[ISN] Windows & .NET Magazine Security UPDATE--New Exploits--April
28, 2004
InfoSec News
isn at c4i.org
Fri Apr 30 03:32:02 EDT 2004
====================
==== This Issue Sponsored By ====
Postini Preemptive Email Protection
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHea0Am
Windows Scripting Solutions
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BFyu0AQ
====================
1. In Focus: New Exploits and a New Security Toolkit
2. Security News and Features
- Recent Security Vulnerabilities
- News: Remote Root Exploit Against IIS Servers
- News: TCP Vulnerabilities
- Feature: Exchange Server SMTP AUTH Attacks
3. Security Toolkit
- FAQ
- Featured Thread
4. New and Improved
- Secure Your Passwords
====================
==== Sponsor: Postini Preemptive Email Protection ====
Free Whitepaper: Top 10 Reports for Email Admins
This paper will show you the top ten reports every email
administrator really shouldn't live without including, dashboard views
of inbound email activity, SMTP connection, and delivery monitoring,
as well as outbound email and content. Assuring comprehensive email
security and management for your enterprise requires real-time
monitoring and detailed, flexible reporting. Postini provides an
award-winning web console "dashboard" that helps email administrators
manage their email protection more effectively and efficiently with a
host of monitoring and trending reports. Reports show inbound spam by
domain and recipient, as well as viruses by name and overall traffic
by domain and recipient.
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHea0Am
====================
==== 1. In Focus: New Exploits and a New Security Toolkit ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net
One of the security patches that Microsoft released in the Microsoft
Security Bulletin MS04-011 on April 13 fixes a serious problem in the
Private Communications Technology (PCT) protocol, which is part of
Microsoft's Secure Sockets Layer (SSL) implementation. If you haven't
patched your production systems yet, consider doing so immediately
because exploits have already been released that can provide remote
access to an intruder. So your unpatched systems are sitting ducks.
http://www.winnetmag.com/article/articleid/42438/42438.html
If you can't load the patch for some reason, consider disabling PCT,
which you can do by adjusting a particular registry key. For more
information about disabling PCT, see "Information about code that
attempts to exploit PCT in SSL" at
http://www.microsoft.com/security/incident/pctdisable.asp
You also need to be aware of the recently reported TCP-reset
vulnerability, which affects many devices, including routers. As
you'll learn in the related news story below, exploiting the
vulnerability causes routers to drop connections, including important
border gateway protocol (BGP) sessions. A new Windows-based exploit
tool was recently released, so be sure to check with your router
vendors to determine whether their particular products are affected.
If they are, install the latest updates.
http://www.winnetmag.com/article/articleid/42437/42437.html
You should ensure your Intrusion Detection System (IDS) has the most
recent rules and signatures available. For example, new Snort rules
became available on April 25 as I was writing this editorial. So if
you use Snort, be sure to obtain the last rules files.
http://www.snort.org/dl/rules
A New Security Toolkit
I don't think a person can ever have enough security tools. If you
share that opinion, you might want to download a copy of the recently
released version 1.0.4 of Network Security Toolkit (NST), which is the
creation of Paul Blankenbaker and Ron Henderson.
NST is available on a bootable CD-ROM or is downloadable as an
International Organization for Standardization (ISO) image and is
based on Red Hat Linux 9.0. The CD-ROM contains dozens upon dozens of
tools and, according to the NST Web site, can "transform most x86
systems into a system designed for network traffic analysis, intrusion
detection, network packet generation, a virtual system service server,
or a sophisticated network/host scanner. This can all be done without
disturbing or modifying any underlying sub-system disk. NST can be up
and running on a typical x86 notebook in less than a minute by just
rebooting with the NST ISO CD. The notebook's hard disk will not be
altered in any way."
Head over to the NST Web site and have a look at NST's contents and
capabilities. At the site, you'll also find the link to download the
194MB package.
http://www.networksecuritytoolkit.org/nst/index.html
====================
==== Sponsor: Windows Scripting Solutions ====
Try a Sample Issue of Windows Scripting Solutions
Windows Scripting Solutions is the monthly newsletter from Windows
& .NET Magazine that shows you how to automate time-consuming,
administrative tasks by using our simple downloadable code and
scripting techniques. Sign up for a sample issue right now, and find
out how you can save both time and money. Click here!
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BFyu0AQ
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries
at
http://www.winnetmag.com/departments/departmentid/752/752.html
News: Remote Root Exploit Against IIS Servers
On April 21, a member of the Full Disclosure mailing list posted a
message that revealed the existence of a new tool that can be used to
exploit Microsoft IIS servers. By using Secure Sockets Layer (SSL) to
target unpatched IIS servers, an attacker can cause the server to open
a port that allows remote access to the system.
http://www.winnetmag.com/article/articleid/42438/42438.html
News: TCP Vulnerabilities
US-CERT and the UK National Infrastructure Security Co-ordination
Centre (NISCC) published information about vulnerabilities in the TCP
protocol. The problems can affect a wide array of platforms, including
many types of routers, such as those used to operate the Internet at
top-tier ISPs.
http://www.winnetmag.com/article/articleid/42437/42437.html
Feature: Exchange Server SMTP AUTH Attacks
If you run Microsoft Exchange Server to process incoming Internet
email, spammers might be using your mail server as a relay, even
though your server isn't an open relay. How is this possible? Spammers
authenticate to your email server, then use your server to send mail.
