InfoWorld
Lead with Knowledge
HOME/ SITEMAP
SUBJECT INDEXES
App Development
Broadband
Business Intell.
Business News
Business Strategies
Careers & Mgmt
Collab. Software
Content Mgmt
CRM
Database
E-Business
End-User Apps
End-User Hardware
Enterprise Apps
Ethics
Government
Licensing
Middleware
Mobile Computing
Networking
Online Community
Operating Systems
Processors
Security
Servers
Storage
Telecomm.
Web Services
Web Technologies
Wireless
XSPs
NEWS
CTO ZONE
TEST CENTER
FEATURES
COMMUNITY
OPINIONS
RESEARCH
EVENT
WEBCASTS
ABOUT InfoWorld
ABOUT US
About InfoWorld
Services
Advertise
Contact us
Employment
WHITE PAPERS

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.
SEARCH:  
Home  //  Article
Print Article    Email Article
Window Manager
Brian Livingston
Your Passport, please

I REVEALED ON Sept. 10 that Windows 9x and Me store your user name and password as plain text in memory every time you dial an ISP and store the text for 10 minutes after you've disconnected. Many PCs are silently infected with Trojan horses that can easily read this information. People who use Microsoft's Passport authentication system, as all Hotmail customers are required to do, are likely to choose the same password for Passport and their dial-up account. With this password, a hacker can access any credit card numbers or other accounts that Passport has recorded.

This scenario was first discovered by Bugtoaster.com, a Windows testing site. Let me assure you that I didn't disclose this security weakness before Microsoft had a chance to patch it. The flaw was discussed with several Microsoft executives back in February, according to Bugtoaster CTO Dave Thomas. The software giant apparently decided not to issue a patch because users can upgrade to Windows NT/2000/XP, all of which correctly encrypt the sensitive information.

In response to that column, reader Dan Ryan wrote, "You shouldn't lump together technical problems with design decisions you don't agree with. If users aren't vigilant about keeping passwords unique, that's hardly Microsoft's fault."

Let me clarify: Using a single password to access your personal and financial accounts is central to Passport, which XP almost requires you to use. This is a design decision I don't agree with. The bundling of Passport with XP is certain to cause more e-commerce sites and Windows 9x and Me users to adopt the authentication scheme. Deciding not to issue a patch for all the Windows 9x and Me users is a technical decision I don't agree with.

Brian Seitz, a spokesman at Microsoft's PR firm, Waggoner Edstrom, wrote, "It's certainly true that a Trojan horse program could compromise the user's security. However, this has nothing to do with Passport -- in fact, it's simply a restatement of the First Immutable Law of Security: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

Seitz listed several steps Microsoft has taken to make it harder for a worm to run mobile code on a PC: the Outlook E-mail Security Update, part of the Outlook 2000 Service Pack 2 and Office XP; the inclusion in Windows XP of Internet Connection Firewall and Software Restriction Policies (which can be configured to prohibit mobile code); and Outlook Express 6.0, which includes security changes similar to Outlook 2000 SP2.

Yes, XP and the latest versions of Outlook and Outlook Express do close some security holes. But Microsoft required all Hotmail users to switch to Passport, not just the ones who have the safer, upgraded programs -- and that exposes the passwords of Windows 9x and Me users to risk.


Brian Livingston's latest book is Windows Me Secrets. Send tips to tips@brianlivingston.com. Go to www.iwsubscribe.com/newsletters to get Window Manager and E-Business Secrets free each week via e-mail.



RELATED SUBJECTS

Operating Systems
MORE >
SUBSCRIBE TO:    E-mail Newsletters  InfoWorld Mobile InfoWorld Magazine
Home  //  Article Print Article    Email Article
Back to Top
 ADVERTISEMENT
 

SPONSORED LINKS

Gateway: Your Reliable IT Provider of Business Technology Solutions
Learn to secure your PCs from new and unknown hacker attacks.
Get FREE Hurwitz Report: Control Your App Dev Costs with TogetherSoft!
Click here to receive a FREE Success Kit from Oracle.
SPEED, PERSONALIZATION AND INTEGRATION: THE KEY TO E-COMMERCE SUCCESS.

SUBSCRIBE
E-mail Newsletters
InfoWorld Mobile
Print Magazine

Web-based training
ABOUT INFOWORLD  |  SITE MAP  |  EMPLOYMENT  |  PRIVACY  |   CONTACT US

Copyright 2001 InfoWorld Media Group, Inc.