[ISN] Read your boss's CV online, thanks to Microsoft...

From: InfoSec News (isnat_private)
Date: Thu Nov 08 2001 - 04:13:30 PST

  • Next message: InfoSec News: "[ISN] Personal Firewalls Spring Security Leaks - Update"

    Forwarded from: Elyn Wollensky <elynat_private>
    
    http://www.silicon.com/a48973
    
    Wednesday 7th November 2001   
    
    Deepening Microsoft's increasingly bad reputation for IT security,
    silicon.com has discovered another loophole in a Microsoft website
    designed for qualified Microsoft systems professionals.
    
    The loophole allows anyone who has access to a Microsoft Certified
    Professional's MCP number, acquired on passing the exam, to enter that
    person's MCP site, which includes personal details such as
    qualifications.
    
    The flaw was highlighted to silicon.com by a reader who used the hole
    to discover his boss wasn't as qualified as he claimed to be. The
    reader, who wished to remain anonymous, logged onto the site and
    discovered his boss had not passed all the exams he claimed he had.
    The silicon.com reader said he had received no response from Microsoft
    when he told them of the hole.
    
    Microsoft has so far declined to provide a representative to answer
    questions about the issue.
    
    The loophole is in the registration for the secure site. To create a
    new user ID, all MCP's have to do is type in their MCP number and
    their surname in capitals. On the strength of this validation an MCP
    then just invents a personal user name and password which is used to
    access the site from then on.
    
    However the problem is that a user is not limited to just one user ID
    for his or her MCP number. This means that at any point in the future
    someone using his or her number could create a new ID, with access to
    all of the person's private details.
    
    This is a problem because MCPs are not encouraged to keep their MCP
    number private, like say a bank PIN card. Indeed every MCP has a card
    printed with the number on, used to prove their qualified status, and
    many put the number on their business card.
    
    The MCP site is used by Microsoft Certified Professionals to get
    details of how to apply for further exams, and includes cut-price
    offers on training.
    
    Dr Neil Barrett, technical director with security consultant IRM said
    the problem was definitely a security breach: "This is undoubtedly
    information on display here that counts as personal data under the
    Data Protection Act, and should be looked after accordingly.
    
    "This is just another example of the attitude that Microsoft seemingly
    has toward security - exemplified by the hole in Passport discovered
    over the weekend - which is either impossibly nave or simply
    negligent."
    
    Microsoft has garnered increasing criticism over its software security
    in recent months. User dissatisfaction was exemplified last week when
    online Bank Egg revealed it was using Microsoft software to
    authenticate its customers, prompting a wave of protests from
    silicon.com readers.
    
    User fears over Passport were realised over the weekend when Microsoft
    admitted the platform had been hacked and security compromised.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 09:43:46 PST