[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0305091100000.15980-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Hotmail & Passport (.NET Accounts)
May 08, Associated Press
Microsoft admits Passport was vulnerable. Computer researcher Muhammad
Faisal Rauf Danka of Pakistan discovered how to breach Microsoft Corp.'s
security procedures for its Internet Passport service. The service is
designed to protect customers visiting some retail Web sites, sending
e-mails and in some cases making credit-card purchases. Microsoft
acknowledged the flaw affected all its 200 million Passport accounts but
said it fixed the problem early Thursday, after details were published on
the Internet Wednesday night. Under a settlement with the Federal Trade
Commission (FTC) last year over lapsed Passport security, Microsoft
pledged
to take reasonable safeguards to protect personal consumer information
during the next two decades or risk fines up to $11,000 per violation. The
FTC's Jessica Rich said Thursday that each vulnerable account could
constitute a separate violation - raising the maximum fine that could be
assessed against Microsoft to $2.2 trillion. Source:
http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html
Thanks,
Ron DuFresne
On Fri, 9 May 2003, Darren Reed wrote:
> In some mail from adf--at--Code511.com, sie said:
> >
> > Is it me or ms never credit vulnerabilities according to
> > http://www.microsoft.com/security/passport_issue.asp "a report was
> > published detailing a security vulnerability(...)"? No more details or
> > credit.
>
> And they should because...? If you ask me, doing this for "fame and
> fortune" is really against what i would call traditional hacker ethic.
>
> > I also saw online news like http://www.vnunet.com/News/1140757 none
> > mentioned as it was said in Muhammad's post the issue was discovered, and
> > ms warned since 12th April 2003. Meaning it let opened user's account (40 m
> > users?) open for almost 3 weeks...
>
> that's ms marketting for you!
>
> but if you think "open for almost 3 weeks", think again.
>
> "_KNOWN_ open for almost 3 weeks" is more correct.
>
> if someone had of been less inclined to show off their skills in being
> able to reset hotmail passwords, it'd still be unknown and may have
> been "in use" for some time before that, if not by that person then
> by others. Will MS tell us? Not likely.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists