August 26, 2002

Reuters Company News

Computer expert says can break Microsoft security

By Peter Andersson

STOCKHOLM, Aug 26 (Reuters) - Software security widely used for Internet banking and e-commerce can be easily circumvented, and customer accounts at several of Sweden's largest banks remain at risk as a result, a computer expert said on Monday.

The Swedish hacking expert, who is well known in computer security circles, but asked not to be named, demonstrated to Reuters how it was possible within minutes to break through security on Web server software from Microsoft Corp. (NasdaqNM:MSFT - News).

The expert showed how to crack the security systems for Internet banking, breaking into three of Sweden's big four banks in quick succession. He was then able to show how to conceal his tracks, making detection difficult afterward.

While stopping short of breaking into customer accounts, the hacker-turned-consultant said an intruder could have hidden instructions to transfer sums into a separate account when the customer authorises a payment from his Internet bank account.

He relied on a variation of a weakness that came to light two weeks ago in Microsoft's implementation of Secure Socket Layer (SSL), an industry standard for transmitting credit card numbers and account passwords via the Web.

"It's a protocol which is very easy to break through," the computer expert said, adding that, "The protocol doesn't provide the security the users think it does."

The attack technique exploited a combination of vulnerabilities over which Microsoft exerts only partial control. A large share of the blame should fall on network administrators inside banks and other organizations who fail to install Microsoft's software properly, he said.

Using the method, an attacker can log in as a Web site customer using certificate authentication and gain access to the Web site's root directory and, from there, enter the organization's internal network.

MICROSOFT AND BANKS DOWNPLAY IMMINENT THREAT

Microsoft has responded to recent reports about the SSL flaw by admitting its existence, saying they are working to develop a fix, but also by downplaying the notion that the flaw poses any widespread security threat.

"Such techniques are difficult, temporary, and generally require favorable network (layout)," the company states on a Microsoft technical discussion site located at http://www.microsoft.com/technet/default.asp

Microsoft in Sweden denied that SSL could be breached in the way shown to Reuters.

"I can't even see the theoretical possibility for it to happen", said Mats Lindkvist, responsible for security at Microsoft in Sweden.

The unnamed expert said an attacker could breach security via hundreds of computers, making detection of the criminal almost impossible, as it might take the police up to four to five months just to follow a trail through 10 computers.

Mike Benham, the San Francisco privacy advocate and security consultant who first revealed the SSL flaw, offered a technical description of how this works: "An attacker could transparently proxy (invisibly transfer) a victim's traffic to the real secure site, while intercepting and logging all the data."

Microsoft embarked earlier this year on what it called a "trustworthy computing" campaign to improve the security of its software. The company was responding to a mounting outcry over widely publicized software security breakdowns.

The four Swedish banks are not unique. According to computer experts, many of the world's major financial institutions are similarly vulnerable because they rely on software using the industry-accepted SSL protocol.

All four major Swedish banks said they were not aware of any break-ins into their systems. But spokesmen at some of them said no system could be perfect.

"If man can fly to the moon, sooner or later someone will be able to circumvent the security systems," Swedbank's head of press relations, Jesper Berggren, told Reuters.

"As far as I can tell no system will ever be 100 percent secure. To say that our systems are 100 percent secure would be presumptuous," added Handelsbanken's information director, Lars Lindmark.

TIP OF THE ICEBERG

But computer experts say banks remain highly vulnerable.

"There's been a lot of denial," said Peter Neumann, principal scientist at Silicon Valley think-tank SRI International and one of the world's authorities on computer security.

Such flaws result from a mix of fatalistic acceptance and technical ignorance, he said. "'Everything is fine,' banks say. That's clearly nonsense. Pretty much everything is vulnerable -- certainly more so with a little bit of insider knowledge."

Computer security expert Lars-Olov Guttke at Swedish security firm Deprotect said his company had managed to use hidden instructions to transfer tens of millions of dollars from an account at a leading European bank.

The bank had asked Deprotect to test its security systems.

After two weeks, Guttke told the bank about the transfers, which had not been detected. The key factor was that the sums transferred secretly were not big enough to alert the system.

"It might take a few days to figure out how to make the intrusion, but once you've done that it doesn't take very long to break through the systems," Guttke said.

Guttke said banks spent huge amounts to secure their customer-facing systems but tend to neglect internal systems giving access to their networks. Security veteran Neumann agreed, saying that former insiders may pose a bigger threat.

Information about the level of computer-related crime is scarce because few crimes are reported. Companies fear bad publicity and additional costs if the weaknesses of their security systems become known.