Yet another security hole has been found in Microsoft's Windows NT 4.0 operating system.
Last week a US security consultant said NT's support of Virtual Private Networks (VPNs) was "screwed up royally".
Bruce Schneier, president of IT security specialist Counterpane, told PC Week he had found serious flaws in the implementation of Point-to-Point Tunnelling Protocol (PPTP) on Windows NT. "It uses weak authentication and poor encryption," he said. "For example, it uses the user's password as an encryption key instead of using any of the well-known and more secure alternatives. The mistakes are not subtle - they are 'kindergarten cryptographer' mistakes."
PPTP creates and maintains secure VPNs over TCP/IP. Schneier and his team found at least five major problems with Microsoft's implementation of PPTP. These include weak algorithms allowing eavesdroppers to learn users' passwords, a flaw in the challenge/reply protocol allowing attackers to masquerade as the server and unauthenticated messages that let attackers crash PPTP servers.
"I was really surprised at how bad the problem was," Schneier continued.
"If you're using Windows NT, then your VPN is not secure."
David Bridger, Windows NT server product manager at Microsoft, claimed that most of the problems revealed by Counterpane had already been fixed.
"If you have NT Service Pack 2 or later then you will not be vulnerable to this kind of attack," he said. "Security is an on-going process - nobody can have a 100% secure product when it comes out of the box."
But Schneier was testing NT 4.0 with Service Pack 3. He believes the problem is more serious than Microsoft imagines. "The problem has become deeper than Microsoft realises - it is not patchable," he argued. "Microsoft should rebuild it completely. "
Mark Raphael, analyst with the Meta Group, said the Counterpane demonstration showed that NT security is not sufficient on its own, but he added it was not just a problem for Microsoft. "VPNs are inherently insecure," he said. "Microsoft technology may have been weak because the code was new, but I don't think it is more of a problem than Unix VPNs. What is significant here is that NT is a very popular operating system for VPNs."
The site is perfectly situated for launching small satellites into orbit
Delegates at the ESOF 2018 conference were warned that their perceptions of the digital age were coloured by private industry
Concept vehicle uses gas turbine technology to generate electricity
Fresh from the notes of Ming-Chi Kuo of TF International Securities