---------------------- Forwarded by Vince J Kaminski/HOU/ECT on 04/26/2000 
09:15 AM ---------------------------


"NW Security and Bug Patch Alert" <Security-BugPatch@bdcimail.com> on 
04/25/2000 05:43:21 PM
Please respond to "Security and Bug Patch Alert Help" <NWReplies@bellevue.com>
To: <vkamins@enron.com>
cc:  
Subject: Social engineering


NETWORK WORLD FUSION FOCUS: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
TODAY'S FOCUS: Social engineering
04/25/00

Dear Wincenty Kaminski,



Today's Focus: Social engineering
---------------------------------------------------------------
By Jason Meserve

Here's an interesting topic that came up in a Butler Group OpinionWire
e-mail newsletter: social engineering.

Instead of using technical skills to break into computers, hackers
often use the weakness of the human mind to gain access to corporations.
Hackers befriend users and trick them into giving away sensitive
information that can be used to gain access to systems. These hackers
also use trickery such as pretending to be from tech support to get
unsuspecting users to give up their username and password information.

Serbian hackers used the technique to gain access to Web sites
registered by Network Solutions, Inc., according to the Butler Group.
The hackers then defaced these sites as a form of political and social
protest.

While no data was stolen, the incidents bring up an interesting point.
While you may have security in place, it is still important to educate
users on security practices, such as never giving passwords or other
sensitive information out to unknown people or Web sites. AOL warns its
users all the time that administrators do not ask for password
information when dealing with customers.

Make sure your employees aren't unwittingly leaving the front door open
to attack.

One other note before we get to the latest alerts. Last week, a brain
cramp had me misreading information about the alleged backdoor
passwords in Microsoft software. The problem is associated with
InterDev 1.0, not Version 7.0 as previously reported. Also, I was
remiss in not mentioning that Microsoft recommends deleting the
DVWSSR.DLL library that installs as part of a number of Web software
applications, including FrontPage 98 Extensions. The library could be
used in buffer overflow attacks.


Now on with the latest patches and alerts:


Panda Software warns of W95/CIH virus

W95/CIH (or Chernobyl) is set to go active on April 26, the anniversary
of the Chernobyl nuclear disaster of 1986. The virus infects various
executables with 1K byte of code, and on the 26th is set to destroy the
Flash BIOS of Intel Pentium processors, rendering the computer useless
until the Flash BIOS is restored to its original settings.
For more information:
http://www.pandasoftware.com/vernoticia.asp?noticia=674&idioma=2
**********


Microsoft releases procedure to eliminate "Server-Side Image Map
Components" vulnerability

A vulnerability in several Web server products from Microsoft could let
a malicious Web site visitor perform actions that the system
permissions allow but that would not have been reachable without this
hole. The risk is in the FrontPage 97 and 98 extensions htimage.exe and
imagemap.exe, which provide server-side image-mapping support.
Microsoft says the effect of this bug is limited, but the company is
providing a means of remedying the situation.
For more information on the procedure:
http://www.microsoft.com/technet/security/bulletin/fq00-028.asp
**********


Buffer overflow in Red Hat's imwheel module

A buffer overflow condition in the imwheel module that comes with Red
Hat Powertools could allow a local user to execute arbitrary commands
as root.
For more information:
http://bugzilla.redhat.com/bugzilla/
**********


Red Hat releases new openldap packages

The new openldap package fixes a vulnerability in Red Hat Linux
Versions 6.1 and 6.2. The old version of the package creates a link to
the /tmp directory that is world writable. This could allow users to
destroy any file on a mounted file system.
For more information:
http://bugzilla.redhat.com/bugzilla
**********


RealNetworks releases patch for denial-of-service vulnerability in
RealServer

RealNetworks' RealServer streaming media server contains a
vulnerability that could allow a malicious user to cause a stack
overflow and shut down the system until it is rebooted by an
administrator. RealNetworks says the problem lies in the PNA
protocol-handling scheme.
Download the patch:
http://service.real.com/help/faq/servg270.html
**********


Bug in Netscape Navigator could allow others to view bookmarks

A flaw has been discovered in Netscape Navigator that could allow a
malicious Web site operator to view a person's bookmark file. By using
a combination of JavaScripts, cookies and frames, an operator could
view the contents of a bookmark file, if the browser user is set to
"default." Also, support for cookies and JavaScript needs to be turned
on. The problem could be part of Microsoft Internet Explorer as well.
While no code can be run on the client machine, the problem could
expose private information in the bookmark file.
http://www.zdnet.com/pcweek/stories/news/0,4153,2553337,00.html
**********


