[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ProgSoc] Big security holes in Windows NT
What else is new?
"By all means lets agitate for | "Still, politicians are the ideal
handouts, tax cuts, freebies, | tripe liars. Lying (in addition
bread and circuses (why not bite | to giving orders) is what we pay
the hand that feeds you? the | them for, or rather what they pay
flavor is excellent) but without | themselves for with our taxes."
illusions." --(Bob Black, 1982/1985)--
---------- Forwarded message ----------
Date: Tue, 2 Jun 1998 12:49:24 -0700
From: Mitch Stone <firstname.lastname@example.org>
Subject: A-M$: Big security holes in Windows NT
June 2, 1998
VOLUME 12 ISSUE 22
Big security holes in Windows NT
By Robert Lemos, ZDNN
Flaws in Microsoft Corp.'s Windows NT software threaten the security of
companies using the Internet to tie together their far-flung corporate
locations, a computer security consulting firm declared on Monday.
"We were able to sniff passwords, eavesdrop on the networks and passively
do traffic analysis," said Bruce Schneier, president of Counterpane
Systems Inc. of Minneapolis. "Any Microsoft NT server on the Internet is
Microsoft's report card on security has a few F's. Last year the company
was criticized for the security threat posed by ActiveX. Monday, crypto
rivals Network Associates and RSA Data Security settled their suit.
Counterpane said it discovered the problems while doing a security
analysis on a Windows NT, an operating system used by a swiftly growing
number of corporations as the foundation for their computer networks.
Microsoft confirmed the security problems later the same day.
The flaws weaken the security of so-called "virtual private networks," or
VPNs, based on NT and point-to-point tunneling protocol, or PPTP. These
VPNs connect company networks from various locations and are quickly
becoming popular in the corporate world as a low-cost solution to buying
a dedicated phone line to connect computers between company sites.
"A lot of people are creating their virtual private networks using NT,"
Schneier said. "That makes the flaw that much more serious."
The PPTP is Microsoft's homegrown way of securely sending and receiving
data over the Internet. It's also used to identify whether the person
logging in a valid user.
But Schneier said the software giant would have been better off using one
of the public -- and stress-tested -- standards.
"Developing security implementations in-house is very difficult to do
right," he said. "That's why it's important to adopt a publicly tested
and recognized standard."
Windows NT system can use either a 40-bit or 128-bit encryption key to
protect a company's data. Those keys, in and of themselves, are extremely
secure. The problem is that NT secures those keys with a flawed password
system. "Anyone with a list of the top 10 million passwords can break
over 99 percent of the systems out there," he said.
Microsoft promises to fix the flaws as soon as possible.
"(Part of the problem) is already fixed," said Karan Khanna, product
manager for Windows NT security at Microsoft. "We will be releasing
patches to fix the rest as soon as we can."
Khanna attempted to put the flaws in perspective. "The amount of security
an organization enforces depends on its needs," he said. "The CIA spends
billions of dollars on security -- our customers don't need the level."
That you-get-what-you-pay-for philosophy could quickly backfire on the
software giant, however. Despite the stress on getting fixes out as soon
as possible, many times such patches just make more problems for system
administrators, said Schneier.
"Last time they released a fix, it broke so many other parts of Windows
NT, Microsoft had to pull it off the Web site three weeks later," he
"Anti - M$ Mailing List", a service of www.enemy.org located in Linz / Austria
You are subscribed to the progsoc mailing list. To unsubscribe, send a
message containing "unsubscribe" to email@example.com.
If you are having trouble, ask firstname.lastname@example.org for help.
This list is archived at <http://www.progsoc.uts.edu.au/lists/progsoc/>