[ISN] Netscape security flaw revealed
From: mea culpa (jerichoDIMENSIONAL.COM)
Date: Mon Dec 20 1999 - 03:19:14 CST
Forwarded From: "John Q. Public" <tpublicdimensional.com>
By Sharon Cleary, WSJ Interactive Edition
December 15, 1999 5:50 AM PT

A software-security firm warned that its researchers have found a
potentially serious security flaw in the e-mail system used by Netscape's

Reliable Software Technologies, a Sterling, Va., software-security
company, said Tuesday that two RST engineers needed just eight hours to
duplicate the mathematical algorithm Netscape Mail uses to scramble users'
passwords. The company said the problem affects all current versions of

Gary McGraw, vice president for corporate technology at RST, said the
Netscape algorithm was "not an obvious sitting duck -- [the password]
appears to be scrambled up in a good way, but it's not cryptographically
strong." That would allow a determined hacker to reverse-engineer the
algorithm and figure out the password.

Officials of Netscape, now a division of Dulles, Va.-based America Online
Inc. (NYSE: AOL, were concerned by the news but said the unit has no plans
to change its algorithm. [sic, bad parens]

Chris Saito, the senior director for product management at Netscape, said
that the option to save a password locally was included for convenience.
Saito added that Netscape didn't use a stronger encryption algorithm to
protect passwords so that "computer experts could still access the
information, in case someone forgot their password."