Patch available for "Malformed Environment Variable" vulnerability

A vulnerability in Windows NT 4.0 and Windows 2000 could allow a
malicious user to make some or all of the memory on a server
unavailable, effectively slowing and shutting down the machine. The
CMD.EXE command processor has an unchecked buffer in part of the code
that handles environment strings. Microsoft does not believe this to be
a major threat.
For more information:
http://www.microsoft.com/technet/security/bulletin/fq00-027.asp
**********


Patch available for "Mixed Object Access" vulnerability

Microsoft scores the hat trick with its third vulnerability of the
week. This patch fixes a limited problem in Windows NT 4.0 and 2000
that could allow a user to change information in Active Directory
without permission. The scope of the problem is very small and only
pertains to certain object attributes.
For more information:
http://www.microsoft.com/technet/security/bulletin/fq00-026.asp
**********


WM97/Astia-AI reported in the wild by Sophos

Many people like to write these Word macro viruses. For hackers, these
must be the equivalent of the little Pascal programs that sorted simple
lists, which I had to write back in my early days as a computer science
major. Hackers must start with these viruses before jumping to the big
leagues of distributed-denial-of-service attacks. This particular
strain creates Book.dot and Book.src files in the Word StartUp
directory and affects the Normal.dot file. The virus will pop up a
window titled "TITANUS" if a user enters the Visual Basic Macro Editor.
It will then attempt to infect an open document. Just another pain to
be aware of.
For more information:
http://www.sophos.com/virusinfo/analyses/wm97astiaai.html
**********


Georgi Guninski reports another IE problem

Georgi Guninski is the king of finding bugs in Microsoft Internet
Explorer. This time, Guninski has found an error in the way Microsoft
implements its Java Virtual Machine that could circumvent the
cross-frame security policy built into the browser. This could allow
malicious users to use the Document Object Model to gain access to
files on a vulnerable machine. Guninski reports that fixing the problem
is not as easy as turning off Active Scripting.
For a demonstration of the problem:
http://www.nat.bg/~joro/jsinject.html
**********


Problem with Panda Security 3.0

DeepZone is reporting a problem with Panda Security 3.0's key handling.
Local users could override their privileges and gain access to
administrator rights. This could allow an unauthorized user to
uninstall the product.
For more information and patches:
http://www.pandasoftware.com (user name and password required)
**********


Denial-of-service problem with some versions of Cisco IOS

A defect in multiple Cisco IOS software versions will cause a Cisco
router to reload unexpectedly when the router is tested for security
vulnerabilities by security scanning software programs. The defect can
be exploited repeatedly to produce a consistent denial-of-service
attack. Cisco recommends upgrading affected systems as soon as possible.
For more information and to see which versions are affected:
http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml
**********


FreeBSD Generic-NQS contains a local root compromise

Generic-NQS Versions 3.50.7 and earlier contain a vulnerability that
allows a local user to easily obtain root privileges. Generic-NQS is a
queuing system for running a batch process across multiple machines.
Patches:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/generic-nqs-3.50.9.tgz

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/generic-nqs-3.50.9.tgz

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/generic-nqs-3.50.9.tgz

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/generic-nqs-3.50.9.tgz

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/generic-nqs-3.50.9.tgz
**********


Other interesting tidbits:

Libsafe 1.3 stack protection software

Some engineers at Bell Labs and MandrakeSoft have developed software
for preventing "smash attacks" against the network stack of a Linux box.
The software is said to prevent attackers from smashing the return
address and taking control of the flow of a running program.
For more information:
http://www.bell-labs.com/org/11356/html/security.html
**********


Alcatel and Funk team to tighten LAN security

Alcatel is making it possible to keep unauthorized LAN users out of
resources they shouldn't be using with a security package from Funk
Software. The package uses Remote Authentication Dial-In User Service
(RADIUS) to give network professionals the ability to create logical
workgroups and virtual LANs, even when those users are spread out on
different LAN segments or move from location to location with laptops.
Network World, 04/19/00.
http://www.nwfusion.com/news/2000/0419alcatelfunk.html
**********


Miss a newsletter?

Don't fear, if you're new to the newsletter or are looking for past
newsletters, you can check out the archives at:
http://www.nwfusion.com/newsletters/bug/

To contact Jason Meserve:
-------------------------
Jason Meserve is a staff writer with Network World, covering search
engines, portals, videoconferencing, IP Multicast and document
management. He also oversees the "Security Alerts" page on Fusion
(http://www2.nwfusion.com/security/bulletins.html). Jason can be reached
at mailto:jmeserve@nww.com.
-------------------------



Network World Fusion is part of IDG.net, the IDG Online Network.
IT All Starts Here:
http://www.idg.com

Copyright Network World, Inc., 2000