TISC Insight, Volume 2, Issue 4

Welcome to Volume 2, Issue 4 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.

The editorial calendar at this time includes:

Previous issues of Insight are posted on the TISC site.

TISC is about sharing clue. So is the newsletter. If we fail to provide something *useful* each issue, complain directly to me.

In this issue, we learn ways popular search engines can be used to locate web sites with security vulnerabilities from the folks at Perfecto Technologies' Black Watch Labs. We also hear a report from Ed Tittel and James Michael Stewart on Windows 2000 Security.

Enjoy, and be safe,

Dave


How Search Engines Can Be Used To Locate Millions Of Vulnerable Web Sites
Perfecto Technologies' Black Watch Labs

Search engines have been used to locate vulnerable Web sites since they were invented. However, most people are unaware that millions of sites are exposed. Using simple queries, a hacker is able to locate those millions of vulnerable sites by searching for "signatures" of application-level attacks.

Here are a few examples (use www.infoseek.com):

The Internet community needs to be aware of the importance of security at the Web application level. To test whether your site is vulnerable to malicious searches using a free Web tool, and to understand what actions need to be taken to protect sites from these types of vulnerabilities, visit Black Watch Labs.

[Editor's Note: Black Watch Labs was established to further the knowledge of Web application security within the Internet security community. -dmp]


Feature Column: Windows 2000 Security



Windows 2000: An Early Security Perspective

James Michael Stewart, MCSE, and Ed Tittel

Windows 2000 comprises nearly 60 million lines of code. Experts speculate that there are at least five errors for every thousand lines. Do the math: you should expect some of those problems to relate to security. Other experts claim that Microsoft's use of a modular system architecture, while offering numerous benefits, may actually *cause* security problems. For example, IPC or RPC operations may occur outside the OS security envelope, or post-release plug-ins and patches may reveal security breaches (and offer hackers insight into how to break down barriers). With all the new technologies and embedded features that Windows 2000 introduces, including Active Directory, ActiveX, digital certificates, and remote administration, Windows 2000 is a bold initiative which may have one or more Achilles' heels.

Based on the trials and tribulations that the security-poor Windows NT system suffered, Microsoft has made significant strides toward creating a secure environment in Windows 2000. In addition to including several security technologies we've all been waiting for, such as Kerberos and IPSec, Microsoft has announced that Windows 2000 will ship with 128-bit encryption worldwide. This comes as a result of the US government's lifting of some encryption export restrictions. In a daring move, a Windows 2000 system was placed directly on the Internet along with a challenge to break into it. Microsoft claims no one was able to breach that security; however, four denial of service exploits were uncovered. Microsoft employed a 15-member team of consultants and 100 elite customers to "field test" the product over 18 months and to provide feedback on security issues. While many issues were found and resolved even before beta versions were widely distributed, there is still considerable ground to explore. And no beta test can ever match the unbelievable uses to which commercial software is sometimes put!

Some potential problems with Windows 2000 security have been answered by Microsoft quickly, as proof of their improved commitment to the user community on security matters. For example, a paper was released that described vulnerabilities in the Encrypting File System (EFS). Microsoft responded that the only way these vulnerabilities could be exploited is if an administrator of a system makes a configuration error that the documentation specifically warns against. The issue: leaving the EFS recovery key on the machine where sensitive data is encrypted, instead of securing it separately from the protected data.

Windows 2000 has just been released, and there hasn't yet been much news about security problems with this new operating system. Even though versions of Windows 2000 have been circulated among Microsoft's testing partners and on the Internet, there is a surprising lack of real information about security problems. Until now, most of the media attention to Windows 2000 security issues has been hype: predictions of major problems that have not yet materialized. If you are like us, you are waiting on tenterhooks for news of the first major Windows 2000 security breach to hit.

The only two real issues LANWrights has discovered to date involve the Indexing Service and converting a FAT/FAT32 boot partition to NTFS. The Indexing Service is installed by default in Windows 2000, and can cause two problems when used with IIS. Neither vulnerability grants write access to the user, but the first allows users to view files on the Web server and the second reveals the directory path for Web roots. Microsoft has already released a hotfix for these (see Microsoft Security Bulletin MS00-006). As for the second issue, the CONVERT.EXE tool fails to apply the correct default permissions to the boot partition. This problem occurs if you install Windows 2000 onto a FAT or FAT32 partition, then later convert that partition to NTFS. The SECEDIT command line tool can be used to reset the permissions on the boot partition to their correct defaults; see Microsoft Knowledge Base article Q237399 for more information.
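One way to check a machine for the converted-partition problem just described, as an added example that is not from the newsletter or from LANWrights: a PowerShell audit (PowerShell postdates Windows 2000, so this assumes a later Windows host) that lists over-broad Allow entries on the root of the system drive. The path, the set of identities treated as over-broad, and the exact SECEDIT command line are assumptions to verify against Q237399.

```powershell
# Added example, not from the newsletter. Audits the root of the system drive
# for "Allow" ACEs that grant Full Control to broad groups, which is the kind
# of permission set a FAT/FAT32 boot partition converted with CONVERT.EXE can
# be left with instead of the NTFS defaults. Assumes a Windows host with
# PowerShell and that the caller can read the root ACL.

function Get-OverBroadRootAces {
    param(
        [string]$Path = ($env:SystemDrive + '\'),
        # Identities that should never hold Full Control on the boot volume
        # root. This list is an assumption for the example, not from Q237399.
        [string[]]$BroadIdentities = @('Everyone', 'BUILTIN\Users',
                                       'NT AUTHORITY\Authenticated Users')
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -Path $Path
    # Keep only Allow entries for a broad identity whose rights cover FullControl.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        ($BroadIdentities -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
}

$findings = Get-OverBroadRootAces
if ($findings) {
    Write-Warning "Over-broad ACEs on $($env:SystemDrive)\ (looks like a converted FAT partition):"
    $findings | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    # Q237399 describes reapplying the default security template with SECEDIT.
    # The command line below is the assumed form of that remediation; confirm it
    # against the article before running it as an Administrator:
    #   secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
} else {
    Write-Output "No broad Full Control ACE found on $($env:SystemDrive)\."
}
```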

While there has been little news concerning security breaches, a Windows 2000-specific virus has been discovered. The virus is named Win2K.Inta. This is the first virus discovered which targets Windows 2000 directly, but fortunately it does not cause direct damage to a system. The real issue is that Win2K.Inta demonstrates how to build a working 32-bit virus. Furthermore, this virus propagates itself throughout a network by latching onto files used by the Microsoft Installer. Information about this virus appears at the F-Secure Virus Pages and the Symantec AntiVirus Research Center. Most Windows 2000 virus scanner software vendors have already included this virus in their product updates.

In light of the recent denial of service attacks on several major Web sites, keep in mind that any system connected to the Internet is vulnerable. Windows 2000 *can* be affected by denial of service attacks. You can obtain extensive information on the recent issues, steps to help safeguard your own systems, and tools to help detect and deter such attacks at the FBI and CERT web sites.

We expect a flood of security related issues to hit soon, both in online discussion forums and in the trade and general presses. When such issues are reported, however, we suggest you take time to investigate before reacting. Windows 2000 is bound to have flaws, but they are probably not as severe as the hype might indicate.

Your best tool for combating security problems is information. The following resources are invaluable when working with Windows 2000 security:

The Microsoft Security Advisor is a comprehensive site dealing with security issues on all MS products, including Windows 2000. The best feature on this site is the Microsoft Security Bulletin mailing list.

NTBug Traq focuses on security issues related to Windows NT, Windows 2000, and the Internet. This site also contains many helpful editorials on news, events, and happenings, as well as FAQs and downloads.

NTSecurity.Net tracks any security related issue from the Internet to operating systems to client applications. It also boasts tips, resource lists, newsletters, archives of discussions, and more.

Windows 2000 Magazine Online, formerly Windows NT Magazine, is one of the top resources for Windows 2000.

CERT is the national computer security incident response team. CERT is federally funded and considered the most reliable source of security incident information.

Computer Incident Advisory Capability (CIAC) is the security response team for the DOE and maintains a useful Web site containing a wide range of security information.

Federal Computer Incident Response Capability (FedCIRC) is the place to go when you need to report a security breach. They provide extensive information on preventing, detecting, tracking, and prosecuting perpetrators of security breaches.

Microsoft TechNet is an invaluable resource for any user of Microsoft operating systems. We recommend purchasing the monthly subscription service which gets you a CD set in the mail. This online version is a bit cumbersome but does contain most of the same documentation as the subscription CD version.

Windows NT/2000 Tips, Tricks, Registry Hacks and more is a Web site with uncountable jewels of information relating to all aspects of Windows NT and Windows 2000. There are some security items here, but the other tips, tricks, hacks, and helps are beyond value.

A Collection of security mailing lists. If you like getting e-mail notification of security information, this is the site for you. This site maintains a fairly comprehensive list of security related mailing lists with instructions on how to subscribe.

Microsoft maintains a public USENET NNTP news server at msnews.microsoft.com which hosts discussions on topics related to Microsoft products. This is a great place to post questions and to get answers from peers and Microsoft experts.

AntiCode and AntiOnline. These two sites are places you'll want to watch since they offer a peek into the world of the Internet terrorist. These sites contain information on how attacks are performed, how attacks can be detected and prevented, plus lots of tools, tips, and discussions from peers, experts, and hackers.

Hacker News Network is dedicated to "deliver the real news from the computer underground for the computer underground" (according to their own self-description). You'll find insights into the minds of non-corporate security experts and lots of helpful information and tools.

The L0pht claims to point out security problems and deploy tools to exploit them to encourage vendors to produce better products.


© 1999 - 2006 Core Competence & Mactivity, Inc.