**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by
Sunbelt Software - STAT: NT Vulnerability Scanner
http://www.sunbelt-software.com/stat.htm

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

December 22, 1999 - In this issue:

1. IN FOCUS
     - Once Bitten, Twice Shy?

2. SECURITY RISKS
     - Syskey Keystream Reuse
     - LSA Denial of Service

3. ANNOUNCEMENTS
     - Terminal Server Administrators: Save Time, Increase Performance, Fine-Tune Your Thin-Client Functions
     - Security Poll: What Is Your Level of Security Expertise?

4. SECURITY ROUNDUP
     - News: PGP Allowed for Export
     - Feature: How Secure Is Your Exchange Server?

5. NEW AND IMPROVED
     - Piracy Intervention
     - Firewall with Management Capabilities

6. HOT RELEASES
     - kforce.com
     - Network-1 Security Solutions – Embedded NT Firewalls

7. SECURITY TOOLKIT
     - Book Highlight: Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design
     - Tip: Stress Test Your Servers with Blast!

8. HOT THREADS
     - Windows NT Magazine Online Forums:
         * Hidden Shares, What's the Purpose?
     - Win2KSecAdvice Mailing List:
         * Windows 2000 Default Share Access
         * Forcibly Disconnecting Users
     - HowTo Mailing List:
         * Windows AT Scheduler Password
         * PWDump2 Result Question

~~~~ SPONSOR: SUNBELT SOFTWARE - STAT: NT VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your network? Plug NT's holes before they plug you. There are many hundreds of known NT vulnerabilities. New ones are found daily. You just have to protect your LAN _before_ it gets attacked. STAT is a new tool that solves your NT security exposure in a completely unique fashion. STAT is not just a shrink-wrap product. It comes with a responsive web-update service and a dedicated Pro SWAT team that helps you to hunt down and kill Security holes. Originally built by anti-hacker experts for Secure Government sites. Download a demo copy before you become a statistic.
http://www.sunbelt-software.com/stat.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

I'm glad I'm not the only one that has to learn a few lessons the hard way. Microsoft learned another solid lesson last week when someone discovered that its Syskey technology has a serious security weakness. As you might know, Syskey helps protect the SAM database on Windows NT systems by introducing strong encryption to that area of the Registry. The weakness in Syskey resides in the fact that Microsoft is reusing the RC4 key associated with Syskey encryption, which seriously weakens the technology.

The risk in Syskey is very significant, and it's not the first time something of this nature has occurred. Last year, L0pht and Counterpane Systems released a white paper detailing numerous security shortcomings in Microsoft's PPTP implementation. One of those shortcomings was the fact that Microsoft Point to Point Encryption (MPPE) reused RC4 keystreams--just like the Syskey technology. Maybe I'm being an idealist, but I'd have assumed that after the release of the L0pht and Counterpane PPTP white paper, Microsoft would have scoured its encryption code looking for similar security-risk occurrences. But apparently that didn't happen, and here we are again, attending class at the school of hard knocks for NT 4.0.
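
The keystream-reuse weakness described above, as an added example that is not part of the original newsletter and is not Microsoft's code: textbook RC4 applied to two constructed 16-byte records under one hypothetical key, beside a per-record key derivation that removes the relationship. The key, the record values and the `record_key` helper are assumptions for illustration; they do not describe Syskey's actual record layout or Microsoft's patch.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values; not real SAM data or a real system key.
KEY = b"constructed-system-key"
RECORD_A = bytes.fromhex("00112233445566778899aabbccddeeff")
RECORD_B = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def reuse_leak():
    """Weak pattern: both records are encrypted with the same keystream."""
    ct_a, ct_b = rc4(KEY, RECORD_A), rc4(KEY, RECORD_B)
    relation = xor(ct_a, ct_b)                # keystream cancels: equals A ^ B
    recovered_b = xor(relation, RECORD_A)     # knowing A reveals B, no key used
    return relation, recovered_b

def record_key(master: bytes, record_id: bytes) -> bytes:
    """Corrected pattern (hypothetical helper): a distinct RC4 key per record."""
    return hashlib.sha256(master + b"|" + record_id).digest()

def separated_keys_relation() -> bytes:
    ct_a = rc4(record_key(KEY, b"record-a"), RECORD_A)
    ct_b = rc4(record_key(KEY, b"record-b"), RECORD_B)
    return xor(ct_a, ct_b)                    # no longer equals A ^ B

if __name__ == "__main__":
    relation, recovered = reuse_leak()
    print("ct_a ^ ct_b == A ^ B:", relation == xor(RECORD_A, RECORD_B))
    print("B recovered from known A:", recovered == RECORD_B)
    print("with per-record keys:", separated_keys_relation() == xor(RECORD_A, RECORD_B))
```

With a shared keystream, the XOR of the two ciphertexts is exactly the XOR of the two plaintexts, so the strength of the key no longer matters once one record is known or guessable.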

Windows 2000 (Win2K) is just around the corner. Win2K is supposed to be more secure than NT 4.0, and the OS certainly contains more encryption technology than NT 4.0. I can only wonder whether the Win2K developers are paying attention to the encryption follies uncovered in NT 4.0?

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

* SYSKEY KEYSTREAM REUSE
Syskey is a utility that strongly encrypts the hashed password information in the SAM database to protect it against offline password-cracking attacks. Syskey technology first appeared in NT Server 4.0 Service Pack 4 (SP4). The technology is vulnerable to attack because Syskey reuses the RC4 keystream. According to Microsoft's report, "The vulnerability allows a particular cryptanalytic attack to be effective against Syskey, significantly reducing the strength of the protection it offers." Microsoft has released patches that correct this risk.
http://www.ntsecurity.net/go/load.asp?iD=/security/syskey.htm
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16798
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16799

* LSA DENIAL OF SERVICE
Network Associates (NAI) discovered a problem with Windows NT's Logon Security Authority (LSA) that can lead to a denial of service (DoS) attack against the system. According to NAI's report, the misuse of a particular API call will lead to an application error, thereby crashing the LSA. With the LSA unavailable, no authentication takes place. Microsoft has released patches for Intel and Alpha that correct this problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/lsa3.htm

3. ========== ANNOUNCEMENTS ==========

* TERMINAL SERVER ADMINISTRATORS: SAVE TIME, INCREASE PERFORMANCE, FINE-TUNE YOUR THIN-CLIENT FUNCTIONS
If you’re thinking about going thin or if you're already using Terminal Server, point your browser to http://www.winntmag.com/Techware/InteractiveProduct/TerminalServer. At this Web site, you’ll be able to quickly and efficiently evaluate thin-client-related solutions and gather additional information. Also at this site you can:
   * Access a world of thin-client-related solutions
   * Take advantage of informative product overviews
   * Utilize direct links to more product information
   * Use the convenient product download links
   * Evaluate products quickly and efficiently
The Terminal Server Interactive Product Guide is designed to direct you to the latest products and services by the industry's leading Terminal Server-related technology vendors. Check it out today and bookmark it for tomorrow.
http://www.winntmag.com/Techware/InteractiveProduct/TerminalServer/

* SECURITY POLL: WHAT IS YOUR LEVEL OF SECURITY EXPERTISE?
We've just launched a brand new survey designed to help us understand your current level of security knowledge. The survey results will help us better shape the content of our security-related material, including information in this newsletter. So please stop by and take the one-question survey located right on the home page.
http://www.ntsecurity.net

4. ========== SECURITY ROUNDUP ==========

* NEWS: PGP ALLOWED FOR EXPORT
Network Associates (NAI) announced that the US government has granted the company a full license to export its PGP encryption software. The license, effective immediately, lets NAI export its full-strength PGP encryption software to virtually all countries worldwide that are not on the government's restricted list. Countries on that list include Cuba, Iraq, and others.
http://www.pgp.com

* FEATURE: HOW SECURE IS YOUR EXCHANGE SERVER?
In his recent Web Exclusive article, Jerry Cochran reminds us of several security risks associated with Exchange Server. Several items are held out for consideration, including Outlook Web Access (OWA). Be sure to stop by for a quick review of common Exchange Server gotchas!
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=143&TB=f

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* PIRACY INTERVENTION
New Wave Software announced Software Piracy Intervention (SPI), software that adds a protective layer to software products to prevent piracy and to track those that attempt it. When you install a protected product, the SPI archive goes through a series of validation checks. If any check fails, the product won’t install and the user’s IP information is recorded so that the software developer can track and prosecute the user. The Lock Point feature locks the product to the first computer that it successfully installs on. The Uninstaller feature lets the user move an SPI-protected product to another computer. The built-in e-commerce feature lets an online customer purchase your product without the use of shopping cart software. Once a customer purchases your software product online, the SPI-protected product installs on their system and is ready to run.
SPI runs on Windows 2000 (Win2K), Windows NT, Windows 9x, Mac, and PowerMac. For pricing, contact New Wave Software, 800-920-9283.
http://www.nwspi.com

* FIREWALL WITH MANAGEMENT CAPABILITIES
Network-1 Security Solutions announced CyberwallPLUS 5.2 and CyberwallPLUS Central 1.0, a suite of embedded firewalls with management capabilities and enhanced intrusion detection and protection. This suite provides network security policies across numerous server-based firewalls. The suite also provides tools for remote management, enhanced logging and reporting, and increased intrusion detection and prevention capabilities. Application Service Providers (ASPs) and e-businesses can use the central management capability to deploy Web or other types of server farms that require the maintenance efficiencies, increased security, and scalability.
CyberwallPLUS 5.2 and CyberwallPLUS Central 1.0 run on Windows NT and Windows 98. Pricing starts at $995. Contact Network-1 Security Solutions, 800-638-9751.
http://www.network-1.com

6. ========== HOT RELEASES (ADVERTISEMENT) ==========

* KFORCE.COM
Real results by real people!***kforce.com*** Resumes read by over 2,300 Career Specialists, Not another Job Board, But the Career Resource Center. Search our Vast Database, use the Salary Calculator, and receive your own Career Development Coach. Opportunity has a new address kforce.com
http://ad.doubleclick.net/clk;629716;3578931;w?http://www.kforce.com

* NETWORK-1 SECURITY SOLUTIONS – EMBEDDED NT FIREWALLS
CyberwallPLUS-SV is the first embedded firewall for NT servers. It secures valuable servers with network access controls and intrusion prevention. Visit http://www.network-1.com/eval/eval6992.htm to receive a free CyberwallPLUS evaluation kit and white paper.

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: CRACKING DES: SECRETS OF ENCRYPTION RESEARCH, WIRETAP POLITICS AND CHIP DESIGN
By Electronic Frontier Foundation
Online Price: $23.95
Softcover; 272 pages
Published by O'Reilly & Associates, July 1998

For the first time, a book reveals full technical details on how researchers and data-recovery engineers can build a working Data Encryption Standard (DES) Cracker. Cracking DES includes design specifications, board schematics, full source code for the custom chip, a chip simulator, and the software that drives the system. The US government made it illegal to publish these details on the Web, but they're printed here in a form that's easy to read and understand, legal to publish, and convenient for scanning into your computer.

For Windows NT Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WINNTMAG in the referral field on the Shopping Basket Checkout page. To order this book, go to
http://www.fatbrain.com/shop/info/1565925203?from=SUT864.

* TIP: STRESS TEST YOUR SERVERS WITH BLAST!
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

Few things are more unsettling than to learn that a piece of your favorite software has a nasty denial of service (DoS) condition in it. We generally find out about these problems from either vendors or hackers who find those bugs or through the direct experience of having a service attacked. Most of us prefer the former means of discovery, as opposed to the latter.

Although you can certainly monitor various online information sources waiting for new DoS risk information to pop up, a more proactive way exists to find problems in the software you use in-house. That way is to attack the services yourself.

Testing services for various DoS conditions is not an easy chore without a serious tool to assist in that work. One such tool is NT Objectives' Blast. Blast is a new stress-testing tool designed specifically to break a given service. In most cases, when a service breaks because of Blast-based testing, that service has a buffer overflow condition that leads to a DoS.

The benefits of testing your software for DoS conditions are many, including possibly finding service problems before they become serious security issues. If you're interested in this type of testing, be sure to check out Blast. And while you're at NT Objectives' Web site, be sure to check out the PowerPoint presentation, "Taking Out an NT Server," which discusses another new tool called NTOMax that NT Objectives plans to release this week.
http://www.ntobjectives.com

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows NT Magazine online forums (http://www.winntmag.com/support).

December 16, 1999, 03:04 P.M.
Hidden Shares, What's the Purpose?
What's the purpose of mapping drives to hidden shares if they reappear in the Map Network Drive drop-down list? How can you clear this list?

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=82441

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. Windows 2000 Default Share Access
http://www.ntsecurity.net/go/w.asp?A2=IND9912C&L=WIN2KSECADVICE&P=93
2. Forcibly Disconnecting Users
http://www.ntsecurity.net/go/w.asp?A2=IND9912B&L=WIN2KSECADVICE&P=2317

Follow this link to read all threads for Dec. Week 3:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the "HowTo for Security" mailing list. The following threads are in the spotlight this week:

1. Windows AT Scheduler Password
http://www.ntsecurity.net/go/L.asp?A2=IND9912C&L=HOWTO&P=2808
2. PWDump2 Result Question
http://www.ntsecurity.net/go/L.asp?A2=IND9912C&L=HOWTO&P=2040

Follow this link to read all threads for Dec. Week 3:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T.
TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved – Carolyn Mascarenas (products@winntmag.com)
Editor-at-Large – Jane Morrill (jane@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 1999, Windows NT Magazine

Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html