Interesting People mailing list archives
IP: security, as usual, starts at home
From: David Farber <farber () cis upenn edu>
Date: Fri, 23 May 1997 18:34:40 -0400
AT&T WorldNet Security Breach an Inside Job
by Brian McWilliams, PC World News Radio
May 23, 1997

PC World Online's ongoing investigation into security at the AT&T WorldNet service has revealed that WorldNet user names and passwords were not recently stolen through an Internet traffic monitoring technique known as "packet sniffing." Instead, a source now says that about 20 WorldNet user names and passwords were gleaned by a corporate network administrator from the hard disks of PCs on a LAN that he managed. The user sign-on data was stored in plain text format on systems as part of the WorldNet client software installation procedure, according to the source.

While unencrypted and thereby readable by anyone with physical access to the PC, or network access via the LAN, the user sign-on data could not be gained by other WorldNet members or by Internet users at large. To monitor user changes to the WorldNet account access page, an individual would need to have "super user" account status on WorldNet's servers, according to Simson Garfinkel, author of Web Security and Commerce (O'Reilly, June 1997).

While the WorldNet security breach is considerably smaller than originally reported, storing unencrypted passwords on personal computer hard disks is dangerous, said computer security expert Stephen Cobb. "The client is really the weak link in client/server computing [security]," according to Cobb. He advises users to commit passwords to memory and not store them, even encrypted, on their machines, in the event that the PC is stolen or accessed without authorization.

At least one other major online service provider, CompuServe, encrypts users' passwords when it stores them in the client software's initialization files, according to spokesperson Gail Whitcomb.

AT&T WorldNet officials disabled the service's account access page earlier this week after reports that subscriber credit card, e-mail, and other personal information might be accessible to outsiders.
Patrick Cline, a WorldNet subscriber who works as a database engineer for a Georgia-based software company, previously told PC World Online that he and an associate had collected WorldNet user account information as a way to demonstrate a potential security hole at the service. At the time, Cline said his associate had collected Internet packet data using a sniffer program, and Cline sorted through the data to find the account information. Cline later discovered that his associate had gathered the data from hard disks on a LAN, not over the open Internet. An AT&T WorldNet spokesperson said the company has no immediate plans to take legal action against the two men.
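The exposure described in the article, sign-on credentials left in plain text in a client's configuration files where anyone with disk or LAN access to the PC can read them, is the kind of thing an administrator can audit for. The script below is an added example, not part of the forwarded article and not based on the WorldNet client's actual file layout, which the text does not describe; the INI section and key names, the credential-key pattern and the three sample files are constructed assumptions. It walks a directory tree, reports every INI entry that holds a non-empty credential value, and then blanks those values so the client has to prompt for the password, which follows Cobb's advice not to keep the password on the machine at all.

```python
"""Audit INI-style client configuration files for stored sign-on credentials.

Added example. The real WorldNet client format is unknown to this code; the
key names, sections and sample files are assumptions made for illustration.
"""
import configparser
import os
import re
import tempfile
from typing import List, Tuple

# Key names that commonly hold a sign-on secret (assumed list; extend as needed).
SECRET_KEY_RE = re.compile(r"^(pass(word|wd)?|pwd|secret)$", re.IGNORECASE)

# Constructed sample files standing in for a client installation directory.
# dialer.ini has a stored password, mail.ini has an empty one, display.ini none.
SAMPLE_FILES = {
    "dialer.ini": "[Account]\nUserName=jdoe\nPassword=hunter2\nPhone=555-0100\n",
    "mail.ini": "[POP3]\nServer=pop.example.net\nUser=jdoe\nPwd=\n",
    "display.ini": "[Window]\nWidth=640\nHeight=480\n",
}


def _load(path: str) -> configparser.ConfigParser:
    """Parse one INI file, preserving key case and disabling % interpolation."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep "Password" rather than folding to "password"
    parser.read(path, encoding="latin-1")
    return parser


def scan_ini(path: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every non-empty credential field in one file."""
    findings = []
    parser = _load(path)
    for section in parser.sections():
        for key, value in parser.items(section):
            if SECRET_KEY_RE.match(key) and value.strip():
                findings.append((section, key, value))
    return findings


def scan_tree(root: str) -> List[Tuple[str, str, str, str]]:
    """Walk root and collect (relative file, section, key, value) for stored secrets."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".ini"):
                full = os.path.join(dirpath, name)
                for section, key, value in scan_ini(full):
                    results.append((os.path.relpath(full, root), section, key, value))
    return results


def strip_stored_secrets(path: str) -> int:
    """Blank stored secret values so the client must prompt; return the count blanked."""
    parser = _load(path)
    removed = 0
    for section in parser.sections():
        for key in list(parser[section]):
            if SECRET_KEY_RE.match(key) and parser[section][key].strip():
                parser[section][key] = ""
                removed += 1
    if removed:
        with open(path, "w", encoding="latin-1") as fh:
            parser.write(fh)
    return removed


def demo() -> Tuple[List[Tuple[str, str, str, str]], List[Tuple[str, str, str, str]]]:
    """Write the constructed samples to a temp dir, scan, remediate, rescan."""
    root = tempfile.mkdtemp(prefix="client_audit_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
            fh.write(body)
    before = scan_tree(root)
    for rel in {finding[0] for finding in before}:
        strip_stored_secrets(os.path.join(root, rel))
    after = scan_tree(root)
    return before, after


if __name__ == "__main__":
    found, remaining = demo()
    for rel, section, key, value in found:
        print(f"{rel}: [{section}] {key} holds a stored value ({len(value)} chars)")
    print(f"stored secrets remaining after remediation: {len(remaining)}")
```

Run against a real client directory, scan_tree gives the administrator the same view the insider in the article had, which is the point: if the scan finds a value, so can anyone else with read access to the disk or the LAN share. Note that configparser rewrites the whole file on remediation, so run it on a copy first if the client is sensitive to formatting.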