Microsoft defends WinCE-NT password flaw

Security weakness is OK because password feature is 'just for convenience' says Microsoft

Microsoft has denied that the security hole in Windows CE 2.x that makes it relatively simple to capture a user's NT password after they have connected using the ActiveSync function represents a mistake at all.

Windows CE programmer Jeff Zamora revealed this week that when a CE device saves and supposedly "encrypts" a user's NT password it simply uses a very basic mathematical function to cipher the message, based on the numerical value of the word "susageP". This is Pegasus backwards, the original code name for Windows CE.

But a spokesman for the Windows CE division of Microsoft refused to admit this is a mistake stating, "It's not a blunder. We understand that security is a big issue and we are stepping up to the issue. This network password is meant as a convenience and we don't recommend it as the only security measure."

This spokesman also denied evidence of sloppy CE programming, claiming that security was weak because everyone had been surprised by the adoption of these hand-held computers by the business sector. "I wouldn't say that the coders are lazy," he says. "It's just that for a long time individual users were buying Windows CE machines for individual use. Security is much more significant in this area and has caught a lot of people off guard that these computers have been deployed in corporate so many environments."

The spokesman also said that people should always use all the security measures available to them as part of Windows CE and mentioned some new forthcoming features: "There is device on, network and application security, and forthcoming versions of CE will be compatible with smart cards."

Renowned security expert Bruce Schneier highlights the WinCE flaw in his latest newsletter and says, "It's so pathetic it's staggering."

British security consultant Matt Bevan of TigerTeam security is similarly appalled. "It's criminal," he says. "Any cryptography that's based on a single key is totally useless once that key has been compromised. It's like the DVD encryption. That is pretty useless from a security perspective now because you can fairly easily get hold of the keys. It's basically like basing the enigma code on the word 'Adolf' backwards."