From: Robert Hoffman [rfhoffman@yahoo.com]
Sent: Wednesday, September 08, 1999 6:41 PM
To: croll@tsavo.zko.dec.com; GlennEverhart@FirstUSA.com
Subject: Apologist or voice of reason? Who can tell? Fwd: WinNTMag Security UPDATE September 8, 1999

--- "" wrote:
> Date: Wed, 8 Sep 1999 15:45:21 -0600
> To: WNT Mag Security UPDATE
> From: ""
> Subject: WinNTMag Security UPDATE September 8, 1999
>
> **********************************************************
> WINDOWS NT MAGAZINE SECURITY UPDATE
> The weekly Windows NT security update newsletter
> http://www.winntmag.com/Security/
> **********************************************************
>
> This week's issue sponsored by
> Ripple Tech
> http://www.rippletech.com/nws_security
>
> EngageNT - User Management
> http://www.engagent.com/products.asp
>
> |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
> September 8, 1999 - In this issue:
>
> 1. FROM THE EDITOR
>
> 2. HOT OFF THE PRESS
>    - Back Door in Microsoft OSs?
>    - Hackers Succeed in Attacking Windows 2000
>    - New Fix for IE ActiveX Problem
>
> 3. ANNOUNCEMENTS
>    - Windows NT Magazine Presents New Newsletter--IIS Administrator!
>
> 4. NEW AND IMPROVED
>    - Software Protects Internet Privacy
>    - Take Full Control of Your NT System
>
> 5. HOT RELEASES
>    - VeriSign - The Internet Trust Company
>    - BindView Development's NOSadmin for Windows NT
>
> 5. PICKS OF THE WEEK
>    - Book Highlight: Risky Business: Protect Your Business From Being Stalked, Conned, or Blackmailed on the Web
>    - Hot Thread: Policies Not Working when User Logs In
>    - Shareware: BFTelnet
>    - Tip: Using Showacls and XCACLS to Adjust Permissions
>
> ~~~~~~~~~~ SPONSOR: RIPPLETECH ~~~~~~~~~~
> RippleTech LogCaster is a suite of network services dedicated to the real-time monitoring of Windows NT event logs, TCP/IP servers and devices, Windows NT system services and critical applications.
> RippleTech LogCaster will monitor the Windows NT Event Log and allow immediate reaction to events such as, multiple audit failures, which could indicate a security breach. It can also monitor security specific NT Services such as, firewall services, RippleTech LogCaster services, etc., and alert you if the services fail. RippleTech LogCaster also ensures uptime of TCP-based devices on your network and alert you if a firewall server, dial-up server and any other type of device may be down.
> http://www.rippletech.com/nws_security
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Want to sponsor UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Hello everyone,
>
> You might already be aware of a new report that alleges there are back doors in Microsoft's OSs. In the report, Andrew Fernandes detailed his discovery of two cryptographic keys within the Windows OSs: KEY and _NSAKEY. It is this second key and its name that touched off a frenzy of allegations and debate.
>
> In a nutshell, Microsoft OSs have a subsystem called the CryptoAPI that helps provide cryptographic services for the OSs. Developers can use the CryptoAPI to create their own Cryptographic Service Providers (CSPs); Microsoft uses the two keys to sign those CSPs. According to Microsoft, the first key is a primary key and the second is a secondary (backup) key in case an intruder compromises the primary key.
>
> However, Microsoft's explanation for the second key isn't pacifying everyone. More than one cryptography aficionado has pointed out that usually a mechanism exists to revoke compromised keys; however, no such revocation mechanism exists within the CryptoAPI.
> This lack of protection has raised suspicions within the security community.
>
> I watched and read various online forums and mailing lists as person after person lashed out at Microsoft. Many people are centering their thoughts on the second key's name: _NSAKEY. Some people apparently think the name alone is enough to convict Microsoft of putting a back door into Windows. So, let me clear the air a little on this matter.
