SecurityFocus Microsoft Newsletter #72
--------------------------------------

**SecurityFocus Promotion: Two Week Trial of SIA**

SecurityFocus(tm), a leading provider of enterprise security threat management systems, announces new pricing for SIA(tm) our Security Intelligence Alert Service. We are also offering a FREE two-week trial of SIA between January 21st and March 15th, 2002.

SIA provides the most comprehensive and customizable vulnerability and malicious code alerts available. SIA delivers complete, up-to-the-minute, specific, actionable information that allows enterprises to prevent attacks before they occur.

SIA allows you to:

**Fully protect your systems with comprehensive alerts that are specific to your infrastructure. SIA allows you to specify down to the version level those products for which you wish to receive alerts.

**Reduce the threat of network downtime from attacks. SIA provides everything you need to know: thorough technical description of the attack, workarounds or available patches, signatures for updating IDSs, mitigation/disinfection strategies, etc.

**Save hours a day by not having to look through hundreds of emails or dozens of websites. SIA allows you to prioritize your current vulnerabilities and eliminate the highest risks first.

To take advantage of our FREE two-week trial offer and receive real-time configuration-specific vulnerability and malicious code alerts, please call toll-free 1-866-577-6300 in the United States and Canada, or +1-650-655-6300 outside North America. You may also contact us at sales@securityfocus.com, or click here http://www.securityfocus.com/feedback to have a sales representative contact you.

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. SecurityFocus is Hiring!
     2. Castles Built on Sand: Why Software is Insecure
     3. Understanding IDS Active Response Mechanisms
     4. Reject the Corporate Secrecy Grab
     5. Solving the Problem of HTML Mail
     6. Special Event: Information Security in the Age of Terrorism
II. MICROSOFT VULNERABILITY SUMMARY
     1. Etype EServ Passive Mode Denial of Service Vulnerability
     2. AHG Search Engine Search.CGI Arbitrary Command Execution...
     3. Etype EServ Bounce Attack Vulnerability
     4. Microsoft Windows NTFS File Hiding Vulnerability
     5. Hosting Controller Information Disclosure Vulnerability
     6. CNet CatchUp Remote Arbitrary Code Execution Vulnerability
     7. SAS SASTCPD Command Line Argument Buffer Overflow Vulnerability
     8. SAS SASTCPD Command Format String Vulnerability
     9. PhpSmsSend Remote Shell Command Execution Vulnerability
     10. PGPFire Desktop Firewall ICMP Fingerprinting Vulnerability
     11. BindView NetInventory Password Retrieval Vulnerability
     12. Compaq Intel PRO/Wireless 2011B LAN USB Device Driver...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Windows 2000/.Net Group Policy Locker (Thread)
     2. Outlook 2002 SP-1 Plain Text Patch Problem (Thread)
     3. latest MS Advisory ms02-001 (Thread)
     4. "undelete" for NT2000 file sharing? (Thread)
     5. Early Summary: RE: UPnP on Windows 2000 Pro? (Thread)
     6. UPnP on Windows 2000 Pro? (Thread)
     7. NetBIOS Enumeration Utility 1.1 now available! (Thread)
     8. two questions that need answering (Thread)
     9. Microsoft CSP Random Key Generation (Thread)
     10. Terminal Service Question (Thread)
     11. Exchange 5.5 RPC Encryption (Thread)
     12. SecurityFocus Microsoft Newsletter #71 (Thread)
     13. Administrivia: Fun with Viruses (Thread)
     14. Persistent Shares viewable between users? (Thread)
     15. Enterprise Web application Security (Thread)
     16. Risk Analysis and Management Tool (Thread)
     17. How to get my encrypted files back - Copy to FAT32... (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. GroupShield Exchange
     2. Command AntiVirus for Exchange
     3. Antigen 5 for Microsoft Exchange
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. Securepoint Firewall and VPN Server SB v2.06
     2. Win Sniffer v1.22
     3. CryptoHeaven v1.0b11
     4. Locker v1.0
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------

1. SecurityFocus is Hiring!

SecurityFocus is currently looking for a programmer/debugger for its Threat Analysis teams. This position requires skillsets which I have outlined below. These positions require the staff members to be located in Calgary, Alberta, Canada. Relocation assistance is possible from within Canada. Skills will require verification by the way of an actual practical test before an in-person interview is secured.

