mailing list archives
Re: [w00giving '99 #11] IMail's password encryption scheme
From: steve () CELL2000 NET (Steven Alexander)
Date: Wed, 22 Dec 1999 11:48:07 -0600
Actually, ipswitch should do two things. They should protect the registry
keys so that all users cannot read the encrypted passwords. They should
also use stronger crypto so that in the case that someone does get access to
the registry keys, they cannot recover the passwords. This is important.
Suppose that someone can gain temporary access to the server, they should
not be able to recover the passwords so that they can use them in the
A user may be able to get to the administrator's desk while he/she is away
and get to those keys, but if they can get the administrator's password,
they can drop in anytime they want and remotely administer IMail...or the
machine if the administrator's password is the same for the
domain/workstation as it is for IMail. If they use security at all levels
it makes the job of an attacker much more difficult.
I'm really displeased that ipswitch hasn't fixed this problem already. It
is simple to protect the registry keys. Also, when their password scheme
was revealed to be very simple in (April?) they should have moved to
something much more secure, not just another different but simple scheme.
If they're reading, perhaps they should consider MD5 or another hash
----- Original Message -----
From: Mikael Olsson <mikael.olsson () enternet se>
To: Steven Alexander <steve () CELL2000 NET>
Cc: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, December 22, 1999 1:27 PM
Subject: Re: [w00giving '99 #11] IMail's password encryption scheme
It would seem that the best solution is to NOT try fixing the
red herring (crypto with locally stored key) problem.
The better solution would be to set the access rights
for the registry keys in question to only allow the user
running the IMail daemons, and the users that are supposed
to be able to locally administrate IMail.
Am I right or am I right?
(Btw, you can do this yourself; you don't have to wait
for ipswitch to release a fix)