Security hole found in Netscape mail system

December 16, 1999
Web posted at: 1:06 p.m. EST (1806 GMT)

by Linda Rosencrance

(IDG) -- A Dulles, Va.-based security firm Wednesday warned of a serious flaw in the password encryption of Netscape Navigator's e-mail system.

That flaw could impact businesses deploying the software for e-mail, said Gary McGraw, chief technology officer at Reliable Software Technologies Corp.

McGraw said two RST engineers needed just eight hours to reverse-engineer the algorithm used to scramble a user's stored mail password, which means anyone who can read the stored value can recover the password.



"We were writing a simple tool to look for key material and other protected stuff on a hard drive," McGraw said. "We started testing it on [the] Netscape Windows Registry file," where Netscape stores information about users, their computers and passwords.

Netscape Communications Corp., in Mountain View, Calif., couldn't be reached for comment by posting deadline.

"In order for a Netscape mail password to be decoded, a small program must run on the computer where the password is saved," RST said in a statement. "The lack of any real security in Windows 95/98 makes exploiting this particular flaw in Netscape particularly easy."

Any program running on that machine can read the encrypted password, RST said.

McGraw said having access to a Netscape mail password could potentially lead to malicious use of an individual's mail and possibly allow further access to protected business-critical information systems if people are using the same password elsewhere.

"It's extremely important to protect a person's password with good cryptography," McGraw said. "Businesses are using these shrink-wrapped products in their everyday business, so they want to make sure the people making the programs are doing it right."

Since many people reuse their mail password for other applications at work and at home, an attacker who recovers an e-mail password could use it to log in to a more sensitive corporate machine. From there, the attacker could read confidential information, use the account to attack other accounts, or set up a monitoring foothold inside the corporate network.

"This could have a real impact on the manufacturers and the people deploying the software," McGraw said. "People use Netscape software for e-commerce, so they have to get the security right. Netscape stores people's passwords on a Windows Registry -- the problem is not storing the passwords there, but making sure they are protected with strong cryptographic algorithms, like DES, the Data Encryption Standard."

While using DES isn't a perfect solution, McGraw said, it is a "darn good one."

There has long been a debate in the security community about the use of proprietary encryption algorithms. Companies that develop them argue they are secure, but many cryptographers say an algorithm should be published so that the entire security community can test it for robustness, rather than relying on the algorithm itself staying secret.
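The attack path RST describes (a small program on the same machine reads the stored value and decodes it) and McGraw's point about strong cryptography can be made concrete. What follows is an added example, not code from the article, from RST or from Netscape. The XOR scrambler in it is a hypothetical stand-in: the article does not say what algorithm Netscape used, only that it was reproduced in eight hours. The key bytes, passwords and passphrases are constructed sample values, and only the Python standard library is used.

```python
"""Why a fixed-key 'scrambling' of a stored mail password protects nothing
against code running as the same user, and what actually changes that.

Added example; the XOR scheme is hypothetical and not Netscape's algorithm.
"""
import hashlib
import hmac
import secrets

# --- Weak scheme: reversible encoding whose only "secret" ships in the binary ---
EMBEDDED_KEY = bytes.fromhex("5aa53cc30ff06996")   # constructed value, assumed


def xor_keystream(data: bytes, keystream: bytes) -> bytes:
    """XOR data against a repeating keystream."""
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))


def weak_store(password: bytes) -> bytes:
    """Blob the mail client writes to the registry under the weak scheme."""
    return xor_keystream(password, EMBEDDED_KEY)


def recover_repeating_key(known_password: bytes, blob_for_it: bytes,
                          max_key_len: int = 32) -> bytes:
    """Known-plaintext key recovery: set a password you chose, read back the
    blob the client wrote for it, XOR the two and take the shortest repeating
    pattern.  The chosen password must be at least twice the key length."""
    stream = bytes(p ^ c for p, c in zip(known_password, blob_for_it))
    for n in range(1, max_key_len + 1):
        if len(stream) >= 2 * n and all(stream[i] == stream[i % n]
                                        for i in range(len(stream))):
            return stream[:n]
    raise ValueError("no short repeating key; not a fixed repeating-XOR scheme")


def attack_weak_scheme(victim_blob: bytes) -> bytes:
    """The 'small program' from RST's statement, as an independent tool.  It is
    given no key and never calls the client's decoder: it learns the key from
    one probe run, then applies it to the victim's blob read from the registry."""
    probe = b"probe-password-of-32-bytes-xxxxx"   # 32 bytes covers keys up to 16
    key = recover_repeating_key(probe, weak_store(probe))
    return xor_keystream(victim_blob, key)


# --- Stronger scheme: key derived from a secret that is NOT on the disk ---
def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the passphrase is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)


def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter keystream.  Demonstration only: a real client would
    use an AEAD such as AES-GCM from a vetted library."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, salt + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def strong_store(password: bytes, passphrase: bytes) -> bytes:
    """Blob = 16-byte random salt || password XOR keystream(key, salt)."""
    salt = secrets.token_bytes(16)
    key = derive_key(passphrase, salt)
    return salt + xor_keystream(password, _keystream(key, salt, len(password)))


def strong_load(blob: bytes, passphrase: bytes) -> bytes:
    """The client's own decoder; it has to ask the user for the passphrase."""
    salt, ct = blob[:16], blob[16:]
    key = derive_key(passphrase, salt)
    return xor_keystream(ct, _keystream(key, salt, len(ct)))


def attack_strong_scheme(victim_blob: bytes) -> bytes:
    """Same attacker, same file access.  A probe run under the attacker's own
    passphrase exposes a keystream, but it is bound to a different key and
    salt, so applying it to the victim's blob yields garbage, not the password."""
    probe = b"probe-password-of-32-bytes-xxxxx"
    probe_blob = strong_store(probe, b"attacker-passphrase")
    stream = bytes(p ^ c for p, c in zip(probe, probe_blob[16:]))
    return xor_keystream(victim_blob[16:], stream)


if __name__ == "__main__":
    victim = b"hunter2!"
    print(attack_weak_scheme(weak_store(victim)))   # b'hunter2!'
    print(attack_strong_scheme(strong_store(victim, b"correct horse")))
```

The probe technique is the general one: any reversible scheme whose key is fixed in the program gives that key up to someone who can set a chosen password and read the stored blob back, and the attacker's tool then needs no part of the client at all. Swapping the XOR for DES changes little on its own if the DES key is also fixed in the binary; the attacker simply calls or re-implements the decoder. What the stronger variant changes is that the key comes from a passphrase the program never stores, so the registry contents plus the program are no longer enough.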
