Windows 95 stored password vulnerability


SECURITY REPORTS

Ed Wehde

Snadboy Software recently released a product, called Revelation, that can be used to reveal hidden ISP, E-mail or corporate network passwords that are stored in the password cache of Windows 95. Microsoft has responded by posting a bulletin on its Web site warning of what they call a security "vulnerability" presented by the product. Revelation is designed to assist users who have trouble remembering all their passwords.

Windows 95 users who do not want to type in their password every time they log on can store the passwords in a cache. In the cache, passwords are represented by asterisks, not text. Revelation can be used to reveal the text represented by the asterisks. Most users have numerous passwords to remember and are therefore likely to take advantage of the Revelation software to reveal passwords if they get one or more of them confused. "It's the classic tradeoff between convenience and security", Microsoft spokesperson Jon Roberts told US reporters.

Unfortunately, devious, unauthorized persons can also access normally hidden passwords from a computer if the Revelation software has been downloaded to it. Microsoft said that the Revelation software can be used to pilfer passwords only if the computer that is running the software is left unattended. Remote access is not a security concern in this instance, according to Microsoft. In order to avoid relying on the cache to keep their passwords straight, users should try to use as few passwords as possible. Microsoft suggests that users can avoid the threat presented by Revelation by not using the cache at all.

In the bulletin at its Web site, Microsoft recommends that, if there is any possibility that the Revelation software has been downloaded to their computer, users should not check the 'Remember My Password' box. Other security policies Microsoft recommends include: logging off when leaving the computer for long periods of time, running a password-protected screen saver when leaving for short periods, and not allowing others to run unknown programs on your computer. Revelation can be downloaded free at the Snadboy Software Web site. The product is designed to work with Windows 95 only, and does not work with Windows NT Workstation or Server. Windows 98 is expected to be subject to the same threat of stolen passwords from Revelation.

Data protection standard on the cards

Elspeth Wales

The International Standards Organization (ISO) is considering whether or not to draw up a standard that covers personal data protection. The ISO has formed an Ad Hoc Group on Privacy of Information and Personal Data, which is charged with the mandate to consider the advisability of the ISO developing a standard for personal data protection. The group is due to meet in mid-December to decide on the next step in their deliberations, ready to make a recommendation to the ISO in January.

While the original driver for such a standard to be contemplated came from the ISO's Consumer Policy Committee, the need has assumed added urgency

Computer Fraud & Security November 1997 © 1997 Elsevier Science Ltd