Skills required:

- Expertise with SoftICE & IDA Pro (or similar tools).
- Expertise with x86 assembly language
- Programming ability in C & C++, targeting both the Unix and Windows platforms
- Strong report writing skills and ability to interface with customers.

Additional skills preferred:

- Working knowledge of computer viruses, worms, and trojans propagation techniques
- Working knowledge of honeypots.

Personal Skills Required:

Any applicant must be able to work in a team environment and deal with very tight deliverables. An outgoing pleasant personality is an absolute requirement. No rockstars, no prima donnas.

About SecurityFocus

SecurityFocus is the leading provider of security intelligence products and services for business. They include SIA (Security Intelligence Alert), which alerts subscribers to security vulnerabilities, and ARIS (Attack Registry & Intelligence Service), which predicts cyber assaults on customer networks, based on global attack data. SecurityFocus also licenses the world's largest and most comprehensive vulnerability information database, hosts the most popular security community mailing list on the Internet, Bugtraq, and publishes original security content on its Web site.

Please send resumes if interested to Alfred Huger ah@securityfocus.com

2. Castles Built on Sand: Why Software is Insecure
by Josh Ryder

Software developers spend endless hours developing sophisticated programs that will make users' lives easier and more productive.
Unfortunately, the outcome is not always what the developers had in mind. Many software programs are plagued by programming flaws that may lead to security vulnerabilities. This article will offer a brief overview of some of the factors that may contribute to insecure software.

http://www.securityfocus.com/infocus/1541

3. Understanding IDS Active Response Mechanisms
by Jason Larsen and Jed Haile

Debates still rage in the developer community over which methods of detecting attackers are best, but IDS customers as a whole are satisfied with the current IDS technology. To get an edge on the competition, many of the IDS vendors are adding active response capabilities to their products. The concept underlying this tactic is that the IDS will detect an attacker and then move to stop his attack. The problem is that any attacker with a basic knowledge of TCP/IP can easily defeat these mechanisms directly or simply knock the network offline often enough that the Admin is forced to turn off the feature. It is important for Admins to know the limitations of active response mechanisms to avoid being blindsided by them.

http://www.securityfocus.com/infocus/1540

4. Reject the Corporate Secrecy Grab
By David Banisar

In the name of improving cyber security, corporations are pushing for exemptions to the U.S. Freedom of Information Act (FOIA) that are unnecessary and dangerous. These will result in crucial information being suppressed without improving security.

http://www.securityfocus.com/columnists/56

5. Solving the Problem of HTML Mail
by Shane Coursen

Now there are options for screening potentially dangerous messages, or even eliminating HTML email from your life.

http://www.securityfocus.com/columnists/58

6. Special Event: Information Security in the Age of Terrorism (March 25-26, 2002, Washington DC)

Join an impressive faculty to learn strategic tools to safeguard your trade secrets and assets at Financial Research Associates' conference on Information Security in the Age of Terrorism, March 25-26 in Washington DC. Learn about the burgeoning relationships between terrorist organizations and hackers, the impact of better funded and organized hackers, how to protect your organization and much more. This event focuses on practical security strategies with practitioner case studies and features an all-star faculty.

To see a detailed conference brochure, go to www.frallc.com, or call for more information at 800-280-8440.

II. BUGTRAQ SUMMARY
-------------------

1. Etype EServ Passive Mode Denial of Service Vulnerability
BugTraq ID: 3983
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3983
Summary:

EType EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft Windows 9x/NT/2000 systems.

There is an exploitable denial of service vulnerability in EServ FTP server. It is possible to cause the server to stop accepting passive mode commands. This is accomplished by sending a large number of 'PASV' requests, consuming ports 1024 to 5000.

