[13077] in bugtraq
Re: [w00giving '99 #11] IMail's password encryption scheme
daemon@ATHENA.MIT.EDU (Steven Alexander)
Thu Dec 23 14:26:22 1999
Message-Id: <000c01bf4ca4$b531f1c0$0202110a@cell2000>
Date: Wed, 22 Dec 1999 11:48:07 -0600
Reply-To: Steven Alexander <steve@CELL2000.NET>
From: Steven Alexander <steve@CELL2000.NET>
X-To: Mikael Olsson <mikael.olsson@enternet.se>
To: BUGTRAQ@SECURITYFOCUS.COM

Actually, ipswitch should do two things. They should protect the registry
keys so that all users cannot read the encrypted passwords. They should
also use stronger crypto so that in the case that someone does get access to
the registry keys, they cannot recover the passwords. This is important.
Suppose that someone can gain temporary access to the server, they should
not be able to recover the passwords so that they can use them in the
future.

A user may be able to get to the administrator's desk while he/she is away
and get to those keys, but if they can get the administrator's password,
they can drop in anytime they want and remotely administer IMail...or the
machine if the administrator's password is the same for the
domain/workstation as it is for IMail. If they use security at all levels
it makes the job of an attacker much more difficult.

I'm really displeased that ipswitch hasn't fixed this problem already. It
is simple to protect the registry keys. Also, when their password scheme
was revealed to be very simple in (April?) they should have moved to
something much more secure, not just another different but simple scheme.
If they're reading, perhaps they should consider MD5 or another hash
algorithm.

-steven

----- Original Message -----
From: Mikael Olsson <mikael.olsson@enternet.se>
To: Steven Alexander <steve@CELL2000.NET>
Cc: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Wednesday, December 22, 1999 1:27 PM
Subject: Re: [w00giving '99 #11] IMail's password encryption scheme
>
> It would seem that the best solution is to NOT try fixing the
> red herring (crypto with locally stored key) problem.
>
> The better solution would be to set the access rights
> for the registry keys in question to only allow the user
> running the IMail daemons, and the users that are supposed
> to be able to locally administrate IMail.
>
> Am I right or am I right?
>
> (Btw, you can do this yourself; you don't have to wait
> for ipswitch to release a fix)
>
> /Mike
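
The two positions in this thread side by side, as an added example that is not part of either message and is not IMail's actual scheme: a constructed XOR obfuscation stands in for "crypto with locally stored key", and salted PBKDF2-HMAC-SHA256 is swapped in for the "MD5 or another hash algorithm" suggestion. All function names, the key and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for "crypto with locally stored key": the key lives
# beside the data, so anyone who can read one can read the other.
LOCAL_KEY = b"constructed-local-key"
ITERATIONS = 200_000  # assumed work factor for the one-way record


def _xor(data: bytes) -> bytes:
    return bytes(b ^ LOCAL_KEY[i % len(LOCAL_KEY)] for i, b in enumerate(data))


def reversible_store(password: str) -> bytes:
    """What a reversible scheme writes to the configuration store."""
    return _xor(password.encode())


def reversible_recover(stored: bytes) -> str:
    """Read access to the stored value is enough to get the password back."""
    return _xor(stored).decode()


def hashed_store(password: str, salt=None) -> dict:
    """One-way record: a per-password random salt plus an iterated hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def hashed_verify(candidate: str, record: dict) -> bool:
    """The server can check a login attempt without storing the password."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    sample = "S3cret!"  # constructed sample password
    blob = reversible_store(sample)
    print("reversible value gives back:", reversible_recover(blob))
    record = hashed_store(sample)
    print("hash record verifies correct password:", hashed_verify(sample, record))
    print("hash record verifies wrong password:  ", hashed_verify("guess", record))
```

The hashed record still deserves the restricted registry ACL discussed above, since a weak password can be guessed offline against it.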