Reliable Software Finds Flaw in Netscape Navigator

By Bill Pietrucha
Posted Dec 21, 1999


Move over Hotmail, Netscape Navigator's email has a security flaw, too. Reliable Software Technologies (RST) has found what it calls a serious security flaw in the password encryption of Netscape Navigator's email system.

According to Jeffery Payne, president and CEO of RST, a Dulles, Va.-based software assurance consulting vendor, the company's software security group needed only eight hours to duplicate the algorithm used to scramble an individual's mail password.

"Having access to a Netscape mail password could potentially lead to malicious use of an individual's mail and allow further access to protected business-critical information systems where the same password is used," Payne said.

In some versions of Netscape, Payne noted, the scrambled password can be retrieved remotely using JavaScript.

Most people's mail password is also their login password for other applications, both at work and at home, he said. A malicious attacker could use the victim's password, gleaned from an insecure home machine, to log in to a more secure corporate machine and take control of the machine. The attacker then could read sensitive information, use the account to attack more privileged accounts, and set up a remote monitoring system inside a corporate network.

Payne said he notified Netscape of the flaw and suggested a simple fix.

Chris Sato, senior director for product management at Netscape, said the company's decision to allow a user to save a password locally was for the user's convenience. Sato added that Netscape used a relatively weak encryption algorithm so that "computer experts could still access the information in case someone forgot their password."

Payne noted that the "lack of any real security in Windows95/98 makes exploiting this particular flaw in Netscape particularly easy." In fact, any program running on the computer has access to the encrypted password, he said.

The algorithm used in Netscape was broken by two people, RST's Tim Hollebeek and John Viega, working for eight hours, without any automation and with very minimal computer assistance.

Hollebeek and Viega said carefully chosen passwords were entered, and the results were examined in a standard scientific black-box approach. The analysts started by figuring out one-character passwords, then used that information to figure out how two-character passwords were encrypted, and so on. After three letters, a really obvious pattern emerges, they said.

"This is another illustration of how bad closed, proprietary, cryptography is," Bruce Schneier, CTO of Counterpane Internet Security, said. "What makes this vulnerability particularly nasty is that people tend to use the same passwords over and over again."
