**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by

Internet Security Services
http://www.iss.net/mktg/winnt12-1

BindView Corporation
http://webevents.broadcast.com/bindview/intropage1299/
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

December 1, 1999 - In this issue:

1. IN FOCUS
     - Privacy Is NOT a Thing of the Past

2. SECURITY RISKS
     - Windows 9x Legacy Psw Caching
     - IE 5.0 Task Scheduler Elevates Privileges
     - Mail-Gear Allows Directory Traversal
     - BisonWare FTP Server Subject to Denial of Service
     - WorldClient Server Subject to Denial of Service

3. ANNOUNCEMENTS
     - Answers to NT Frequently Asked Questions
     - Windows NT Magazine Launches ASP Email Newsletter
     - New Resource: ECOMSEC - An E-Commerce Security Mailing List
     - Security Poll: Will You Take Any Security Training in the Near Future?

4. SECURITY ROUNDUP
     - News: Crypto Advocate Under FBI Investigation
     - News: ASIO Gains Right to Tap Private Computers

5. NEW AND IMPROVED
     - Y2K Internet Security Bundle
     - Compact Fingerprint Reader

6. HOT RELEASE
     - kforce.com
     - Network-1 Security Solutions - Embedded NT Firewalls

7. SECURITY TOOLKIT
     - Book Highlight: Web Security Sourcebook
     - Tip: Blocking RPC Service Access and a Correction
     - How To: A Windows 2000 Post-Installation Checklist
     - How To: Testing Your Exchange Server for Y2K Readiness

