==== 1. In Focus: Properly Timing Full Disclosure ====
   by Mark Joseph Edwards, News Editor, [EMAIL PROTECTED]

Full disclosure has spurred hot security debates for years. As you
know, the Organization for Internet Safety (OIS) has been leading the
latest effort toward establishing a more responsible disclosure

In the past, I've advocated full disclosure for learning purposes--as
have many security professionals. Although I knew that "black hats"
use published code to wreak havoc on other people's systems, I saw a
benefit in what legitimate scientific researchers ("white hats") could
learn by having that code available. The trade-off seemed reasonable
then, and it still does--but the timing of information release is
obviously a problem.

Now, even if somebody's published code can be useful (e.g., the code
can show that a patch might be broken another way)--far more often
than not, that benefit doesn't outweigh the danger of someone taking
that code, twisting it into an attack mechanism, and unleashing it on
the Internet shortly after the code is released. Clearly, the act of
publishing such code only days after the problem has been reported is
irresponsible, dangerous, and potentially damaging. Therefore, I want
to make it clear that I don't condone such behavior, nor do I condone
anyone's use of code for malicious purposes.

Some full-disclosure proponents imply that users deserve to be
attacked because they use Microsoft software and the software is full
of security holes. That's just another jab at Microsoft. Other
proponents maintain that users are responsible for their own problems
because they should load available patches. However, as we know,
loading patches isn't always the best first step to prevent intrusion.
And--although users do need to take responsibility for security--the
latter attitude is a short-sighted way to address the victims of
predators. Why not use the opportunity to teach people about better

The remote procedure call (RPC)/Distributed COM (DCOM) worm (MBlaster)
offers a good example of when loading a patch wasn't necessarily the
best first step. For some people, loading the Microsoft patch might
have actually been the slowest way to defend themselves; for others,
the patch wasn't required at all. Also, many people didn't load the
patch on their systems, yet their network Intrusion Detection System
(IDS) didn't pick up any attempts of the worm trying to infiltrate.
The worm might not have scanned that particular network address block
looking for open systems, or those people might have defended
themselves by other means, such as Network Address Translation (NAT),
border firewalls, server firewalls, desktop firewalls, and antivirus

In cases in which patches were required, we can't reasonably blame
users for not patching their systems fast enough--because all users
have their own issues. Also, not everybody uses the Internet
constantly, and those who don't might not immediately come across the
latest news of a security outbreak. Some home users might not turn on
their computers daily or even weekly, and others are ignorant about
many security problems and products, including firewalls and antivirus
software. Whatever responsibility we assign to them for their own
security, they should carry far less blame than the perpetrators.

Some small office/home office (SOHO) users are in a similar
predicament; they too might lack the knowledge to gauge the problem as
well as the resources to become educated and to properly administer
their networks. But they still need to be better protected through
their own efforts and through responsible disclosure practices. Large
enterprises probably have access to the personnel and know-how, but in
any given instance, they might lack the resources to move as swiftly
as they'd like.

Obviously, something more must be done to help slow the initial
release of malicious programs. Knowing that, I can immediately think
of two ways (ideas that others have long held).

The OIS is already taking steps to promote responsible disclosure,
which includes limiting who has early access to working exploit code.
I think that's a good step, but perhaps we can do more.

Still, mailing lists and other types of discussion forums present a
challenge. Some of these forums promote full disclosure with the
intent of legitimate study. Even so, rogue elements are an
ever-present problem. I question whether a truly responsible student
of security would quickly post code (before users have time to become
aware of the danger as well as ample time to protect themselves) to a
forum in which rogue elements undoubtedly lurk.