Alan Sugano outlines how you can determine whether someone is using
your system as a mail relay, how to close the hole, and how to test
the measures you've taken to prevent such attacks in an article at the
first URL below. Paul Robichaux wrote about the attack last fall in
the article at the second URL below.
http://www.winnetmag.com/article/articleid/42406/42406.html
http://www.winnetmag.com/article/articleid/40507/40507.html
====================
==== Announcements ====
(from Windows & .NET Magazine and its partners)
Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're
missing out on key information that will go a long way towards
preventing serious messaging problems and downtime. Request a sample
issue today, and discover tools you won't find anywhere else to help
you migrate, optimize, administer, and secure Exchange and Outlook.
Order now!
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BEf10Aw
Discover the Basics of Active Directory Fundamentals
In this free Web seminar, we'll look at the logical concepts as
they relate to domain, trees, and forests and the physical concepts of
domain controllers and sites. We'll also explain the relationship
between Active Directory and the Domain Naming Service, as well as
cover some operation functions. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHb40Ay
SQL Web Seminar--Tactics for Protecting Microsoft SQL Server
It is crucial to protect Microsoft SQL Server from outside forces,
including weather, user error, or system outage, that can jeopardize
application and associated data. Register now for a free, 1-hour Web
seminar on May 4 and learn about the solutions associated with
protecting SQL Server. Register now and receive a free evaluation
version of Double-Take and a free white paper titled, "Protecting Your
Microsoft SQL Server DataSign."
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BG8V0Ap
====================
==== Hot Release ====
Symantec
Free White Paper: "Enterprise Systems and Storage Management
Convergence using File Systems Virtualization"
Download this free technical white paper now, courtesy of Symantec
and Windows & .NET Magazine's White Paper Central:
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHfW0Ad
====================
==== 3. Security Toolkit ====
FAQ: Controlling Access to IISADMPWD
by John Savill, http://www.winnetmag.com/windowsnt20002003faq
Q: How can I control access to the IISADMPWD virtual directory?
A. When you use the default IISADMPWD virtual directory to enable a
Web page on which users can change passwords (which I discussed in the
FAQ "Does Windows Server 2003 provide a way to let users change their
passwords remotely on the Web?"), the Microsoft IIS system sends the
user's password information unencrypted over the network, which
creates a security risk. To avoid transmitting unencrypted passwords,
you must enable Secure Sockets Layer (SSL) by following these steps:
1. Start a command prompt by clicking Start, Run and typing
cmd.exe
2. Navigate to the C:\inetpub\adminscripts directory.
3. At the command prompt, type
adsutil.vbs set w3svc/1/PasswordChangeFlags 0
This command runs the adsutil.vbs script with the Set command. The
w3svc/1 parameter specifies the first default Web site. The
PasswordChangeFlags option with the 0 value means that SSL is
required. (Setting the PasswordChangeFlags value to 1 specifies that
SSL isn't used, and setting the value to 2 disables the user's ability
to change the password.)
4. Restart the IIS server to effect the change.
A new tool lets intruders exploit unpatched IIS servers that use SSL
(see the first News item above). Be sure to patch your server.
Featured Thread: BlackBerry Server Behind ISA Server
(One message in this thread)
A reader writes that he needs to set up BlackBerry Server behind a
Microsoft ISA Server firewall. He's having trouble opening the correct
port, which is TCP port 3101. He created a packet filter by selecting
the following properties: IP Protocol: TCP, Direction: Outbound, Local
Port: Fixed Port, Local Port Number 3101, Remote Port: All Ports,
Remote Ports: subdued. It doesn't work, and he wants to know how to
correct the problem. Lend a hand or read the responses:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=119881
====================
==== Events Central ====
(A complete Web and live events directory brought to you by Windows
& .NET Magazine: http://www.winnetmag.com/events )
Sign Up for 2 Great Roadshows About Security and Exchange
Don't miss 2 free roadshow tours covering hot security and Exchange
topics. Learn how to simplify your life with Windows Server 2003 and
Exchange Server 2003 and protect your infrastructure and applications
against security threats. Coming to your city soon. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHb50Az
====================
==== 4. New and Improved ====
by Jason Bovberg, products at winnetmag.com
Secure Your Passwords
TK8 Productions released TK8 Safe, Windows password-management
software that simplifies the safe storage and retrieval of user IDs,
passwords, serial numbers, and other confidential information that Web
sites and software applications require. TK8 Safe stores all of a
user's private information in an encrypted database that's accessible
only by its owner, and the software supports multiple users on the
same computer. TK8 Safe costs $19.95 for a single-user license, and
multiuser discounts are available. For more information, contact TK8
Productions on the Web.
http://www.tk8.com
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot at winnetmag.com.
====================
==== Sponsored Links ====
Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BDWV0AJ
Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BG360AE
Microsoft Security
Knowledge Improves Security. Visit www.securitywhitepaper.com.
http://list.winnetmag.com/cgi-bin3/DM/y/effZ0CJgSH0CBw0BHSy0As
====================
==== Contact Us ====
About the newsletter -- letters at winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products at winnetmag.com
About your subscription -- securityupdate at winnetmag.com
About sponsoring Security UPDATE -- emedia_opps at winnetmag.com
====================
==== Contact Our Sponsors ====
Primary Sponsor:
Postini -- http://www.postini.com
Hot Release Sponsor:
Symantec -- http://www.symantec.com
====================
This email newsletter is brought to you by Windows & .NET Magazine,
the leading publication for IT professionals deploying Windows and
related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z
You received this email message because you asked to receive
additional information about products and services from the Windows &
.NET Magazine Network. To unsubscribe, send an email message to
mailto:Security-UPDATE_Unsub at list.winnetmag.com. Thank you!
View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy
Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.
More information about the ISN
mailing list