Interesting People mailing list archives

IP: security, as usual, starts at home


From: David Farber <farber () cis upenn edu>
Date: Fri, 23 May 1997 18:34:40 -0400

AT&T WorldNet Security Breach an Inside Job
by Brian McWilliams, PC World News Radio 


May 23, 1997
PC World Online's ongoing investigation into security at the AT&T WorldNet
service has revealed that WorldNet user names and passwords were not
recently stolen through an Internet traffic monitoring technique known as
"packet sniffing."


Instead, a source now says that about 20 WorldNet user names and passwords
were gleaned by a corporate network administrator from the hard disks of
PCs on a LAN that he managed. The user sign-on data was stored in plain
text format on systems as part of the WorldNet client software installation
procedure, according to the source.


While unencrypted and thereby readable by anyone with physical access to
the PC, or network access via the LAN, the user sign-on data could not be
gained by other WorldNet members or by Internet users at large.


To monitor user changes to the WorldNet account access page, an individual
would need to have "super user" account status on WorldNet's servers,
according to Simson Garfinkel, author of Web Security and Commerce
(O'Reilly, June 1997).


While the WorldNet security breach is considerably smaller than originally
reported, storing unencrypted passwords on personal computer hard disks is
dangerous, said computer security expert Stephen Cobb.


"The client is really the weak link in client/server computing [security],"
according to Cobb. He advises users to commit passwords to memory and not
store them, even encrypted, on their machines, in the event that the PC is
stolen or accessed without authorization.


At least one other major online service provider, CompuServe, encrypts
users' passwords when it stores them in the client software's
initialization files, according to spokesperson Gail Whitcomb.
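The weakness the article describes (sign-on data written in plain text into the client's files at install time) and the contrast with a client that stores the value in an opaque form can be checked for with a small audit. The following is an added example, not part of the article or of any AT&T or CompuServe software; the three initialization files are constructed samples, and the key and value patterns are heuristics chosen here. Following Cobb's advice, it reports every stored credential, and additionally marks those stored readable as-is:

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample initialization files (not real WorldNet or CompuServe files).
PLAINTEXT_INI = """
[Account]
UserName=jdoe
Password=hunter2
Server=dialup.example.net
"""

OPAQUE_INI = """
[Login]
UserID=jdoe
Password=3f1a9c0e7b2d4c8a9f0e1d2c3b4a5968
"""

NO_SECRET_INI = """
[Dialer]
Phone=555-0100
"""

# Keys that usually hold a credential (assumed pattern, adjust per client).
CRED_KEY = re.compile(r"(pass(word|wd)?|pwd|secret)", re.IGNORECASE)
# Long hex or base64-looking values are treated as opaque (hashed or encrypted);
# anything else is readable by whoever can open the file.
OPAQUE_VALUE = re.compile(r"^(?:[0-9a-fA-F]{32,}|[A-Za-z0-9+/]{24,}={0,2})$")


def audit_ini(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, severity) for every stored credential.
    'plaintext' means the value is readable as-is; 'stored' means it is kept
    in an opaque form, which is still a risk if the PC is stolen."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case for reporting
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not CRED_KEY.search(key) or not value:
                continue
            severity = "stored" if OPAQUE_VALUE.match(value) else "plaintext"
            findings.append((section, key, severity))
    return findings


if __name__ == "__main__":
    for name, text in [("plaintext", PLAINTEXT_INI), ("opaque", OPAQUE_INI), ("none", NO_SECRET_INI)]:
        print(name, audit_ini(text))
```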


AT&T WorldNet officials disabled the service's account access page earlier
this week after reports that subscriber credit card, e-mail, and other
personal information might be accessible to outsiders.


Patrick Cline, a WorldNet subscriber who works as a database engineer for a
Georgia-based software company, previously told PC World Online that he and
an associate had collected WorldNet user account information as a way to
demonstrate a potential security hole at the service. At the time, Cline
said his associate had collected Internet packet data using a sniffer
program, and Cline sorted through the data to find the account information.
Cline later discovered that his associate had gathered the data from hard
disks on a LAN, not over the open Internet.


An AT&T WorldNet spokesperson said the company has no immediate plans to
take legal action against the two men.