If people are responsible, they should try to find a safe outlet for
the work they want to publish, one for which timing is a primary
consideration. Although finding a safe outlet that considers timing
paramount seems like common sense, I point out the need to do so
because a few popular forums have long been used to publish security
information--so much so that they're "traditional" elements in the
security arena. The interchange among the forums' users is largely
professional, the signal-to-noise ratio is low, and the discussions
stay on topic. Most of you probably know which forums I'm talking

Could the operators of those forums become a part of responsible
disclosure by more carefully taking into consideration the need for
adequate timing--despite the fact that allowing such posting has been
longstanding policy? Even in instances in which the posted code is
somehow "broken on purpose" to prevent the less educated from using it
maliciously, it still presents a danger, especially when people don't
consider timing. Let's face it, the worst offenders are smart, so
posting broken code is irresponsible disclosure because sooner or
later, some attacker will fix and use it. Let's not give them a head

By limiting public disclosure of code (and command sequences) related
to vulnerabilities, a line will begin to appear dividing responsible
security students who do have the public interest entirely at heart
from those who don't "get" the inherent dangers of some forms of open
discussion when conducted at the wrong time. Security students can
find other ways to conduct and discuss security vulnerability details
without resorting to a public forum that anyone with an email address
can join unchecked.


==== 2. Security Risks ====
   contributed by Ken Pfeil, [EMAIL PROTECTED]

DoS in Cisco CSS 11000 Series Content Switches
   Cisco Systems' Cisco CSS 11000 series content service switches are
vulnerable to a Denial of Service (DoS) condition. By delivering a
heavy load of TCP SYN packets directed to the Cisco CSS's circuit
address, a malicious user can cause a high CPU load or even sudden
reboots, resulting in a DoS condition. Cisco recommends upgrading the
software to release WebNS 5.00.110s, which you can download from the
company's Web site.

DoS in Meteor FTP Server for Windows
   A Denial of Service (DoS) condition exists in Meteor FTP 1.5 for
Windows. By connecting to the Meteor FTP server and issuing the USER
command followed by large amounts of data, someone can cause the FTP
server to stop responding.

Multiple Vulnerabilities in NetWin's SurgeLDAP
   Zive Kamir discovered four new vulnerabilities in NetWin's
SurgeLDAP, the most serious of which could result in a Denial of
Service (DoS) condition. NetWin recommends upgrading to the latest
release of SurgeLDAP, which is available on the company's Web site.

Multiple Vulnerabilities in CiscoWorks Common Management Foundation
   Two vulnerabilities exist in Cisco Systems' CiscoWorks Common
Management Foundation (CMF) 2.1 and earlier, the more serious of which
could let an attacker execute arbitrary commands on the vulnerable
server. Cisco has published a notice regarding these vulnerabilities
and is making patches available for CMF 2.1 and CMF 2.0 free of charge
through standard support channels.


==== 4. Security Roundup ====

Feature: Evaluating ICF
   In response to a continuous onslaught of malicious Internet
cracking, Microsoft has included the bare-bones Internet Connection
Firewall (ICF) with Windows XP Home Edition and XP Professional
Edition. This firewall lacks many of the frills of commercially
available personal firewalls, but if you configure it correctly, ICF
can provide basic, one-way security protection against mischievous
probes and malicious software (malware). The author discusses the ICF
firewall and examines configuration settings that can maximize its
effectiveness in your enterprise. ICF might not win any
security-industry awards, but using it will make your PC and your
network safer.

Feature: Security IS Your Concern
   Even if security isn't your primary responsibility at your site,
it's too important for you to ignore. We all need to take some
responsibility for the security of our database systems, even if
that's not our official job function. Brian Moran directs you to some
best practices and guidelines that will help you play a responsible
role in your company's security.

==== 5. Instant Poll ====

Results of Previous Poll: RPC/DCOM Probing
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Has your company experienced someone probing to determine whether
your systems are vulnerable to a remote procedure
call (RPC)/Distributed COM (DCOM) exploit?" Here are the results from
the 196 votes.
   - 70% Yes
   - 17% No
   - 13% I'm not sure

New Instant Poll: The RPC/DCOM Worms
   The next Instant Poll question is, "Now that remote procedure call
(RPC)/Distributed COM (DCOM) worm variants have appeared, have they
affected your network or systems?" Go to the Security Administrator
Channel home page and submit your vote for a) Yes, b) No--We patched
against it, c) No--We patched and used other defenses, or d) No--We
used other defenses, but not the patch.

