ISSN 1353-4858 April 2004
Incorporating E-Commerce, Internet and Telecommunications Security
Wireless intrusion detection  4
.Net migration  6
Network attached storage  8
Editor: Sarah Hilley
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte, Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, California University, Berkeley Lab; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Editorial Office: Elsevier Advanced Technology, PO Box 150 Kidlington, Oxford OX5 1AS, UK Tel: +44-(0)1865-843645 Fax: +44-(0)1865-843971 E-mail: [email protected]
Subscription Price for one year: (12 issues) US$736/657 including first class airmail delivery subject to our prevailing exchange rate. Price valid to end of 2004.
Subscription Enquiries, Orders and Payments:
For customers residing in the Americas (North, South and Central America): Elsevier Customer Support Department PO Box 945, New York NY 10010 USA Tel: (+1) 212-633-3730 [Toll free number for North American customers: 1-888-4ES-INFO (437-4636)] Fax: (+1) 212-633-3680 E-mail: [email protected]
For customers in the rest of the World: Elsevier Customer Support Department PO Box 211, 1000 AE Amsterdam, The Netherlands Tel: (+31) 20-3853757 Fax: (+31) 20-4853432 E-mail: [email protected]
To order from our website: www.compseconline.com
Publishers of Network Security, Computers & Security, Computer Fraud & Security, Computer Law & Security Report, Information Security Technical Report
Microsoft squeezes 20 flaws into 4 patches
Microsoft has alerted users to four new patches this month, which extend to cover 20 vulnerabilities in total. Three of the fixes are given the highest level of warning - critical. The remaining update has been cited as important. Microsoft has managed to fit a flood of vulnerabilities into a small number of updates this month. The biggest of the patches, update MS04-011, fixes a whopping 14 flaws in one go. "I bet that Microsoft feels that releasing 14 separate bulletins to describe these vulnerabilities on different days would stir up considerably more negative reaction within its customer base and the media," said Dr Eugene Schultz at University of California-Berkeley Lab. The most worrisome vulnerability, a buffer overflow, is found in the Windows Local Security Authority Subsystem (LSASS). This flaw could lead to total compromise of a system and could be exploited automatically in a network worm like Blaster.
Continued on page 2 (top)...
Contents
News
  Microsoft squeezes 20 vulnerabilities into 4 patches  1
  Former FBI director says encryption fuels terrorists  1
  NetScreen combines firewall and intrusion protection  2
  News In Brief  2, 3
Wireless Security
  Wireless intrusion detection  4
.Net Migration
  Migrating to the .Net platform: an introduction  6
Network attached storage
  Security in network attached storage (NAS) for workgroups  8
Opinion
  The state of the hack  12
Digital Forensics
  The importance of text searches in digital forensics  13
Custom Web apps.
  Network security and custom Web applications  15
Budgets
  Real IT security on a limited budget  18
Interview
  Remote access at the BBC  19
Events  20

Former FBI director says encryption fuels terrorists
Wayne Madsen
Former FBI Director Louis J. Freeh used the occasion of his testimony before the National Commission on Terrorist Attacks Upon the United States, popularly known as the “911 Commission,” to renew his call for controls on the use of encryption technology. Freeh, in his 13 April, 2004, testimony before the commission, stated, “[a] technical challenge called encryption . . . threatens to make court-authorized interception orders a nullity.” Freeh told the commission, “Robust and commercially available encryption products are proliferating and no legal means has been provided to law enforcement to deal with this problem, as was done by Parliament in the United Kingdom. Terrorists have been able to exploit this huge vulnerability in our public safety matrix.” Freeh’s reference to the United Kingdom was due to its adoption of the Regulation of Investigatory Powers Act in 2000. The RIP Act requires the target of a communications intercept to surrender his or her encryption keys or face a jail sentence of up to two years.
Continued on page 3 ...
In Brief