8. HOT THREADS
     - Windows NT Magazine Online Forums:
         * Security Over Deleted Files
     - Win2KSecAdvice Mailing List:
         * NTInfoScan Has Been Updated
         * Oracle Web Listener
     - HowTo Mailing List:
         * Viruses and Y2K
         * Username Problem for C$ Share
         * Administrator Password

~~~~ SPONSOR: INTERNET SECURITY SERVICES ~~~~
Your security tightens. Your e-business expands.
Welcome to SAFEsuite. SAFEsuite from ISS protects sensitive data while you serve sensitive customers. SAFEsuite monitors, detects, and responds to threats across your enterprise. It adapts to changing security situations. And it helps expand your e-business by giving suppliers and customers wider access. For our free E-Commerce Security White Paper, visit:
http://www.iss.net/mktg/winnt12-1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Our privacy is continuously under attack. But if you believe Sun Microsystems' CEO and President, Scott McNealy, our privacy has been long gone anyway. McNealy made that comment last year, and although in some ways that statement is true, to hold that blanket statement out as all-inclusive is incredibly short-sighted. I don't know about McNealy, but I have no trouble enjoying many private aspects to my life, and I intend to keep it that way.

Nonetheless, corporate America, as well as corporations in other countries, are in direct control of much of our privacy. And that privacy is being chipped away bit by bit. The bigger the company, the more serious the privacy invasion can become.

Take America Online (AOL), for example. AOL provides Internet service to millions of people around the world. AOL knows your every move on the net because it tracks that information as you surf using its service. Tracking that data is not so bad; it's what the company does with the information that bothers me.

As you know, AOL's privacy policy is under attack from industry critics. And as you might also know, AOL users must complete an Opt Out form to keep their private information private.
AOL instituted the controversial privacy policy last year. Under the service policy, AOL users must fill out the privacy form every year if they expect to maintain control of their private information. AOL rudely makes the assumption that if a person doesn't fill out the form, they thereby agree to let AOL share their name, address, Web surfing and electronic buying habits, and other private data with other companies at AOL's discretion.

Privacy advocates (myself included) see AOL's approach as far less than ethical. We think that companies should bear the burden of receiving proof that they can distribute a person's private information. David Sobel, attorney for the privacy advocacy group Electronic Privacy Information Center (EPIC), called AOL's approach to privacy appalling. But Sobel isn't surprised. And neither am I.

The bottom line is that companies make millions of dollars every year by selling your private information. And in the case of AOL, users actually pay for that exposure by subscribing to AOL's services. That approach just doesn't make sense unless you're OK with having your name, private information, and personal habits plastered all over the world at your expense.

With so many ISPs providing adequate net access complete with roaming features, a person shouldn't have to tolerate the type of actions AOL takes. Why should a person have to opt out of information sharing? Why can't AOL reverse the default assumption in its policy? Maybe AOL's policy is merely a smokescreen to pacify the masses. The policy clearly benefits AOL, not the consumer.

So how long will it take for other major companies to follow AOL? Are other companies willing to risk their reputation over privacy concerns? It's up to you, the consumer, to let companies know how you feel about their privacy practices. And as you know, often the best way to get a company's attention is by tugging on its purse strings. You get the picture. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

* WINDOWS 9x LEGACY PSW CACHING
Microsoft reported a vulnerability in its Windows 9x OSs (excluding Win9x Second Edition) caused by a legacy mechanism for caching network security credentials. The vulnerability could let an intruder retrieve a user's plaintext network password from the cache. According to the company bulletin, "Windows for Workgroups(r) provided a RAM-based caching mechanism that cached the user's plaintext network credentials for use by real-mode command-line networking utilities." Developers carried over part of the mechanism to Windows 9x, thereby introducing the vulnerability. Microsoft has released a FAQ, Support Online article, and patches for both OSs.
http://www.ntsecurity.net/go/load.asp?iD=/security/pswcaching.htm
http://www.microsoft.com/security/bulletins/MS99-052faq.asp
http://support.microsoft.com/support/kb/articles/q168/1/15.asp

* IE 5.0 TASK SCHEDULER ELEVATES PRIVILEGES
Arne Vidstrom and Svante Sennmark reported a problem with Windows NT systems that have Internet Explorer (IE) 5.0 installed. The problem affects NT's Task Scheduler service. According to their report, "This vulnerability makes it possible for a User to become a member of the Administrators group if he or she can do an interactive logon. The Task Scheduler service is an improved version of the Schedule service--they are not the same thing. The Schedule service is replaced by the Task Scheduler when Internet Explorer 5 is installed on Windows NT." Microsoft has released a FAQ, Support Online article, and an updated version of IE 5.01.
http://www.ntsecurity.net/go/load.asp?iD=/security/tasksched.htm
http://www.microsoft.com/security/bulletins/MS99-051faq.asp

* MAIL-GEAR ALLOWS DIRECTORY TRAVERSAL
Symantec's Mail-Gear has a Web-based administration service that listens on port 8003.
The service is vulnerable to directory traversal using specific URL patterns. By using a syntax that contains a particular series of dots and backslashes (..\), an intruder can view file contents. Symantec has corrected the problem in its new Mail-Gear 1.1.
http://www.ntsecurity.net/go/load.asp?iD=/security/mailgear1.htm
http://www.symantec.com/urlabs/public/download/download.html

* BISONWARE FTP SERVER SUBJECT TO DENIAL OF SERVICE
USSRLabs discovered a denial of service (DoS) condition in BisonWare FTP Server 3.5. The problems are the result of buffer overflow conditions within the program code. The problem affects the login sequence. By sending a very long user name of 2000 characters, an intruder can crash the service. BisonWare is aware of the problem; however, no fix was available at the time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/bison1.htm
http://ourworld.compuserve.com/homepages/nick_barnes/ftpserve.htm

* WORLDCLIENT SERVER SUBJECT TO DENIAL OF SERVICE
USSRLabs discovered several denial of service (DoS) conditions in Deerfield.com's WorldClient Server 2.0.0.0. The problems are the result of buffer overflow conditions within the program code. The problem affects the WorldClient service on port 2000. By sending a very long URL to the service listening on the port, an intruder can crash the service, thereby denying service to valid users. USSRLabs notified Deerfield.com about this problem, but the response is unknown at this time.
http://www.ntsecurity.net/go/load.asp?iD=/security/worldc1.htm
http://mdaemon.deefield.com/

3. ========== ANNOUNCEMENTS ==========

* ANSWERS TO NT FREQUENTLY ASKED QUESTIONS
Check out this technically rich FAQ site: http://www.jsiinc.com/reghack.htm. Established by Jerold Schulman, it includes more than 1800 fully searchable Windows NT tips, techniques, and Registry hacks. With new listings added daily, it is a superior resource from one of the sharpest minds in the industry.

* WINDOWS NT MAGAZINE LAUNCHES ASP EMAIL NEWSLETTER
Stay current with the latest industry news and trends of the exciting new Application Service Provider (ASP) marketplace with ASP UPDATE, a free bi-weekly email newsletter. With coverage of industry players, available and emerging technologies, and tips on how to evaluate service providers, ASP UPDATE is a must-read for IT and business professionals who want to stay at the forefront of their business. Enter your FREE subscription now at http://www.winntmag.com/sub.cfm?code=UP99INLUP.

* NEW RESOURCE: ECOMSEC - AN E-COMMERCE SECURITY MAILING LIST
NTSecurity.net's new eComSec is an open forum operated via a moderated mailing list. The forum promotes the open discussion of security as it pertains to e-commerce on Windows-based networks. The premise of the new mailing list is to both spread and locate secure e-commerce know-how in a rapid fashion. With more companies beginning to supplement traditional sales channels via e-commerce on the Internet, the need to learn and share secure e-commerce practices and technologies is becoming more important.

For complete details on the new mailing list, be sure to read the FAQ. To subscribe, send "subscribe ecomsec anonymous" to listserv@listserv.ntsecurity.net. Or if you prefer, you can sign up for eComSec and any of our other security-related publications at the URL listed below.
http://www.ntsecurity.net/go/load.asp?id=/security/subscribe-ntsd1.htm
http://www.ntsecurity.net/go/load.asp?id=/security/ecomsec-faq.htm

* SECURITY POLL: WILL YOU TAKE ANY SECURITY TRAINING IN THE NEAR FUTURE?
We asked users in a previous poll if they'd taken any security training in the past. The results were interesting, so we're conducting another poll asking users about their plans for security training in the future. Those results will be equally interesting. To view the survey results, visit the URL below.
http://www.ntsecurity.net/go/2c.asp?f=/polls.asp?idf=108&tb=p

4. ========== SECURITY ROUNDUP ==========

* NEWS: CRYPTO ADVOCATE UNDER FBI INVESTIGATION
We recently published a story regarding cryptography and IPv6, where someone at the Department of Justice (DOJ) accused Scott Bradner, an Internet Engineering Task Force (IETF) area coordinator, of an anti-social act by trying to get encryption inserted into the new protocol. Later, at an IETF meeting where members voted for IPv6 encryption inclusion, Fore Systems' Brian Rosen brazenly claimed that Fore Systems would include back doors into any included encryption technology.

But the harassment of the IETF doesn't stop there. Just how far will our federal government go toward controlling strong encryption? Apparently very far. We recently learned that the federal government has investigated William Allen Simpson, a Detroit-based computer consultant who was on the IETF staff, for treason charges related to his pro-cryptography stance.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=186&TB=news
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=167&TB=news
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=177&TB=news

* NEWS: ASIO GAINS RIGHT TO TAP PRIVATE COMPUTERS
Australian Parliament has passed new laws that permit the Australian Security Intelligence Organization (ASIO--equivalent of the CIA) to tap the computers of private users. Not only can ASIO tap anyone's system, but the new laws also let ASIO alter, add, or delete private data if that action is necessary to gain any required access to a person's computer. The new Amendment passed on November 25, 1999; the vote was originally set for May. The ASIO act had remained unchanged since 1979, and more than one member of Parliament complained that the new bill was rushed through too fast.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=184&TB=news
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=177&TB=news

