[prev in list] [next in list] [prev in thread] [next in thread] 

List:       isn
Subject:    [ISN] Hole Found in NT Password Tester
From:       mea culpa <jericho () dimensional ! com>
Date:       1999-01-27 8:34:34
[Download RAW message or body]


Forwarded From: anon@iname.com

http://www.nytimes.com/techweb/TW_Hole_Found_In_NT_Password_Tester.html

January 25, 1999
Hole Found In NT Password Tester
Filed at 6:50 p.m. EST
By Andy Patrizio for TechWeb, CMPnet
 
The security wizards at L0pht Heavy Industries have uncovered a Windows NT
security threat in one of the last places you'd expect to find one -- in a
password-integrity tester. 

L0pht set out to test Password Appraiser from Quakenbush Consulting.
Quakenbush was positioning the product as competitive with L0pht's own
Windows NT security tester, L0phtCrack. Both test the passwords on an NT
network to make sure users haven't chosen obvious words that are easily
guessed. 

What it found was that the free demo of Password Appraiser downloaded from
the Quakenbush home page was, in addition to its audit, sending
user-password hashes over the Internet to Quakenbush's own site. A hash is
the password in its encrypted form as stored on the NT server.

There, the passwords were compared to a database of commonly used
passwords. If it matched a password in the database, it was sent back in
plain text, completely unencrypted. 

Such a glaring error surprised "Dr. Mudge," a L0pht staff member who ran
the tests. "They are not demonstrating that they know what they're doing,"
he said. "This is a really basic mistake." He compared it to a locksmith
putting a padlock on the outside of a house instead of a better lock on
the inside of the house. 

Gerald Quakenbush, president of Quakenbush Consulting, defends the
product, which was released in December. "We never intended for anyone to
use this on a production network," he said. "For the demo, our intention
was for someone to run a test on a local system." 

The L0pht advisory was posted Thursday, and the next day Quakenbush added
Secure Socket layer encryption for its Internet transmissions. The
plain-text transmission of data was a bug, which has been fixed, said
Quakenbush. Both fixes were made available as patches for customers who
already had the product in addition to revising the downloadable demo. 

Quakenbush Consulting does a check on all Internet queries now, so if
someone attempts to run the older version with the bug, the test fails and
no data is exchanged except for an alert to get the patch from the
Quakenbush home page.

The downloadable demo has language in its documentation warning people
that the passwords are transmitted over the Internet. This has to be done
to compare the passwords on the NT server with the database of easily
broken passwords.

A free demo is also available on CD-ROM from Quakenbush that includes the
database on CD, so no Internet transmission has to be done. 

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

[prev in list] [next in list] [prev in thread] [next in thread]