Passport Passwords Stored in Plaintext

R. A. Hettinga rah at shipwright.com
Wed Oct 3 23:37:08 EDT 2001


http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2814881,00.html


Your stolen Passport
By Wayne Rash, Enterprise
September 26, 2001 9:37 AM PT

The way Dave Thomas describes it, he and his staff were trying to track
down a series of unusual bugs in Windows, when they stumbled across
something that really worried them. There, on their screens along with the
code they were debugging, was the name and password they'd just used for
Microsoft's Passport service. Worse, it was in plain text, and readily
accessible. As he looked more deeply, he realized that creating a worm that
could recover that information would be, in his words, "trivial."

Thomas, who is CTO of the Oregon-based software quality assurance company,
Bugtoaster, says that he wasn't really trying to get into the security
business, but that this was something too obvious to let pass. It was also
too important.

Microsoft's Passport service is a core piece of its .NET strategy. Anyone
who uses MSN or the MSN Messenger has a Passport. As the Microsoft Internet
strategy moves forward, the Passport will serve as a single sign-on for
interactions with any company that requires Passport-based authentication,
and Microsoft is working hard to sign up as many companies as possible. If
Microsoft's plans reach fruition, users will only need to authenticate once
with the Passport Data Center (run by Microsoft); then they can travel
around the Internet, moving from one Passport-enabled service to another
without having to log in again. This is a great convenience for users.

The problem is, it's also a great convenience for hackers and thieves. All
they need is your e-mail address and password to go anywhere you go because
Passport requires that you use your e-mail address as your user ID; and you
use a single password for all Passport-enabled sites. Worse, because
Microsoft is also tying its Wallet service to the Passport, they can also
spend your money and get your credit card information.

The only upside (if you can call it that) to Bugtoaster's findings is that
this particular security hole only applies to Windows 9x and Windows Me.
Unfortunately, versions of Windows working off the NT code base are
vulnerable, but for different reasons.

Windows 95/ME API reveals clear text

Bugtoaster's discovery is related to the Windows dial-up networking (DUN)
application on the client side. An API that DUN shares with other
applications retrieves the Passport credentials from an encrypted file.
When a Windows 9x/ME user logs into the Passport Data Center, the API
passes sign-on information in clear text from one process to another in
memory where a worm could easily find the information because it's an area
specified in the API for Windows.

While the API often passes log-in information to other services, such as
your ISP, hackers with malicious intent have had no incentive to steal this
information because there was little to be gained. With Passport and the
carte blanche it's designed to give its users, the stakes are completely
different.

Windows NT and 2000 don't have the clear text problem, but are still vulnerable.

Windows NT and 2000 not totally safe either

One of the benefits of using a version of Windows based on the NT code base
(NT, 2000, or XP) is that the API encrypts the log-in information before
passing it. But that doesn't mean you're in the clear just because you're
using NT or 2000. According to Steve Gibson of the highly respected
security firm of Gibson Research, getting the same Passport sign-on
information from those operating systems requires a different approach, but
he also calls the process trivial. According to Gibson, it's a simple
process to capture sign-on information from any version of Windows using a
worm that can record keystrokes. Like the data that hackers could have
snooped from the API, the only reason it hasn't been done in the past, he
says, is that it wasn't worth the trouble.

Now, however, with Passport, the target is much more attractive. While it
might have been pointless to get someone's ISP password, Passport opens up
broad access to any site that uses it.

In a response to our questions, a Microsoft spokesperson, who requested
anonymity, admitted that password information is passed in clear text
within Windows 95 and ME when a user logs on to Passport or any other
system. While Microsoft also recognizes that a worm, Trojan horse, or other
hostile code could invade Windows and capture a user's sign-on information,
the spokesman lays the blame on hostile code and not on any weaknesses in
Windows 95, ME or Passport. "By design, a program running on a user's
computer can in general take any action the user can," he writes in an
e-mailed response. "The real issue here is hostile code, not Passport."

According to him, the company doesn't plan to make any patches to the
vulnerable versions of Windows to help stop such theft of Windows sign-on
information. "Microsoft will not be providing a patch for this because
there is nothing to patch," he writes. "Once a user's machine has been
hacked, no patch will keep the hacker from gathering the information he or
she wants." Future versions of Windows will have security enhancements that
prevent such access by hostile code, he said.

Unfortunately, there's not much individual users can do without support
from Microsoft. Enterprise users, however, have some options. First of all,
discourage the use of Microsoft's Passport services until you're satisfied
that your security is protected. The most important way to protect your
company is to check your firewalls, and make sure they're screening for
unauthorized attempts to send information from any of your Windows
computers. One very effective way to accomplish this is to use a personal
firewall such as Zone Alarm from Zone Labs, which can actually block
unauthorized attempts to access the Internet. That way, at least, a worm
that captures your sign-on information won't have a way to send it out.

If you're a merchant on the Internet, or otherwise run a site that uses
Passport, you have some additional concerns. First, you must address
Passport's questionable security when you design your site, and make sure
you require additional authentication to access personal or financial
information. Second, you should be able to authenticate users who don't use
Passport, or who don't wish to use it on your site. Finally, you should
disclose up front what areas on your site users can access with Passport
and other authentication methods, and what the site must authenticate
itself.
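The three recommendations for Passport-accepting sites above (step-up authentication before personal or financial data, a non-SSO login path, and up-front disclosure of which areas the SSO alone unlocks) can be expressed as a small authorization model. The following is an added example written for this page, not code from the article, from Bugtoaster, Gibson Research or Microsoft. Everything in it is constructed for the demonstration: the `Assurance` levels, the `REQUIRED` path table, the `sso.example` issuer standing in for an external identity provider, the `STEP_UP_TTL` policy, and the sample users and PINs. Signature verification of the provider's ticket is left out; a real deployment would check it before trusting the assertion.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0      # anonymous visitor
    PRIMARY = 1   # identity established by an SSO ticket OR a local site password
    STEP_UP = 2   # re-verified with a site-held secret the SSO provider never sees


# Level each area requires. Publishing this table is the up-front disclosure
# the article asks for. Paths are constructed examples.
REQUIRED = {
    "/catalog": Assurance.NONE,
    "/orders": Assurance.PRIMARY,
    "/billing": Assurance.STEP_UP,
}

STEP_UP_TTL = 300           # seconds a step-up verification stays fresh (constructed policy)
SSO_ISSUER = "sso.example"  # stand-in for the external single sign-on provider


def _kdf(secret: str, salt: bytes) -> bytes:
    # Slow hash so a leaked user table does not hand over PINs and passwords directly.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _check(secret: str, salt: bytes, expected: bytes | None) -> bool:
    return expected is not None and hmac.compare_digest(_kdf(secret, salt), expected)


def make_record(pin: str, local_pw: str | None = None) -> dict:
    """Site-side user record with per-user random salts (constructed helper)."""
    pin_salt, pw_salt = os.urandom(16), os.urandom(16)
    return {
        "pin_salt": pin_salt, "pin": _kdf(pin, pin_salt),
        "pw_salt": pw_salt, "local_pw": _kdf(local_pw, pw_salt) if local_pw else None,
    }


# Constructed sample users: alice has an SSO identity and a local password,
# bob arrives only via SSO but still holds a site PIN for step-up.
SITE_USERS = {
    "alice@example.com": make_record("4821", "correct horse"),
    "bob@example.com": make_record("1177"),
}


@dataclass
class Session:
    user: str
    assurance: Assurance = Assurance.NONE
    step_up_at: float = 0.0

    def effective(self, now: float) -> Assurance:
        """Step-up decays back to PRIMARY once its window has passed."""
        if self.assurance == Assurance.STEP_UP and now - self.step_up_at > STEP_UP_TTL:
            return Assurance.PRIMARY
        return self.assurance


def login_sso(ticket: dict, now: float) -> Session | None:
    """Accept an SSO assertion (a constructed dict standing in for a provider
    ticket). Only known users are admitted, and only to PRIMARY."""
    if ticket.get("issuer") != SSO_ISSUER or ticket.get("expires", 0) <= now:
        return None
    if ticket.get("user") not in SITE_USERS:
        return None
    return Session(ticket["user"], Assurance.PRIMARY)


def login_local(user: str, password: str) -> Session | None:
    """Site-controlled login for users who do not use the SSO at all."""
    rec = SITE_USERS.get(user)
    if rec is None or not _check(password, rec["pw_salt"], rec["local_pw"]):
        return None
    return Session(user, Assurance.PRIMARY)


def step_up(session: Session, pin: str, now: float) -> bool:
    """Second, site-held factor demanded before financial pages open.
    A captured SSO password alone can never satisfy this check."""
    if session.effective(now) < Assurance.PRIMARY:
        return False  # must be logged in first
    rec = SITE_USERS.get(session.user)
    if rec is None or not _check(pin, rec["pin_salt"], rec["pin"]):
        return False
    session.assurance = Assurance.STEP_UP
    session.step_up_at = now
    return True


def authorize(session: Session | None, path: str, now: float) -> bool:
    """Compare the session's current level against the area's requirement;
    paths missing from the table fail closed."""
    level = Assurance.NONE if session is None else session.effective(now)
    return level >= REQUIRED.get(path, Assurance.STEP_UP)


def sso_only_areas() -> list[str]:
    """Areas reachable with nothing but the SSO credential: what a site should disclose."""
    return sorted(p for p, lvl in REQUIRED.items() if lvl <= Assurance.PRIMARY)
```

The point of the model is that a credential captured on the client, whether by the clear-text API path or a keystroke logger, buys the attacker only `PRIMARY`; the `/billing` area needs a secret the site holds itself, and that verification expires so it has to be repeated rather than riding along with a long-lived session.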

Beyond that, however, the best thing you can do is to be scrupulous about
password controls, educate your employees, and be suspicious of
single-sign-on plans that you don't control. And, of course, hope that
Microsoft decides to take these problems seriously enough to fix the
problem with the current installed base of Windows instead of waiting until
future versions are shipped.
-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com