Hotmail flaw may have been admin tool gone awry

A few possible causes of the Hotmail security flaw.

Inevitably, Microsoft's PR army is patrolling the Web this morning proclaiming this weekend's disastrous Hotmail security breach as fixed and protected against future attacks.

But why in Gates' name was the privacy of 40 million user accounts ever in jeopardy? What happened and how was such a gaping security hole left open?

Firstly, the evidence at hand.

Sometime Bank Holiday Monday, mirror sites around the world -- believed to be hosted initially in Sweden -- began posting a string of admin script promising entry into any Hotmail account, without a password. An admin script is a short, high-level program written by a system administrator to automate routine tasks.

According to one source, who requested anonymity, the admin script used in the Hotmail breach may well have had a legitimate purpose: interrogating user accounts when a password had been lost.

We would speculate that there were three main routes by which this information could have got loose on the Internet.

  • As Microsoft asserts, "a malicious hacker with very specific knowledge of advanced Web-development languages" found and exploited the script.

  • A disgruntled ex-Microsoft systems engineer leaked the information, intending it to be used as a hack.

  • The problem was laziness on the part of an official Hotmail administrator.

Although the latter is pure speculation and has not been confirmed by Microsoft, the possibility should be considered. A member of Hotmail's administrative staff, constantly tasked with interrogating user account information for, say, lost-password retrieval, could have got fed up with the time each interrogation took to perform. To shorten the procedure, he or she could have set up that piece of script, possibly HTML, which effectively created a backdoor, or a loophole into private user information.

Gillian Kent, MSN's group marketing manager, confirmed this morning that an admin script was used. "The script was an old administrative script sitting on one of Hotmail's own servers which was somehow hacked into by a third party," she said.

Hotmail is hosted on BSD, widely regarded as a secure Unix flavour. Interactive users connecting to a Unix server are handed a login shell that demands a user name and password before anything else. With the advent of the Web and FTP downloads, however, remote users no longer have to be "logged in" to a Web server to make it execute processes: a page request, an incoming mail message or whatever else spurs action on the part of that server is enough to set it processing. Of course, as the Internet becomes a more tangled Web, more and more alternate routes, backdoors and loops are created and over time become exploitable.

This one just happened to be a lazy loop that affected 40-50 million user accounts. Maybe.

Beyond turning off your machine, or locking yourself behind a personal firewall and declining mail to or from the outside world, there are a couple of ways of improving messaging security. But always remember that mail should be regarded as a postcard left lying around on other coffee tables around the Internet. These postcards are viewable by third parties if they really want to see them. That includes well-meaning administrators on the countless systems those postcards may have passed through.

Any Internet mail has to queue. Those queues aren't local and are beyond our control. According to the source, Hotmail could prevent similar occurrences by using one-way (non-reversible) algorithms that employ a unique key local to its own system, so that stored account credentials cannot simply be read back by a script.

Equally, one-to-one messaging could be encrypted at source and decrypted locally using a key known only to the sender and intended recipient. Unfortunately, other than for those organisations requiring the very highest levels of security, this method will always prove impractical for the majority of us.
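To show what the source's "one-way algorithm with a local key" means for the lost-password scenario above, here is an added illustration (not Hotmail's code, and not from the article): a password verifier is derived with a salted, slow one-way function and then keyed with a server-local secret, so that even an administrator's lookup tool can confirm a password but never read one back. The key value, function names and sample password are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example key standing in for the "unique key local to your system";
# a real deployment keeps it outside the user database (e.g. in an HSM or a
# protected config file), never alongside the records it protects.
SERVER_LOCAL_KEY = b"example-server-local-key-not-for-production"


def make_verifier(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a one-way, keyed verifier for a password; returns salt and verifier."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    # Slow, salted one-way derivation: nothing stored can be turned back into the password.
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    # Key the result with the server-local secret, so a leaked table alone is not enough.
    keyed = hmac.new(SERVER_LOCAL_KEY, derived, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "verifier": keyed}


def check_password(password: str, record: dict) -> bool:
    """Verify a login attempt by recomputing the verifier; nothing is decrypted."""
    salt = bytes.fromhex(record["salt"])
    candidate = make_verifier(password, salt)["verifier"]
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(candidate, record["verifier"])


def admin_lost_password(record: dict) -> dict:
    """All a lost-password admin tool can do with such a record: confirm that a
    verifier exists and issue a one-time reset token. The password itself is
    unrecoverable, so no script can hand it out, lazily written or otherwise."""
    return {"has_verifier": "verifier" in record,
            "reset_token": secrets.token_urlsafe(16)}


if __name__ == "__main__":
    record = make_verifier("correct horse battery staple")  # constructed sample
    print(check_password("correct horse battery staple", record))  # True
    print(check_password("wrong password", record))                # False
    print(admin_lost_password(record))
```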

Were you affected by the Hotmail breach? Will you continue to use Web-based email?

Tell the Mailroom