Security breach poses problem for system administrators
Windows NT Passwords Accessible
This is especially troublesome for Microsoft because it has tried positioning NT as more secure than alternatives such as Unix. And it follows weeks of reports and fixes to the security of Internet Explorer, Microsoft's flagship Internet web browser and email client.
A pair of professional security technologists wrote the code that found the flaw. The code has been verified and is making the rounds on the Internet in areas frequented by skilled hackers with an interest in NT-security issues. The password-cracking code is the third major hack of NT.
Mike Nash, Microsoft's director of marketing for NT Server, acknowledged the security flaw without elaborating on a possible fix. "It's good that people are testing our products and the best thing we can do is increase the awareness about security to our customers," he said.
"It's a double-edged sword," said Jeremy Allison, principal author of the hack's code. "This is a useful utility for migrating users to Unix systems from Windows NT, but it can also enable people to see all the actual passwords, which until now wasn't possible.
"If you are inside an NT system, this could be used for hacker purposes," he said.
"All that's missing is intent," said Yobie Benjamin, senior consulting architect for emerging technologies at Cambridge Technology Partners and co-author of the code. "If somebody wanted to crack an NT server today, for malicious purposes or financial gain, the pieces of the puzzle are now all there."
Microsoft's Nash admitted to some of that. "In this case, it is possible to break into the system and decrypt passwords," he said. "But it requires that you have administrative privilege."
Yobie Benjamin disagrees. In fact, Benjamin said, even a "reasonably skilled kid" with an inexpensive 386 PC and a 28.8Kbit/s modem could access an NT network, though not through a direct dial-in and log-on attack.
Rather, access could be obtained via a "Trojan horse," which is a series of small programs embedded in a file that are sent to a user via email over a network. "All one of these NT users has to do is double-click on one of these programs to execute it and the program does what it's supposed to do," which is to retrieve plain text files of passwords, he said. "At some point, (the program) E-mails back the results. You wouldn't even know what hit you."
Dave Murphy, Damar Group, Ltd.'s President, warns that all NT networks are now at risk for attack. "Most networks have some access to the outside--either via remote access or direct Internet connectivity--unless tools such as RideWay or Instant Internet are implemented, no NT system administrator will be able to sleep confidently," he said.
Chris Goggans, senior networking security engineer at Wheelgroup, agreed that the hack code "makes NT or anything using Microsoft networking vulnerable to attacks." Now that NT "is being accepted into all kinds of environments, you're going to see all kinds of bugs come out," he said. But that shouldn't be surprising. After all, Goggans noted, "we're still seeing bugs coming out of 20-year-old Unix and NT is a baby in comparison."
Allison, a programmer at Cygnus Solutions, which provides Unix and NT desktop and cross-platform development tools, said he put in only three months of part-time work on the hack. "Microsoft's marketing has positioned NT as being much more secure than Unix. They're playing on people's fears," he said. But "their password-encryption mechanism obviously has some flaws in it. It's not as good as Unix's. They know that -- but I guess they'll really know it now."
The security-breaching code goes directly for the heart of the NT security system: the Security Accounts Manager (SAM), where the passwords reside. The code effectively exploits that area by "breaking" the hashing algorithm via a reverse-engineering technique.
"If someone can break into NT security," said Allison, "this allows them to dump out the password database and run a 'dictionary attack.' It's very easy because NT doesn't use 'salt,' data that avoids duplicate passwords (salt adds another level of complexity to the password-hashing algorithm). Instead, NT uses a very simple password-hashing algorithm."
On a positive note, by using this code NT system administrators can view the passwords established by users. For years UNIX administrators have used a program called Crack to open the password databases of their systems. But until now, NT administrators had no similar program.
"However, with this code available on the net, anyone with access to a network can effectively become a system administrator," said Dave Murphy, President of Damar Group, Ltd.
"NT is not as safe as it had been, because of this hack," Goggans said.
ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides.
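The missing salt that Allison describes in the article is easiest to see from the defender's side, in the stored values themselves. The following is an added example, not code from the article or from the utility it reports on: SHA-256 stands in for NT's hash, PBKDF2 is an assumed choice for the salted scheme, and the account names and passwords are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts: names and passwords are made up for this example.
ACCOUNTS = {"alice": "Spring97", "bob": "Spring97",
            "carol": "t4ngerine!", "dave": "Spring97"}
ROUNDS = 50_000  # assumed work factor for the salted scheme


def unsalted_hash(password):
    """Unsalted scheme: the stored value depends on the password alone.
    SHA-256 is a stand-in here, not NT's actual algorithm."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def salted_hash(password, salt=None):
    """Salted scheme: a random per-account salt is stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


def verify_salted(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def shared_hash_groups(table):
    """Audit check: groups of accounts whose stored values are identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def hashes_to_test(wordlist_size, n_accounts, salted):
    """Hash computations needed to try one wordlist against every account."""
    return wordlist_size * (n_accounts if salted else 1)


UNSALTED = {user: unsalted_hash(pw) for user, pw in ACCOUNTS.items()}
SALTED = {user: salted_hash(pw) for user, pw in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted, shared:", shared_hash_groups(UNSALTED))
    print("salted, shared:  ", shared_hash_groups(SALTED))
    print("hashes for a 100,000-word list:",
          hashes_to_test(100_000, len(ACCOUNTS), False), "vs",
          hashes_to_test(100_000, len(ACCOUNTS), True))
```

Without salt, the three accounts that share a password are visible as one group in the stored table and a single pass over a wordlist covers every account; with a per-account salt, no two stored values match and the wordlist has to be hashed again for each account.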
updated March 30, 1997