SPIM AND SPAM KEEP GROWING
A study by the Radicati Group, Inc. reveals that SPAM is expected to grow by 115% from 2003, while SPIM will account for 1.2 billion messages. Good news for the anti-spam market, however: this also increases, growing to $974 million in 2004. http://www.radicati.com

NETSKY HITS P2P SITES
File sharing networks eDonkey, Kazaa, eMule and Cracks have all been targeted by NetSky in a denial-of-service attack. The worm, still taking advantage of a three-year-old Microsoft flaw, attempted to block access by creating traffic from infected zombie machines. The Russian authors of the virus claim this attack will stop illegal content sharing, but the affected sites — mainly eDonkey — set up mirror sites to prevent complete denial.
Continued from page 1 (top)...
Other severe flaws are found in the Windows Remote Procedure Call (RPC) runtime library, the Microsoft Abstract Syntax Notation One (ASN.1) library and the Negotiate Security Software Provider (SSP) interface. It could be possible for an automated worm to rise out of these, believes Schultz. "Several very prolific worms have already exploited RPC DCOM interface vulnerabilities. Code for each of these worms is publicly available; all someone needs to do is modify part of the code." "These many vulnerabilities constitute an almost ideal 'playground' for attackers, but a real nightmare for the rest of us," he said. The software giant said it has moved to monthly releases "to improve predictability and manageability, and to reduce the burden on IT administrators." However, Microsoft will release spontaneous patches when a threat is active. "I suspect that the real reason that Microsoft decided to release multiple hotfixes all at once is that it doesn't look as bad for Microsoft when the negative reactions this company receives for the many vulnerabilities in its products occur only once a month," said Schultz. Windows 2000, XP, Server 2003 and NT 4 are among the systems affected by the new flux of flaws. The researchers who discovered the holes include NSFOCUS, ISS X-Force, eEye, and Foundstone.

NetScreen combines firewall and intrusion protection
Network security company NetScreen has launched a new appliance that is designed to attack Checkpoint and Cisco in the enterprise market. This is its last product launch before its full acquisition by Juniper Networks on 16 April. The company describes the new product, the ISG 2000, as the first platform that integrates firewall, VPN, and intrusion detection and prevention technologies. The company says the platform delivers multiple options to customise I/O connections and the services and performance levels of the product to protect each perimeter segment of an organisation's network. Based on the company's next generation ASIC, the GigaScreen3, the platform offers 3 million packets per second firewall throughput and 1.5 million packets per second VPN (3DES or AES). Pricing starts at $50,000. Peter Crowcombe, marketing director, NetScreen EMEA said: "this is about doing some platform consolidation between the local area network and the wide area network, combining different technologies in the same appliance. "We are combining intrusion prevention and firewalling for the first time in the history of the industry. We've been able to do that because we've rearchitected the underlying structure of the device and it's a new generation of ASIC". Expanding on the strategic rationale for the release, he said: "CheckPoint/Nokia are very strong in this particular part of the market - large medium to corporate - as is Cisco. So we are looking to take market share from them".

ISSN: 1353-4858/04/ © 2004 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:
Photocopying: Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use. Permissions may be sought directly from Elsevier Rights & Permissions Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, E-mail: [email protected]. You may also contact Rights & Permissions directly through Elsevier’s home page (http://www.elsevier.nl), selecting first ‘Customer Support’, then ‘General Information’, then ‘Permissions Query Form’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (978) 7508400, fax: (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) 171 436 5931; fax: (+44) 171 436 3986. Other countries may have a local reprographic rights agency for payments.
Derivative Works: Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the publisher is required for resale or distribution outside the institution. Permission of the publisher is required for all other derivative works, including compilations and translations.
Electronic Storage or Usage: Permission of the publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Contact the publisher at the address indicated. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publisher. Address permissions requests to: Elsevier Rights & Permissions Department, at the mail, fax and e-mail addresses noted above.
Notice: No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.
02158 Printed by Mayfield Press (Oxford) Ltd