Message-ID: <21352943.1075840796422.JavaMail.evans@thyme>
Date: Tue, 4 Dec 2001 07:56:57 -0800 (PST)
From: j.kaminski@enron.com
To: vincek@cs.stanford.edu
Subject: FW: E-mail intrusion detection
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-From: Kaminski, Vince J </O=ENRON/OU=NA/CN=RECIPIENTS/CN=VKAMINS>
X-To: 'vincek@cs.Stanford.edu'
X-cc: 
X-bcc: 
X-Folder: \vkamins\Sent Items
X-Origin: KAMINSKI-V
X-FileName: vincent kaminski 1-30-02.pst



 -----Original Message-----
From: 	NW Security and Bug Patch Alert <Security-BugPatch@bdcimail.com>@ENRON  
Sent:	Monday, December 03, 2001 3:40 PM
To:	vkamins@enron.com
Subject:	E-mail intrusion detection

NETWORK WORLD NEWSLETTER: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
12/03/01
Today's focus: E-mail intrusion detection

Dear Wincenty Kaminski,

In this issue:

*  A new tool for detecting malicious e-mail traffic
*  Patches and alerts for wu-ftpd, postfix, Red Hat gdb and
OpenSSH, others
* The problem with gigabit-speed intrusion detection systems,
plus other interesting reading

_______________________________________________________________
Introducing Internetworking with TCP/IP

Convergence is quickly coming to your network and TCP/IP is at
the heart of it. That's why Network World offers two different
skill level, hands-on courses in TCP/IP internetworking. Each
two-day session includes lectures, labs, and resource
materials. Put your team ahead of the curve with cost-
effective, hassle-free onsite training! Visit
http://nww1.com/go/1203netsmart.html

_______________________________________________________________
Today's focus: E-mail intrusion detection

By Jason Meserve


E-mail. It's one of the greatest inventions of our time,
despite the 40 junk mail messages I get each day. Still,
there's one problem: The servers that deliver e-mail also can
become hacker gateways into corporate networks.

Traditional firewalls block a fair amount of malicious traffic,
but they allow e-mail traffic in through Port 25 (SMTP).
Hackers know this and exploit it to gain access to the
corporate goods. Compounding the problem is that many mail
servers run on Windows NT, and as this newsletter has shown,
unless an administrator is ultra-vigilant in applying patches,
NT security can be as solid as Swiss cheese.

IronMail, a new product from Cipher Trust, is designed to help
address this problem. It complements a traditional firewall
while providing intrusion detection specifically for mail
systems. The 1- or 2 rack-unit appliance scans all incoming
mail for viruses, spam and other hacker threats such as buffer
overflow and denial-of-service flood attacks. In the case of
unusually long buffers, IronMail truncates the string before
passing the message off to the mail server, preventing an
overflow and crash on the server.

Also, IronMail can proxy HTTP, IMAP, SMTP and POP, as well as
their secure equivalents. Administrators can set up mail
policies on the server, such as adding a "This e-mail is
company confidential" footer to all outgoing messages or
requiring encryption for messages sent to certain domains.

IronMail operates on a Pentium-based appliance running an
optimized version of the FreeBSD operating system. The 1U unit
sells for $17,500 and the 2U unit for $27,500. Spam and
antivirus filtering is sold separately on a per-user basis.

For more, go to:
http://www.ciphertrust.com/ironmail/index.htm

Today's bug patches and security alert:

* More wu-ftpd patches available

As we mentioned in our last newsletter, Core Security
Technologies has discovered a problem in the wu-ftpd server
used by many Linux and Unix vendors. The vulnerability could be
exploited by a remote user to execute arbitrary code with root
privileges. For more, go to:

Debian:
http://www.debian.org/security/
(The alert/patches should be posted shortly.)

Linux-Mandrake:
http://nww1.com/go/linuxm.html

Caldera Open UNIX and UnixWare 7:
http://nww1.com/go/caldera.html

Conectiva (this is an additional update):
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000443

Immunix (another updated release):
http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-036-02

CERT advisory:
http://www.cert.org/advisories/CA-2001-33.html

* Linux-Mandrake patches postfix

A patch is now available for another vulnerability we reported
last week: Postfix, a simple mail transfer agent, contains a
flaw in the way it handles its log files. This could be
exploited to cause a denial-of-service attack against the
affected system. Linux-Mandrake users can download the
appropriate patch from:

http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-089.php3

* Red Hat updates gdb

Red Hat has released an updated version of the gdb package to
fix a number of bugs reported in previous releases. The new
version can be downloaded from:
http://www.redhat.com/support/errata/RHBA-2001-159.html

* New OpenSSH packages from Red Hat

Red Hat has released updated OpenSSH packages. According to the
company, these updates fix a bug in the packages' handling of
restricted keys that could have allowed users to bypass command
restrictions by using subsystems. They also fix a subtle bug
that might have aided a passive analysis attack.
http://www.redhat.com/support/errata/RHSA-2001-154.html

