[ProgSoc] Big security holes in Windows NT
What else is new?
"By all means let's agitate for handouts, tax cuts, freebies, bread and circuses (why not bite the hand that feeds you? the flavor is excellent) but without illusions."

"Still, politicians are the ideal tripe liars. Lying (in addition to giving orders) is what we pay them for, or rather what they pay themselves for with our taxes."

--(Bob Black, 1982/1985)--
---------- Forwarded message ----------
Date: Tue, 2 Jun 1998 12:49:24 -0700
From: Mitch Stone <mstone@nospam.vc.net>
Reply-To: Anti_MS@nospam.enemy.org
To: anti_ms@nospam.enemy.org
Subject: A-M$: Big security holes in Windows NT
http://www.zdnet.com/macweek/1222/nw_security.html
June 2, 1998
VOLUME 12 ISSUE 22
Big security holes in Windows NT
By Robert Lemos, ZDNN
Flaws in Microsoft Corp.'s Windows NT software threaten the security of
companies using the Internet to tie together their far-flung corporate
locations, a computer security consulting firm declared on Monday.
"We were able to sniff passwords, eavesdrop on the networks and passively
do traffic analysis," said Bruce Schneier, president of Counterpane
Systems Inc. of Minneapolis. "Any Microsoft NT server on the Internet is
insecure."
Microsoft's report card on security has a few F's. Last year the company
was criticized for the security threat posed by ActiveX. Monday, crypto
rivals Network Associates and RSA Data Security settled their suit.
Counterpane said it discovered the problems while doing a security
analysis of Windows NT, an operating system used by a swiftly growing
number of corporations as the foundation for their computer networks.
Microsoft confirmed the security problems later the same day.
The flaws weaken the security of so-called "virtual private networks," or
VPNs, based on NT and point-to-point tunneling protocol, or PPTP. These
VPNs connect company networks from various locations and are quickly
becoming popular in the corporate world as a low-cost solution to buying
a dedicated phone line to connect computers between company sites.
"A lot of people are creating their virtual private networks using NT,"
Schneier said. "That makes the flaw that much more serious."
PPTP is Microsoft's homegrown way of securely sending and receiving
data over the Internet. It's also used to verify whether the person
logging in is a valid user.
But Schneier said the software giant would have been better off using one
of the public -- and stress-tested -- standards.
"Developing security implementations in-house is very difficult to do
right," he said. "That's why it's important to adopt a publicly tested
and recognized standard."
A Windows NT system can use either a 40-bit or 128-bit encryption key to
protect a company's data. Those keys, in and of themselves, are extremely
secure. The problem is that NT secures those keys with a flawed password
system. "Anyone with a list of the top 10 million passwords can break
over 99 percent of the systems out there," he said.
Microsoft promises to fix the flaws as soon as possible.
"(Part of the problem) is already fixed," said Karan Khanna, product
manager for Windows NT security at Microsoft. "We will be releasing
patches to fix the rest as soon as we can."
Khanna attempted to put the flaws in perspective. "The amount of security
an organization enforces depends on its needs," he said. "The CIA spends
billions of dollars on security -- our customers don't need the level."
That you-get-what-you-pay-for philosophy could quickly backfire on the
software giant, however. Despite the stress on getting fixes out as soon
as possible, many times such patches just make more problems for system
administrators, said Schneier.
"Last time they released a fix, it broke so many other parts of Windows
NT, Microsoft had to pull it off the Web site three weeks later," he
said.
--
"Anti - M$ Mailing List", a service of www.enemy.org located in Linz / Austria
This list is archived at <http://www.progsoc.uts.edu.au/lists/progsoc/>