COLUMN

 
Window Manager
Brian Livingston

Passport is cracked

MICROSOFT'S Passport authentication program, which is used by tens of millions of people to log on to Hotmail accounts every day, is trivially easy for a Trojan horse to compromise on Windows 9x and Me systems, according to developers. A breach can expose a user's financial information, including credit card numbers that were typed in by a user and stored on Passport's central Web server.

Describing how easily a worm can get access, Bob Puckett, CEO of Bugtoaster.com, in Hillsboro, Ore., says, "If the user uses MSN, it will get their Passport ID, password, and the phone number to dial their ISP." Because a person's e-mail address and password are used to sign on to the Passport server -- where account numbers are held -- an unscrupulous person at an ISP could easily steal credit card numbers, experts say.

The average PC user has a bad habit of choosing the same user name and password to log on to several different Web sites. Passport, which will be bundled into the forthcoming Windows XP, makes this problem far more serious by enforcing a single user name and password for all participating Web sites. The service will be all but mandatory on XP, which tells users, "You need a Passport to use Windows XP Internet communications features ... and to access Net-enabled features."

The specific flaw is that Windows 9x and Windows Me allow any application to "see" the user name, password, and phone number used to access a dial-up ISP, according to Dave Thomas, Bugtoaster's CTO. "For 10 minutes after you place a call," he says, "that info is visible in memory." Windows NT, 2000, and XP guard against this, but that leaves a few hundred million 9x-based systems at risk.

With e-mail viruses and worms silently planting Trojan horse programs on millions of PCs, all the data a rogue programmer needs is out in the open. Most Windows users select the same password for Passport as they do for any other service.

This newly discovered hole is distinct from the other problems with Passport, such as those identified in a white paper by researchers at AT&T Labs (see www.avirubin.com/passport.html). To name only one, redirection of browsers to Microsoft's Passport server is not protected by SSL (Secure Sockets Layer). This makes it easy for an ISP employee to intercept account numbers. AT&T scientist Avi Rubin told the San Jose Mercury News on Aug. 14 that Passport's problems "are fundamental things that can't really be fixed."

Microsoft did not reply to requests for comment by press time. I'll continue this subject next week.

Puckett and Thomas identified the problem using a free utility called Bugtoaster, which helps isolate the causes of Windows crashes. You can download the program yourself from their Web site. Any comments sent to me by Sept. 18 will be considered for publication in my Oct. 1 column.


Brian Livingston's latest book is Windows Me Secrets (Hungry Minds). Send tips to tips@brianlivingston.com. Go to www.iwsubscribe.com/newsletters to get Window Manager and E-Business Secrets free each week via e-mail.




Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy

All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services.

Computerworld :: Network World :: CIO :: PC World :: Darwin :: CMO :: CSO
IT Careers :: JavaWorld :: Macworld :: Mac Central :: Playlist :: GamePro :: GameStar :: Gamerhelp
ITWorld Canada :: Computerwoche :: Techworld UK :: tecChannel :: IDG.se :: IDG.no