Message-ID: <21352943.1075840796422.JavaMail.evans@thyme> Date: Tue, 4 Dec 2001 07:56:57 -0800 (PST) From: j.kaminski@enron.com To: vincek@cs.stanford.edu Subject: FW: E-mail intrusion detection Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-From: Kaminski, Vince J X-To: 'vincek@cs.Stanford.edu' X-cc: X-bcc: X-Folder: \vkamins\Sent Items X-Origin: KAMINSKI-V X-FileName: vincent kaminski 1-30-02.pst -----Original Message----- From: NW Security and Bug Patch Alert @ENRON Sent: Monday, December 03, 2001 3:40 PM To: vkamins@enron.com Subject: E-mail intrusion detection NETWORK WORLD NEWSLETTER: JASON MESERVE on SECURITY AND BUG PATCH ALERT 12/03/01 Today's focus: E-mail intrusion detection Dear Wincenty Kaminski, In this issue: * A new tool for detecting malicious e-mail traffic * Patches and alerts for wu-ftpd, postfix, Red Hat gdb and OpenSSH, others * The problem with gigabit-speed intrusion detection systems, plus other interesting reading _______________________________________________________________ Introducing Internetworking with TCP/IP Convergence is quickly coming to your network and TCP/IP is at the heart of it. That's why Network World offers two different skill level, hands-on courses in TCP/IP internetworking. Each two-day session includes lectures, labs, and resource materials. Put your team ahead of the curve with cost- effective, hassle-free onsite training! Visit http://nww1.com/go/1203netsmart.html _______________________________________________________________ Today's focus: E-mail intrusion detection By Jason Meserve E-mail. It's one of the greatest inventions of our time, despite the 40 junk mail messages I get each day. Still, there's one problem: The servers that deliver e-mail also can become hacker gateways into corporate networks. Traditional firewalls block a fair amount of malicious traffic, but they allow e-mail traffic in through Port 25 (SMTP). Hackers know this and exploit it to gain access to the corporate goods. Compounding the problem is that many mail servers run on Windows NT, and as this newsletter has shown, unless an administrator is ultra-vigilant in applying patches, NT security can be as solid as Swiss cheese. IronMail, a new product from Cipher Trust, is designed to help address this problem. It complements a traditional firewall while providing intrusion detection specifically for mail systems. The 1- or 2 rack-unit appliance scans all incoming mail for viruses, spam and other hacker threats such as buffer overflow and denial-of-service flood attacks. In the case of unusually long buffers, IronMail truncates the string before passing the message off to the mail server, preventing an overflow and crash on the server. Also, IronMail can proxy HTTP, IMAP, SMTP and POP, as well as their secure equivalents. Administrators can set up mail policies on the server, such as adding a "This e-mail is company confidential" footer to all outgoing messages or requiring encryption for messages sent to certain domains. IronMail operates on a Pentium-based appliance running an optimized version of the FreeBSD operating system. The 1U unit sells for $17,500 and the 2U unit for $27,500. Spam and antivirus filtering is sold separately on a per-user basis. For more, go to: http://www.ciphertrust.com/ironmail/index.htm Today's bug patches and security alert: * More wu-ftpd patches available As we mentioned in our last newsletter, Core Security Technologies has discovered a problem in the wu-ftpd server used by many Linux and Unix vendors. The vulnerability could be exploited by a remote user to execute arbitrary code with root privileges. For more, go to: Debian: http://www.debian.org/security/ (The alert/patches should be posted shortly.) Linux-Mandrake: http://nww1.com/go/linuxm.html Caldera Open UNIX and UnixWare 7: http://nww1.com/go/caldera.html Conectiva (this is an additional update): http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000443 Immunix (another updated release): http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-036-02 CERT advisory: http://www.cert.org/advisories/CA-2001-33.html * Linux-Mandrake patches postfix A patch is now available for another vulnerability we reported last week: Postfix, a simple mail transfer agent, contains a flaw in the way it handles its log files. This could be exploited to cause a denial-of-service attack against the affected system. Linux-Mandrake users can download the appropriate patch from: http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-089.php3 * Red Hat updates gdb Red Hat has released an updated version of the gdb package to fix a number of bugs reported in previous releases. The new version can be downloaded from: http://www.redhat.com/support/errata/RHBA-2001-159.html * New OpenSSH packages from Red Hat Red Hat has released updated OpenSSH packages. According to the company, these updates fix a bug in the packages' handling of restricted keys that could have allowed users to bypass command restrictions by using subsystems. They also fix a subtle bug that might have aided a passive analysis attack. http://www.redhat.com/support/errata/RHSA-2001-154.html * Cyrus SASL patch available The Cyrus SASL library is used by sendmail and