Reliable Software Finds Flaw in Netscape Navigator
Move over Hotmail, Netscape Navigator's email has a security flaw, too. Reliable Software Technologies (RST), a Dulles, Va.-based software assurance consulting vendor, has found what it calls a serious security flaw in the password encryption of Netscape Navigator's email system. According to Jeffery Payne, RST's president and CEO, the company's software security group needed only eight hours to duplicate the algorithm used to scramble an individual's mail password.
"Having access to a Netscape mail password could potentially lead to malicious use of an individual's mail and allow further access to protected business-critical information systems where the same password is used," Payne said.
Most people's mail password is also their login password for other applications, both at work and at home, he said. A malicious attacker could use the victim's password, gleaned from an insecure home machine, to log in to a more secure corporate machine and take control of the machine. The attacker then could read sensitive information, use the account to attack more privileged accounts, and set up a remote monitoring system inside a corporate network.
Payne said he notified Netscape of the flaw and suggested a simple fix.
Chris Sato, senior director for product management at Netscape, said the company's decision to allow a user to save a password locally was for the user's convenience. Sato added that Netscape used a relatively weak encryption algorithm so that "computer experts could still access the information in case someone forgot their password."
Payne noted that the "lack of any real security in Windows95/98 makes exploiting this particular flaw in Netscape particularly easy." In fact, any program running on the computer has access to the encrypted password, he said.
The algorithm used in Netscape was broken by two people, RST's Tim Hollebeek and John Viega, working for eight hours, without any automation and with very minimal computer assistance.
Hollebeek and Viega said carefully chosen passwords were entered, and the results were examined in a standard scientific black-box approach. The analysts started by figuring out one-character passwords, then used that information to figure out how two-character passwords were encrypted, and so on. After three letters, a really obvious pattern emerges, they said.
"This is another illustration of how bad closed, proprietary, cryptography is," Bruce Schneier, CTO of Counterpane Internet Security, said. "What makes this vulnerability particularly nasty is that people tend to use the same passwords over and over again."