By Wayne Rash

The way Dave Thomas describes it, he and his staff were trying to track down a series of unusual bugs in Windows when they stumbled across something that really worried them. There, on their screens along with the code they were debugging, was the name and password they’d just used for Microsoft’s Passport service. Worse, it was in plain text and readily accessible. As he looked more deeply, Thomas realized that creating a worm that could recover that information would be, in his words, “trivial.”

Thomas, CTO of Bugtoaster, an Oregon-based software quality assurance company, says he wasn’t really trying to get into the security business, but this was something too obvious to let pass. It was also too important.

Microsoft’s Passport service is a core piece of its .NET strategy. Anyone who uses MSN or MSN Messenger has a Passport. As the Microsoft Internet strategy moves forward, Passport will serve as a single sign-on for interactions with any company that requires Passport-based authentication, and Microsoft is working hard to sign up as many companies as possible. If Microsoft’s plans reach fruition, users will need to authenticate only once with the Passport Data Center (run by Microsoft); after that they can travel around the Internet, moving from one Passport-enabled service to another without having to log in again. This is a great convenience for users.

CNET and TechRepublic

This article first appeared on CNET’s Enterprise Business site. TechRepublic is part of the CNET family of Web sites dedicated to educating and empowering people and businesses in the IT field.

The problem is that it’s also a great convenience for hackers and thieves. All they need is your e-mail address and password to go anywhere you go because Passport requires that you use your e-mail address as your user ID and that you use a single password for all Passport-enabled sites. Worse, because Microsoft is also tying its Wallet service to the Passport, they can also spend your money and get your credit card information.

The only upside (if you can call it that) to Bugtoaster’s findings is that this particular security hole only applies to Windows 9x and Windows Me. Unfortunately, versions of Windows working off the NT code base are vulnerable but for different reasons.

Windows 9x/Me API reveals clear text
Bugtoaster’s discovery concerns the Windows dial-up networking (DUN) client. An API that DUN shares with other applications retrieves the Passport credentials from an encrypted file on disk, but when a Windows 9x/Me user logs in to the Passport Data Center, the API hands the sign-on information from one process to another in clear text, in memory. Because the API itself specifies where that data is placed, a worm would know exactly where to look for it; the encryption on disk buys nothing once a decrypted copy sits at a known location in memory.

The same API has long passed login information for other services, such as your ISP account, but attackers had no incentive to steal it because there was little to be gained. With Passport and the carte blanche it is designed to give its users, the stakes are completely different. Windows NT and 2000 don’t have the clear-text problem but are still vulnerable.

Windows NT and 2000 not totally safe either
One of the benefits of using a version of Windows based on the NT code base (NT, 2000, or XP) is that the API encrypts the login information before passing it. But that doesn’t mean you’re in the clear just because you’re using NT or 2000. According to Steve Gibson of the highly respected security firm Gibson Research, getting the same Passport sign-on information from those operating systems requires a different approach, but he also calls the process trivial. According to Gibson, it’s a simple matter to capture sign-on information from any version of Windows using a worm that records keystrokes. A keystroke logger sees the password as it is typed, before any API has a chance to encrypt it, so the NT code base’s protection of the hand-off does not help. Like the data that hackers could have snooped from the API, the only reason it hasn’t been done in the past, he says, is that it wasn’t worth the trouble.

Now, however, with Passport, the target is much more attractive. While it might have been pointless to get someone’s ISP password, Passport opens up broad access to any site that uses it.

In a response to our questions, a Microsoft spokesperson, who requested anonymity, admitted that password information is passed in clear text within Windows 95 and Me when a user logs on to Passport or any other system. While Microsoft also recognizes that a worm, Trojan horse, or other hostile code could invade Windows and capture a user’s sign-on information, the spokesperson lays the blame on hostile code and not on any weaknesses in Windows 95, Me, or Passport. “By design, a program running on a user’s computer can in general take any action the user can,” he writes in an e-mailed response. “The real issue here is hostile code, not Passport.”

According to him, the company doesn’t plan to make any patches to the vulnerable versions of Windows to help stop such theft of Windows sign-on information. “Microsoft will not be providing a patch for this because there is nothing to patch,” he writes. “Once a user’s machine has been hacked, no patch will keep the hacker from gathering the information he or she wants.” Future versions of Windows will have security enhancements that prevent such access by hostile code, he said.

Unfortunately, there’s not much that individual users can do about the underlying problem without support from Microsoft. Enterprise users, however, have some options. First of all, discourage the use of Microsoft’s Passport services until you’re satisfied that your security is protected. The most important way to protect your company is to check your firewalls and make sure they screen outbound (egress) traffic, not just inbound, so that unauthorized attempts to send information from any of your Windows computers are blocked. A personal firewall such as ZoneAlarm from Zone Labs goes a step further by blocking individual programs’ unauthorized attempts to reach the Internet. That way, at least, a worm that captures your sign-on information has no easy way to send it out. Bear in mind Microsoft’s own point, though: code running as the user can do anything the user can, including disabling a personal firewall, so egress screening is a mitigation, not a fix.
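As an added illustration of the egress screening recommended above (this is not code from the article, from Zone Labs or from Microsoft), the following script evaluates a hypothetical egress policy over constructed firewall log lines: workstations on an assumed 10.20.0.0/16 subnet may reach only the web proxy and the internal DNS resolvers, and any other outbound attempt, such as a worm mailing a captured password straight to an Internet SMTP server, is flagged. The subnets, addresses, ports and log format are all assumptions made for the example.

```python
"""Egress policy check over constructed firewall log lines.

Added example, not from the original article. The address plan, the
allow-list and the log format below are assumptions for illustration.
"""
import ipaddress

# Assumed address plan: workstations live in 10.20.0.0/16 and may only reach
# the web proxy and the internal DNS resolvers. Anything else a workstation
# tries to send out (e.g. direct SMTP or IRC to the Internet) is a possible
# exfiltration channel for stolen sign-on information and gets flagged.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_EGRESS = {
    (ipaddress.ip_address("10.1.0.10"), 8080, "tcp"),  # web proxy
    (ipaddress.ip_address("10.1.0.53"), 53, "udp"),    # DNS resolver 1
    (ipaddress.ip_address("10.1.0.54"), 53, "udp"),    # DNS resolver 2
}

# Constructed sample log lines (key=value fields, one connection attempt each).
SAMPLE_LOG = [
    "2001-10-01T09:12:03 src=10.20.4.17 dst=10.1.0.10 dport=8080 proto=tcp",
    "2001-10-01T09:12:04 src=10.20.4.17 dst=10.1.0.53 dport=53 proto=udp",
    "2001-10-01T09:13:40 src=10.20.4.17 dst=203.0.113.25 dport=25 proto=tcp",
    "2001-10-01T09:13:41 src=10.20.4.17 dst=198.51.100.9 dport=6667 proto=tcp",
    "2001-10-01T09:14:02 src=10.1.0.10 dst=198.51.100.80 dport=80 proto=tcp",
]


def parse_line(line):
    """Return (timestamp, src, dst, dport, proto) for one constructed log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return (ts, ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
            int(kv["dport"]), kv["proto"])


def violates_policy(src, dst, dport, proto):
    """True when a workstation talks to anything not on the egress allow-list."""
    if src not in WORKSTATION_NET:
        return False            # the policy only constrains workstations
    if dst in WORKSTATION_NET:
        return False            # workstation-to-workstation traffic is out of scope here
    return (dst, dport, proto) not in ALLOWED_EGRESS


def flag_unauthorized(lines):
    """Return the (src, dst, dport) triples the egress policy would block."""
    flagged = []
    for line in lines:
        _ts, src, dst, dport, proto = parse_line(line)
        if violates_policy(src, dst, dport, proto):
            flagged.append((str(src), str(dst), dport))
    return flagged


if __name__ == "__main__":
    for hit in flag_unauthorized(SAMPLE_LOG):
        print("BLOCK/ALERT:", hit)
```

Expressed as firewall rules, the same policy is: default-deny outbound from the workstation ranges, allow only the proxy and the resolvers, and alert on everything else. Note the last sample line: the proxy itself reaching the Internet is expected and is not flagged, which is why the check keys on the source address rather than on the destination alone.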

If you’re a merchant on the Internet, or you otherwise run a site that uses Passport, you have some additional concerns. First, you must address Passport’s questionable security when you design your site and require additional authentication, beyond the Passport sign-on, before anyone can reach personal or financial information. Second, you should be able to authenticate users who don’t have a Passport or who don’t wish to use it on your site. Finally, disclose up front which areas of your site users can reach with Passport, which accept other authentication methods, and which the site authenticates itself.
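One way to implement the first two recommendations, as an added example that is not the article’s, Microsoft’s or any Passport SDK code: a session established through an external single sign-on may browse freely, but sensitive areas demand the site’s own credential proved within a recent window (step-up authentication), and users who do not use the SSO can log in with that local credential directly. The route prefixes, the five-minute window, and the PBKDF2 parameters are assumptions.

```python
"""Step-up authentication behind an external single sign-on.

Added example, not from the article or from Passport. Route prefixes, the
re-authentication window and the password-hashing parameters are assumptions.
"""
import hashlib
import hmac
import os
import time

REAUTH_WINDOW = 300  # seconds a local re-authentication stays valid (assumed policy)

# Areas the external SSO alone must not open; they need the site's own credential.
SENSITIVE_PREFIXES = ("/account/", "/orders/", "/billing/")


class User:
    """A site account; the local password is optional for SSO-only users."""

    def __init__(self, email, local_password=None):
        self.email = email
        self.salt = os.urandom(16)
        self.local_hash = self._hash(local_password) if local_password else None

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def has_local_credential(self):
        return self.local_hash is not None

    def check_local_password(self, candidate):
        if self.local_hash is None:
            return False
        return hmac.compare_digest(self._hash(candidate), self.local_hash)


class Session:
    def __init__(self, user, via_sso, local_auth_at=None):
        self.user = user
        self.via_sso = via_sso              # True if the external SSO vouched for the user
        self.local_auth_at = local_auth_at  # last time the site's own credential was proved

    def step_up(self, candidate, now=None):
        """Prove the site credential inside an existing session; returns success."""
        if not self.user.check_local_password(candidate):
            return False
        self.local_auth_at = time.time() if now is None else now
        return True


def login_with_sso(user):
    """Session for a user the external single sign-on has authenticated."""
    return Session(user, via_sso=True)


def login_local(user, password, now=None):
    """Site-local login for users who do not, or will not, use the SSO."""
    if not user.check_local_password(password):
        return None
    return Session(user, via_sso=False,
                   local_auth_at=time.time() if now is None else now)


def authorize(session, path, now=None):
    """Return 'allow', 'step-up' (prove the local credential first) or 'deny'."""
    now = time.time() if now is None else now
    if not path.startswith(SENSITIVE_PREFIXES):
        return "allow"
    if not session.user.has_local_credential():
        return "deny"  # an SSO-only account cannot reach sensitive areas at all
    if session.local_auth_at is None or now - session.local_auth_at > REAUTH_WINDOW:
        return "step-up"
    return "allow"
```

The design point is that a stolen Passport credential alone gets an attacker no further than the public areas: the account, order and billing pages require a secret the site holds and Passport never sees, and that proof expires, so a hijacked session has to re-prove it.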

Beyond that, however, the best thing you can do is to be scrupulous about password controls, educate your employees, and be suspicious of single-sign-on plans that you don’t control. And, of course, hope that Microsoft decides to take these problems seriously enough to fix the problem with the current installed base of Windows instead of waiting until future versions are shipped.

Convenience vs. security

Having a single logon for every site we visit is nice, but is such a convenience worth raising the risk of identity theft? What are you doing to protect yourself and your end users from someone stealing your identity? Post a comment to this article and let us know how you feel.

Wayne Rash runs a product-testing lab near Washington, DC. He’s been involved with secure networking for 20 years, and he’s the author of four books on networking topics.

This document was originally published by CNET on October 1, 2001.