Article 121809 of comp.os.vms:
I received the following as an E-mail from my friendly Apple person:

+++++++++++


'Utility tool' can crack user passwords -- 'Hack' punches hole in NT nets' security

By Larry Lange

San Francisco - A major security flaw has been uncovered in the Microsoft Corp.
NT network operating system that could enable a remote user to unscramble
encrypted information, including the entire registry of user passwords, and
display it as plain text.

A pair of professional security technologists wrote the code for the "hack"
that found the flaw.  The code has been verified by several experts and is
making the rounds on the Internet via an electronic mailing list frequented by
skilled hackers with an interest in NT-security issues.

The potentially password-cracking code is the third major hack of NT in as many
months and follows recent revelations of security holes in Microsoft's Internet
Explorer Web browser. Certainly, the software giant's security technology has
come under closer scrutiny by the hacking community as NT and Internet Explorer
have found broader market acceptance.

Mike Nash, Microsoft's director of marketing for NT Server, acknowledged the
security flaw without elaborating on a possible fix. "It's good that people are
testing our products, and the best thing we can do is increase the awareness
about security to our customers," he said.

Though presented in the mailing list as a "utility tool" for NT systems
administrators, the latest hack is capable of much more.

"It's a double-edged sword," Jeremy Allison, principal author of the hack's
code, told EE Times. "This is a useful utility for migrating users to Unix
systems from Windows NT, but it can also enable people to see all the actual
passwords, which until now wasn't possible.

"If you are inside an NT system, this could be used for hacker purposes."

"All that's missing is intent," noted Yobie Benjamin, senior consulting
architect for emerging technologies at Cambridge Technology Partners
(Cambridge, Mass.) and co-author of the code. "If somebody wanted to crack an
NT server today, for malicious purposes or financial gain, the pieces of the
puzzle are now all there."

Microsoft's Nash admitted to some of that. "In this case, it is possible to
break into the system and decrypt passwords," he said. "But it requires that
you have administrative privilege."

Not so, said Yobie Benjamin, who noted that bypassing administrative privilege
to glean these passwords is possible in other ways. In fact, Benjamin said,
even a "reasonably skilled kid" with an inexpensive 386 PC and a
28.8-kbit/second modem could access an NT network, though not through a direct
dial-in and log-on attack. Rather, access could be obtained via a "Trojan
horse" -- a series of small programs embedded in a file that are sent to a user
via e-mail over a network.

"All one of these NT users has to do is double-click on one of these programs
to execute it, and the program does what it's supposed to do" -- that is, retrieve
plain-text files of passwords -- "and at some point e-mails back the results. You
wouldn't even know what hit you," he said.

Chris Goggans, senior networking security engineer at Wheelgroup Inc. (San
Antonio, Texas), concurred that the hack code "makes NT or anything using
Microsoft networking vulnerable to attacks." Now that NT "is being accepted into
all kinds of environments, you're going to see all kinds of bugs come out," he
said.

But that shouldn't be surprising; after all, Goggans noted, "we're still seeing
bugs coming out of 20-year-old Unix, and NT is a baby in comparison."

Wake-up call

Allison, a programmer at Cygnus Solutions (Sunnyvale, Calif.), which provides
Unix and NT desktop and cross-platform development tools, said he put in only
three months of part-time work on the hack. "Microsoft's marketing has
positioned NT as being much more secure than Unix; they're playing on people's
fears," he told EE Times. But "their password-encryption mechanism obviously
has some flaws in it; it's not as good as Unix's.

"They know that -- but I guess they'll really know it now."

The hack is particularly perturbing for Microsoft since it goes directly for
the heart of the NT security system: the Security Accounts Manager (SAM), where
the passwords reside. The now-public code effectively exploits that area by
"breaking" the hashing algorithm via a reverse-engineering technique.

"If someone can break into NT security," said Allison, "this allows them to
dump out the password database and run a 'dictionary attack.' It's very easy
because NT doesn't use 'salt' [data that avoids duplicate passwords]. Salt adds
another level of complexity to the password-hashing algorithm. Instead, NT uses
a very simple password-hashing algorithm."

Higher purpose

Yet the hack is not without its nobler functions for NT. Benjamin explained
that NT systems administrators, unlike their Unix counterparts, have no way to
view the passwords of their users; once an NT user establishes a password, only
that person alone can see it. That has been a point of contention among NT
sysads.

Many Unix sysads use a program called Crack that attacks in-house passwords to
reveal vulnerabilities -- such as commonly used (and easily guessed) passwords.
Benjamin's and Allison's code, with a bit more development, will allow such a
program to be constructed for NT.

"This is a springboard to that," said Goggans. "I expect, within the next week,
someone out there's going to write such a program for NT."


Yet Wheelgroup's Goggans maintained that immediate harm could result from the
code's being let loose over the Net. If someone has broken into any of the NT
machines, or an employee is angry, Goggans said, "he or she can simply run a
'sniffer' program to pull the encrypted passwords and then run that program
with a common 'dictionary' program to get the plain-text passwords."

That, in effect, would turn a mere user into a full-blown system
administrator -- or system saboteur.

"NT is not as safe as it had been, because of this hack," Goggans said.

Frank Ramos, president of Somarsoft Inc. (San Francisco), a
security-auditing-program developer for NT, said the hack appears to have
nullified Microsoft's marketing claims that NT administrators are denied
user-password access in the interest of secure networking.

"With this, a user still has to have access to the network and the SAM" to pull
off the hack, "but it's questionable just how difficult it is to get that
[access]," Ramos said.

Indeed, he said, test code resides on his company's posted Web site that shows
just how easy it may be.

"Below is an example of the sort of source code that could be used over the
Internet to attempt logging in as an administrator [by] using a database of
passwords or a password-generator algorithm until a password is found that
works," the Somarsoft page reads. "Once the administrator password is found,
the hacker has complete access to the machine."

Predicted Benjamin: "I bet that once this SAM-hash crack gets out there, the
next iteration will be an attack through the Net."

Not surprisingly, NT is coming under scrutiny just as it is making significant
inroads into both the workstation and server markets. Hackers are notorious for
targeting high-profile products; consider the assault on Netscape's encryption
technology last year and on Microsoft's IE browser more recently.


Benjamin appears to be no stranger to Microsoft's security staff. He was
actively involved in uncovering at least two other security flaws, in
collaboration with a respected TCP/IP hacker known as Hobbit. The two hackers
exposed holes in NT security that resulted from vulnerabilities in the
Microsoft's Common Internet File System (CIFS), an Internet version of the
Server Message Block (SMB) protocol used in Microsoft networking to provide
access to files, printers and other shared resources.

Microsoft has addressed those issues, primarily by posting advice for
administrators on its Web site and by adding fixes to upgrades in "service
packs."

"In the face of NT's growing popularity, more people such as myself and many
others will push both its capabilities and weaknesses to its breaking
point -- and, in my opinion, rightfully so," Benjamin said. "It is part of the
'operating-system imperative' -- constant evolution, through real-world testing,
to meet higher security demands."

Microsoft's Nash said that NT customers can do two things to help themselves in
NT security matters. "First, don't give the security privilege out to people
you don't trust," he said, adding, "don't use words like 'dog' and 'cat' as
passwords; rather, use 'strong' passwords, words with a combination of upper-
and lowercase characters, numbers and punctuation marks."

Microsoft can be expected to pursue a short-term solution to the potential
password breach by offering a fix or a patch, but Benjamin noted that "it is
not a trivial task to change the NT SAM." He suggests that the company release
NT version 5.0 -- with an improved security architecture -- as quickly as possible.
Microsoft's current schedule for NT 5.0 targets a first-quarter '98 release
date, and beta by the end of this year.

Short- and long-term fixes notwithstanding, Benjamin notes a fundamental issue
with NT: It is rooted in "old-school LAN-manager technology. It was never meant
to be for a large enterprise."

Given that fact, he said, nothing but "continual vigilance" will suffice.
System administrators and users, Benjamin said, should be "careful about what
they are downloading; stay up to date with all the patches; and get on the
relevant mailing lists, such as ntbugtraq."

Goggans of Wheelgroup had this caustic warning for the software monolith:
"Microsoft should spend less money on getting the Rolling Stones' Start Me Up
on their operating systems and more on [recruiting] experts in security and
networking.

"Until that happens, the consumer will continue to be the final beta tester."

-Additional reporting by Margaret Ryan.

  Copyright (c) 1997 CMP Media Inc.


=====================================================================



*************************************************************************
I date this girl for two years -- and then the nagging starts:  "I wanna know
your name"
     -Mike Binder
*************************************************************************

-- 
==================================================================
Dick Piccard                           Academic Technology Manager
piccard@ouvaxa.cats.ohiou.edu                    Computer Services
http://ouvaxa.cats.ohiou.edu/~piccard/             Ohio University
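Two of the article's technical points can be checked in a few lines: Allison's remark that an unsalted password database lets one dictionary pass serve every user at once (and exposes users who share a password before anything is cracked), and Nash's advice to use mixed-case passwords with digits and punctuation. The script below is an added illustration, not code from the article, from Allison and Benjamin, or from Somarsoft; SHA-256 stands in for whatever hash NT actually used (an assumption, since the article does not name it), and the user records and word list are constructed sample data. It shows that salting does not stop a weak password from being guessed, but it removes the shared lookup table and makes the work grow with the number of users, which is why auditing tools like the Unix Crack the article mentions scale so differently on the two designs.

```python
"""Unsalted vs. salted hashing: why one dictionary table serves every user without salt.

Added example; SHA-256 stands in for the NT hash (assumption), data below is constructed.
"""
import hashlib
import os
import string

# Constructed word list standing in for a "dictionary" file.
WORDLIST = ["dog", "cat", "password", "letmein", "summer97"]

# Constructed user records: alice and carol happen to share a weak password.
USERS = {"alice": "dog", "bob": "password", "carol": "dog", "dave": "kQ7#zP!q9vLm"}


def unsalted_hash(password: str) -> str:
    """One-way hash with no salt: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Same hash, but a per-user random salt is mixed in first."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_databases(users=USERS) -> tuple:
    """Return (unsalted_db, salted_db) for the same user set."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = os.urandom(16)               # fresh salt per user, stored beside the digest
        salted[u] = (salt, salted_hash(p, salt))
    return unsalted, salted


def shared_passwords(unsalted_db: dict) -> list:
    """Groups of users whose unsalted digests match: visible without cracking anything."""
    by_digest = {}
    for user, digest in unsalted_db.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(users for users in by_digest.values() if len(users) > 1)


def dictionary_check_unsalted(unsalted_db: dict, words) -> tuple:
    """Hash the word list ONCE, then look every user up in that table.
    Returns ({user: word}, number of hash computations)."""
    table = {unsalted_hash(w): w for w in words}
    found = {u: table[d] for u, d in unsalted_db.items() if d in table}
    return found, len(words)


def dictionary_check_salted(salted_db: dict, words) -> tuple:
    """With salt no table can be shared: each user costs a fresh pass over the list.
    Returns ({user: word}, number of hash computations)."""
    found, work = {}, 0
    for user, (salt, digest) in salted_db.items():
        for w in words:
            work += 1
            if salted_hash(w, salt) == digest:
                found[user] = w
                break
    return found, work


def is_strong(password: str, words=WORDLIST) -> bool:
    """Nash's advice: upper- and lowercase, digits, punctuation, and nothing dictionary-like."""
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    return len(password) >= 8 and all(classes) and password.lower() not in words


if __name__ == "__main__":
    unsalted, salted = build_databases()
    print("users sharing a password:", shared_passwords(unsalted))
    found, work = dictionary_check_unsalted(unsalted, WORDLIST)
    print(f"unsalted: {found} after {work} hash computations")
    found, work = dictionary_check_salted(salted, WORDLIST)
    print(f"salted:   {found} after {work} hash computations")
    for u, p in USERS.items():
        print(f"{u}: {'strong' if is_strong(p) else 'weak'}")
```

Run as-is: the unsalted database gives up the same three weak passwords after five hash computations in total, while the salted one needs ten for four users, and the count keeps growing with every user added. Only dave's password passes the strength check, and it is also the only one neither pass recovers.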