~~~~ SPONSOR: BINDVIEW CORPORATION ~~~~
BindView provides IT risk management solutions for managing the security and configuration of networks and the services and applications that run on them. Register now for BindView's free educational security Webinar entitled, "Trust No One - Successfully Defending Your Network," presented by the leader of BindView's worldwide team of security experts, Scott Blake. This timely presentation will be shown live at 4:00 p.m. EST on Tuesday, December 14, 1999. Click here to register:
http://webevents.broadcast.com/bindview/intropage1299/

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* Y2K INTERNET SECURITY BUNDLE
Trend Micro announced InterScan 2000 Suite, a specially priced Y2K Internet content security product bundle with 24x7 access to support engineers leading up to and beyond the new year. The bundle includes InterScan VirusWall 3.3 to protect against viruses traveling the Web, email, and FTP traffic; InterScan eManager 3.1 to delay or block delivery of unsolicited commercial email (UCE), greeting cards, and holiday offers that reduce bandwidth use; and InterScan Y2K Scanner 3.3 to scan inbound and outbound email attachments for potential Y2K problems within data files.

Customer support includes 24x7 email, online chat, and telephone support. You'll also be proactively notified by email or pager of significant virus outbreaks. InterScan 2000 Suite runs on Windows NT systems. For pricing information, contact Trend Micro, 800-228-5651.
http://www.antivirus.com

* COMPACT FINGERPRINT READER
Precise Biometrics released Precise 100A, the world's smallest fingerprint reader for user identification, so you don't have to remember any more passwords. The reader is small enough to be placed next to a PC.
A silicon sensor recognizes the fingerprint in less than 1 second and stores an encrypted 3D image of the fingerprint on the hard disk. Intruders can't recreate a fingerprint image from the stored information. Precise 100A works on Windows NT systems. For pricing information, contact Precise Biometrics, mo@precisebiometrics.com.
http://www.precisebiometrics.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* KFORCE.COM
Afraid of getting lost on another job board? Real results by real people at kforce.com. Resumes read by 2,300 Career Specialists, Confidential Searching, and a Career Development Coach! Click on ***kforce.com*** where opportunity has a new address.
http://ad.doubleclick.net/clk;629716;3578931;w?http://www.kforce.com

* NETWORK-1 SECURITY SOLUTIONS - EMBEDDED NT FIREWALLS
CyberwallPLUS-SV is the first embedded firewall for NT servers. It secures valuable servers with network access controls and intrusion prevention. Visit to register for a free trip to SANS Security '99 in San Francisco.

