Your stolen Passport
By Wayne Rash, Enterprise
September 26, 2001 9:37 AM PT
URL: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2814881,00.html

The way Dave Thomas describes it, he and his staff were trying to track down a series of unusual bugs in Windows when they stumbled across something that really worried them. There, on their screens along with the code they were debugging, was the name and password they'd just used for Microsoft's Passport service. Worse, it was in plain text, and readily accessible. As he looked more deeply, he realized that creating a worm that could recover that information would be, in his words, "trivial."

Thomas, who is CTO of the Oregon-based software quality assurance company Bugtoaster, says that he wasn't really trying to get into the security business, but that this was something too obvious to let pass. It was also too important.

Microsoft's Passport service is a core piece of its .NET strategy. Anyone who uses MSN or MSN Messenger has a Passport. As the Microsoft Internet strategy moves forward, the Passport will serve as a single sign-on for interactions with any company that requires Passport-based authentication, and Microsoft is working hard to sign up as many companies as possible. If Microsoft's plans reach fruition, users will only need to authenticate once with the Passport Data Center (run by Microsoft); then they can travel around the Internet, moving from one Passport-enabled service to another without having to log in again.

This is a great convenience for users. The problem is, it's also a great convenience for hackers and thieves. All they need is your e-mail address and password to go anywhere you go, because Passport requires that you use your e-mail address as your user ID, and you use a single password for all Passport-enabled sites. Worse, because Microsoft is also tying its Wallet service to the Passport, they can also spend your money and get your credit card information.
The only upside (if you can call it that) to Bugtoaster's findings is that this particular security hole only applies to Windows 9x and Windows Me. Unfortunately, versions of Windows built on the NT code base are also vulnerable, but for different reasons.

Windows 95/ME API reveals clear text

Bugtoaster's discovery is related to the Windows dial-up networking (DUN) application on the client side. An API that DUN shares with other applications retrieves the Passport credentials from an encrypted file. When a Windows 9x/ME user logs into the Passport Data Center, the API passes the sign-on information in clear text from one process to another through memory, where a worm could easily find it because it sits in an area specified by the Windows API. While the API often passes log-in information to other services, such as your ISP, hackers with malicious intent have had no incentive to steal this information because there was little to be gained. With Passport and the carte blanche it's designed to give its users, the stakes are completely different.

Windows NT and 2000 not totally safe either

One of the benefits of using a version of Windows based on the NT code base (NT, 2000, or XP) is that the API encrypts the log-in information before passing it. But that doesn't mean you're in the clear just because you're using NT or 2000. According to Steve Gibson of the highly respected security firm Gibson Research, getting the same Passport sign-on information from those operating systems requires a different approach, but he also calls the process trivial. According to Gibson, it's a simple process to capture sign-on information from any version of Windows using a worm that can record keystrokes. Like the data that hackers could have snooped from the API, the only reason it hasn't been done in the past, he says, is that it wasn't worth the trouble.
Now, however, with Passport, the target is much more attractive. While it might have been pointless to get someone's ISP password, Passport opens up broad access to any site that uses it.

In a response to our questions, a Microsoft spokesperson, who requested anonymity, admitted that password information is passed in clear text within Windows 95 and ME when a user logs on to Passport or any other system. While Microsoft also recognizes that a worm, Trojan horse, or other hostile code could invade Windows and capture a user's sign-on information, the spokesman lays the blame on hostile code and not on any weaknesses in Windows 95, ME or Passport. "By design, a program running on a user's computer can in general take any action the user can," he writes in an e-mailed response. "The real issue here is hostile code, not Passport."

According to him, the company doesn't plan to make any patches to the vulnerable versions of Windows to help stop such theft of Windows sign-on information. "Microsoft will not be providing a patch for this because there is nothing to patch," he writes. "Once a user's machine has been hacked, no patch will keep the hacker from gathering the information he or she wants." Future versions of Windows will have security enhancements that prevent such access by hostile code, he said.

Unfortunately, there's not much individual users can do without support from Microsoft. Enterprise users, however, have some options. First of all, discourage the use of Microsoft's Passport services until you're satisfied that your security is protected. The most important way to protect your company is to check your firewalls and make sure they're screening for unauthorized attempts to send information out from any of your Windows computers. One very effective way to accomplish this is to use a personal firewall such as ZoneAlarm from Zone Labs, which can block unauthorized attempts to access the Internet.
That way, at least, a worm that captures your sign-on information won't have a way to send it out.

If you're a merchant on the Internet, or otherwise run a site that uses Passport, you have some additional concerns. First, you must address Passport's questionable security when you design your site, and make sure you require additional authentication to access personal or financial information. Second, you should be able to authenticate users who don't use Passport, or who don't wish to use it on your site. Finally, you should disclose up front which areas of your site users can reach with Passport, which require other authentication methods, and which the site must authenticate itself.

Beyond that, however, the best thing you can do is to be scrupulous about password controls, educate your employees, and be suspicious of single-sign-on plans that you don't control. And, of course, hope that Microsoft decides to take these problems seriously enough to fix the problem in the current installed base of Windows instead of waiting until future versions are shipped.

--
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
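The three merchant-side steps above amount to a step-up authentication policy: a Passport-style single-sign-on assertion is enough to reach low-value pages, but personal or financial data requires a credential the site checks itself, and a user who never uses Passport can still sign in. The following is an added example of such a policy in Python, not code from the article, Microsoft or Bugtoaster; the resource names, the five-minute step-up window and the helper functions are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Assurance(IntEnum):
    ANON = 0       # nobody signed in
    SIGNED_IN = 1  # identity asserted, possibly only by an external SSO (Passport-style)
    STEP_UP = 2    # the site itself verified a credential recently


@dataclass
class Session:
    user: str
    sso_at: Optional[float] = None    # when an SSO assertion was accepted, if ever
    local_at: Optional[float] = None  # when the site last verified its own credential


# Assumed site areas. Personal and financial data never rely on the SSO assertion alone.
RESOURCE_POLICY = {
    "catalog": Assurance.ANON,
    "profile": Assurance.SIGNED_IN,
    "billing": Assurance.STEP_UP,
}
STEP_UP_TTL = 300.0  # seconds a site-verified credential keeps STEP_UP level (assumed)


def current_assurance(session: Session, now: float) -> Assurance:
    """Highest level the session holds right now; STEP_UP expires, SIGNED_IN does not."""
    if session.local_at is not None and now - session.local_at <= STEP_UP_TTL:
        return Assurance.STEP_UP
    if session.sso_at is not None or session.local_at is not None:
        return Assurance.SIGNED_IN
    return Assurance.ANON


def access(session: Session, resource: str, now: float) -> Tuple[str, Optional[str]]:
    """Decide a request: ("allow", None) or ("deny", <action the site must take next>)."""
    have = current_assurance(session, now)
    need = RESOURCE_POLICY[resource]
    if have >= need:
        return ("allow", None)
    if have == Assurance.ANON:
        return ("deny", "sign_in")
    return ("deny", "step_up")  # SSO alone is not trusted for this area


def accept_sso(session: Session, now: float) -> None:
    """Record an SSO assertion the site already validated; a stolen Passport passes here."""
    session.sso_at = now


def step_up(session: Session, credential_ok: bool, now: float) -> bool:
    """Record a site-controlled check (password or second factor); works without Passport too."""
    if credential_ok:
        session.local_at = now
    return credential_ok
```

Because `step_up` alone yields `SIGNED_IN` once its window lapses, a non-Passport user keeps ordinary access while billing pages always demand a fresh site-verified check.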
