________________________________________________________________________________

Wired News
Hotmail Accounts Still Exposed
by Declan McCullagh and James Glave
8:05 a.m. 30.Aug.99.PDT

No sooner was one catastrophic security flaw closed Monday -- one that exposed millions of Hotmail accounts to prying eyes -- than another one appeared.

The net result: As of 2 p.m. PDT, Hotmail account holders remain in jeopardy of having their email messages read, as well as being impersonated in email.

The first breach was closed Monday at around 9 a.m. PDT, when Hotmail restored access to legitimate subscribers. The second breach is a variation of the first, and may be the result of one Hotmail machine that evidently was not fixed when the others were.

The significance of these security holes is that private Hotmail accounts became available to anyone with a Web browser. Most security vulnerabilities on the Internet require in-depth knowledge of Unix or Windows NT internals, technical knowledge that the average Web user does not possess.

The bug appears to have affected every customer of what Microsoft says is "the world's largest provider of free Web-based email."

Between 8:30 and 9 a.m. PDT, Microsoft pulled the plug on large portions of the Hotmail site, rendering it unreachable for millions of subscribers. During that period, the only access to Hotmail accounts could be made through illicit means -- by those who had access to a simple piece of code that was spread wildly on the Net over the weekend.

That was about 12 hours after the company was notified of the security hole.

But users already logged in to their accounts -- or someone else's -- could continue to send, receive, and delete email.

Around 9:30, sections of Hotmail began to slowly come back online. By that time, people without Hotmail accounts could connect to the site's homepage. Users with accounts configured to remember their password, however, received this unhelpful message: "ERROR: Cannot open UserData file."
As of 10:15 a.m., Microsoft engineers, led by Mike Nichols in Redmond, Washington, had managed to fix that problem, too, and users could log in normally again. Yet there still was no reference to the problem anywhere on either the Hotmail or MSN sites.

A Microsoft spokeswoman could not offer any explanation for the problem. She said that the company took down the Hotmail servers as soon as it was notified of the problem by the European press Monday morning. She said Monday morning that the company had resolved the issue so that future attacks of this type would not be possible. That has not proven the case.

The exploit worked this way: Any Web page containing a short, simple piece of HTML -- rendered by most browsers as a type-in form -- could connect to a Hotmail server and open an account simply by submitting a user name, with no password required. By early Monday, copies of that HTML code were posted on hacking-related Web sites.

The Hotmail exploit apparently took advantage of a bug in the "start" script that processed a login session between a Web browser and a server.

One site where the problem surfaced was 2038.com, which Network Solutions shows registered to Moving Pictures, a group based in Sweden. Erik Barkel, the contact associated with that domain, could not be reached for comment. As of about 8:30 a.m. that site redirected to a Web page promoting a marketing company. The managers of that company said they had nothing to do with the redirect.

"It's just a point[er] put there by a person who's trying to make a joke," said Anders Herlin, business development manager at Abel and Baker. "We haven't had the slightest idea why."

"All I know is we do not want to be associated with it," said Herlin. "We are a fairly new company. Maybe someone wanted to cause us harm."

But the code quickly spread to dozens, if not hundreds, of sites. A Swedish newspaper, Expressen, reported the bug in its Monday editions. The bug let anyone log into a Hotmail account without typing a password.
"We know nothing about [the individual who tipped us]. It was anonymous," said Christian Carrwik, one of two Expressen reporters who broke the news. "It has been circulating for a couple of days."

Expressen said Microsoft was alerted very early Sunday morning.

This is only the most recent Microsoft security gaffe. Redmond admitted earlier this month that its MSN Messenger instant messaging client can accidentally disclose Hotmail account passwords. Even if the password is supposedly deleted from a computer, someone else could still view it if they knew the proper keystrokes.

Last week, Wired News reported a bug in tens of millions of Microsoft Windows computers that lets an attacker take control of a PC by sending an email message.

Lindsey Arent contributed to this report.

http://www.wired.com/news/news/business/story/21490.html

================================================================================

Wired News
Did MS Dig Its Hotmail Hole?
by James Glave
12:05 p.m. 30.Aug.99.PDT

The Hotmail security hole may have been an intentional backdoor that Microsoft built into its system for maintenance purposes, security experts said.

Monday's exploit, which opened Hotmail accounts to any casual user, apparently took advantage of a hidden login script. The script may have been either old code left on the server by mistake, or a long-forgotten script used for production purposes.

"From an outsider's perspective this appears to be some type of backdoor," said Kit Knox, a systems administrator who maintains the Rootshell archive of security exploits.

"It looks like something that was used for testing or service that probably got out," he said. "I can't verify what goes on because they have disabled everything on the site."

The hidden script sent the password "eh" to a Hotmail login script called "start." That script differs from "dologin," the normal program running on the welcome page that logs Hotmail users into the site.
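The failure mode the two articles describe is a second login entry point, left on the server, that honours a fixed test password while the advertised login page checks credentials properly. The following is an added illustration, not Hotmail's or Microsoft's code and not the exploit page that circulated: a toy credential check shared by two routes, one of which carries the forgotten test shortcut, beside a hardened layout in which the retired route can no longer issue a session, and an audit that walks every route in the routing table and probes it with values that must never work. Only the route names "dologin" and "start" and the password "eh" come from the article; the account store, the form field names "login" and "passwd", the hashing parameters and the probe list are constructed for the example.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # kept low so the example runs quickly; production values are far higher


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; this is what gets stored, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed account store (hypothetical): user -> (salt, derived key).
_SALT = b"constructed-salt-alice"
USERS = {"alice": (_SALT, derive("correct horse", _SALT))}


def check_password(user: str, password: str) -> bool:
    """The single real credential check: unknown user fails, compare is constant-time."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(expected, derive(password, salt))


# ---- Vulnerable layout: two login routes, one of them a forgotten test entry point.

def dologin_vuln(form: dict) -> bool:
    """Normal login route: checks the password properly."""
    return check_password(form.get("login", ""), form.get("passwd", ""))


def start_vuln(form: dict) -> bool:
    """Legacy 'start' route. The fixed test password 'eh' grants any existing
    account without consulting the credential store, the behaviour the article describes."""
    if form.get("passwd") == "eh":
        return form.get("login", "") in USERS
    return check_password(form.get("login", ""), form.get("passwd", ""))


VULNERABLE_ROUTES = {"dologin": dologin_vuln, "start": start_vuln}


# ---- Hardened layout: one authentication path; the retired route fails closed.

def dologin(form: dict) -> bool:
    """The only route that can authenticate, and it has exactly one code path."""
    return check_password(form.get("login", ""), form.get("passwd", ""))


def start(form: dict) -> bool:
    """Retired entry point kept only so old links fail closed; it never issues a session."""
    return False


HARDENED_ROUTES = {"dologin": dologin, "start": start}


# ---- Audit: probe every route that can issue a session, not just the advertised one.

def audit_routes(routes: dict, users, probes=("eh", "", "test", "password")) -> list:
    """Return (route, user, probe) triples for which a route granted a session.
    An empty list means no route accepts a bogus password for a known user."""
    findings = []
    for name, handler in routes.items():
        for user in users:
            for probe in probes:
                if handler({"login": user, "passwd": probe}):
                    findings.append((name, user, probe))
    return findings


if __name__ == "__main__":
    print("vulnerable layout:", audit_routes(VULNERABLE_ROUTES, USERS))
    print("hardened layout:  ", audit_routes(HARDENED_ROUTES, USERS))
```

The audit iterates the routing table rather than a hand-written list of login pages, because the point of the story is that the entry point nobody remembered is the one nobody tested; a route that can grant a session but is missing from the table a pen tester or regression suite sees is exactly the gap Knox and Shipley describe.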
"It is possible that non-production code was left on their servers by mistake," said Knox.

One network security specialist said that backdoors are all too common in Web sites because the site owners do not think anyone will find them.

"There is the belief that security can be achieved through obscurity," said Peter Shipley, chief security architect with KPMG. "A lot of companies I have dealt with -- while doing security audits -- I have seen backdoors, and they said, 'No one will find that.'"

"But someone will find it by accident, or someone will know about it, or a disgruntled employee will leave the company with the knowledge of how to do it," Shipley said.

A Microsoft spokeswoman could not offer any explanation for the problem. She said that the company took down the Hotmail servers as soon as it was notified of the problem by the European press Monday morning. She said the company has resolved the issue so that future attacks of this type would not be possible.

Although she said Microsoft received the message Monday morning, she was not certain when it had been sent. The company is composing a letter to users that it will post on the Hotmail site Monday afternoon. She did not know how long Hotmail users had been vulnerable.

The identity of the individual or group who discovered the backdoor remains unknown. At least one member is likely to be Swedish because the Swedish press was the first to be alerted to the problem.

In an Internet relay chat interview, a Swedish lighting technician who lives in the city of Gothenburg and identified himself as DarkWing claimed that a similar backdoor was discovered in Hotmail six months ago. He said Hotmail closed that hole, which was never made public, in a site redesign about six months ago.

http://www.wired.com/news/news/technology/story/21495.html

================================================================================

Wired News
Want Security? Forget Web Mail
by Declan McCullagh
12:50 p.m. 30.Aug.99.PDT

By now you've likely heard of Microsoft's devastating Hotmail security gaffe, which exposed the naked contents of millions of personal email accounts for the perusal of the world's voyeurs.

Well, get ready for the disturbing verdict from security experts: These sorts of security holes -- gaping maws, really -- are inevitable.

"They're inherently insecure," says Peter Neumann of Web-based email services. Neumann is a researcher at SRI International who keynoted last week's Usenix security conference.

One reason why Web-based email programs are less safe than other email systems is that your archived email remains online. When you're downloading email through a POP server, most email clients delete the message from the server (unless they are configured to leave copies there), and it ends up stored solely on your local computer's hard drive. So if the remote POP server's security is compromised, an attacker can look only at email that arrived since you last checked your account -- and not at that business plan or love letter you received half a year ago.

Other Web email services include ones provided by Yahoo, Mailcity, and email.com. Lycos, the parent company of Wired News, owns Mailcity.

Neumann stresses, however, that email security can be compromised in other ways too. "To single this one out and say that it's unsafe is unfair to everything else that's unsafe."

Experts say the biggest problem with Web email is that it violates one of the fundamental tenets of electronic security: The user should be the one in control of his or her own files. Or, as some wags put it, don't trust Microsoft with that control.

"Microsoft has a long history of ignoring their security problems. That's why I don't completely trust them," says Kathleen Ellis, a system administrator for TSI TelSys.

But can you sue the world's largest software company for the glitch, which lasted at least a day and could cost millions if secret info was leaked? Probably not, says one veteran litigator and former prosecutor.
"This is a 'service' Microsoft is doing for free," says Mark Rasch, a lawyer for Global Integrity Corporation, which is part of SAIC and based in Reston, Virginia. "That doesn't mean they don't have liability, but in these sorts of things, typically liability will be governed by the contract."

However, Rasch also said that anyone who browsed through someone else's Hotmail account, and can be traced, could conceivably be prosecuted under federal criminal laws.

In this case, the contract is galactically broad in its disavowal of liability for anything, anywhere, at any time. "In no event shall Microsoft and/or its suppliers be liable for any direct, indirect, punitive, incidental, special, consequential damages or any damages whatsoever," the contract reads.

Translation: There's no such thing as a free lunch.

That said, there's also no such thing as carte blanche protection against lawsuits, said Ed Radlo, a partner at Fenwick & West, a Menlo Park, California, law firm that specializes in Internet law. While the boilerplate may absolve Microsoft of liability for the consequences of the initial hack, it doesn't protect the company against negligence suits alleging it handled the problem poorly.

"Once they're informed of a problem, they have a duty to protect their customers. Depending on how they respond, they could be opening themselves up to litigation," Radlo said.

The bottom line, said Radlo, is that Microsoft is the quintessential deep pocket, and people are going to be looking for ways to come after them.

Some groups that argue for federal privacy regulations say that more laws are needed to protect the confidentiality of email. David Sobel, staff counsel for the Electronic Privacy Information Center, said that additional regulation would make companies "more diligent in ensuring that there are no privacy flaws in the services."

"Right now the downside is that the company takes a PR [hit] for a day or two but that's it. There's no system of accountability and not even a legal recognition of the fact that users have been injured in any way by having their email read."

"That's a problem," he said.

And if increased regulation -- and ensuing liability -- made companies less likely to provide free services? "If that would be the result, that would be the result," Sobel said.

Free-market proponents have a ready response. "I don't think we need the government to get in the business of regulating software bugs," says Solveig Singleton, a telecommunications lawyer at the Cato Institute.

"If users really do care about security, they'll take their business elsewhere," she says.

Which means being better informed, something that SRI's Neumann stresses as well. "Be aware of what's going on. You have to be computer-literate to know what's going on," he said.

"The user is at a tremendous disadvantage. The average user can never be expected to understand exactly what's happening to him. So he's going to get screwed," Neumann said.

Craig Bicknell contributed to this story.

http://www.wired.com/news/news/politics/story/21498.html

________________________________________________________________________________

no copyright 1999 rolux.org - no commercial use without permission.
is a moderated mailing list for the advancement of minor criticism.
more information: mail to: majordomo@rolux.org, subject line: , message body: info.
further questions: mail to: rolux-owner@rolux.org.
archive: http://www.rolux.org