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: WEB SECURITY SOURCEBOOK
By Aviel D. Rubin, Dan Geer, and Marcus Ranum
Online Price: $23.95
Softcover; 350 pages
Published by John Wiley, June 1997

The Web has made it easier to transfer information around the world. Unfortunately, the Internet has also made it harder to keep that information secure. This book shows Web masters, Web managers, and Web designers the hands-on programming techniques necessary to build secure Web sites. Readers will learn how to secure the server, use firewalls and cryptography, write secure Java applets and CGI scripts, and more.

For Windows NT Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WINNTMAG in the referral field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/047118148X?from=SUT864.

* TIP: BLOCKING RPC SERVICE ACCESS AND A CORRECTION
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

Last week I published a tip regarding ways to block NetBIOS access to a given machine. Several readers wrote to point out that you can accomplish similar goals by unbinding NetBIOS from any Internet-exposed network adapters. Additionally, several readers wrote to inform me that I had introduced an error into last week's tip: port 135 (Remote Procedure Call--RPC) is not related to NetBIOS traffic, so please disregard mention of that port when examining and employing last week's tip.

And, I received an email from a reader that serves as a good example of how to block access to RPC services. By using Windows NT's built-in TCP/IP security features, you can block access to RPC services, which present a risk when exposed to Internet traffic. RPC listens on TCP and UDP ports 135. In addition, keep in mind that RPC also uses dynamic ports above 1023.

To stop connections to RPC services through technology such as DCOM, enable NT's TCP/IP security, and don't provide access to those ports. Keep in mind that using NT's TCP/IP security is very cumbersome because the interface requires that you define allowed ports rather than denied ports. But as any seasoned security practitioner will admit, the best policy is to deny all access and then only allow access to desired services.

And since I mentioned DCOM, be sure to check out the DCOMCNFG.EXE utility on Windows NT. The utility serves as a GUI-based interface to other DCOM-related Registry settings, including security settings you might want to inspect.

* HOW TO: A WINDOWS 2000 POST-INSTALLATION CHECKLIST
Zubair Ahmad offers a great Web Exclusive how-to article regarding Windows 2000 (Win2K) installations. In the article, Zubair writes, "After I install Windows 2000 Server (Win2K Server) or Windows 2000 Professional (Win2K Pro), I like to make several minor configuration changes before I do anything else.
For example, it really bugs me when I can't see hidden files in Windows Explorer. (In case you didn't notice, Windows Explorer has moved to Start, Programs, Accessories.) I'm sure you have your own list of changes you'd like to make. This week, I'll share some of the default settings that I change on my Win2K computers. My list changes a bit, depending on whether I'm working on my computer or a customer's. I don't necessarily make these changes in the order I've listed them." To read the rest of Zubair's checklist article, be sure to visit the URL below.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=114&TB=howto

* HOW TO: TESTING YOUR EXCHANGE SERVER FOR Y2K READINESS
Thanksgiving is a time to be thankful--thankful that you're not at work keeping your Exchange Server deployment running. We're getting closer to that magical time--12:01 A.M., January 1, 2000. Do you know how your Exchange server is going to act? Read the full Web Exclusive story by Jerry Cochran.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=113&TB=howto

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows NT Magazine online forums (http://www.winntmag.com/support).

November 23, 1999, 11:58 A.M.
Security Over Deleted Files
We are trying to get some stats on the security over deleted files in NT4. The question is, when a file gets deleted, how long does it exist for before it gets written over, and how long before any of these file recovery programs are unable to retrieve the deleted files?

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=79402

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. NTInfoScan Has Been Updated
http://www.ntsecurity.net/go/L.asp?A2=IND9911E&L=WIN2KSECADVICE&P=237
2. Oracle Web Listener
http://www.ntsecurity.net/go/L.asp?A2=IND9911E&L=WIN2KSECADVICE&P=374

Follow this link to read all threads for Nov. Week 5:
http://www.ntsecurity.net/go/l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the "HowTo for Security" mailing list. The following threads are in the spotlight this week:

1. Viruses and Y2K
http://www.ntsecurity.net/go/L.asp?A2=IND9911D&L=HOWTO&P=2168
2. Username Problem for C$ Share
http://www.ntsecurity.net/go/L.asp?A2=IND9911D&L=HOWTO&P=1953
3. Administrator Password
http://www.ntsecurity.net/go/L.asp?A2=IND9911D&L=HOWTO&P=3156

Follow this link to read all threads for Nov. Week 5:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved - Carolyn Mascarenas (products@winntmag.com)
Security Shareware - Jonathan Chau (jjc@winntmag.com)
Editor-at-Large - Jane Morrill (jane@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE.

To subscribe, go to http://www.winntmag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.winntmag.com/sub.cfm?code=up99inxsup.

Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 1999, Windows NT Magazine

Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html