[prev in list] [next in list] [prev in thread] [next in thread]
List: isn
Subject: [ISN] Security UPDATE, March 27, 2002
From: InfoSec News <isn () c4i ! org>
Date: 2002-03-28 7:06:19
[Download RAW message or body]
********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
http://www.secadministrator.com
********************
~~~~ THIS ISSUE SPONSORED BY ~~~~
Close the Largest Security Hole in Windows 2000/NT
http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0gDZ0AI
VeriSign--The Value of Trust
http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rcb0A7
(below IN FOCUS)
~~~~~~~~~~~~~~~~~~~~
~~~~ SPONSOR: CLOSE THE LARGEST SECURITY HOLE IN WINDOWS 2000/NT ~~~~
After all the security measures taken to make your network
impenetrable, there is one liability that could undermine your entire
operation.
Allowing lax network logon password policies on your network is
like giving a stranger the keys to the front door of your home.
Strict logon password policy is your first line of defense.
Password Bouncer delivers stronger password enforcement than
Win2K/NT, by preventing users from selecting vulnerable passwords
that can be easily guessed or cracked by hackers. Passwords are
screened and validated against a 300,000-word English wordlist and
a 4,000-word proper name wordlist in addition to highly
configurable password rules.
STOP HACKERS TODAY, DOWNLOAD YOUR FREE TRIAL:
http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0gDZ0AI
~~~~~~~~~~~~~~~~~~~~
March 27, 2002--In this issue:
1. IN FOCUS
- Tin Cans and Wireless LANs
2. ANNOUNCEMENTS
- Learn from (or Try to Stump) Top Windows Security Pros
- Protect Your Data. Protect Your Company.
3. SECURITY ROUNDUP
- News: Security Review Delays Crucial .NET Passport Update
- Feature: Securing Your OS
- Feature: WS-License Associates Security Credentials with SOAP
Messages
4. INSTANT POLL
- Results of Previous Poll: Latest Viruses and Prevention
Techniques
- New Instant Poll: Written and Enforced Password Policy
5. SECURITY TOOLKIT
- Virus Center
- FAQ: Do Third-Party Products Based on the Microsoft Virus
Scanning API (VS API) Scan Email at the Gateway Level?
6. NEW AND IMPROVED
- Protect Proprietary Information
- Manage Patches Across Multiple Servers
7. HOT THREAD
- Windows & .NET Magazine Online Forums
- Featured Thread: Security Templates for Win2K
8. CONTACT US
See this section for a list of ways to contact us.
~~~~~~~~~~~~~~~~~~~~
1. ==== IN FOCUS ====
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
* TIN CANS AND WIRELESS LANS
Did you read the recent British Broadcasting Corporation (BBC) news
story about "war-driving"? War-driving is the act of driving around
with an antenna trying to detect unprotected wireless networks, and a
lot of people have been doing just that ever since wireless LAN (WLAN)
equipment made its debut. (See "Hacking with a Pringles tube" at the
URL below.)
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1860000/1860241.stm
The story seems to be an attempt to sensationalize the fact that people
can make their own antennas with readily available parts, such as
standard antenna cable connectors and potato-chip cans, and that those
antennas are more sensitive than run-of-the-mill commercial wireless
antennas. Because the homemade antennas are more sensitive, they're
more capable of finding insecure WLANs that have weaker signals leaking
from their various origin points. In addition, you can orient some
homemade antennas directionally. The antennas not only pick up signals
from and possibly connect to unprotected wireless devices but also help
pinpoint where those unsecured LAN devices are relative to the
antennas' position. Clearly, intruders might use such antennas to
identify and attack companies that don't practice adequate wireless
security.
