MCI Telecommunications
internetMCI Security Group

Report Title: iMCI MIIGS Security Alert
Report Name: NT Password Security Issue
Report Number: iMCISE:IMCIAFCERT:040997:01:P1R1
Report Date: 04/09/97
Report Format: Formal Report
Classification: MCI Informational Report
Reference: http://www.security.mci.net
Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert List (MEALS) (names on file)

--------------------------------------------------------------------------

AIR FORCE COMPUTER EMERGENCY RESPONSE TEAM ADVISORY 97-19
04 Apr 97 - 1500 (GMT -6)

Subject: Windows NT and Windows 95 Password Vulnerability

1. The AFCERT has received information concerning password vulnerabilities in Windows NT and Windows 95.

2. Problem: Windows NT and Windows 95, under certain conditions, will transmit user names and passwords across the Internet to rogue server systems. Information on both the Windows NT and Windows 95 vulnerabilities can be found at http://www-genome.wi.mit.edu/WWW/faqs/wwwsf7.html#Q65

2.a. Windows NT. Windows NT will, under certain conditions, transmit the user name and encrypted password over the Internet. Microsoft Network (SMB) uses a challenge/response system. When a logon request is received, a challenge is sent by the server system to the user (client) system. The user's password is then encrypted using the challenge and sent to the server system. This is done automatically, without asking the user for confirmation. Normally at this point the server system will compare the encrypted password to the password list and either grant or deny access to the system. However, some servers (i.e., rogue servers) have been modified to accept the user's information and grant access.
This allows the rogue server to attempt a "dictionary attack" against any password received. A dictionary attack consists of encrypting dictionary words with the challenge and comparing the results with the encrypted password. Information on this vulnerability and a second similar vulnerability can be found at the following sites:

http://www.ee.washington.edu/computing/iebug/
http://www.efsl.com/security/ntie/

2.b. Windows 95. Because Windows 95 uses a less sophisticated authentication system, it will, under certain conditions, transmit the user name and password in the clear over the Internet to the rogue server. Information on this vulnerability can be found at http://www.security.org.il/msnetbreak/

According to Microsoft, this vulnerability will only affect a user if there is not a properly configured firewall or proxy server between the user's system and the Internet, and the user has Microsoft Network (SMB) enabled.

3. Platform: Windows 95 or Windows NT.

4. Damage: Potential compromise of computer systems and networks.

5. Solution: Block ports 137 and 139 (Microsoft Network - SMB traffic) at the router or firewall. Enforce good password selection to prevent dictionary attacks. The following text on choosing passwords is based on chapter 2 of AFSSI 5013 (available from the Air Force Communications Agency, http://infosphere.safb.af.mil/~sysi/sate/afssi.htm ).

You should use an alphanumeric password with at least one special character. Where technically feasible, the password should also consist of a combination of uppercase and lowercase letters. A good idea for choosing a password is to choose an easy-to-remember phrase, such as "by the dawn's early light", and take the first letter of each word to form a password. Throw in some punctuation or mixed-case letters as well. For the phrase above, one example password might be: Bt}deL{.
Syllables can also be formed from randomly generated letters in a consonant-vowel-consonant (cvc) pattern to create a pronounceable password; you can then randomly place a number or special character among the syllables. Using the cvc concept with two syllables, a number in the middle (cvc#cvc), and a special character at the end, the password could look like this: kar7Naq&.

Avoid passwords that are either all numbers or all letters to the greatest extent possible. Where possible, the user should create passwords that are case sensitive. Passwords must contain at least six characters. For best protection, passwords should contain at least eight alphanumeric characters. Passwords with more characters provide better protection. The chance of a potential perpetrator guessing the password and gaining access to the system is greater when a password is one character longer than it is with a length of eight characters. However, making the password even longer is risky because the user may not remember it.

Microsoft is working on patches for these vulnerabilities. The patch for Windows NT systems will ask the user for confirmation before transmitting the user name and password. More information can be found at http://www.micrsosoft.com/security/

6. If you are not part of the Air Force community, please contact your agency's response team to report incidents. Other teams include the DISA ASSIST team, the Army's ACERT, the Navy's NAVCIRT, DARPA's CERT/CC, and DOE's CIAC. Your agency's team will coordinate with the AFCERT.

7. AFCERT Advisories, ASSIST Bulletins, the DoD anti-viral product and other security tools are available on the anonymous ftp server. For those systems without Internet access, AFCA/SYSI maintains the Security Awareness, Training, and Education (SATE) Bulletin Board, DSN 576-4545.
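The password guidance in section 5 above, turned into a small checker and generator (an added example, not part of the AFCERT advisory or of AFSSI 5013; the function names, the rule ordering and the special-character set used by the generator are my own choices):

```python
import secrets
import string

# Rules distilled from section 5 of the advisory (based on AFSSI 5013, chapter 2).
MIN_LEN = 6          # "must contain at least six characters"
RECOMMENDED_LEN = 8  # "for best protection ... at least eight"
SPECIALS = set(string.punctuation)


def check_password(pw: str) -> list[str]:
    """Return the advisory rules a password violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if pw.isalpha():
        problems.append("all letters")
    if pw.isdigit():
        problems.append("all numbers")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    return problems


def recommended(pw: str) -> bool:
    """True when the password passes every rule and also meets the eight-character advice."""
    return not check_password(pw) and len(pw) >= RECOMMENDED_LEN


def phrase_initials(phrase: str) -> str:
    """First letter of each word, the starting point of the "by the dawn's early light" method."""
    return "".join(w[0] for w in phrase.split() if w[0].isalpha())


CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"


def cvc_password(rng=secrets) -> str:
    """Build the cvc#cvc& form: two pronounceable syllables, a digit between them,
    one capitalised syllable for mixed case, and a special character at the end."""
    def syllable():
        return rng.choice(CONSONANTS) + rng.choice(VOWELS) + rng.choice(CONSONANTS)
    first, second = syllable(), syllable()
    # Special-character set is a constructed choice; any punctuation satisfies the rule.
    return first + rng.choice(string.digits) + second.capitalize() + rng.choice("!@#$%^&*")
```

Both passwords the advisory gives as examples pass the checker; only the eight-character kar7Naq& also meets the recommended length.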
*************************************************************************
*  AFIWC/EACA                          DSN: 969-3157                    *
*  102 HALL BLVD STE 215               COML: (210) 977-3157             *
*  SAN ANTONIO TX 78243-7013           HOTLINE: 1(800) 854-0187         *
*                                                                       *
*  e-mail: afcert@afcert.kelly.af.mil  UNCLAS FAX: DSN 969-3632         *
*  ftp server: afcert.kelly.af.mil     SECURE FAX: DSN 969-3633         *
*  http: www.afcert.kelly.af.mil       ip address: 137.242.142.199      *
*************************************************************************