



     From ZDnet
     
     --------------------------------------------
     
     Firm finds big security holes in Windows NT
     By Robert Lemos, ZDNN
     June 1, 1998 5:27 PM PDT
     
     
     Flaws in Microsoft Corp.'s Windows NT software threaten the security 
     of companies using the Internet to tie together their far-flung 
     corporate locations, a computer security consulting firm declared on 
     Monday.
     
     "We were able to sniff passwords, eavesdrop on the networks, and 
     passively do traffic analysis," said Bruce Schneier, president of 
     Counterpane Systems Inc., of Minneapolis, Minn. "Any Microsoft NT 
     server on the Internet is insecure." 
     Microsoft's report card on security has a few F's. Last year, the 
     company was criticized for the security threat posed by ActiveX. 
     Monday, crypto rivals Network Associates and RSA Data Security settled 
     their suit. 
     Counterpane discovered the problems while doing a security analysis on 
     Windows NT, an operating system used by a swiftly growing number of 
     corporations as the foundation for their computer networks. Microsoft 
     (MSFT) confirmed the security problems later the same day.
     
     VPNs increasingly popular
     The flaws weaken the security of so-called "virtual private networks," 
     or VPNs, based on NT and point-to-point tunneling protocol, or PPTP. 
     These VPNs connect company networks from various locations and are 
     quickly becoming popular in the corporate world as a low-cost solution 
     to buying a dedicated phone line to connect computers between company 
     sites.
     
     "A lot of people are creating their virtual private networks using 
     NT," said Schneier. "That makes the flaw that much more serious."
     
     'A lot of people are creating virtual private networks using NT. That 
     makes the flaw that much more serious.' 
     -- Bruce Schneier, Counterpane Systems Inc. 
     
     The PPTP is Microsoft's homegrown way of securely sending and 
     receiving data over the public Internet. It's also used to identify 
     whether the person logging in is a valid user.
     
     But the software giant would have been better off using one of the 
     public -- and stress-tested -- standards, said Schneier.
     
     "Developing security implementations in-house is very difficult to do 
     right," said Schneier. "That's why it's important to adopt a publicly 
     tested and recognized standard."
     
     Microsoft promises fix ASAP
     Windows NT systems can use either a 40-bit or 128-bit encryption key to 
     protect a company's data. Those keys, in and of themselves, are 
     extremely secure. The problem is that NT secures those keys with a 
     flawed password system. "Anyone with a list of the top 10 million 
     passwords can break over 99 percent of the systems out there," he 
     said.
     
     Microsoft promises to fix the flaws as soon as possible.
     
     "(Part of the problem) is already fixed," said Karan Khanna, product 
     manager for Windows NT security at Microsoft. "We will be releasing 
     patches to fix the rest as soon as we can."
     
     Khanna attempted to put the flaws in perspective. "The amount of 
     security an organization enforces depends on its needs," he said. "The 
     CIA spends billions of dollars on security -- our customers don't need 
     the level."
     
     Is fix worse than flaw?
     That you-get-what-you-pay-for philosophy could quickly backfire on the 
     software giant, however. Despite the stress on getting fixes out as 
     soon as possible, many times such patches just make more problems for 
     system administrators, said Schneier.
     
     "Last time they released a fix, it broke so many other parts of 
     Windows NT, Microsoft had to pull it off the Web site three weeks 
     later," he said.


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
