lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0305091100000.15980-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Hotmail & Passport (.NET Accounts)

May 08, Associated Press
Microsoft admits Passport was vulnerable. Computer researcher Muhammad
Faisal Rauf Danka of Pakistan discovered how to breach Microsoft Corp.'s
security procedures for its Internet Passport service. The service is
designed to protect customers visiting some retail Web sites, sending
e-mails and in some cases making credit-card purchases. Microsoft
acknowledged the flaw affected all its 200 million Passport accounts but
said it fixed the problem early Thursday, after details were published on
the Internet Wednesday night. Under a settlement with the Federal Trade
Commission (FTC) last year over lapsed Passport security, Microsoft
pledged
to take reasonable safeguards to protect personal consumer information
during the next two decades or risk fines up to $11,000 per violation. The
FTC's Jessica Rich said Thursday that each vulnerable account could
constitute a separate violation - raising the maximum fine that could be
assessed against Microsoft to $2.2 trillion. Source:
http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html



Thanks,

Ron DuFresne

On Fri, 9 May 2003, Darren Reed wrote:

> In some mail from adf--at--Code511.com, sie said:
> >
> > Is it me or ms never credit vulnerabilities according to
> > http://www.microsoft.com/security/passport_issue.asp  "a report was
> > published detailing a security vulnerability(...)"? No more details or
> > credit.
>
> And they should because...?  If you ask me, doing this for "fame and
> fortune" is really against what i would call traditional hacker ethic.
>
> > I also saw online news like http://www.vnunet.com/News/1140757 none
> > mentioned as it was said in Muhammad's post the issue was discovered,  and
> > ms warned since 12th April 2003. Meaning it let opened user's account (40 m
> > users?) open for almost 3 weeks...
>
> that's ms marketting for you!
>
> but if you think "open for almost 3 weeks", think again.
>
> "_KNOWN_ open for almost 3 weeks" is more correct.
>
> if someone had of been less inclined to show off their skills in being
> able to reset hotmail passwords, it'd still be unknown and may have
> been "in use" for some time before that, if not by that person then
> by others.  Will MS tell us?  Not likely.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