Bull red-faced over Web site security breach

French computing giant says there was no security risk, but the people who found the flaw disagree

Computer experts say that yesterday they uncovered a well-known security vulnerability in the UK Web site of Bull, which would have exposed employee usernames and passwords to hackers.

The incident is an embarrassment for the firm, which prides itself on developing secure enterprise solutions, smartcards and software for secure infrastructure and intranets. In France, Bull is IBM's main competitor in the enterprise space.

A spokeswoman from Bull confirmed the vulnerability: "Due to a software problem, unauthorised individuals were able to get access to a system file on the Web site," she said. "They did not get past the firewall or other security measures. The problem has since been rectified and no security risk was posed."

The security hole was exposed by French activists Kitetoa, who probe corporate Web sites for weaknesses. A Kitetoa spokesman, speaking on condition of anonymity, said the flaw -- originally discovered over a month ago by bug hunter Georgi Guninski -- gave access via a Web browser to the system's Security Account Manager (SAM) file, which contains vital system usernames and passwords.

Four sets of usernames and passwords were exposed, including the administrator's, which give complete control over the machine.

Bull said the passwords were unusable because they were encrypted, but the Kitetoa expert argued that it is possible to decrypt the passwords using a commonplace security tool called L0phtcrack. "It's just a matter of time," he said.

News of the vulnerability may seem like déjà vu to the French firm. In September, Kitetoa revealed a more serious problem with Bull-owned servers that exposed confidential information belonging to Bull and to a number of its corporate customers.

Computer security experts at @Stake confirmed the validity of the vulnerability but stressed that a technical flaw such as this does not in itself mean insecurity. "It is important to mention that these passwords would potentially have been old," said Ollie Whitehouse, managing security architect at @Stake. "If Bull had a good password policy in place, changing passwords every month or so, the risk would have been relatively low."
