Forwarded From: anonat_private

http://www.nytimes.com/techweb/TW_Hole_Found_In_NT_Password_Tester.html

January 25, 1999

Hole Found In NT Password Tester
Filed at 6:50 p.m. EST
By Andy Patrizio for TechWeb, CMPnet

The security wizards at L0pht Heavy Industries have uncovered a Windows NT security threat in one of the last places you'd expect to find one -- in a password-integrity tester.

L0pht set out to test Password Appraiser from Quakenbush Consulting. Quakenbush was positioning the product as competitive with L0pht's own Windows NT security tester, L0phtCrack. Both test the passwords on an NT network to make sure users haven't chosen obvious words that are easily guessed.

What L0pht found was that the free demo of Password Appraiser downloaded from the Quakenbush home page was, in addition to its audit, sending user-password hashes over the Internet to Quakenbush's own site. A hash is the password in its encrypted form as stored on the NT server. There, the passwords were compared to a database of commonly used passwords. If a hash matched a password in the database, the password was sent back in plain text, completely unencrypted.

Such a glaring error surprised "Dr. Mudge," a L0pht staff member who ran the tests. "They are not demonstrating that they know what they're doing," he said. "This is a really basic mistake." He compared it to a locksmith putting a padlock on the outside of a house instead of a better lock on the inside of the house.

Gerald Quakenbush, president of Quakenbush Consulting, defends the product, which was released in December. "We never intended for anyone to use this on a production network," he said. "For the demo, our intention was for someone to run a test on a local system."

The L0pht advisory was posted Thursday, and the next day Quakenbush added Secure Sockets Layer (SSL) encryption for its Internet transmissions. The plain-text transmission of data was a bug, which has been fixed, said Quakenbush.
Both fixes were made available as patches for customers who already had the product, in addition to revising the downloadable demo. Quakenbush Consulting now checks every Internet query, so if someone attempts to run the older version with the bug, the test fails and no data is exchanged except for an alert to get the patch from the Quakenbush home page.

The downloadable demo has language in its documentation warning people that the passwords are transmitted over the Internet. This has to be done to compare the passwords on the NT server with the database of easily broken passwords. A free demo is also available on CD-ROM from Quakenbush that includes the database on CD, so no Internet transmission has to be done.
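The local-comparison design the article credits the CD-ROM demo with (hash the common-password list on the auditing host and look each account's NT hash up in it, so no hash and no plaintext ever crosses the Internet) is shown below as an added example written for this page, not code from Password Appraiser or L0phtCrack. The account hashes and word list are constructed, and the MD4 routine is a minimal RFC 1320 implementation included so the block runs without OpenSSL's legacy provider.

```python
import struct

# Minimal MD4 (RFC 1320), included so the example needs no OpenSSL legacy provider.
def md4(data: bytes) -> bytes:
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    rounds = (  # (mixing function, additive constant, message-word order, shift cycle)
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working registers (ABCD -> DABC ...)
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, as lowercase hex."""
    return md4(password.encode("utf-16le")).hex()

def audit_locally(account_hashes: dict, common_passwords: list) -> dict:
    """Hash the weak-password list on this host and look each account's hash up in it.
    Nothing is sent anywhere; the result stays with the administrator running the audit."""
    weak = {nt_hash(p): p for p in common_passwords}
    return {user: weak[h.lower()] for user, h in account_hashes.items() if h.lower() in weak}

# Constructed sample: hashes an administrator pulled from their own domain (not real accounts).
ACCOUNT_HASHES = {
    "alice": "8846f7eaee8fb117ad06bdd830b7586c",  # well-known NT hash of "password"
    "bob": nt_hash("Tr0ub4dor&3-Xy"),             # not on the list, must not be flagged
    "carol": nt_hash("letmein"),
}
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]  # constructed word list

if __name__ == "__main__":
    for user, word in audit_locally(ACCOUNT_HASHES, COMMON_PASSWORDS).items():
        print(f"{user}: password is on the common-password list ({word!r})")
```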
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:22 PDT