[ISN] Hole Found in NT Password Tester

From: mea culpa (jerichoat_private)
Date: Wed Jan 27 1999 - 00:34:34 PST

    Forwarded From: anonat_private
    January 25, 1999
    Hole Found In NT Password Tester
    Filed at 6:50 p.m. EST
    By Andy Patrizio for TechWeb, CMPnet
    The security wizards at L0pht Heavy Industries have uncovered a Windows NT
    security threat in one of the last places you'd expect to find one -- in a
    password-integrity tester.

    L0pht set out to test Password Appraiser from Quakenbush Consulting.
    Quakenbush was positioning the product as competitive with L0pht's own
    Windows NT security tester, L0phtCrack. Both test the passwords on an NT
    network to make sure users haven't chosen obvious words that are easily

    What it found was that the free demo of Password Appraiser downloaded from
    the Quakenbush home page was, in addition to its audit, sending
    user-password hashes over the Internet to Quakenbush's own site. A hash is
    the one-way scrambled form of the password as stored on the NT server; it
    is not meant to be reversible, but because NT hashes are unsalted, the hash
    of a common word can be matched directly against a precomputed list.
    There, the hashes were compared to a database of commonly used passwords.
    If a hash matched a password in the database, that password was sent back
    in plain text, completely unencrypted.

    Such a glaring error surprised "Dr. Mudge," a L0pht staff member who ran
    the tests. "They are not demonstrating that they know what they're doing,"
    he said. "This is a really basic mistake." He compared it to a locksmith
    putting a padlock on the outside of a house instead of a better lock on
    the inside of the house.

    Gerald Quakenbush, president of Quakenbush Consulting, defends the
    product, which was released in December. "We never intended for anyone to
    use this on a production network," he said. "For the demo, our intention
    was for someone to run a test on a local system."

    The L0pht advisory was posted Thursday, and the next day Quakenbush added
    Secure Sockets Layer (SSL) encryption for its Internet transmissions. The
    plain-text transmission of data was a bug, which has been fixed, said
    Quakenbush. Both fixes were made available as patches for customers who
    already had the product, in addition to revising the downloadable demo.
    Quakenbush Consulting now checks all Internet queries, so if someone
    attempts to run the older version with the bug, the test fails and no data
    is exchanged except for an alert to get the patch from the Quakenbush home
    page.

    The downloadable demo has language in its documentation warning people
    that the passwords are transmitted over the Internet. This has to be done
    to compare the passwords on the NT server with the database of easily
    broken passwords.

    A free demo is also available on CD-ROM from Quakenbush that includes the
    database on CD, so no Internet transmission has to be done.

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:22 PDT