Archive for the ‘LINKS’ Category.
June 21, 2001, 11:47 am
ISS X-Force:
Wired-side SNMP WEP key exposure in 802.11b Access Points – (June 20, 2001)
Internet Security Systems (ISS) X-Force has discovered a vulnerability
in several 802.11b Access Point devices. This problem may reveal the
Wired Equivalent Privacy (WEP) key that is associated with the wired
network.
X-Force confirmed the following products are vulnerable:
3Com AirConnect Model Number AP-4111
Symbol 41X1 Access Point Series
Multiple Vendor 802.11b Access Point SNMP authentication flaw – (June 20, 2001)
ISS X-Force has discovered a serious flaw in the authentication
mechanism of the Atmel VNET-B Simple Network Management Protocol (SNMP)
implementation. Atmel devices are provided via Original Equipment
Manufacturer (OEM) agreements to Netgear and Linksys. These devices do
not implement any SNMP security measures, which may allow an attacker
to gain access to or control a wireless LAN (WLAN).
Affected Versions:
Atmel 802.11b VNET-B based Access Point
with firmware versions up to and including 1.3
Linksys WAP11
with Atmel firmware versions up to and including 1.3
Netgear ME102
with Atmel firmware versions up to and including 1.3
June 19, 2001, 8:27 am
eEye: Yet Another IIS Hole.
All versions of Microsoft Internet Information Services Remote buffer overflow (SYSTEM Level Access) “Attackers that leverage the vulnerability can, from a remote location, gain full SYSTEM level access to any server that is running a default installation of Windows NT 4.0, Windows 2000, or Windows XP and using Microsoft’s IIS Web server software. With system-level access, an attacker can perform any desired action, including installing and running programs, manipulating Web server databases, adding, changing or deleting files and Web pages, and more…”
Vendor Status:
Microsoft has released a patch for this vulnerability that can be downloaded from: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp “Microsoft strongly urges all web server administrators to apply the patch immediately.”
Also eEye Digital Security recommends removing the .ida ISAPI filter from your Web server if it does not provide your Web server with any _needed_ functionality.
[via ZopeNewbies]
June 18, 2001, 12:21 pm
Securing Windows 2000: First Steps (article) Nowhere near as thorough as the NSA recommendations, but OK for extremely basic first steps. [Security Focus]
June 18, 2001, 5:49 am
Kendall Clark: Three Myths of XML.
- The first myth rests on a confusion about the meanings of words like
“free” and “open” when they are applied to XML-encoded information.
- The second myth is that XML is magical, that it has some unique
properties that make impossible things possible.
- The third is that technology, including XML, is more determinative of
social relations and institutions than they are of it.
[via Scripting News]
June 18, 2001, 5:13 am
“Your tax dollars have been put to good use for a change, as the US National Security Agency (NSA) has been busy figuring out how to make Windows 2000 more secure, and has released a set of templates and instructions to enable anyone to batten down their ‘2K hatches.
“The package had been available briefly at NSA’s Web site, but has temporarily been taken down due to overwhelming demand. The files will be available again from NSA within a week’s time. Meanwhile, Cryptome has kindly mirrored it all here.
“The templates (.INF files) cover domain controllers, domain policy, and server and workstation settings. The recommendation guides are supplied as .PDF files and address numerous topics such as group policy, Active Directory, DNS, certificates, IIS, routers and Kerberos.”
[via The Register]