Re: [ISN] Hackers Shortcut Hotmail Password Reset Protections

From: InfoSec News (isnat_private)
Date: Wed Feb 13 2002 - 02:13:16 PST


    Forwarded from: Robert G. Ferrell <rferrellat_private>

    > Security researchers have discovered a vulnerability in Microsoft
    > Corp.'s Hotmail service that allows hackers to bypass security
    > questions that users must answer before resetting their passwords.

    Sorry, but if you're relying on Microsoft to provide security, you
    pretty much deserve what you get.  Hotmail, especially, has been the
    subject of a long string of embarrassing and extremely glaring
    security glitches.  But it's really only the tip of the iceberg.
    Jericho and I had a discussion about Microsoft's security posture over
    a few beers the other day, and I'm fully in agreement with his stance,
    which is basically that the new emphasis on secure programming is a
    smokescreen designed to reassure the gullible without really effecting
    any change in their corporate culture.  They'll crowd their coders
    into some classrooms for a month, milk the experience for all the
    publicity they can, and then go back to spitting out the same
    feature-soaked, security-poor software they always have.  But now they
    can slap little colored labels on it that say "security-enhanced" or
    some other misleading and completely bogus claims.

    Bill Gates is a billionaire.  The reason he's a billionaire is that
    people buy anything and everything that Microsoft cranks out, without
    questioning it, in the same consumer herd mentality that's produced so
    many tycoons in the past.  He's obviously seriously successful; why on
    earth would he want to change a formula that's worked so well up to
    now?  A few of us in the security community pissing and moaning about
    his crappy software won't make a scrap of difference unless John Q.
    Public stops buying it.  We can complain until we get blue in the face
    and pass out, for all he cares.

    Caveat emptor isn't just an aphorism these days, it's a matter of

    Robert G. Ferrell

    This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 05:54:19 PST