In the event that the affected service crashes, it will have to be restarted in order to regain normal functionality.

This vulnerability does not require any user authentication to exploit.

2. AHG Search Engine Search.CGI Arbitrary Command Execution Vulnerability
BugTraq ID: 3985
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3985
Summary:

Search.CGI is a component of the HTMLsearch Search Engine software distributed by AHG. The software is available for the Unix, Linux, and Microsoft platforms.

A problem with the script could make it possible for a remote user to execute arbitrary commands. The problem is in the filtering of input.
The search.cgi script included with the AHG Search Engine does not adequately filter input. Due to lack of sufficient input sanitization, it is possible for a remote user to pass semi-colon (;) and pipe (|) characters through a search request. This can result in the commands encapsulated between the symbols being executed with the privileges of the web server.

This problem makes it possible for a remote user to execute arbitrary commands on a vulnerable system. On UNIX systems, this would likely be as an unprivileged user. On Microsoft systems, these commands may be executed with SYSTEM privileges.

3. Etype EServ Bounce Attack Vulnerability
BugTraq ID: 3986
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3986
Summary:

EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft Windows 9x/NT/2000 systems.

EServ is prone to FTP bounce attacks. An attacker who logs in to the FTP server may use the PORT command to connect to an arbitrary port on a remote host. The PORT command is normally intended to be used to create a connection to the client machine on a high-numbered port.

As a result of this vulnerability, the attacker may use the FTP server as a proxy.

4. Microsoft Windows NTFS File Hiding Vulnerability
BugTraq ID: 3989
Remote: No
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3989
Summary:

There exists a condition in Microsoft Windows operating systems using NTFS that may allow for files to be hidden.

Though the NTFS filesystem allows for a 32000 character path, Microsoft Windows operating systems (NT4, 2000 and XP) enforce a 256 character limit. Any attempt to create, traverse or otherwise operate on a path longer than 256 characters will fail.

By using drives mapped to directories created with 'SUBST', it is possible to create directory paths longer than 256 characters. This can be accomplished by creating directories on the 'SUBST' drive.
The directories on the drive will be subdirectories in the tree to which the drive is mapped. Creating these directories may result in the total absolute path exceeding the 256 character limit.

If the absolute path of a directory created on a 'SUBST' mapped drive exceeds 256 characters, any files within will be inaccessible through traversing the full path. The files may still be accessed through the paths on the mapped drive. If the drive is deleted, the files may be completely inaccessible unless a drive is re-mapped to the same position in the directory tree.

This vulnerability poses a serious risk to programs which scan the filesystem, such as antivirus software. When attempting to traverse the long path, Norton Antivirus and Kaspersky Antivirus fail to scan files in the long directory trees due to the Windows path restrictions. Furthermore, if a virus executes, they do not scan the disk image because it is inaccessible.

Exploitation of this vulnerability may allow for viruses to remain undetected on filesystems. Attackers may also be able to hide files using this vulnerability, as Explorer and any other utility cannot traverse the paths where they are stored. It is not yet known which programs may be affected and in what ways.

This report has not been confirmed by Microsoft and will be updated as more information becomes available.

5. Hosting Controller Information Disclosure Vulnerability
BugTraq ID: 3971
Remote: Yes
Date Published: Jan 26 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3971
Summary:

Hosting Controller is an application which centralizes all hosting tasks to one interface. Hosting Controller gives every user the required control they need to manage the appropriate web site relevant to them. Hosting Controller runs on Microsoft Windows systems.

An issue has been discovered in Hosting Controller which may make it easier for remote attackers to brute-force user accounts.
In particular, it is trivial for an attacker to determine if a username exists or not. When a user enters an invalid username, Hosting Controller gives the following feedback:

"The user name could not be found"

The following URLs are common paths to the login page:

http://www.thesite.com.tr/admin/
http://www.thesite.com.tr/webadmin/
http://www.thesite.com.tr/advwebadmin/
http://www.thesite.com.tr/hostingcontroller/

This issue allows the attacker to determine which usernames are valid. The attacker may then attempt a brute-force attack in an attempt to crack the passwords of valid usernames.

