[319] in Best-of-Security
BoS: Passwords a dead giveaway in Windows 95 security hole
daemon@ATHENA.MIT.EDU (Con Zymaris)
Fri Aug 22 00:20:47 1997
From: Con Zymaris <conz@cyber.com.au>
Date: Fri, 22 Aug 1997 11:42:02 +1100 ()
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
http://www.afr.com.au/content/970822/inform/inhands.html
Passwords a dead giveaway in Windows 95 security hole
By Peter Moon

A major Windows 95 security hole has been uncovered.
Internet access passwords, once thought to be hidden by
the operating system, can be revealed in a few seconds
by a program the size of a digital thimble.

Access passwords are meant to ensure that only an
account owner can run up charges on an Internet
account. Once a third party knows your password, they
can use your account from any computer, surfing for
hours at your expense, viewing your e-mail and even
sending messages under your name. Windows 95 can
remember access passwords so that you need not retype
them every time you want to dial up the Net. Probably
the majority of dial-up account holders use the feature.
Why not? When Win95 stores the password, it appears
on the screen as nothing more than a row of asterisks.
The true password is hidden from sight.

Well, was hidden from sight. Hands On has located a tiny
program that sees straight through the asterisks and
displays the underlying password -- instantly.

This is not a password-cracking tool; it isn't breaking in
by trying millions of combinations. As its inventor says:
"Despite what many of my 'customers' believe, I have not
cracked the password-encoding scheme -- it wasn't
necessary. My program simply exploits a hole in Win95
security."

To learn your password, someone must have physical
access to your PC. Apart from one of the kids, or one of
their school friends, or your brother, or a co-worker, or
a computer repair person, or a student in your school, or
one of your employees, Hands On can't think of many
people who have access to a PC that belongs to another.
And if that other's PC has a "hidden" Internet password
on it, any one of those persons might walk away with a
copy in their pocket.

The program can run from a floppy disk and takes up so
little room that it could be buried among dozens of
innocent files. Someone who borrows your PC to print
out an innocuous letter could view your password in far
less time than a page takes to print. Your account key
could be spirited out while you are a few feet away.
Because it doesn't need to be installed on the target PC,
it leaves no footprint. Subsequent examination of the
machine won't give any hint as to whether passwords
have been leached out.

Until now, the worst result from leaving your access
password memorised was that someone could sit at the
actual machine and use your account. As long as the PC
is relatively physically secure, that can be an acceptable
risk. After all, it's hard for an employee to spend too
much time surfing on the office account while they are in
the building, especially if access is limited to a dedicated
computer. Now it is possible for staff to help themselves
to the full account details and do their free surfing from
home.

The Asterisk Trap (as Hands On dubs it) will facilitate
trade in "stolen" Internet accounts. In many cases, the
owners won't know that anything is wrong until the big
access bill arrives.

Internet service providers often enough receive
complaints that customers "couldn't have used that many
hours". Normally, there are only two explanations: a
customer gave free machine access to someone else, or
they carelessly disclosed their password. Now there is a
third: that they used Windows 95 exactly as it was
intended to be used, and someone with brief access to
the PC had a 15K set of x-ray specs with them. Mr
Richard Preen, director of the national ISP Netspace
Online Systems, told Hands On: "This is a real headache.
The industry will score complaints from users who
genuinely believe that their password was secure, and
that it must be an ISP billing error. Microsoft has to plug
this one urgently."

For businesses that upload files to their Internet sites, the
security breach poses a special risk. It reveals the
passwords in several popular "FTP" packages -- those
used to send materials to websites.

The fix is easy, but you will have to enter your access
password every time you dial your service provider: tell
Win95 not to save your password. The option is set by a
check box that appears when you click on the dial-up
icon.

Peter Moon is a partner in the Melbourne legal
firm John Keating & Associates. Feedback
to: lawyer@netspace.net.au
___________________________________________________________________________
Con Zymaris conz@cyber.com.au Web: www.cyber.com.au
Cybersource Pty Ltd: Windows/Unix Integration and TCP/IP
Network Management
+61 3 9642 5997 Fax:+61 3 9642 5998, 8/140 Queen Street,
Melbourne, Australia