>
> First, programmers can define variables using any naming convention, and just because someone at Microsoft used the name _NSAKEY doesn't mean that the company delivered the key to the National Security Agency (NSA). Granted, the name leaves room for suspicion, but it's hardly convicting evidence. Second, a cryptographic key alone does not constitute a genuine back door, because you can't use the key by itself to access a Windows OS. Granted, the key can be an essential tool for cracking system security, but again, it's useless without a way into the system. I fail to see how the existence of the second key can be deemed a genuine back door. In comparison, tools exist to recover lost administrator passwords, so should this potential also be considered a back door? I think not.
>
> Microsoft's source code is not in the public domain, so it's incredibly difficult to discover what undocumented functionality might reside under the hood. Even Microsoft's developers aren't aware of everything in an OS, because source code access at Microsoft is heavily compartmentalized. As an example, a related discovery last year showed that Windows 2000 (Win2K) has not only two, but three cryptographic keys for use by the CryptoAPI.
> But when that information was released at a 1998 cryptography convention, a Microsoft employee in attendance displayed surprise at the revelation, having no knowledge of the third key, even though he directly took part in developing Win2K's CryptoAPI.
>
> So what's the moral here? We simply have to trust vendors that don't provide source code for peer review. That's a tough item to accept, but at this point I know of no other choice.
>
> Although the _NSAKEY name is suspicious, and I'm now required to trust Microsoft when it says it hasn't shared the key with anyone outside of Microsoft, I think a bigger issue Fernandes discovered is the fact that a user can easily replace the key. Fernandes made that point by releasing a utility that can replace the second key.
>
> So what are the implications with this part of his discovery? Well, several security reports have stated that an intruder can Trojan an OS, so what's to stop a Trojan from overwriting the second key, loading a new CSP, signing the new CSP with the newly replaced second key, and using that CSP to further subvert network security? The answer is diligent security practices--the same practices you'd use to prevent a Trojan from altering or stealing your SAM database or other sensitive system information. If you don't already employ technology to monitor and guard your system files and Registry information, you should consider adding that type of functionality. Consider using a tool such as Tripwire for NT (http://www.tripwiresecurity.com) to help monitor your system for unauthorized changes. I reviewed Tripwire for NT and found it to be a great add-on. Look for my review of Tripwire in the November 1999 issue of Windows NT Magazine.
>
> Keep in mind that if does Trojan your system, you have more than just a vulnerable backup cryptography key to worry about. Until next time, have a great week.
>
> Sincerely,
> Mark Joseph Edwards, News Editor
> mark@ntsecurity.net
>
> ========== HOT OFF THE PRESS =========
> (contributed by Mark Joseph Edwards, http://www.ntsecurity.net)
>
> * BACK DOOR IN MICROSOFT OSs?
> Andrew Fernandes released a startling report alleging that all Microsoft OSs, from Windows 95 OSR2 onward, have a back door that could let an intruder, namely the National Security Agency (NSA), load unauthorized security services that might compromise the entire system.
>
> You might recall that at last year's Crypto '98 conference, Nicko van Someren stated that he had discovered two cryptographic keys in Microsoft's CryptoAPI. Microsoft uses the keys to sign Cryptographic Service Providers (CSPs). The signing helps ensure that CSPs adhere to US export laws regarding strong encryption.
>
> Using van Someren's findings, Fernandes began looking for information regarding the keys. Fernandes got his break with the release of Service Pack 5 (SP5).
>
> According to his report, Fernandes said that when Microsoft released SP5, it failed to remove certain debug symbols before releasing the product to the general public. These symbols let him gather information about the two keys.
>
> Upon inspection, Fernandes discovered that the first key is labeled KEY, and the second key is labeled _NSAKEY. The second key's label led Fernandes to make certain assumptions about its origin and intended use. In his report, Fernandes claims the second key must be for use by the NSA to subvert the OS security.
>
> Microsoft fiercely denied the allegations point by point, saying the second key is a backup key in case a problem arises with the first key. However, one British-based security professional argued that building in a second key makes no sense unless there is a revocation method for the first key, and as far as he can tell, no such revocation method is available.
>
> In addition to his report, Fernandes released a program that replaces the _NSAKEY with a user's own key, effectively disabling the intended use of the original second key.
>
> Fernandes' paper is available online at Cryptonym, and Microsoft has posted a detailed response on its Web site.
