COMPUTING

From...
Computerworld

Security hole found in Netscape mail system

December 16, 1999
Web posted at: 1:06 p.m. EST (1806 GMT)

by Linda Rosencrance

(IDG) -- A Dulles, Va.-based security firm Wednesday warned of a serious flaw in the password encryption of Netscape Navigator's e-mail system.

That flaw could impact businesses deploying the software for e-mail, said Gary McGraw, chief technology officer at Reliable Software Technologies Corp.

McGraw said two RST engineers needed just eight hours to duplicate the algorithm used to scramble an individual's mail password, potentially exposing the password to any attacker.

"We were writing a simple tool to look for key material and other protected stuff on a hard drive," McGraw said. "We started testing it on [the] Netscape Windows Registry file," where Netscape stores information about users, their computers and passwords.

Netscape Communications Corp., in Mountain View, Calif., couldn't be reached for comment by posting deadline.

"In order for a Netscape mail password to be decoded, a small program must run on the computer where the password is saved," RST said in a statement. "The lack of any real security in Windows 95/98 makes exploiting this particular flaw in Netscape particularly easy."

Any program can access the encrypted password, RST said.

McGraw said having access to a Netscape mail password could potentially lead to malicious use of an individual's mail and possibly allow further access to protected business-critical information systems if people are using the same password elsewhere.

"It's extremely important to protect a person's password with good cryptography," McGraw said. "Businesses are using these shrink-wrapped products in their everyday business, so they want to make sure the people making the programs are doing it right."

Since many people use their mail password for other applications at work and at home, a hacker could potentially use an e-mail password to log in to a more secure corporate machine. The attacker could then access sensitive information or use the account to attack other accounts or set up a monitoring system inside a corporate network.

"This could have a real impact on the manufacturers and the people deploying the software," McGraw said. "People use Netscape software for e-commerce, so they have to get the security right. Netscape stores people's passwords on a Windows Registry -- the problem is not storing the passwords there, but making sure they are protected with strong cryptographic algorithms, like DES, the Data Encryption Standard."

While using DES isn't a perfect solution, McGraw said, it is a "darn good one."

There's long been a debate in the security community about the use of proprietary encryption algorithms. Companies that develop them argue they are secure, but some experts say it's important to allow the entire security community to test an algorithm for robustness.

© 2001 Cable News Network. All Rights Reserved.