6. CNet CatchUp Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3975
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3975
Summary:

CNET Catchup is a highly customizable utility for retrieving software updates for various products. It runs on Microsoft Windows 9x/ME/NT/2000/XP platforms.

CNET Catchup functions by scanning the user's system and then creating a list of possible updates for software that is installed. The user then selects which updates to install. CNET Catchup also provides a feature for scanning the system for ad-ware.

A vulnerability has been discovered that may allow a remote attacker to execute arbitrary code on the host running CNET Catchup. Additionally, it may be possible for an attacker to remotely start the CNET Catchup utility.

Successful exploitation of this issue may result in a full compromise of the host running the vulnerable software.

7. SAS SASTCPD Command Line Argument Buffer Overflow Vulnerability
BugTraq ID: 3979
Remote: No
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3979
Summary:

sastcpd is a "Job Spawner" included with the base installation of the SAS Software infrastructure. It is available for various platforms. This issue affects systems running the Unix, Linux, and Microsoft operating systems.
A problem with the software could make it possible for a local user to gain elevated privileges. The problem is in the handling of long command line arguments.

A problem has been discovered in the sastcpd program. sastcpd is a job spawning program included with the SAS Base product. By default, it is installed setuid root.

When sastcpd is executed with a command line argument of 1200 characters, a buffer overflow occurs. This overflow can result in the overwriting of stack variables, including the return address, and the execution of arbitrary code. As the sastcpd program is installed setuid root, the code will be executed with administrative privileges.

This problem makes it possible for a local user to gain administrative access.

8. SAS SASTCPD Command Format String Vulnerability
BugTraq ID: 3980
Remote: No
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3980
Summary:

sastcpd is a "Job Spawner" included with the base installation of the SAS Software infrastructure. It is available for various platforms. This issue affects systems running the Unix, Linux, and Microsoft operating systems.

A problem with the software could make it possible for a local user to gain elevated privileges. The problem is the handling of format strings.

A problem has been discovered in the sastcpd program. sastcpd is a job spawning program included with the SAS Base product. By default, it is installed setuid root.

sastcpd is vulnerable to a format string attack. When executed with a command line argument of a format string, it is possible to overwrite arbitrary addresses in memory. This can result in the execution of arbitrary code. As the sastcpd program is installed setuid root, the code will be executed with administrative privileges.

This problem makes it possible for a local user to gain administrative access.

9. PhpSmsSend Remote Shell Command Execution Vulnerability
BugTraq ID: 3982
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3982
Summary:

PhpSmsSend is a front end to the SmsSend program, and allows users to send SMS messages through a web interface. SmsSend is available for Linux and Microsoft Windows.

PhpSmsSend accepts a message to send as a user supplied CGI parameter. This data is then used to build a command calling SmsSend. PhpSmsSend does not properly validate user input used in this manner. A malicious party may include escape characters such as ` in the input, and execute additional, arbitrary shell commands.

Exploitation of this vulnerability could lead to arbitrary code being executed as the script user, generally 'nobody'. This could lead to local access to the vulnerable system, from which point further elevated privileges may be easier to obtain.

10. PGPFire Desktop Firewall ICMP Fingerprinting Vulnerability
BugTraq ID: 3961
Remote: Yes
Date Published: Jan 25 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3961
Summary:

PGPfire is a desktop firewall solution distributed and maintained by PGP Security. It is available for Microsoft Windows operating systems.

A problem with the software could make it possible for a remote user to fingerprint a system with the software installed. The problem is due to the alteration of the system TCP stack.

When PGPfire is installed on a system, the software replaces the default Windows TCP stack with a version supplied in the PGPfire package. In doing so, it makes it easier to identify the operating system of the host. This is due to the fact that the altered TCP stack produces responses uncharacteristic of any other operating system.