==== 6. Security Toolkit ====

Virus Center
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.

FAQ: How Do I Enable ICF?
   contributed by Microsoft

A. Internet Connection Firewall (ICF) is built into Windows XP and
Windows Server 2003. You'll find the dialog boxes that let you enable
the firewall under the Network Settings in the Control Panel. You can
also enable ICF using Active Directory (AD) Group Policy. For more
step-by-step information about setting up ICF, visit Microsoft's Web
site at the first URL below. For details about ICF features and known
issues, visit the second URL below.

==== 8. New and Improved ====
   by Sue Cooper, [EMAIL PROTECTED]

Control Device Usage
   SmartLine announced DeviceLock 5.5, software that lets you restrict
access to USB and FireWire (IEEE 1394) devices on Windows Server
2003/XP/2000/NT. Following installation, you can assign the
appropriate privileges to each user or user group for access to floppy
drives, other removable media, CD-ROM drives, tape devices--or USB,
FireWire, infrared (IR), and serial and parallel ports. DeviceLock
lets you control when, how, and which users can use various devices
inside your network. You can also use DeviceLock 5.5 to flush a
storage device's buffers. The price is $35 for a single user license.
Contact SmartLine at [EMAIL PROTECTED]

Assess Web Security and Defend Servers
   NTOBJECTives released the Fire & Water Toolkit 1.02 to help you
discover and map your network architecture, pinpoint Web servers
vulnerable to attack, protect against the highest-risk Web
vulnerabilities, and provide comprehensive HTML reporting with data
trending. Methods employed include Web server fingerprinting to
identify Web server platforms regardless of banner or stack
manipulation; advanced page proofing to determine whether a requested
resource is on the target or has been designed to return custom error
messages; and smart vulnerability selection to select and execute only
the vulnerabilities relevant to each target, according to the accurate
identification of your Web server platform. The Fire & Water Toolkit
1.02 is free for personal use; for enterprise users, the cost is $199
per user or $999 for an unlimited enterprise license. Contact
NTOBJECTives at 949-635-0981 or [EMAIL PROTECTED]

Submit Top Product Ideas
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to [EMAIL PROTECTED]

==== 9. Hot Threads ====

Windows & .NET Magazine Online Forums

Featured Thread: Help with Patch for MS03-026/Q823980I.exe
   (Nine messages in this thread)

A user writes that he has a Dell server running Windows NT 4.0 Server
with Service Pack 6a (SP6a). When he tries to execute hotfix
Q823980I.exe, which is related to Microsoft Security Bulletin MS03-026
(Buffer Overrun In RPC Interface Could Allow Code Execution) on his
server, he receives two error messages. First, a message box appears
with a red X and the words "Setup Error - The operation completed
successfully." After clicking the OK button, which is the only option,
he receives a second setup error box with a red X and the message
"Windows NT 4.0 Hotfix installation did not complete." His only option
at that point is to again click the OK button. So, the patch isn't
loaded and isn't applied.

Dell Custom Factory Integration installed NT 4.0 Server with SP6a when
the organization purchased the server, which is identical to his other
server on which he deployed the patch with no problem. Does anyone
have any idea what went wrong on this particular server? He has tried
shutting down all applications and all unnecessary NT services, but
that did not help. Lend a hand or read the responses:

HowTo Mailing List

Featured Thread: How to Verify Local Administrator Passwords
   (Six messages in this thread)

A user writes that he's attempting to check whether the local
administrator password is different from one of five possible
passwords, and he wants to output the list of noncompliant machines to
a text file. He wants to know about tools, scripts, or insights into
how to accomplish these tasks. Lend a hand or read the responses. The
thread begins at the first URL below and continues at the second URL.

