Microsoft's developers
> aren't aware of 
> everything in an OS, because source code access at
> Microsoft is heavily 
> compartmentalized. As an example, a related
> discovery last year showed 
> that Windows 2000 (Win2K) has not only two, but
> three cryptographic 
> keys for use by the CryptoAPI. But when that
> information was released 
> at a 1998 cryptography convention, a Microsoft
> employee in attendance 
> displayed surprise at the revelation, having no
> knowledge of the third 
> key, even though he directly took part in developing
> Win2K's CryptoAPI.  
> So what's the moral here? We simply have to trust
> vendors that don't 
> provide source code for peer review. That's a tough
> item to accept, but 
> at this point I know of no other choice.
>    Although the _NSAKEY name is suspicious, and I'm
> now required to 
> trust Microsoft when it says it hasn't shared the
> key with anyone 
> outside of Microsoft, I think a bigger issue
> Fernandes discovered is 
> the fact that a user can easily replace the key.
> Fernandes made that 
> point by releasing a utility that can replace the
> second key.
>    So what are the implications with this part of
> his discovery? Well, 
> several security reports have stated that an
> intruder can Trojan
> an OS, so what's to stop a Trojan from overwriting
> the second key, 
> loading a new CSP, signing the new CSP with the
> newly replaced second 
> key, and using that CSP to further subvert network
> security? The answer 
> is diligent security practices--the same practices
> you'd use to prevent 
> a Trojan from altering or stealing your SAM database
> or other sensitive 
> system information. If you don't already employ
> technology to monitor 
> and guard your system files and Registry
> information, you should 
> consider adding that type of functionality. Consider
> using a tool such 
> as Tripwire for NT (http://www.tripwiresecurity.com)
> to help monitor 
> your system for unauthorized changes. I reviewed
> Tripwire for NT and 
> found it to be a great add-on. Look for my review of
> Tripwire in the 
> November 1999 issue of Windows NT Magazine. 
>   Keep in mind that if someone does Trojan your system, you
> have more than just 
> a vulnerable backup cryptography key to worry about.
> Until next time, 
> have a great week.
> 
> Sincerely,
> Mark Joseph Edwards, News Editor
> mark@ntsecurity.net
> 
> ========== HOT OFF THE PRESS =========
> (contributed by Mark Joseph Edwards,
> http://www.ntsecurity.net)
> 
> * BACK DOOR IN MICROSOFT OSs?
> Andrew Fernandes released a startling report
> alleging that all 
> Microsoft OSs, from Windows 95 OSR2 onward, have a
> back door that could 
> let an intruder, namely the National Security Agency
> (NSA), load 
> unauthorized security services that might compromise
> the entire system.
>    You might recall that at last year's Crypto '98
> conference, Nicko 
> van Someren stated that he had discovered two
> cryptographic keys in 
> Microsoft's CryptoAPI. Microsoft uses the keys to
> sign Cryptographic 
> Service Providers (CSPs). The signing helps ensure
> that CSPs adhere to 
> US export laws regarding strong encryption.
>    Using van Someren's findings, Fernandes began
> looking for 
> information regarding the keys. Fernandes got his
> break with
> the release of Service Pack 5 (SP5).
>    According to his report, Fernandes said that when
> Microsoft released
> SP5, it failed to remove certain debug symbols
> before releasing the 
> product to the general public. These symbols let him
> gather information 
> about the two keys.
>    Upon inspection, Fernandes discovered that the
> first key is labeled 
> KEY, and the second key is labeled _NSAKEY. The
> second key's label
> led Fernandes to make certain assumptions about its
> origin and intended 
> use. In his report, Fernandes claims the second key
> must be for use by 
> the NSA to subvert the OS security.
>    Microsoft fiercely denied the allegations point
> by point, saying the
> second key is a backup key in case a problem arises
> with the first key.
> However, one British-based security professional
> argued that building 
> in a second key makes no sense unless there is a
> revocation method for 
> the first key, and as far as he can tell, no such
> revocation method is
> available.
>    In addition to his report, Fernandes released a
> program that 
> replaces the _NSAKEY with a user's own key,
> effectively disabling the 
> intended use of the original second key.
>    Fernandes' paper is available online at
> Cryptonym, and Microsoft has
> posted a detailed response on its Web site.
>    http://www.cryptonym.com/hottopics/msft-nsa.html
>    http://www.microsoft.com/security/bulletins/backdoor.asp
> 
> * HACKERS SUCCEED IN ATTACKING WINDOWS 2000
> You might recall that Microsoft launched a new Web
> site to give hackers 
> a chance to penetrate Windows 2000 (Win2K) security.
> Last week, a group 
> of hackers succeeded in disrupting access to parts
> of that Web site.
>    By sending what are sometimes referred to as
> poison packets, the
> hackers successfully caused a partial
> denial-of-service attack against 
> the new OS. The poisoned packets were structured in
> a way that
> caused Win2K to think the packets were very large,
> when in fact the
> packets were rather small.
>    George Davey, a participant in the recent hack,
> said the method 
> involved the Active Server Pages (ASP) component of
> Internet 
> Information Server (IIS). Davey said that when
> tested against his own 
> installation of Win2K, the attack rendered IIS
> unusable; even a system 
> restart wouldn't correct the damage. He had to
> reinstall IIS to 
> overcome the problem.
>    Although the success of the attack did not grant
> the hackers any
> elevated access to the OS, Microsoft said the attack
> served to alert
> the company to an area of the OS that needs
> attention.
>    http://www.windows2000test.com
> 
> * NEW FIX FOR IE ACTIVEX PROBLEM
> In the September 1 edition of Security UPDATE, we
> reported a problem 
> with Internet Explorer (IE), discovered by Georgi
> Guninski, where an 
> ActiveX object could allow file creation and
> modification. At the time 
> of our report, no fix was available from Microsoft.
> However, Microsoft 
> has since released a patch for the problem, which
> you can find on its 
> FTP site.
>    Be sure to read Microsoft Support Online article
> Q240308 and 
> Microsoft's FAQ pertaining to the problem.
>    ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/Eyedog-fix
>    http://www.microsoft.com/security/bulletins/MS99-032faq.asp
>    http://support.microsoft.com/support/kb/articles/q240/3/08.asp
> 
> ========== ANNOUNCEMENTS ==========
> 
> * WINDOWS NT MAGAZINE PRESENTS A NEW NEWSLETTER--IIS
> ADMINISTRATOR! 
> Windows NT Magazine's new monthly print
> newsletter--IIS Administrator--
> focuses on Microsoft's Internet Information Server
> (IIS) tools and 
> technical solutions. Each issue will delve into
> topics such as IIS and 
> the Registry, e-commerce, remote management with
> HTML, multihosting, 
> service packs, and much more. IIS Administrator is a
> must for anyone 
> working with IIS. Subscribe today and don't miss a
> single issue!   
>    http://www.winntmag.com/sub.cfm?code=NI99IISXUP
> 
> ~~~~ SPONSOR: ENGAGENT - USER MANAGEMENT ~~~~
> Do you want to know where your users have full
> control permissions in 
> your NT network or which directories the marketing
> department has 
> access? Do you want to create a report on stale user
> accounts or remove 
> user accounts in seconds, including all their
> resources? You can do all 
> this if you download the two administration tools
> Network ServaNT & 
> User ManagemeNT Professional today from 
> http://www.engagent.com/products.asp.
> Buy one and receive a 75% discount off the second
> tool.
> 
> ========== NEW AND IMPROVED ==========
> (contributed by Judy Drennen, products@winntmag.com)
> 
> * SOFTWARE PROTECTS INTERNET PRIVACY
> Webroot Software released Private Bookmarks 3.0,
> innovative software 
> that stores a user's favorite Web sites, passwords,
> and names in an 
> encrypted, password-protected program. Private
> Bookmarks contains 
> import and export functions to move existing
> bookmarked Web sites 
> between Internet Explorer and Netscape to the
> private protected list. 
> The software adds or removes a bookmark to or from
> the private list 
> with point-and-click functionality and offers a
> pull-down menu 
> interface similar to familiar Windows programs. 
>    Private Bookmarks runs on Windows NT and Windows
> 9x systems and 
> costs $29.95. For more information, contact Webroot
> Software, 303-554-
> 6528.
>    http://www.webroot.com
>    
> * TAKE FULL CONTROL OF YOUR NT SYSTEM 
> SmartLine released Advanced Security Control (ASC),
> an NT service for 
> restricting execution of any 32-bit software on
> Windows NT 4.0 or 
> Windows 2000 systems. ASC lets administrators
> control user access to 
> any 32-bit software (e.g., games, Internet browsers)
> by setting up 
> login hour restrictions. The Y2K-compliant software
> offers access 
> control for NT users to protect and maintain a
> corporate environment.
>    ASC costs $60 for a single-user license. Site
> license and 
> educational discounts are available. For more
> information, contact 
> SmartLine, sales@protect-me.com.
>    http://www.protect-me.com
> 
> ========== HOT RELEASES (ADVERTISEMENT) ==========
> 
> * VERISIGN - THE INTERNET TRUST COMPANY 
> Protect your servers with 128-bit SSL encryption! 
> Get a FREE Guide 
> from VeriSign, "Securing Your Web Site for
> Business." Click Here! 
> http://www.verisign.com/cgi-bin/go.cgi?a=n028601390003000
> 
> * BINDVIEW DEVELOPMENT'S NOSADMIN FOR WINDOWS NT
> Visit BindView's Web site to learn why people say
> that NOSadmin for NT 
> is the easiest way to administer and secure your
> Windows NT enterprise!
> Call 1 (888) 837-4220 or visit our Web site at
> http://www.bindview.com/a14.html.
> 
> ========== PICKS OF THE WEEK ==========
> 
> * BOOK HIGHLIGHT: RISKY BUSINESS: PROTECT YOUR
> BUSINESS FROM BEING 
> STALKED, CONNED, OR BLACKMAILED ON THE WEB 
> By Dan Janal
> Online Price: $27.95
> Softcover; 352 Pages
> Published by John Wiley & Sons, March 1998
> 
> This important guide offers tips on using the Web as
> a business tool 
> and protecting a company from various online
> threats. Risky Business 
> covers the numerous threats, crimes, and management
> maladies that beset 
> corporations that promote themselves online. More
> importantly, this 
> book offers remedies and preventative techniques to
> companies that can 
> help them overcome these problems and use the Web to
> their advantage.
> 
> For Windows NT Magazine Security UPDATE readers
> only--Receive an 
> additional 10 PERCENT off the online price by typing
> in WINNTMAG in the 
> referral field on the Shopping Basket Checkout page.
> To order this 
> book, go to
> http://www.fatbrain.com/shop/info/0471197068?from=SUT864.
> 
> * HOT THREAD: POLICIES NOT WORKING WHEN USER LOGS IN
> The following text is from a recent threaded
> discussion on the Windows 
> NT Magazine online forums
> (http://www.winntmag.com/support). 
> 
> September 1, 1999, 04:39 PM 
> Policies Not Working When User Logs In 
> I created policies with Policy Editor. After I
> replicate the 
> /scripts/export from my PDC to all BDCs, the policy
> does not seem to 
> stick when I login as that user on a workstation. I
> was trying to lock 
> down the display properties box so my students
> couldn't change the 
> display. But, if that policy didn't work, then
> disabling Registry 
> editing tools, etc. with policy editor didn't work
> either. 
> Please help. 
> 
> Thread continues at
> http://winntmag.com/Support/Forums/Application/Thread.cfm?CFApp=69&Thread_ID=24190&mc=7
> 
> * SHAREWARE: BFTELNET
> (contributed by Jonathan Chau, jjc@winntmag.com)
> 
> Despite claims to the contrary, Windows NT isn't
> well suited to remote 
> administration. If you find yourself running from
> server to server 
> trying to keep your systems running smoothly,
> BFTelnet might be the 
> tool for you. Designed as a secure telnet server for
> NT, BFTelnet lets 
> you connect to remote NT systems and monitor or kill
> processes, 
> maintain services, and check for unauthorized access
> to your network.
>    http://www.bytefusion.com/telnet.html
> 
> * TIP: USING SHOWACLS AND XCACLS TO ADJUST
> PERMISSIONS
> (contributed by Mark Joseph Edwards,
> http://www.ntsecurity.net)
> 
> Many people enjoy working from the command line, as
> opposed to using 
> the standard Windows-based management GUIs. If
> you're in that crowd, 
> then you already know Windows NT doesn't ship with
> many command line 
> utilities--instead, Microsoft offers command line
> tools (as well as 
> additional GUI-based tools) in the Microsoft Windows
> NT Server 4.0 
> Resource Kit. 
>    One command-line tool from the Resource Kit I
> find very useful is 
> showacls.exe. The tool will display the current
> permission settings 
> (Access Control List--ACL) for a given directory
> directly from within a 
> DOS command window. In many cases, I find using
> SHOWACLS to be much 
> quicker than firing up Explorer to inspect
> permissions.
>   And, in cases where you need to adjust ACLs, you
> can use the 
> xcacls.exe tool, also found within the Resource Kit.
> XCACLS gives you 
> all the power of Explorer's permission controls, but
> again, from within 
> a DOS command window.
> 
> |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
> 
> WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
> News Editor - Mark Joseph Edwards (mje@winntmag.com)
> Ad Sales Manager (Western and International) - Vicki
> Peterson 
> (vpeterson@winntmag.com)
> Ad Sales Manager (Eastern) - Tanya T. TateWik
> (ttatewik@winntmag.com)
> Editor - Gayle Rodcay (gayle@winntmag.com)
> New and Improved - Judy Drennen
> (products@winntmag.com)
> Shareware - Jonathan Chau (jjc@winntmag.com)
> Copy Editor - Judy Drennen (jdrennen@winntmag.com)
> 
> |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
> Copyright 1999, Windows NT Magazine
> 
> 
> 

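
The editor's note in the forwarded newsletter recommends monitoring system files for unauthorized changes, because the second key can be overwritten in place. The sketch below is an added example, not part of the e-mail or the newsletter and not a description of how Tripwire works: it shows why a content-hash baseline catches a same-length key replacement that leaves file size and timestamps unchanged, and why the baseline itself needs a keyed seal. The file name `provider.bin`, the two 128-byte slots and the demo secret are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large system binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and content hash for every monitored file."""
    return {str(p): {"size": os.path.getsize(p), "sha256": sha256_file(p)} for p in paths}


def seal(baseline, secret):
    """HMAC over a canonical encoding, so an edited baseline is detected as well."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(secret, blob, hashlib.sha256).hexdigest()


def check(baseline, tag, secret):
    """Return a sorted list of (path, finding) tuples; an empty list means no drift."""
    if not hmac.compare_digest(seal(baseline, secret), tag):
        return [("<baseline>", "baseline-tampered")]
    findings = []
    for path, want in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_file(path) != want["sha256"]:
            same_size = os.path.getsize(path) == want["size"]
            findings.append((path, "modified-same-size" if same_size else "modified"))
    return sorted(findings)


def demo():
    """Constructed scenario: second key slot overwritten in place, mtime restored."""
    secret = b"constructed-demo-secret"  # assumption: kept off the monitored host
    with tempfile.TemporaryDirectory() as d:
        module = Path(d) / "provider.bin"  # hypothetical stand-in for a system binary
        module.write_bytes(b"HDR" + b"\x11" * 128 + b"\x22" * 128)  # two key slots
        baseline = build_baseline([module])
        tag = seal(baseline, secret)
        clean = check(baseline, tag, secret)
        st = module.stat()
        data = bytearray(module.read_bytes())
        data[3 + 128:] = b"\x99" * 128  # replace only the second slot, same length
        module.write_bytes(bytes(data))
        os.utime(module, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamps put back
        after = check(baseline, tag, secret)
        baseline[str(module)]["sha256"] = sha256_file(module)  # baseline rewritten too
        forged = check(baseline, tag, secret)
    return clean, [(Path(p).name, f) for p, f in after], forged


if __name__ == "__main__": print(demo())
```
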