This could allow a remote user to fingerprint and identify sensitive information systems, and could result in an organized attack against sensitive resources.

11. BindView NetInventory Password Retrieval Vulnerability
BugTraq ID: 3957
Remote: No
Date Published: Jan 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3957
Summary:

NETinventory is a commercial system inventory solution distributed and maintained by BindView. It is available for Microsoft Windows and MSDOS Operating Systems.

A problem with the program could make it possible for a local user to gain access to sensitive information. The problem is in the creation of the HOSTCFG._NI file.

A system monitored by NETinventory typically stores credentials on the local file system. These credentials are stored in the HOSTCFG._NI file, and are usually protected. The credentials stored in HOSTCFG._NI include passwords.

If the file is deleted and a new audit is initiated, the data stored in HOSTCFG._NI will be kept temporarily in the file 'HOSTCFG.INI' in plaintext. This may result in a disclosure of sensitive information to an attacker.

The validity of this vulnerability has not been confirmed with BindView.

12. Compaq Intel PRO/Wireless 2011B LAN USB Device Driver Information Disclosure Vulnerability
BugTraq ID: 3968
Remote: No
Date Published: Jan 28 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3968
Summary:

Compaq's Intel PRO/Wireless 2011B LAN USB Device driver allows a user to connect a number of supported WLAN Ethernet devices via a USB port. It runs on Microsoft Windows platforms that support USB, such as Windows 98/ME/2000.

The Compaq Intel PRO/Wireless 2011B LAN USB Device driver may disclose sensitive information to local attackers. The 128-bit WEP (Wired Equivalent Privacy) Key is stored in plaintext in the registry. This sensitive information is stored in the appropriate registry key for the device, which by default may be accessed by unprivileged users.

The WEP Key may be used by the local attacker to decrypt all network traffic encapsulated in WEP.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------

1. Windows 2000/.Net Group Policy Locker (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=E748F5C5A5A8D411B14100508BDCB15CD7FC47@mail.mis.sandstream.com&threads=1

2. Outlook 2002 SP-1 Plain Text Patch Problem (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=003301c1aab8$a952e110$020ba8c0@jankariwo.com&threads=1

3. latest MS Advisory ms02-001 (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=70465867425FD411A011006008926532013CFD@noc.theworks.com&threads=1

4. "undelete" for NT2000 file sharing? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=93CAA6F0D1EBD311A00C00508B2C2D668B728F@uiexch2.unind.com&threads=1

5. Early Summary: RE: UPnP on Windows 2000 Pro? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=15448.32471.540918.131799@gargle.gargle.HOWL&threads=1

6. UPnP on Windows 2000 Pro? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=MKEAIJIPCGAHEFEJGDOCEEJEDOAA.marc@eeye.com&threads=1

7. NetBIOS Enumeration Utility 1.1 now available! (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020130005650.22436.qmail@mail.securityfocus.com&threads=1

8. two questions that need answering (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=LMEDKDLGMAAFJHCJKOIFOEBECFAA.alancr@ntlworld.com&threads=1

9. Microsoft CSP Random Key Generation (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=LMEDKDLGMAAFJHCJKOIFAEBECFAA.alancr@ntlworld.com&threads=1

10. Terminal Service Question (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=GHEGKEPDEHBCJCAIIMKAGEJOCEAA.sypox@swip.net&threads=1

11. Exchange 5.5 RPC Encryption (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=C3E5D03891AAD411BC6000508B1214FF01F3383B@us-cwi-exc-a05.cwi.cablew.com&threads=1

12. SecurityFocus Microsoft Newsletter #71 (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.LNX.4.43.0201281235450.19908-100000@mail.securityfocus.com&threads=1

13. Administrivia: Fun with Viruses (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.LNX.4.43.0201281148510.19908-100000@mail.securityfocus.com&threads=1

14. Persistent Shares viewable between users? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=NFEFLALDPOIFPKKBBCDNKEHPCCAA.bill.mote@bigfoot.com&threads=1

