NEWS

Hackers take 'Notes' in Vegas

White Hat hackers from the Netherlands plan to blow the lid off Lotus Notes security. Just another Saturday night at DefCon.

By Kevin Poulsen
July 29, 2000 1:56 PM PT

LAS VEGAS (SecurityFocus.com) - When former hacker Chris "Erik Bloodaxe" Goggans and a team from the Netherlands-based company Trust Factory wrap up their fifty-minute presentation at DefCon here Saturday night, network administrators filing out of the audience may be flipping open their cell phones or looking for a place to log on, and hackers may run for their laptops.

"We've already talked to a few of our clients and told them that we're going public with this, and they're scared," says Goggans, a consultant with Virginia-based Security Design International.

Goggans, along with Trust Factory's Wouter Aukema, Patrick Guenther and Kevin McPeake, is presenting the results of months of poking and prodding at Lotus Notes, the comprehensive office collaboration platform that is the standard work-a-day tool for 60 million people at 10 thousand different companies and government agencies, according to Lotus.

Despite its broad base, Notes has been largely unexplored territory for hackers. Though it handles email, it has yet to be plagued by a Melissa or LoveLetter virus. It's the database tool of choice for many government agencies, but its files have generally gone unplundered.

That may change after Trust Factory and SDI announce at the world's largest hacker convention that they've discovered a serious weakness in Notes' password scheme.
'All the versions are vulnerable to this, since they've been using the same hash mechanism since inception.' -- Chris Goggans, SDI

No Salt

Notes passwords are stored and verified as a "one-way hash," a scrambled alphanumeric string that, in theory, cannot be descrambled. Hash mechanisms are a common method of handling passwords, but such systems typically inject a random number into the mix, called a 'salt,' to prevent attackers from building a comprehensive dictionary of every possible password in hashed form. On a Unix system, for example, the word 'secret' can be encoded in 4096 different ways.

The researchers discovered that Notes scrambles its password without a salt. So the password 'secret' is always encoded as 06E0 A50B 579A D2CD 5FFD C485 6462 7EE7. The word 'password' is always stored as 355E 98E7 C7B5 9BD8 10ED 845A D0FD 2FC4.

That predictability makes attacking Notes passwords, and gaining access to email, databases, and everything else a user can access, shockingly simple for an attacker who can access the hash.

"All the versions are vulnerable to this, since they've been using the same hash mechanism since inception," says Goggans.

The hashes are stored in the "Name and Address Book" file names.nsf, which is accessible to every Notes user in an organization. More importantly, many Notes servers are wide open to access over the web, allowing attackers to simply download the scrambled passwords, and then attack them.

"We've gone around, and there are a lot of sites that have the Name and Address Book available over the Internet," says Trust Factory's Kevin McPeake.

An attacker may not even have to crack the password. Trust Factory found that if the user's Internet Notes password is the same as their local Notes password, and their "UserID" file is publicly accessible, the hashed password is enough to crack their account.
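The salt argument above, as an added illustration that is not code from the article, from Lotus or from the researchers: SHA-256 stands in for the one-way hash (the article does not describe the Notes algorithm, and this is not it), and the word list and user records are constructed sample data. It shows why a single precomputed table works against every unsalted store, why it misses every salted record, and the one check a defender can run precisely because there is no salt.

```python
"""Unsalted vs. salted password storage: why one table fits all.

Added example; SHA-256 is a stand-in hash, not the Lotus Notes algorithm.
WORDLIST and the user records below are constructed sample data.
"""
import hashlib
import os
from collections import defaultdict

WORDLIST = ["secret", "password", "letmein", "welcome1"]  # constructed


def unsalted_hash(password):
    """Store only hash(password): identical passwords give identical records
    for every user, at every installation, forever."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Store 'salt:hash(salt || password)' with a fresh random salt per record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + ":" + digest


def precompute_table(words):
    """The 'comprehensive dictionary of every password in hashed form' the
    article describes: built once, reusable against any unsalted store."""
    return {unsalted_hash(w): w for w in words}


def table_lookup(stored, table):
    """Recover a password from a stored record by lookup alone. For a salted
    record only the digest part is looked up, and it never matches because
    the salt changed what was hashed; each record would need its own table."""
    digest = stored.split(":")[-1]
    return table.get(digest)


def shared_hash_audit(records):
    """Defender-side check that only works on an unsalted store: group accounts
    whose stored value is identical, i.e. accounts sharing one password."""
    groups = defaultdict(list)
    for user, stored in records.items():
        groups[stored].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    print("unsalted lookup:", table_lookup(unsalted_hash("secret"), table))
    print("salted lookup:  ", table_lookup(salted_hash("secret"), table))
```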
Trust Factory even wrote a program that opens Notes accounts remotely under these circumstances. They call it "Sesame."

A spokesperson for IBM-owned Lotus confirmed the discovery, and said the company was grateful for SDI and Trust Factory's work.

Goggans says they don't plan to publicly release Sesame, and will not provide enough specific information during their DefCon presentation for attackers to immediately exploit the weaknesses. Nevertheless, security-conscious administrators should consider removing UserID files from public view, blocking access to the Domino server from the Internet, and switching to an optional, more powerful hash setting, says Goggans.

And it wouldn't hurt to do it before 7:00 p.m., Las Vegas time.

Tips, feedback, flames? Email news@securityfocus.com

Want to link to this article? Use this URL: http://www.securityfocus.com/news/66

Copyright © 1999-2000 SecurityFocus.com