Security hole found in Netscape mail system
December 16, 1999
by Linda Rosencrance
(IDG) -- A Dulles, Va.-based security firm Wednesday warned of a serious flaw in the password encryption of Netscape Navigator's e-mail system.
That flaw could impact businesses deploying the software for e-mail, said Gary McGraw, chief technology officer at Reliable Software Technologies Corp.
McGraw said two RST engineers needed just eight hours to duplicate the algorithm used to scramble an individual's mail password, potentially exposing the password to any attacker.
"We were writing a simple tool to look for key material and other protected stuff on a hard drive," McGraw said. "We started testing it on [the] Netscape Windows Registry file," where Netscape stores information about users, their computers and passwords.
Netscape Communications Corp., in Mountain View, Calif., couldn't be reached for comment by posting deadline.
Any program can access the encrypted password, RST said.
McGraw said having access to a Netscape mail password could potentially lead to malicious use of an individual's mail and possibly allow further access to protected business-critical information systems if people are using the same password elsewhere.
"It's extremely important to protect a person's password with good cryptography," McGraw said. "Businesses are using these shrink-wrapped products in their everyday business, so they want to make sure the people making the programs are doing it right."
Since many people use their mail password for other applications at work and at home, a hacker could potentially use an e-mail password to log in to a more secure corporate machine. The attacker could then access sensitive information or use the account to attack other accounts or set up a monitoring system inside a corporate network.
"This could have a real impact on the manufacturers and the people deploying the software," McGraw said. "People use Netscape software for e-commerce, so they have to get the security right. Netscape stores people's passwords on a Windows Registry -- the problem is not storing the passwords there, but making sure they are protected with strong cryptographic algorithms, like DES, the Data Encryption Standard."
While using DES isn't a perfect solution, McGraw said, it is a "darn good one."
There's long been a debate in the security community about the use of proprietary encryption algorithms. Companies that develop them argue they are secure, but some experts say it's important to allow the entire security community to test an algorithm for robustness.
Industry, feds open security dialogue
RELATED IDG.net STORIES:
Flawed copyright protection puts new spin on DVD
Computer Security Advisories
|Back to the top||
© 2001 Cable News Network. All Rights Reserved.|
Terms under which this service is provided to you.
Read our privacy guidelines.