> http://www.cryptonym.com/hottopics/msft-nsa.html
> http://www.microsoft.com/security/bulletins/backdoor.asp
>
> * HACKERS SUCCEED IN ATTACKING WINDOWS 2000
> You might recall that Microsoft launched a new Web site to give hackers a chance to penetrate Windows 2000 (Win2K) security. Last week, a group of hackers succeeded in disrupting access to parts of that Web site.
>
> By sending what are sometimes referred to as poison packets, the hackers successfully caused a partial denial-of-service attack against the new OS. The poisoned packets were structured in a way that caused Win2K to think the packets were very large, when in fact the packets were rather small.
>
> George Davey, a participant in the recent hack, said the method involved the Active Server Pages (ASP) component of Internet Information Server (IIS). Davey said that when tested against his own installation of Win2K, the attack rendered IIS unusable; even a system restart wouldn't correct the damage. He had to reinstall IIS to overcome the problem.
>
> Although the success of the attack did not grant the hackers any elevated access to the OS, Microsoft said the attack served to alert the company to an area of the OS that needs attention.
> http://www.windows2000test.com
>
> * NEW FIX FOR IE ACTIVEX PROBLEM
> In the September 1 edition of Security UPDATE, we reported a problem with Internet Explorer (IE), discovered by Georgi Guninski, where an ActiveX object could allow file creation and modification. At the time of our report, no fix was available from Microsoft. However, Microsoft has since released a patch for the problem, which you can find on its FTP site.
>
> Be sure to read Microsoft Support Online article Q240308 and Microsoft's FAQ pertaining to the problem.
> ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/Eyedog-fix
> http://www.microsoft.com/security/bulletins/MS99-032faq.asp
> http://support.microsoft.com/support/kb/articles/q240/3/08.asp
>
> ========== ANNOUNCEMENTS ==========
>
> * WINDOWS NT MAGAZINE PRESENTS A NEW NEWSLETTER--IIS ADMINISTRATOR!
> Windows NT Magazine's new monthly print newsletter--IIS Administrator--focuses on Microsoft's Internet Information Server (IIS) tools and technical solutions. Each issue will delve into topics such as IIS and the Registry, e-commerce, remote management with HTML, multihosting, service packs, and much more. IIS Administrator is a must for anyone working with IIS. Subscribe today and don't miss a single issue!
> http://www.winntmag.com/sub.cfm?code=NI99IISXUP
>
> ~~~~ SPONSOR: ENGAGENT - USER MANAGEMENT ~~~~
> Do you want to know where your users have full control permissions in your NT network or which directories the marketing department has access? Do you want to create a report on stale user accounts or remove user accounts in seconds, including all their resources? You can do all this if you download the two administration tools Network ServaNT & User ManagemeNT Professional today from http://www.engagent.com/products.asp. Buy one and receive a 75% discount off the second tool.
>
> ========== NEW AND IMPROVED ==========
> (contributed by Judy Drennen, products@winntmag.com)
>
> * SOFTWARE PROTECTS INTERNET PRIVACY
> Webroot Software released Private Bookmarks 3.0, innovative software that stores a user's favorite Web sites, passwords, and names in an encrypted, password-protected program.
> Private Bookmarks contains import and export functions to move existing bookmarked Web sites between Internet Explorer and Netscape to the private protected list. The software adds or removes a bookmark to or from the private list with point-and-click functionality and offers a pull-down menu interface similar to familiar Windows programs.
>
> Private Bookmarks runs on Windows NT and Windows 9x systems and costs $29.95. For more information, contact Webroot Software, 303-554-6528.
> http://www.webroot.com
>
> * TAKE FULL CONTROL OF YOUR NT SYSTEM
> SmartLine released Advanced Security Control (ASC), an NT service for restricting execution of any 32-bit software on Windows NT 4.0 or Windows 2000 systems. ASC lets administrators control user access to any 32-bit software (e.g., games, Internet browsers) by setting up login hour restrictions. The Y2K-compliant software offers access control for NT users to protect and maintain a corporate environment.
>
> ASC costs $60 for a single-user license. Site license and educational discounts are available. For more information, contact SmartLine, sales@protect-me.com.
