..A warning on Microsoft (in)security

Basic crypto weakness undermines all claims to security, expert says

Longtime readers know that TBTF has been reporting on security weak- nesses in Microsoft's products, particularly Internet Explorer, for more than a year [25]. Now a security expert from New Zealand, Peter Gutmann, has posted a paper [26] claiming that the flaws are so ser- ious that Windows 95 users should entirely refrain from using the Web. Among the problems Gutmann points out is a critical weakness in the way Microsoft software protects (or does not protect) users' master encryption key; this weakness undermines all other encryp- tion components in Web servers and browsers. Gutmann outlines how a cracker could quietly retrieve the private key from a victim's ma- chine and break the encryption that "protects" it in a matter of seconds. The attacker has, Gutmann says, then "effectively stolen [the user's] digital identity, and can use it to digitally sign contracts and agreements, to recover every encryption session key it has ever protected in the past and will ever protect in the future, to access private and confidential email, and so on." TechWeb coverage is here [27].

[25] http://www.tbtf.com/resource/ms-sec-exploits.html
[26] http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt
[27] http://www.techweb.com/wire/story/TWB19980123S0007

The author didn't give sufficient detail for me to understand the attack, but it seems to be based in part on the retention of old, flawed mechanisms protecting private keys that were retained for backward compatibility reasons, and in part on the ability to acquire the encrypted form of a user's password and run password guessing on it.

I'm expecting most readers have heard about the sailor accused of being gay based on information that an AOL technician gave a Navy investigator. Declan McCullagh reporteed in Risks that AOL admitted that it handed over the sailor's personal information to the Navy without a court order, saying in a statement "This clearly should not have happened and we regret it." Given the heightened interest in privacy repurcussions in all sorts of companies (and all the press that the US military's "don't ask, don't tell" policy on gays got a while back), I was quite surprised that the AOL employee made such a mistake.

Lauren Weinstein, PRIVACY Forum moderator, reported on a business service that AT&T offers that allows the business to do a reverse translation of phone number to subscriber name, even for unpublished numbers, even when that number never appeared on the business's bills. Unpublished numbers are usually excluded from other forms of this "upside-down" listing.

Another URL buffer overflow problem that may allow for the execution of arbitrary machine code (http://l0pht.com/advisories.html) was identified in Microsoft's IE, this time for mk:// URLs (earlier, a similar problem was found for res:// URLs). Anyone who's coded secure systems can imagine the problem. For every new URL scheme there's a bunch of new processing code, and a bunch of new programmers who don't know that they shouldn't rely on any stated "legal" limits for URL length.

Someone on the TLS working group list mentioned that Fortify (a program? a company?) modifies the shipping, export approved Netscape Navigator/Communicator with "an easily applied patch" to enable users to use 128-bit encryption with SSL when the server supports it. This gets around the "supercert" restriction imposed by the U.S. government.

Quite a while back (late last summer?), members of the Kerberos community announced that they had been involved with fruitless negotiations with Microsoft directed at assuring that the Kerberos supported in future versions of Microsoft OSes would be "true" standard Kerberos. Just recently, employees at Microsoft have begun to participate in the Kerberos standards process in the Common Authentication Technology (CAT) working group of the IETF. One of the first issues raised was defining a Kerberos with "exportable" (weak) encryption, which not surprisingly raised a few hackles. One suggestion was that any Kerberos standard supporting weak encryption include the necessity of explicitly warning the user of its weakness.

You can now order a 3-meter resolution photograph of anywhere on earth for a few hundred dollars, from EarthWatch, of Longmont, Colorado. In 1999 they plan on launching satellites with a minimum resolution below 1 meter, which is close to being able to spot people from space.

Risks reported that the airforce thinks "push-pull" technology is too risky. "Push-pull" technology allows Web users to subscribe to particular kinds of information and get it sent to them in a timely manner. The Risks article gives no technical details on the risk, but includes the quote "Currently, these technologies introduce security risks and impact data throughput on our networks than cannot be tolerated." The latter is certainly true; I've heard places like HP are beginning to warn users about the performance degradation in the morning when everyone logs on. I suppose there's also concern about sending active code this way, which might be part of the security concern.

Discussions on just what Digest Authentication is supposed to be heated up again on the IETF's HTTP working group list. Digest was initially proposed as a replacement for Basic authentication that does not expose passwords on the net. Of course, there are many other risks that an authentication protocol can address (Man In The Middle being the one that comes up the most in this context), and Digest has been pulled in a variety of directions which have slowed down its definition (and perhaps its use). After much discussion, the working group again affirmed Digest's original charter, and maybe someday all our Web passwords will be cryptographically protected in transit.