**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by

Internet Security Services
http://www.iss.net/mktg/winnt12-1

BindView Corporation
http://webevents.broadcast.com/bindview/intropage1299/
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
December 1, 1999 - In this issue:

1. IN FOCUS
     - Privacy Is NOT a Thing of the Past

2. SECURITY RISKS
     - Windows 9x Legacy Psw Caching
     - IE 5.0 Task Scheduler Elevates Privileges
     - Mail-Gear Allows Directory Traversal
     - BisonWare FTP Server Subject to Denial of Service
     - WorldClient Server Subject to Denial of Service

3. ANNOUNCEMENTS
     - Answers to NT Frequently Asked Questions
     - Windows NT Magazine Launches ASP Email Newsletter
     - New Resource: ECOMSEC - An E-Commerce Security Mailing List
     - Security Poll: Will You Take Any Security Training in the Near Future?

4. SECURITY ROUNDUP
     - News: Crypto Advocate Under FBI Investigation
     - News: ASIO Gains Right to Tap Private Computers

5. NEW AND IMPROVED
     - Y2K Internet Security Bundle
     - Compact Fingerprint Reader

6. HOT RELEASE
     - kforce.com
     - Network-1 Security Solutions - Embedded NT Firewalls

7. SECURITY TOOLKIT
     - Book Highlight: Web Security Sourcebook
     - Tip: Blocking RPC Service Access and a Correction
     - How To: A Windows 2000 Post-Installation Checklist
     - How To: Testing Your Exchange Server for Y2K Readiness

8. HOT THREADS
     - Windows NT Magazine Online Forums:
        * Security Over Deleted Files
     - Win2KSecAdvice Mailing List:
        * NTInfoScan Has Been Updated
        * Oracle Web Listener
     - HowTo Mailing List:
        * Viruses and Y2K
        * Username Problem for C$ Share
        * Administrator Password

~~~~ SPONSOR: INTERNET SECURITY SERVICES ~~~~
Your security tightens. Your e-business expands. Welcome to SAFEsuite.
SAFEsuite from ISS protects sensitive data while you serve sensitive
customers. SAFEsuite monitors, detects, and responds to threats across
your enterprise. It adapts to changing security situations. And it
helps expand your e-business by giving suppliers and customers wider
access. For our free E-Commerce Security White Paper, visit:
http://www.iss.net/mktg/winnt12-1

1. ========== IN FOCUS ==========

Hello everyone,

Our privacy is continuously under attack. But if you believe Sun
Microsystems' CEO and President, Scott McNealy, our privacy has been
long gone anyway. McNealy made that comment last year, and although in
some ways that statement is true, to hold that blanket statement out as
all-inclusive is incredibly short-sighted. I don't know about McNealy,
but I have no trouble enjoying many private aspects to my life, and I
intend to keep it that way.
   Nonetheless, corporate America and corporations in other countries
are in direct control of much of our privacy. And that
privacy is being chipped away bit by bit. The bigger the company, the
more serious the privacy invasion can become. Take America Online
(AOL), for example. AOL provides Internet service to millions of people
around the world. AOL knows your every move on the net because it
tracks that information as you surf using its service.
   Tracking that data is not so bad; it's what the company does with
the information that bothers me. As you know, AOL's privacy policy is
under attack from industry critics. And as you might also know, AOL
users must complete an Opt Out form to keep their private information
private. AOL instituted the controversial privacy policy last year.
   Under the service policy, AOL users must fill out the privacy form
every year if they expect to maintain control of their private
information. AOL rudely makes the assumption that if a person doesn't
fill out the form, they thereby agree to let AOL share their name,
address, Web surfing and electronic buying habits, and other private
data with other companies at AOL's discretion.
   Privacy advocates (myself included) see AOL's approach as far less
than ethical. We think that companies should bear the burden of
receiving proof that they can distribute a person's private
information. David Sobel, attorney for the privacy advocacy group
Electronic Privacy Information Center (EPIC), called AOL's approach to
privacy appalling. But Sobel isn't surprised. And neither am I.
   The bottom line is that companies make millions of dollars every
year by selling your private information. And in the case of AOL, users
actually pay for that exposure by subscribing to AOL's services. That
approach just doesn't make sense unless you're OK with having your
name, private information, and personal habits plastered all over the
world at your expense.
   With so many ISPs providing adequate net access complete with
roaming features, a person shouldn't have to tolerate the type of
actions AOL takes. Why should a person have to opt out of information
sharing? Why can't AOL reverse the default assumption in its policy?
Maybe AOL's policy is merely a smokescreen to pacify the masses. The
policy clearly benefits AOL, not the consumer.
   So how long will it take for other major companies to follow AOL?
Are other companies willing to risk their reputation over privacy
concerns? It's up to you, the consumer, to let companies know how you
feel about their privacy practices. And as you know, often the best way
to get a company's attention is by tugging on its purse strings. You
get the picture. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

* WINDOWS 9x LEGACY PSW CACHING
Microsoft reported a vulnerability in its Windows 9x OSs (excluding
Win9x Second Edition) caused by a legacy mechanism for caching network
security credentials. The vulnerability could let an intruder retrieve
a user's plaintext network password from the cache.
   According to the company bulletin, "Windows for Workgroups(r)
provided a RAM-based caching mechanism that cached the user's plaintext
network credentials for use by real-mode command-line networking
utilities." Developers carried over part of the mechanism to Windows
9x, thereby introducing the vulnerability. Microsoft has released a
FAQ, Support Online article, and patches for both OSs.
   http://www.ntsecurity.net/go/load.asp?iD=/security/pswcaching.htm
   http://www.microsoft.com/security/bulletins/MS99-052faq.asp
   http://support.microsoft.com/support/kb/articles/q168/1/15.asp

* IE 5.0 TASK SCHEDULER ELEVATES PRIVILEGES
Arne Vidstrom and Svante Sennmark reported a problem with Windows NT
systems that have Internet Explorer (IE) 5.0 installed. The problem
affects NT's Task Scheduler service. According to their report, "This
vulnerability makes it possible for a User to become a member of the
Administrators group if he or she can do an interactive logon. The Task
Scheduler service is an improved version of the Schedule service--they
are not the same thing. The Schedule service is replaced by the Task
Scheduler when Internet Explorer 5 is installed on Windows NT."
   Microsoft has released a FAQ, Support Online article, and an updated
version of IE 5.01.
   http://www.ntsecurity.net/go/load.asp?iD=/security/tasksched.htm
   http://www.microsoft.com/security/bulletins/MS99-051faq.asp

* MAIL-GEAR ALLOWS DIRECTORY TRAVERSAL
Symantec's Mail-Gear has a Web-based administration service that
listens on port 8003. The service is vulnerable to directory traversal
using specific URL patterns. By using a syntax that contains a
particular series of dots and backslashes (..\), an intruder can view
file contents. Symantec has corrected the problem in its new Mail-Gear
1.1.
   http://www.ntsecurity.net/go/load.asp?iD=/security/mailgear1.htm
   http://www.symantec.com/urlabs/public/download/download.html
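
Added example (not from the newsletter or from Symantec, and not Mail-Gear's code): a generic illustration of why a filter that looks only for "../" misses the backslash form described above, beside a resolver that treats both separators alike and confirms the normalized result stays under the document root. DOC_ROOT, the function names, and the sample request paths are hypothetical.

```python
import ntpath
from urllib.parse import unquote

# Hypothetical document root for a Windows-hosted web admin service.
DOC_ROOT = r"C:\webadmin\docs"


def naive_resolve(url_path):
    """Flawed: rejects only the forward-slash form of a parent reference."""
    if "../" in url_path:
        return None
    # ntpath treats "\" and "/" as separators, as Windows file APIs do,
    # so a "..\" segment still climbs out of DOC_ROOT here.
    return ntpath.normpath(ntpath.join(DOC_ROOT, url_path.lstrip("/")))


def safe_resolve(url_path):
    """Map a request path to a file under DOC_ROOT, or return None."""
    decoded = unquote(url_path)            # handles %2e%2e%5c and similar
    if "\x00" in decoded:
        return None
    # Treat both separators alike and make the path relative.
    rel = decoded.replace("/", "\\").lstrip("\\")
    # No drive letters or alternate data streams in a request path.
    if ":" in rel:
        return None
    candidate = ntpath.normpath(ntpath.join(DOC_ROOT, rel))
    # Containment is decided on the normalized result, component by
    # component, so "docs-private" is not mistaken for "docs".
    try:
        common = ntpath.commonpath([DOC_ROOT, candidate])
    except ValueError:                     # different drive or root
        return None
    if ntpath.normcase(common) != ntpath.normcase(DOC_ROOT):
        return None
    return candidate


# Constructed request paths, not taken from any advisory.
SAMPLES = [
    "/help/index.htm",
    "/../outside.txt",
    "/..\\..\\outside.txt",
    "/%2e%2e%5c%2e%2e%5coutside.txt",
    "/..\\docs-private\\notes.txt",
]


def compare(samples=SAMPLES):
    """Return (path, naive result, safe result) for each sample."""
    return [(p, naive_resolve(p), safe_resolve(p)) for p in samples]


if __name__ == "__main__":
    for path, naive, safe in compare():
        print(f"{path!r:40} naive={naive!r} safe={safe!r}")
```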

* BISONWARE FTP SERVER SUBJECT TO DENIAL OF SERVICE
USSRLabs discovered a denial of service (DoS) condition in BisonWare
FTP Server 3.5. The problem is the result of buffer overflow conditions
within the program code and affects the login sequence. By sending a
very long user name of 2000 characters, an
intruder can crash the service. BisonWare is aware of the problem;
however, no fix was available at the time of this writing.
   http://www.ntsecurity.net/go/load.asp?iD=/security/bison1.htm
   http://ourworld.compuserve.com/homepages/nick_barnes/ftpserve.htm

* WORLDCLIENT SERVER SUBJECT TO DENIAL OF SERVICE
USSRLabs discovered several denial of service (DoS) conditions in
Deerfield.com's WorldClient Server 2.0.0.0. The problems are the result
of buffer overflow conditions within the program code and affect the
WorldClient service on port 2000. By sending a very long
URL to the service listening on the port, an intruder can crash the
service, thereby denying service to valid users. USSRLabs notified
Deerfield.com about this problem, but the response is unknown at this
time.
   http://www.ntsecurity.net/go/load.asp?iD=/security/worldc1.htm
   http://mdaemon.deefield.com/

3. ========== ANNOUNCEMENTS ==========

* ANSWERS TO NT FREQUENTLY ASKED QUESTIONS
Check out this technically rich FAQ site:
http://www.jsiinc.com/reghack.htm. Established by Jerold Schulman, it
includes more than 1800 fully searchable Windows NT tips, techniques,
and Registry hacks. With new listings added daily, it is a superior
resource from one of the sharpest minds in the industry.

* WINDOWS NT MAGAZINE LAUNCHES ASP EMAIL NEWSLETTER
Stay current with the latest industry news and trends of the exciting
new Application Service Provider (ASP) marketplace with ASP UPDATE, a
free bi-weekly email newsletter. With coverage of industry players,
available and emerging technologies, and tips on how to evaluate
service providers, ASP UPDATE is a must-read for IT and business
professionals who want to stay at the forefront of their business.
Enter your FREE subscription now at
http://www.winntmag.com/sub.cfm?code=UP99INLUP.

* NEW RESOURCE: ECOMSEC - AN E-COMMERCE SECURITY MAILING LIST
NTSecurity.net's new eComSec is an open forum operated via a moderated
mailing list. The forum promotes the open discussion of security as it
pertains to e-commerce on Windows-based networks. The premise of the
new mailing list is to both spread and locate secure e-commerce
know-how in a rapid fashion. With more companies beginning to supplement
traditional sales channels via e-commerce on the Internet, the need to
learn and share secure e-commerce practices and technologies is
becoming more important.
   For complete details on the new mailing list, be sure to read the
FAQ. To subscribe, send "subscribe ecomsec anonymous" to
listserv@listserv.ntsecurity.net. Or if you prefer, you can sign up for
eComSec and any of our other security-related publications at the URL
listed below.
   http://www.ntsecurity.net/go/load.asp?id=/security/subscribe-ntsd1.htm
   http://www.ntsecurity.net/go/load.asp?id=/security/ecomsec-faq.htm

* SECURITY POLL: WILL YOU TAKE ANY SECURITY TRAINING IN THE NEAR FUTURE?
We asked users in a previous poll if they'd taken any security training
in the past. The results were interesting, so we're conducting another
poll asking users about their plans for security training in the
future. Those results will be equally interesting. To view the survey
results, visit the URL below.
   http://www.ntsecurity.net/go/2c.asp?f=/polls.asp?idf=108&tb=p

4. ========== SECURITY ROUNDUP ==========

* NEWS: CRYPTO ADVOCATE UNDER FBI INVESTIGATION
We recently published a story regarding cryptography and IPv6, where
someone at the Department of Justice (DOJ) accused Scott Bradner, an
Internet Engineering Task Force (IETF) area coordinator, of an
anti-social act by trying to get encryption inserted into the new protocol.
Later, at an IETF meeting where members voted for IPv6 encryption
inclusion, Fore Systems' Brian Rosen brazenly claimed that Fore Systems
would include back doors into any included encryption technology. But
the harassment of the IETF doesn't stop there.
   Just how far will our federal government go toward controlling
strong encryption? Apparently very far. We recently learned that the
federal government has investigated William Allen Simpson, a
Detroit-based computer consultant who was on the IETF staff, for treason
charges related to his pro-cryptography stance.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=186&TB=news
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=167&TB=news
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=177&TB=news

* NEWS: ASIO GAINS RIGHT TO TAP PRIVATE COMPUTERS
Australian Parliament has passed new laws that permit the Australian
Security Intelligence Organization (ASIO--equivalent of the CIA) to tap
the computers of private users. Not only can ASIO tap anyone's system,
but the new laws also let ASIO alter, add, or delete private data if
that action is necessary to gain any required access to a person's
computer.
   The new Amendment passed on November 25, 1999; the vote was
originally set for May. The ASIO act had remained unchanged since 1979,
and more than one member of Parliament complained that the new bill was
rushed through too fast.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=184&TB=news
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=177&TB=news

~~~~ SPONSOR: BINDVIEW CORPORATION ~~~~
BindView provides IT risk management solutions for managing the
security and configuration of networks and the services and
applications that run on them.
Register now for BindView's free educational security Webinar entitled,
"Trust No One - Successfully Defending Your Network," presented by the
leader of BindView's worldwide team of security experts, Scott Blake.
This timely presentation will be shown live at 4:00 p.m. EST on
Tuesday, December 14, 1999. Click here to register:
http://webevents.broadcast.com/bindview/intropage1299/

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* Y2K INTERNET SECURITY BUNDLE
Trend Micro announced InterScan 2000 Suite, a specially priced Y2K
Internet content security product bundle with 24x7 access to support
engineers leading up to and beyond the new year. The bundle includes
InterScan VirusWall 3.3 to protect against viruses traveling the Web,
email, and FTP traffic; InterScan eManager 3.1 to delay or block
delivery of unsolicited commercial email (UCE), greeting cards, and
holiday offers that reduce bandwidth use; and InterScan Y2K Scanner 3.3
to scan inbound and outbound email attachments for potential Y2K
problems within data files. Customer support includes 24x7 email,
online chat, and telephone support. You'll also be proactively notified
by email or pager of significant virus outbreaks.
   InterScan 2000 Suite runs on Windows NT systems. For pricing
information, contact Trend Micro, 800-228-5651.
   http://www.antivirus.com

* COMPACT FINGERPRINT READER
Precise Biometrics released Precise 100A, the world's smallest
fingerprint reader for user identification, so you don't have to
remember any more passwords. The reader is small enough to be placed
next to a PC. A silicon sensor recognizes the fingerprint in less than
1 second and stores an encrypted 3D image of the fingerprint on the
hard disk. Intruders can't recreate a fingerprint image from the stored
information.
   Precise 100A works on Windows NT systems. For pricing information,
contact Precise Biometrics, mo@precisebiometrics.com.
   http://www.precisebiometrics.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* KFORCE.COM
Afraid of getting lost on another job board? Real results by real
people at kforce.com. Resumes read by 2,300 Career Specialists,
Confidential Searching, and a Career Development Coach! Click on
***kforce.com*** where opportunity has a new address.
   http://ad.doubleclick.net/clk;629716;3578931;w?http://www.kforce.com

* NETWORK-1 SECURITY SOLUTIONS - EMBEDDED NT FIREWALLS
CyberwallPLUS-SV is the first embedded firewall for NT servers.  It
secures valuable servers with network access controls and intrusion
prevention.  Visit <http://www.network-1.com/eval/eval6992.htm> to
register for a free trip to SANS Security '99 in San Francisco.

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: WEB SECURITY SOURCEBOOK
By Aviel D. Rubin, Dan Geer, and Marcus Ranum
Online Price: $23.95
Softcover; 350 pages
Published by John Wiley, June 1997

The Web has made it easier to transfer information around the world.
Unfortunately, the Internet has also made it harder to keep that
information secure. This book shows Web masters, Web managers, and Web
designers the hands-on programming techniques necessary to build secure
Web sites. Readers will learn how to secure the server, use firewalls
and cryptography, write secure Java applets and CGI scripts, and more.

For Windows NT Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing WINNTMAG in the
referral field on the Shopping Basket Checkout page. To order this
book, go to http://www.fatbrain.com/shop/info/047118148X?from=SUT864.

* TIP: BLOCKING RPC SERVICE ACCESS AND A CORRECTION
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

Last week I published a tip regarding ways to block NetBIOS access to a
given machine. Several readers wrote to point out that you can
accomplish similar goals by unbinding NetBIOS from any Internet-exposed
network adapters.
   Additionally, several readers wrote to inform me that I had
introduced an error into last week's tip: port 135 (Remote Procedure
Call--RPC) is not related to NetBIOS traffic, so please disregard
mention of that port when examining and employing last week's tip.
   And, I received an email from a reader that serves as a good example
of how to block access to RPC services. By using Windows NT's built-in
TCP/IP security features, you can block access to RPC services, which
present a risk when exposed to Internet traffic. RPC listens on TCP and
UDP port 135. In addition, keep in mind that RPC also uses dynamic
ports above 1023. To stop connections to RPC services through
technology such as DCOM, enable NT's TCP/IP security, and don't provide
access to those ports.
   Keep in mind that using NT's TCP/IP security is very cumbersome
because the interface requires that you define allowed ports rather
than denied ports. But as any seasoned security practitioner will
admit, the best policy is to deny all access and then only allow access
to desired services.
   And since I mentioned DCOM, be sure to check out the DCOMCNFG.EXE
utility on Windows NT. The utility serves as a GUI-based interface to
other DCOM-related Registry settings, including security settings you
might want to inspect.

* HOW TO: A WINDOWS 2000 POST-INSTALLATION CHECKLIST
Zubair Ahmad offers a great Web Exclusive how-to article regarding
Windows 2000 (Win2K) installations. In the article, Zubair writes,
"After I install Windows 2000 Server (Win2K Server) or Windows 2000
Professional (Win2K Pro), I like to make several minor configuration
changes before I do anything else. For example, it really bugs me when
I can't see hidden files in Windows Explorer. (In case you didn't
notice, Windows Explorer has moved to Start, Programs, Accessories.)
I'm sure you have your own list of changes you'd like to make.
   This week, I'll share some of the default settings that I change on
my Win2K computers. My list changes a bit, depending on whether I'm
working on my computer or a customer's. I don't necessarily make these
changes in the order I've listed them." To read the rest of Zubair's
checklist article, be sure to visit the URL below.
   http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=114&TB=howto

* HOW TO: TESTING YOUR EXCHANGE SERVER FOR Y2K READINESS
Thanksgiving is a time to be thankful--thankful that you're not at work
keeping your Exchange Server deployment running. We're getting closer
to that magical time--12:01 A.M., January 1, 2000. Do you know how your
Exchange server is going to act? Read the full Web Exclusive story by
Jerry Cochran.
   http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=113&TB=howto

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
NT Magazine online forums (http://www.winntmag.com/support).

November 23, 1999, 11:58 A.M.
Security Over Deleted Files
We are trying to get some stats on the security over deleted files in
NT4. The question is, when a file gets deleted, how long does it exist
for before it gets written over, and how long before any of these file
recovery programs are unable to retrieve the deleted files?

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=79402

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following threads are in the spotlight
this week:
1. NTInfoScan Has Been Updated
http://www.ntsecurity.net/go/L.asp?A2=IND9911E&L=WIN2KSECADVICE&P=237
2. Oracle Web Listener
http://www.ntsecurity.net/go/L.asp?A2=IND9911E&L=WIN2KSECADVICE&P=374

Follow this link to read all threads for Nov. Week 5:
   http://www.ntsecurity.net/go/l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
"HowTo for Security" mailing list. The following threads are in the
spotlight this week:

1. Viruses and Y2K
http://www.ntsecurity.net/go/L.asp?A2=IND9911D&L=HOWTO&P=2168
2. Username Problem for C$ Share
http://www.ntsecurity.net/go/L.asp?A2=IND9911D&L=HOWTO&P=1953
3. Administrator Password
http://www.ntsecurity.net/go/L.asp?A2=IND9911D&L=HOWTO&P=3156

Follow this link to read all threads for Nov. Week 5:
   http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson
(vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved - Carolyn Mascarenas (products@winntmag.com)
Security Shareware - Jonathan Chau (jjc@winntmag.com)
Editor-at-Large - Jane Morrill (jane@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 1999, Windows NT Magazine


