Forwarded from: Elyn Wollensky <elynat_private>

http://www.silicon.com/a48973
Wednesday 7th November 2001

Deepening Microsoft's increasingly bad reputation for IT security, silicon.com has discovered another loophole in a Microsoft website designed for qualified Microsoft systems professionals.

The loophole allows anyone who has access to a Microsoft Certified Professional's MCP number, acquired on passing the exam, to enter that person's MCP site, which includes personal details such as qualifications.

The flaw was highlighted to silicon.com by a reader who used the hole to discover his boss wasn't as qualified as he claimed to be. The reader, who wished to remain anonymous, logged onto the site and discovered his boss had not passed all the exams he claimed he had.

The silicon.com reader said he had received no response from Microsoft when he told them of the hole. Microsoft has so far declined to provide a representative to answer questions about the issue.

The loophole is in the registration for the secure site. To create a new user ID, all MCPs have to do is type in their MCP number and their surname in capitals. On the strength of this validation an MCP then simply invents a personal user name and password, which is used to access the site from then on.

However, the problem is that a user is not limited to just one user ID for his or her MCP number. This means that at any point in the future someone using his or her number could create a new ID, with access to all of the person's private details.

This is a problem because MCPs are not encouraged to keep their MCP number private in the way that, say, a bank PIN is. Indeed, every MCP has a card printed with the number on it, used to prove their qualified status, and many put the number on their business card.

The MCP site is used by Microsoft Certified Professionals to get details of how to apply for further exams, and includes cut-price offers on training.
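The registration weakness the article describes, modelled as an added example (constructed illustration, not Microsoft's code; the site's real implementation is not on the page): the vulnerable flow accepts any (MCP number, surname in capitals) pair and binds as many user IDs to one number as anyone asks for, while the hardened flow assumes two fixes, one user ID per number and a per-person enrollment secret that is never printed on the card. The directory, secrets and numbers are all constructed.

```python
"""Vulnerable vs. hardened model of the MCP-site registration flow (constructed)."""
from dataclasses import dataclass, field
import hmac

# Constructed directory of certified professionals: MCP number -> surname.
DIRECTORY = {"1234567": "SMITH", "7654321": "JONES"}
# Assumed fix: a per-person enrollment secret that does not appear on the card.
ENROLLMENT_SECRET = {"1234567": "k9v2-constructed", "7654321": "q4m8-constructed"}


def surname_matches(mcp_number: str, surname: str) -> bool:
    """The article's only validation: number known and surname supplied in capitals."""
    return surname.isupper() and DIRECTORY.get(mcp_number) == surname


@dataclass
class VulnerableRegistry:
    """As described: any number of user IDs may be bound to one MCP number."""
    accounts: dict = field(default_factory=dict)  # username -> mcp_number

    def register(self, mcp_number, surname, username, password) -> bool:
        if not surname_matches(mcp_number, surname):
            return False
        self.accounts[username] = mcp_number  # no check for an existing ID on this number
        return True

    def ids_for(self, mcp_number) -> list:
        """All user IDs bound to one MCP number; more than one is the article's problem."""
        return [u for u, n in self.accounts.items() if n == mcp_number]


@dataclass
class HardenedRegistry(VulnerableRegistry):
    """Assumed fix: one ID per number, plus a secret the card does not carry."""
    audit: list = field(default_factory=list)  # refused attempts, worth alerting on

    def register(self, mcp_number, surname, username, password, enrollment_secret="") -> bool:
        expected = ENROLLMENT_SECRET.get(mcp_number)
        if (not surname_matches(mcp_number, surname) or expected is None
                or not hmac.compare_digest(expected, enrollment_secret)):
            self.audit.append(("bad-credentials", mcp_number))
            return False
        if self.ids_for(mcp_number):  # a second ID for the same number is refused
            self.audit.append(("duplicate-registration", mcp_number))
            return False
        return super().register(mcp_number, surname, username, password)
```

A refused duplicate registration in the hardened flow is exactly the event the article's anonymous reader triggered, so the audit list is what a detection rule would watch.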
Dr Neil Barrett, technical director with security consultant IRM, said the problem was definitely a security breach: "This is undoubtedly information on display here that counts as personal data under the Data Protection Act, and should be looked after accordingly.

"This is just another example of the attitude that Microsoft seemingly has toward security - exemplified by the hole in Passport discovered over the weekend - which is either impossibly naïve or simply negligent."

Microsoft has garnered increasing criticism over its software security in recent months. User dissatisfaction was exemplified last week when online bank Egg revealed it was using Microsoft software to authenticate its customers, prompting a wave of protests from silicon.com readers.

User fears over Passport were realised over the weekend when Microsoft admitted the platform had been hacked and security compromised.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 09:43:46 PST