About a month ago, Gregory Rehm updated his Web site with the latest
"802.11b Homebrew Antenna Shootout" data. When you visit the Web site
(see the URL below), you'll find that reviewers rated several homemade
antennas and one commercial antenna during tests. As it turns out, a
waveguide antenna got the best reception. The particular waveguide
antenna was made from a small piece of copper wire, a standard antenna
cable connector, and a metal can that once held Nalley Big Chunk Beef
Stew. No, I'm not kidding. That combination is all you need to make a
powerful wireless antenna. Constructed from those basic parts, the
waveguide antenna demonstrated a tremendous signal gain over off-the-
shelf commercial antennas.
http://www.turnpoint.net/wireless/has.html
So what does this information mean to security administrators? You can
use an inexpensive homemade antenna to test the signal leakage
parameters of your WLAN and perform leakage tests for others against
their WLANs. In addition, if you have LAN-connectivity problems that
require wireless equipment to span a distance (e.g., between two
buildings), you can build your own antennas and save money. Check out
Rehm's Web site, which provides links to information about a half-dozen
homemade wireless antennas (including plans) and to Web-based
calculators that help you design your own antennas from items such as
empty coffee cans from the company break room.
For background information about WLAN security, be sure to read my
commentary "802.11 Wireless Networks: Is Yours Really Safe?"
http://www.secadministrator.com/articles/index.cfm?articleid=22147
Until next time, have a great week.
Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
~~~~~~~~~~~~~~~~~~~~
~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~
Secure all your Web servers now--with a proven 5-part strategy. The
FREE Server Security Guide shows you how: DEPLOY THE LATEST ENCRYPTION
techniques. DELIVER TRANSPARENT PROTECTION with the strongest security
without disrupting users. Get your FREE Guide now:
http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rcb0A7
~~~~~~~~~~~~~~~~~~~~
2. ==== ANNOUNCEMENTS ====
* LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS
The Windows & .NET Magazine LIVE! event brings together industry
gurus who take security seriously. Topic coverage includes Microsoft
IIS security, deploying public key infrastructure (PKI), designing
Group Policies to enhance security, tips for securing Windows 2000
networks, security pitfalls (and solutions) for your mobile workforce,
and more. Early bird discount expires soon, so register now!
http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rFx0Az
* PROTECT YOUR DATA. PROTECT YOUR COMPANY.
Find out how by attending SECURITY MATTERS at Internet World Spring
2002, April 24 through 26 at the Los Angeles Convention Center, where
it's a matter of YOUR security. Internet World is the largest and
longest-running event for Internet Business technology! Register for
discounted conference packages or FREE exhibit hall admission at (use
priority code T26):
http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rzX0AL
3. ==== SECURITY ROUNDUP ====
* NEWS: SECURITY REVIEW DELAYS CRUCIAL .NET PASSPORT UPDATE
Microsoft has delayed until early 2003 an updated Microsoft .NET
Passport version that the company originally envisioned as the first
public step toward its .NET vision. Originally expected in late 2001
but delayed several times since then, .NET Passport 3.0 will include
the industry-standard Kerberos security standard, possibly paving the
way for competing products to integrate with Microsoft's online
authentication system.
http://www.secadministrator.com/articles/index.cfm?articleid=24534
* FEATURE: SECURING YOUR OS
You probably would agree that transforming an OS into a secure
platform isn't a straightforward task. And this task certainly hasn't
been easy for Microsoft because of its "ease of use" end-user-oriented
OS background. For a while, Microsoft seemed to be searching for the
secure OS Holy Grail. The release of Windows 2000 demonstrated
Microsoft's significant progress in its security journey. In this
article, Jan De Clercq explores how you can make Win2K even more secure
by using the OS's built-in hardening features. He also looks at
Microsoft and third-party security tools. You can apply most of the
tips and tools mentioned in this article to both Win2K servers and
workstations.
http://www.itbuynet.com/pdf/0202-security.pdf
* FEATURE: WS-LICENSE ASSOCIATES SECURITY CREDENTIALS WITH SOAP
MESSAGES
In the March 7, 2002, edition of .NET UPDATE, Christa Anderson
discussed how Web Services Security Language (WS-Security) can make
Simple Object Access Protocol (SOAP) communications more secure. One
aspect of security lies in associating credentials with messages so
that a recipient can identify a message's original sender and determine
what type of key the recipient needs to decrypt the message. WS-
Security defines the credentials header, which is a framework for
including a license with a SOAP message, but doesn't describe the
structure of the license information that the header might contain. The
license structure is the bailiwick of Web Services License Language
(WS-License).
