Firm finds big security holes in Windows NT

Flaws in Microsoft Corp.'s Windows NT software threaten the security of companies using the Internet to tie together their far-flung corporate locations, a computer security consulting firm declared on Monday.

"We were able to sniff passwords, eavesdrop on the networks, and passively do traffic analysis," said Bruce Schneier, president of Counterpane Systems Inc., of Minneapolis, Minn. "Any Microsoft NT server on the Internet is insecure."

	Microsoft's report card on security has a few F's. Last year, the company was criticized for the security threat posed by ActiveX.
	Monday, crypto rivals Network Associates and RSA Data Security settled their suit.

Counterpane discovered the problems while doing a security analysis on a Windows NT, an operating system used by a swiftly growing number of corporations as the foundation for their computer networks. Microsoft (MSFT) confirmed the security problems later the same day.

VPNs increasingly popular
The flaws weaken the security of so-called "virtual private networks," or VPNs, based on NT and point-to-point tunneling protocol, or PPTP. These VPNs connect company networks from various locations and are quickly becoming popular in the corporate world as a low-cost solution to buying a dedicated phone line to connect computers between company sites.

"A lot of people are creating their virtual private networks using NT," said Schneier. "That makes the flaw that much more serious."

'A lot of people are creating virtual private networks using NT. That makes the flaw that much more serious.' -- Bruce Schneier, Counterpane Systems Inc.

The PPTP is Microsoft's homegrown way of securely sending and receiving data over the public Internet. It's also used to identify whether the person logging in a valid user.

But the software giant would have been better off using one of the public -- and stress-tested -- standards, said Schneier.

"Developing security implementations in-house is very difficult to do right," said Schneier. "That's why it's important to adopt a publicly tested and recognized standard."

Microsoft promises fix ASAP
Windows NT system can use either a 40-bit or 128-bit encryption key to protect a company's data. Those keys, in and of themselves, are extremely secure. The problem is that NT secures those keys with a flawed password system. "Anyone with a list of the top 10 million passwords can break over 99 percent of the systems out there," he said.

Microsoft promises to fix the flaws as soon as possible.

"(Part of the problem) is already fixed," said Karan Khanna, product manager for Windows NT security at Microsoft. "We will be releasing patches to fix the rest as soon as we can."

Khanna attempted to put the flaws in perspective. "The amount of security an organization enforces depends on its needs," he said. "The CIA spends billions of dollars on security -- our customers don't need the level."

Is fix worse than flaw?
That you-get-what-you-pay-for philosophy could quickly backfire on the software giant, however. Despite the stress on getting fixes out as soon as possible, many times such patches just make more problems for system administrators, said Schneier.

"Last time they released a fix, it broke so many other parts of Windows NT, Microsoft had to pull it off the Web site three weeks later," he said.