From...

by Linda Rosencrance

(IDG) -- A Dulles, Va.-based security firm Wednesday warned of a serious flaw in the password encryption of Netscape Navigator's e-mail system.

That flaw could impact businesses deploying the software for e-mail, said Gary McGraw, chief technology officer at Reliable Software Technologies Corp.

McGraw said two RST engineers needed just eight hours to duplicate the algorithm used to scramble an individual's mail password, potentially exposing the password to any attacker.

	MESSAGE BOARD
Insurgency Ecryption

"We were writing a simple tool to look for key material and other protected stuff on a hard drive," McGraw said. "We started testing it on [the] Netscape Windows Registry file," where Netscape stores information about users, their computers and passwords.

Netscape Communications Corp., in Mountain View, Calif., couldn't be reached for comment by posting deadline.

MORE COMPUTING INTELLIGENCE

IDG.net home page

Computerworld's home page

Flawed copyright protection puts new spin on DVD

Don't go proprietary, crypto expert urges

E-mail security and virus resources

Reviews & in-depth info at IDG.net

E-BusinessWorld

Year 2000 World

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletter for IT leaders

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

"In order for a Netscape mail password to be decoded, a small program must run on the computer where the password is saved," RST said in a statement. "The lack of any real security in Windows 95/98 makes exploiting this particular flaw in Netscape particularly easy."

Any program can access the encrypted password, RST said.

McGraw said having access to a Netscape mail password could potentially lead to malicious use of an individual's mail and possibly allow further access to protected business-critical information systems if people are using the same password elsewhere.

"It's extremely important to protect a person's password with good cryptography," McGraw said. "Businesses are using these shrink-wrapped products in their everyday business, so they want to make sure the people making the programs are doing it right."

Since many people use their mail password for other applications at work and at home, a hacker could potentially use an e-mail password to log in to a more secure corporate machine. The attacker could then access sensitive information or use the account to attack other accounts or set up a monitoring system inside a corporate network.

"This could have a real impact on the manufacturers and the people deploying the software," McGraw said. "People use Netscape software for e-commerce, so they have to get the security right. Netscape stores people's passwords on a Windows Registry -- the problem is not storing the passwords there, but making sure they are protected with strong cryptographic algorithms, like DES, the Data Encryption Standard."

While using DES isn't a perfect solution, McGraw said, it is a "darn good one."

There's long been a debate in the security community about the use of proprietary encryption algorithms. Companies that develop them argue they are secure, but some experts say it's important to allow the entire security community to test an algorithm for robustness.