contains a potential remote vulnerability that could be exploited by a malicious user to gain root access. Red Hat has patched the problem: http://www.redhat.com/support/errata/RHSA-2001-150.html * SGI patches CDE flaws We reported a while back that there were a number of root flaws in the CDE packages for Unix and Linux. The flaw could be exploited to run arbitrary code on the affected system. SGI has patched this vulnerability in its IRIX operating system. For more, go to: ftp://patches.sgi.com/support/free/security/advisories/20011107-01-P * SGI will NOT patch Gauntlet firewall Although flaws have been discovered in the Gauntlet Firewall for IRIX, the company will not be patching the product since it is longer supported. For more, go to: ftp://patches.sgi.com/support/free/security/advisories/20011104-01-I * Patch available for IRIX NEdit According to an alert from SGI, there is a vulnerability related to the way the NEdit editor creates temporary files. A problem with the software could make it possible to overwrite any file owned by a user of the editor. For available fixes, go to: ftp://patches.sgi.com/support/free/security/advisories/20011105-01-P * Caldera patches OpenServer setcontext and sysi86 vulnerabilities A "family" of security holes has been discovered in Caldera's OpenServer. The patch for the flaws could break the functionality of some authorized programs. For more, go to: ftp://stage.caldera.com/pub/security/openserver/CSSA-2001- SCO.35/ Today's roundup of virus alerts: * WM97/Marker-JZ - A Word macro virus that attempts to FTP document information to the Codebreaker's Web site. (Sophos) >From the interesting reading department: * Intrusion alert There's a persistent problem with today's new breed of gigabit- speed intrusion-detection systems: They simply cannot plow through IP traffic fast enough to provide blanket protection on networks running at gigabit speed, according to industry experts and at least three vendors who make such products. http://www.nwfusion.com/news/2001/1203ids.html Network World, 12/03/01 * Check Point adds clustering support Check Point Software this week will begin delivering failover and load sharing capabilities in its VPN-1/Firewall-1 software in an attempt to make customers' most important sites less susceptible to crashes. http://www.nwfusion.com/archive/2001/128038_12-03-2001.html Network World, 12/03/01 * Linux FTP security vulnerability fixed A Linux security vulnerability related to FTP, first spotted in April, is finally getting the attention it deserves as Linux vendors and the Washington University WU-FTPD Development Group issued software patches to fix it. http://www.nwfusion.com/news/2001/1129linftp.html Network World, 11/29/01 * Archives online In between shopping for holiday gifts at various online retailers, surf on over to our online archives: http://www.nwfusion.com/newsletters/bug/index.html _______________________________________________________________ To contact Jason Meserve: Jason Meserve is the Multimedia Editor of Network World Fusion and writes about streaming media, search engines and IP Multicast. Jason can be reached at mailto:jmeserve@nww.com. _______________________________________________________________ Promote your services and generate qualified leads! Register on Buy IT, NW Fusion's Vendor Directory and RFP Center. It's cost-effective and eliminates the headaches of finding new business. List your company today and access millions of dollars in RFPs posted by active buyers. Go to NW Fusion now! http://www.nwfusion.newmediary.com/091201nwwprovnwltr1 _______________________________________________________________ FEATURED READER RESOURCE JOIN IN! Network World Forums are a great place to voice your opinion and hear what your peers have to say about a latest product release or trend in networking. Our Forums cover such topics as "Should you upgrade to XP?" to a "Help Desk Forum" in which you can ask the expert advice of Network World Fusion's Help Desk editor, Ron Nutter. Our Forums are a great way to express your opinions and interact with your peers. http://www.nwfusion.com/forum/index.html _______________________________________________________________ May We Send You a Free Print Subscription? You've got the technology snapshot of your choice delivered at your fingertips each day. Now, extend your knowledge by receiving 51 FREE issues to our print publication. Apply today at http://www.nwwsubscribe.com/nl _______________________________________________________________ SUBSCRIPTION SERVICES To subscribe or unsubscribe to any Network World e-mail newsletters, go to: http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp To unsubscribe from promotional e-mail go to: http://www.nwwsubscribe.com/ep To change your e-mail address, go to: http://www.nwwsubscribe.com/news/scripts/changeemail.asp Subscription questions? Contact Customer Service by replying to this message. Have editorial comments? Write Jeff Caruso, Newsletter Editor, at: mailto:jcaruso@nww.com For advertising information, write Jamie Kalbach, Director of Online Sales, at: mailto:jkalbach@nww.com Copyright Network World, Inc., 2001 ------------------------ This message was sent to: vkamins@enron.com