* Cyrus SASL patch available

The Cyrus SASL library is used by sendmail and contains a
potential remote vulnerability that could be exploited by a
malicious user to gain root access. Red Hat has patched the
problem:
http://www.redhat.com/support/errata/RHSA-2001-150.html

* SGI patches CDE flaws

We reported a while back that there were a number of root flaws
in the CDE packages for Unix and Linux. The flaw could be
exploited to run arbitrary code on the affected system. SGI has
patched this vulnerability in its IRIX operating system. For
more, go to:
ftp://patches.sgi.com/support/free/security/advisories/20011107-01-P

* SGI will NOT patch Gauntlet firewall

Although flaws have been discovered in the Gauntlet Firewall
for IRIX, the company will not be patching the product since it
is longer supported. For more, go to:
ftp://patches.sgi.com/support/free/security/advisories/20011104-01-I

* Patch available for IRIX NEdit

According to an alert from SGI, there is a vulnerability
related to the way the NEdit editor creates temporary files. A
problem with the software could make it possible to overwrite
any file owned by a user of the editor. For available fixes, go
to:
ftp://patches.sgi.com/support/free/security/advisories/20011105-01-P

* Caldera patches OpenServer setcontext and sysi86
vulnerabilities

A "family" of security holes has been discovered in Caldera's
OpenServer. The patch for the flaws could break the
functionality of some authorized programs. For more, go to:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-
SCO.35/

Today's roundup of virus alerts:

* WM97/Marker-JZ - A Word macro virus that attempts to FTP
document information to the Codebreaker's Web site. (Sophos)

>From the interesting reading department:

* Intrusion alert

There's a persistent problem with today's new breed of gigabit-
speed intrusion-detection systems: They simply cannot plow
through IP traffic fast enough to provide blanket protection on
networks running at gigabit speed, according to industry
experts and at least three vendors who make such products.
http://www.nwfusion.com/news/2001/1203ids.html
Network World, 12/03/01

* Check Point adds clustering support

Check Point Software this week will begin delivering failover
and load sharing capabilities in its VPN-1/Firewall-1 software
in an attempt to make customers' most important sites less
susceptible to crashes.
http://www.nwfusion.com/archive/2001/128038_12-03-2001.html
Network World, 12/03/01

* Linux FTP security vulnerability fixed

A Linux security vulnerability related to FTP, first spotted in
April, is finally getting the attention it deserves as Linux
vendors and the Washington University WU-FTPD Development Group
issued software patches to fix it.
http://www.nwfusion.com/news/2001/1129linftp.html
Network World, 11/29/01

* Archives online

In between shopping for holiday gifts at various online
retailers, surf on over to our online archives:
http://www.nwfusion.com/newsletters/bug/index.html

_______________________________________________________________
To contact Jason Meserve:

Jason Meserve is the Multimedia Editor of Network World
Fusion and writes about streaming media, search engines and
IP Multicast. Jason can be reached at mailto:jmeserve@nww.com.
_______________________________________________________________
Promote your services and generate qualified leads!  Register
on Buy IT, NW Fusion's Vendor Directory and RFP Center.  It's
cost-effective and eliminates the headaches of finding new
business.  List your company today and access millions of
dollars in RFPs posted by active buyers.  Go to NW Fusion now!
http://www.nwfusion.newmediary.com/091201nwwprovnwltr1
_______________________________________________________________
FEATURED READER RESOURCE

JOIN IN!

Network World Forums are a great place to voice your opinion
and hear what your peers have to say about a latest product
release or trend in networking. Our Forums cover such topics as
"Should you upgrade to XP?" to a "Help Desk Forum" in which
you can ask the expert advice of Network World Fusion's Help
Desk editor, Ron Nutter. Our Forums are a great way to express
your opinions and interact with your peers.
http://www.nwfusion.com/forum/index.html
_______________________________________________________________
May We Send You a Free Print Subscription?
You've got the technology snapshot of your choice delivered
at your fingertips each day. Now, extend your knowledge by
receiving 51 FREE issues to our print publication. Apply
today at http://www.nwwsubscribe.com/nl
_______________________________________________________________
SUBSCRIPTION SERVICES

To subscribe or unsubscribe to any Network World e-mail
newsletters, go to:
http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp

To unsubscribe from promotional e-mail go to:
http://www.nwwsubscribe.com/ep

To change your e-mail address, go to:
http://www.nwwsubscribe.com/news/scripts/changeemail.asp

Subscription questions? Contact Customer Service by replying to
this message.

Have editorial comments? Write Jeff Caruso, Newsletter Editor,
at: mailto:jcaruso@nww.com

For advertising information, write Jamie Kalbach, Director of
Online Sales, at: mailto:jkalbach@nww.com

Copyright Network World, Inc., 2001

------------------------
This message was sent to:  vkamins@enron.com