[ISN] Passport Problems Show Software-Based Security's Fatal Flaw

From: InfoSec News (isnat_private)
Date: Thu Nov 08 2001 - 04:12:34 PST


    Microsoft keeps offering fixes for its troubled Passport
    authentication service, but the intrinsic flaws of such software-only
    digital wallets still make them unsuitable for sensitive information.

    Microsoft has acknowledged that it shut down part of its Passport
    Internet authentication system for 48 hours beginning 2 November 2001.
    Microsoft apparently intended to resolve a security problem related to
    cross-site scripting that could enable hackers to access users' credit
    card information.

    First Take
    Passport offers another example of Microsoft releasing software with
    major security vulnerabilities that it later attempts to solve with
    patches, "hot fixes" and new releases. This approach may reduce the
    risk of the original vulnerability but often opens up new security
    weaknesses. The latest Passport "fix" reduces the user's window of
    vulnerability from 15 minutes after log-in to 30 seconds, but neither
    delivers adequate security nor addresses the root cause of the
    problem. If Microsoft's planned Passport migration from browser-based
    mechanisms to Kerberos operating system-based authentication takes
    place, it will eliminate the basis for this weakness by 2003. However,
    this approach will not help today's Passport users (according to
    Gartner research, 25 million U.S. consumers have signed up with
    Passport though only 7 million know it).
    The latest vulnerability also shows that software-only solutions
    cannot deliver high levels of security for sensitive or otherwise
    valuable information. Software-only protection may suffice for
    low-value site registration information (e.g., name, zip code and
    preferences), but high-value information requires the use of a smart
    card, hardware token or biometric input. Smart cards provide a major
    additional benefit besides strong authentication: storage capacity to
    keep sensitive information offline.
    Gartner's research shows that consumers are already wary of
    Passport-type systems; in a recent study, only 2 million U.S. Passport
    users reported storing credit card information using the service (see
    Research Note M-14-5779 "Microsoft Passport: Build It and They Will
    Haltingly Come"). Enterprises should not encourage their customers or
    their employees to use software-only systems for storage of sensitive
    information before 2005, when vulnerabilities of Passport and
    competing systems will be thoroughly exposed and resolved and when
    smart cards for home PCs will be readily available. All applications
    developed during this period should support migration to smart cards
    as soon as feasible, likely after 2005 for consumer applications.
    Analytical Sources: John Pescatore, Information Security Strategies,
    and Avivah Litan, Financial Services Payment Systems
    Written by Terry Allan Hicks, gartner.com
    Need to know: Reference Material and Recommended Reading

    "Microsoft Passport: Many Registrations, but Few Users" (M-14-4839)
    Although Microsoft will succeed in building a ubiquitous Passport
    registry, the company's ability to earn much revenue from Web services,
    also known as .NET My Services, is far from certain. By Avivah Litan

    "Liberty Alliance Seeks to Advance Open Identity Systems" (FT-14-5959)
    For a discussion of another approach to authentication. By David Smith
    and Daryl Plummer

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