15. Enterprise Web application Security (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=011d01c1a681$a8dc81e0$e00992da@kornet.net&threads=1

16. Risk Analysis and Management Tool (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=200201261646.g0QGk1901487@uekae.uekae.gov.tr&threads=1

17. How to get my encrypted files back - Copy to FAT32... (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=LMEDKDLGMAAFJHCJKOIFEEPBCEAA.alancr@ntlworld.com&threads=1

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------

1. GroupShield Exchange
by Network Associates
Platforms: Windows NT
Relevant URL: http://www.nai.com/products/antivirus/groupshield/default2.asp
Summary:

Since traditional anti-virus products cannot scan inside the proprietary databases that groupware environments utilize, native anti-virus protection at the Exchange server is essential. GroupShield for Exchange uses McAfee's award-winning Hunter scanning technology to stop destructive viruses before they are distributed to other users.

2. Command AntiVirus for Exchange
by Command Software Systems
Platforms: Windows NT
Relevant URL: http://www.commandcom.com/enterprise/exchange.html
Summary:

Command AntiVirus for Microsoft® Exchange is specifically designed to protect the Microsoft Exchange environment from today's virus threats.
E-mail and groupware provide ease of sharing information, which may also facilitate the spread of virus infection. Virus entry points need real-time protection. Command AntiVirus for Microsoft Exchange secures virus entry points, employing HoloCheck scanning technology to stop both known and unknown viruses before they can infiltrate your organization.

3. Antigen 5 for Microsoft Exchange
by Sybari
Platforms: Windows NT
Relevant URL: http://www.sybari.com/antigenexchange.htm
Summary:

Sybari has developed features and techniques not found in any current anti-virus product to meet the reliability and performance requirements of today's Exchange environments. Because of this focus, Antigen 5 for Exchange can scan mailboxes and public folders 3-5 times faster than any other solution available today, eliminating the performance impact concern of adding anti-virus protection to your Exchange Server.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------

1. Securepoint Firewall and VPN Server SB v2.06
by Lutz Hausmann, lutz.hausmann@linkx.de
Relevant URL: http://www.securepoint.cc/download.htm
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

The Securepoint Firewall Server is a high-performance, commercial-grade application designed to offer full protection for network assets. The Securepoint is a complete software system with an operation system, based on a secure Linux. You can use the firewall on a standard PC with two or three network cards, and it is easy to install and administer.

2. Win Sniffer v1.22
by WinSniffer Inc.
Relevant URL: www.winsniffer.com
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:

Win Sniffer captures passwords on LAN. It captures ftp, http, telnet, icq, pop3, imap and other passwords.

3. Demarc PureSecure v1.05
by DEMARC ORG
Relevant URL: http://www.demarc.com/
Platforms: BSDI, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Perl (any system supporting perl), UNIX, Windows 2000, Windows NT, Windows XP
Summary:

Instead of having one program perform file integrity checks, another program monitoring the connectivity and health of your network, and yet another monitoring your network for intrusion detection attempts, Demarc PureSecure combines all these services into one powerful client/server program. Not only can you monitor the status of the different machines in your network, but you can also respond to changes in your network all from one centralized location.

Security is already a full time job in any network, and the burden of monitoring the reports from multiple programs across dozens of servers can result in information overload. The human mind can only process so much data at any given time before it simply becomes too much to analyze. Demarc PureSecure centralizes the reporting and analysis for the entire network which allows you to more easily weed out the important data from the superfluous background noise, thereby targeting your efforts where they really belong.

4. Locker v1.0
by Robert A. Rota rota_cyberdoc@hotmail.com
Relevant URL: http://www.geocities.com/robertrota2002
Platforms: Windows 2000, Windows XP
Summary:

This tool turns off Windows 2000/.Net Group Policies (GPO) on your network. It is completely automated and you do not have to be administrator to run the application or turn off all of the security policies in your environment. The developer takes no responsibility for damage or loss of production due to misuse of this tool. C++ source code provided by request.

VI. SPONSORSHIP INFORMATION
---------------------------