> http://www.protect-me.com
>
> ========== HOT RELEASES (ADVERTISEMENT) ==========
>
> * VERISIGN - THE INTERNET TRUST COMPANY
> Protect your servers with 128-bit SSL encryption! Get a FREE Guide from VeriSign, "Securing Your Web Site for Business." Click Here!
> http://www.verisign.com/cgi-bin/go.cgi?a=n028601390003000
>
> * BINDVIEW DEVELOPMENT'S NOSADMIN FOR WINDOWS NT
> Visit BindView's Web site to learn why people say that NOSadmin for NT is the easiest way to administer and secure your Windows NT enterprise! Call 1 (888) 837-4220 or visit our Web site at http://www.bindview.com/a14.html.
>
> ========== PICKS OF THE WEEK ==========
>
> * BOOK HIGHLIGHT: RISKY BUSINESS: PROTECT YOUR BUSINESS FROM BEING STALKED, CONNED, OR BLACKMAILED ON THE WEB
> By Dan Janal
> Online Price: $27.95
> Softcover; 352 Pages
> Published by John Wiley & Sons, March 1998
>
> This important guide offers tips on using the Web as a business tool and protecting a company from various online threats. Risky Business covers the numerous threats, crimes, and management maladies that beset corporations that promote themselves online. More importantly, this book offers remedies and preventative techniques to companies that can help them overcome these problems and use the Web to their advantage.
>
> For Windows NT Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing in WINNTMAG in the referral field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/0471197068?from=SUT864.
>
> * HOT THREAD: POLICIES NOT WORKING WHEN USER LOGS IN
> The following text is from a recent threaded discussion on the Windows NT Magazine online forums (http://www.winntmag.com/support).
>
> September 1, 1999, 04:39 PM
> Policies Not Working When User Logs In
> I created policies with Policy Editor. After I replicate the /scripts/export from my PDC to all BDCs, the policy does not seem to stick when I login as that user on a workstation. I was trying to lock down the display properties box so my students couldn't change the display. But, if that policy didn't work, then disabling Registry editing tools, etc. with policy editor didn't work either.
> Please help.
>
> Thread continues at
> http://winntmag.com/Support/Forums/Application/Thread.cfm?CFApp=69&Thread_ID=24190&mc=7
>
> * SHAREWARE: BFTELNET
> (contributed by Jonathan Chau, jjc@winntmag.com)
>
> Despite claims to the contrary, Windows NT isn't well suited to remote administration.
> If you find yourself running from server to server trying to keep your systems running smoothly, BFTelnet might be the tool for you. Designed as a secure telnet server for NT, BFTelnet lets you connect to remote NT systems and monitor or kill processes, maintain services, and check for unauthorized access to your network.
> http://www.bytefusion.com/telnet.html
>
> * TIP: USING SHOWACLS AND XCACLS TO ADJUST PERMISSIONS
> (contributed by Mark Joseph Edwards, http://www.ntsecurity.net)
>
> Many people enjoy working from the command line, as opposed to using the standard Windows-based management GUIs. If you're in that crowd, then you already know Windows NT doesn't ship with many command line utilities--instead, Microsoft offers command line tools (as well as additional GUI-based tools) in the Microsoft Windows NT Server 4.0 Resource Kit.
>
> One command-line tool from the Resource Kit I find very useful is showacls.exe. The tool will display the current permission settings (Access Control List--ACL) for a given directory directly from within a DOS command window. In many cases, I find using SHOWACLS to be much quicker than firing up Explorer to inspect permissions.
>
> And, in cases where you need to adjust ACLs, you can use the xcacls.exe tool, also found within the Resource Kit. XCACLS gives you all the power of Explorer's permission controls, but again, from within a DOS command window.
>
> |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
>
> WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
> News Editor - Mark Joseph Edwards (mje@winntmag.com)
> Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@winntmag.com)
> Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
> Editor - Gayle Rodcay (gayle@winntmag.com)
> New and Improved - Judy Drennen (products@winntmag.com)
> Shareware - Jonathan Chau (jjc@winntmag.com)
> Copy Editor - Judy Drennen (jdrennen@winntmag.com)
>
> |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
> Copyright 1999, Windows NT Magazine