Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

From: Peter W (peterwat_private)
Date: Fri Jun 08 2001 - 13:06:02 PDT


    On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:
    
    > While crypt password authentication is not in and of itself very secure,
    > Network Solutions have made it even less so by including the first two
    > characters of the password as the salt of the encrypted form.  While the
    > password is transmitted via a secure session, the encrypted form is
    > returned almost immediately in a non-encrypted www session.  Also, this
    > password is typically emailed back and forth to the user no less than two
    > times (and often times more).  This allows several opportunities for
    > someone to observe the encrypted password, this in and of itself is not
    > good.
    
    Plus when you submit a change request template, your email contains the 
    plaintext password. :-(
    
    And that's the problem: not the crypt routine, but the cleartext data xfer.
    
    > Possible Workarounds:
    > 
    > Do not use the Crypt-PW authentication-scheme.  Instead use the MAIL_FROM
    > or PGP scheme instead.
    
    If someone attempts to make changes to a domain with a Network Solutions
    old-style[0] admin or billing handle, Network Solutions will email the
    responsible handle's address. With MAIL_FROM, the email address is available
    via a whois query. Easily obtained, easily spoofed, and if you get cracked,
    you have to get NetSol involved to clean up. *Do NOT use mail_from!!!*
    
    You're in just as much trouble if someone gets your encrypted NetSol 
    CRYPT-PW password. But, unlike the email address, the encrypted password is 
    not readily available. An attacker without the encrypted password can only 
    attempt to guess the password. And the attacker must send a change request 
    to test their guess. And you get emailed each time they try. The only 
    effective way to crack a CRYPT-PW handle is to sniff the email channel [so 
    the Echelon folks probably know all our NetSol CRYPT-PW passwords ;-)].
    
    Which gets us to footnote [0]: for many months, Network Solutions has been 
    using a fully Web-based system for domain/handle maintenance.
    
    So to the extent you're concerned about CRYPT-PW, I'd suggest two viable 
    alternatives: change the authentication method to PGP (very easy), or create 
    new NIC handles for the Web-based management system and transfer your 
    domains' contact handles to the Web-based handles. Those with many domains 
    will likely find the Web-based interface annoying, especially for batch 
    updates.
    
    But for goodness' sake, do *not* use MAIL_FROM !!!
    
    -Peter
    
    > If you must use CRYPT-PW then the following suggestions are recommended:
    
    Changing your password means sending the cleartext value to NetSol via 
    email. So changing your password involves risk. :-(
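The weakness the thread describes (a crypt(3)-style record whose two-character salt is simply the first two characters of the password) is easy to see in code. The following is an added example written for this archive page, not code from either poster or from Network Solutions: SHA-256 stands in for the DES-based crypt(3) routine, the record format `<salt><digest>` and the audit helper `salt_leaks_prefix` are my own constructions, and the sample password is made up. It places the flawed salt choice beside a random-salt record and gives the record's owner a check for whether their stored value leaks the password prefix to anyone who sees it in unencrypted mail or an unencrypted web reply.

```python
"""Model of a crypt(3)-style password record whose salt is the first two
characters of the password (the CRYPT-PW flaw discussed above), next to a
record that uses a random salt.  SHA-256 is a stand-in for DES crypt(3); the
point is where the salt comes from, since the salt is stored in the clear
either way.  Added example, not the original poster's code."""
import hashlib
import secrets
import string

SALT_CHARS = string.ascii_letters + string.digits + "./"  # crypt(3) salt alphabet
PRINTABLE = 95  # printable ASCII characters available per password position


def toy_crypt(password: str, salt: str) -> str:
    """Return '<2-char salt><hex digest>'.  As with crypt(3), the salt is the
    first two characters of the stored record and is visible to any observer."""
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must be two characters from the crypt alphabet")
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest


def flawed_record(password: str) -> str:
    """The weak choice described in the thread: salt = password[:2].
    Raises ValueError if those characters fall outside the salt alphabet."""
    return toy_crypt(password, password[:2])


def sound_record(password: str) -> str:
    """The sound choice: a salt drawn at random, independent of the password."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(2))
    return toy_crypt(password, salt)


def salt_leaks_prefix(record: str, password: str) -> bool:
    """Audit check for the record's owner: does the stored salt equal the
    password's first two characters?  True means anyone who sees the record
    (sniffed mail, unencrypted web reply) learns those two characters for free."""
    return record[:2] == password[:2]


def guess_space(length: int, leaked_prefix: int) -> int:
    """Candidates remaining for a password of `length` printable characters
    once `leaked_prefix` leading characters are known from the salt."""
    return PRINTABLE ** max(length - leaked_prefix, 0)


if __name__ == "__main__":
    pw = "Xq7#mP2v"  # constructed sample password, not a real credential
    weak = flawed_record(pw)
    good = sound_record(pw)
    print("weak record :", weak)   # starts with 'Xq', the password's first two chars
    print("sound record:", good)   # starts with an unrelated random salt
    print("prefix leaked (weak) :", salt_leaks_prefix(weak, pw))
    print("prefix leaked (sound):", salt_leaks_prefix(good, pw))
    print("candidates, 8-char password, 2 chars leaked:", guess_space(8, 2))
```

Running it prints two records that differ only in their first two characters, which is the whole problem: the weak record's salt is readable password material, so every hop on which the record travels in the clear hands those characters over. The `guess_space` figure shows the cost of that leak for a brute-force guesser: 95^6 candidates instead of 95^8 for an eight-character password.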
    



    This archive was generated by hypermail 2b30 : Sun Jun 10 2001 - 15:38:52 PDT