Your stolen Passport

Microsoft's Passport, a core piece of .NET, could make you prone to identity theft. A single sign-on might be convenient, but a simple worm could easily nab your name and password.
Written by Wayne Rash, Contributor
The way Dave Thomas describes it, he and his staff were trying to track down a series of unusual bugs in Windows when they stumbled across something that really worried them. There, on their screens along with the code they were debugging, was the name and password they had just used for Microsoft's Passport service. Worse, it was in plain text and readily accessible. As he looked more deeply, he realized that writing a worm to recover that information would be, in his words, "trivial."

Thomas, who is CTO of the Oregon-based software quality assurance company Bugtoaster, says that he wasn't really trying to get into the security business, but that this was something too obvious to let pass. It was also too important.

Microsoft's Passport service is a core piece of its .NET strategy. Anyone who uses MSN or MSN Messenger already has a Passport. As Microsoft's Internet strategy moves forward, Passport will serve as a single sign-on for any company that adopts it, and Microsoft is working hard to sign up as many companies as possible. If Microsoft's plans reach fruition, you will be able to travel around the Internet, moving from an e-mail service to an e-commerce site, and only have to sign in once. This is a great convenience for users.

The problem is, it's also a great convenience to hackers and thieves. Passport requires that you use your e-mail address as your user ID and that you pick a single password for every Passport site. Anyone who obtains that one pair can therefore go anywhere you can go. Worse, because Microsoft is also tying its Wallet service to Passport, they can spend your money and read your credit card information as well.

The only upside (if you can call it that) to Bugtoaster's findings is that this particular security hole applies only to Windows 9x, including Windows Me. On the client side it involves the Windows dial-up networking application. When it logs on to Passport, the application retrieves the sign-on information from an encrypted file but then passes it in clear text from one process to another through memory. Windows 9x does not protect one process's memory from another, so a worm can read that memory through the ordinary, documented Windows API and find the credentials with little effort. Fortunately, Windows NT and 2000 don't have this problem.

Unfortunately, that doesn't mean you're in the clear just because you're using NT or 2000, which pass the information in encrypted form. According to Steve Gibson of Gibson Research, a highly respected security firm, capturing the same Passport sign-on information on those operating systems takes a different approach, but one he also calls trivial: a worm that records keystrokes can capture the sign-on from any version of Windows, encrypted files or not. The only reason it hasn't been done in the past, he says, is that it wasn't worth the trouble.

Now, however, with Passport, the target is much more attractive. While it might have been pointless to get someone's ISP password, Passport opens up broad access to any site that uses it.

Unfortunately, there's not much individual users can do without support from Microsoft. Enterprise users, however, have some options. First of all, discourage the use of Microsoft's Passport services until you're satisfied that your security is protected. The most important way to protect your company is to check your firewalls and make sure they screen for unauthorized attempts to send information out from any of your Windows computers. One very effective way to accomplish this is a personal firewall such as Zone Alarm from Zone Labs, which can block a program's attempt to reach the Internet unless you have explicitly approved that program. That way, at least, a worm that captures your sign-on information has no channel of its own to send it out; the caveat is that this only holds as long as the worm cannot piggyback on a program you have already approved, such as your browser or mail client. You might think about keeping password data out of those encrypted files by forcing users to type it at each login, but a worm that records keystrokes can still capture it and send it where it doesn't belong.
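As an added example (not code from the article, from Zone Labs or from Microsoft), the following Python script models the per-program outbound policy described above over a handful of constructed connection records: an outbound attempt is allowed only if a rule names the program, the destination network and the port, and everything else is blocked by default. The program paths, destinations, log format and allow list are all hypothetical, and the script models the policy rather than any real firewall product. The last record also shows the limit of this defence: a connection that an approved program makes to the same host the unknown program tried to reach is allowed, so a worm that can drive or inject into an approved program still has a channel out.

```python
"""Default-deny egress policy over constructed connection records.

Added example, not part of the original article. Every path, address,
port and log line below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    program: str      # executable the rule applies to (hypothetical path)
    networks: tuple   # allowed destination networks as CIDR strings
    ports: tuple      # allowed destination TCP ports


# Constructed allow list. Anything not matched here is blocked, which is
# the property the firewall advice relies on: an unknown program that has
# captured credentials gets no channel of its own.
ALLOW = (
    Rule("C:\\PROGRA~1\\IE\\IEXPLORE.EXE", ("0.0.0.0/0",), (80, 443)),
    Rule("C:\\PROGRA~1\\OUTLOOK\\OUTLOOK.EXE", ("192.0.2.0/24",), (25, 110)),
)

# Constructed log, one attempt per line: "<time> <program> <dst_ip>:<dst_port>".
# Line 2 is an unapproved program calling out directly; line 4 is the
# approved browser reaching the very same host.
SAMPLE_LOG = """\
09:14:02 C:\\PROGRA~1\\IE\\IEXPLORE.EXE 198.51.100.7:443
09:14:05 C:\\WINDOWS\\TEMP\\UNKNOWN.EXE 203.0.113.9:6667
09:14:06 C:\\PROGRA~1\\OUTLOOK\\OUTLOOK.EXE 192.0.2.10:25
09:14:09 C:\\PROGRA~1\\IE\\IEXPLORE.EXE 203.0.113.9:80
"""


def parse_line(line):
    """Split one record into (timestamp, program, ip_address, port)."""
    ts, program, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return ts, program, ipaddress.ip_address(ip), int(port)


def permitted(program, ip, port):
    """True only if some rule names this program, network and port."""
    for rule in ALLOW:
        if rule.program.lower() != program.lower():
            continue
        if port not in rule.ports:
            continue
        if any(ip in ipaddress.ip_network(net) for net in rule.networks):
            return True
    return False  # default deny


def evaluate(log_text):
    """Return (program, 'ip:port', 'allow'|'block') for each record."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, program, ip, port = parse_line(line)
        verdict = "allow" if permitted(program, ip, port) else "block"
        verdicts.append((program, f"{ip}:{port}", verdict))
    return verdicts


def approved_programs_reaching(log_text, host):
    """Programs the policy let talk to `host`: the gap the caveat describes."""
    target = ipaddress.ip_address(host)
    return sorted({
        program
        for program, dst, verdict in evaluate(log_text)
        if verdict == "allow" and ipaddress.ip_address(dst.rsplit(":", 1)[0]) == target
    })


if __name__ == "__main__":
    for program, dst, verdict in evaluate(SAMPLE_LOG):
        print(f"{verdict:5s} {program} -> {dst}")
    print("approved programs that reached 203.0.113.9:",
          approved_programs_reaching(SAMPLE_LOG, "203.0.113.9"))
```

Running it shows the unknown program's direct attempt blocked while the browser's request to the same host passes, which is why the advice above has to be paired with controls on what the approved programs themselves may do.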

Beyond that, however, the best thing you can do is to be scrupulous about password controls, educate your employees, and be suspicious of single-sign-on plans that you don't control. And, of course, hope that Microsoft takes these problems seriously enough to fix them.