http://www.secadministrator.com/articles/index.cfm?articleid=24533
4. ==== INSTANT POLL ====
* RESULTS OF PREVIOUS POLL: LATEST VIRUSES AND PREVENTION TECHNIQUES
The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "Is
your company proactive in notifying employees about the latest viruses
and prevention techniques?" Here are the results (+/- 2 percent) from
the 302 votes:
- 34% Yes
- 24% Most of the time
- 20% Sometimes
- 22% No
* NEW INSTANT POLL: WRITTEN AND ENFORCED PASSWORD POLICY
The next Instant Poll question is, "Does your organization have a
written and enforced password policy?" Go to the Security Administrator
Channel home page and submit your vote for a) We have a written password
policy, and we enforce it, b) We have a written password policy, but we
don't enforce it, or c) We don't have a written password policy.
http://www.secadministrator.com
5. ==== SECURITY TOOLKIT ====
* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
http://www.secadministrator.com/panda
* FAQ: DO THIRD-PARTY PRODUCTS BASED ON THE MICROSOFT VIRUS-SCANNING
API (VS API) SCAN EMAIL AT THE GATEWAY LEVEL?
( contributed by John Savill, http://www.windows2000faq.com )
A. No. Antivirus products that use VS API don't scan mail at the
perimeter of your network. These products scan only the Information
Store (IS). If you want to establish gateway-level scanning, you must
invest in a gateway antivirus product.
6. ==== NEW AND IMPROVED ====
(contributed by Carolyn Mascarenas, products@winnetmag.com)
* PROTECT PROPRIETARY INFORMATION
Griffin Technologies released SecuriKey, a security system that
protects your company's proprietary information through two-factor
authentication. You plug the SecuriKey USB token into the PC's USB
port, and the system will log you on only if you have the right
password and SecuriKey token. When you remove the key, the accompanying
software senses its absence and automatically locks the computer.
SecuriKey runs on Windows XP and Windows 2000 and costs $50 per seat.
Contact Griffin Technologies at 785-832-1623 or 800-986-6578.
http://www.griftech.com
* MANAGE PATCHES ACROSS MULTIPLE SERVERS
Shavlik Technologies announced Shavlik EnterpriseInspector and
Shavlik HFNetChkPRO AdminSuite, software that helps you scan for
network vulnerabilities and keep software patch updates current.
Shavlik EnterpriseInspector remotely inspects for vulnerabilities in
Microsoft IIS; SQL Server; Windows NT Server 4.0, Terminal Server
Edition (WTS); Outlook; Internet Explorer (IE); and domain controllers
(DCs). Shavlik HFNetChkPRO AdminSuite lets you scan the network so that
you can learn which systems aren't properly protected. Shavlik
EnterpriseInspector costs $3123.75 for up to 50 PCs. Shavlik
HFNetChkPRO AdminSuite costs $1123.75 for up to 50 PCs. Both products
support Windows XP, Windows 2000, NT, SQL Server 2000 and SQL Server
7.0, IIS, and Outlook. Contact Shavlik Technologies at 651-426-6624 or
800-690-6911.
http://www.shavlik.com
7. ==== HOT THREAD ====
* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums
Featured Thread: Security Templates for Win2K
(Four messages in this thread)
A user wants to know where he can find security-related templates for
Windows 2000 that help define items such as which services to disable
and which user rights and permissions to set. In particular, he wonders
whether there is a template to build and secure a Microsoft IIS server
on Win2K. Can you help?
http://www.secadministrator.com/forums/thread.cfm?thread_id=98670
8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT IN FOCUS -- mark@ntsecurity.net
* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson@winnetmag.com (please
mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums
* PRODUCT NEWS -- products@winnetmag.com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate@winnetmag.com
* WANT TO SPONSOR SECURITY UPDATE? emedia_opps@winnetmag.com
********************
This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise. Subscribe
today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup
Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email
|-+-+-+-+-+-+-+-+-+-|
Thank you for reading Security UPDATE.
SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Sub@list.winnetmag.com.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic