evX recently received an article submission that purported to show how to hack the Passport security model. Much excitement among the editorial staff over the prospect of reporting a vulnerability was quashed quickly when the article turned out to be nothing more than directions to copy Passport's login screen and authentication message while displaying a faked URL in the browser's address bar. The code behind the faked login screen then captures the entered username and password.
This is not a novel hacking technique; in fact, anyone with a modicum of HTML and scripting knowledge would find it trivial to implement. But a little research turned up more sophisticated versions that grab the user's authentication information and then act as a proxy; in other words, they act as intermediaries for all future communication with the Passport server with that browser instance.
Faking login screens to fool users into entering their username and password has a long history; I remember cautions about faked login screens even on the University of Illinois CERL PLATO system in the 1980s, so it's an old trick. It wouldn't even be particularly newsworthy except that, as Passport-enabled sites become more common, this particular hack will become more prevalent as well. Users quickly become accustomed to entering their information in the Passport login screen. The fact that Microsoft allows co-branded login screens increases the likelihood of faked versions, and forces people to follow preventive measures that can protect them from falling victim to this particular scam.
Don't Be a VictimLogin at Passport.com
As a Passport account holder, what can you do to avoid becoming a victim of the "fake login screen" hack? The best way is to follow one simple rule: Never log in to Passport except through Hotmail or the main Passport site at http://www.passport.com/. When you see the Passport logo on a site, ignore it; go to Passport, sign in, and then return to the site. Savvy (and careful) Web users can check the URL to ensure that the page will post to the correct location, but that isn't quite as straightforward as it sounds; for example, you might miss a slight misspelling in the URL, which could send your information to a malevolent site, or hidden frames on the page may run code to grab the Passport authentication cookie. It's better to log in where you can be reasonably certain that it's safe.
Microsoft recently incorporated a new type of API-based HTTP authentication in Windows XP. In XP, you can log into Passport through a local dialog rather than a publicly accessible Web page, which greatly reduces risks for people running that OS. If you're running XP, and you see a Passport login screen on some Web site, don't use it; use your client-side login instead. The downside is that it's up to you to remember to log out when you don't need to be on the Passport system anymore.
You may assume that fake login screens are uncommon, and that you're unlikely to run into a site that would implement them. Also, you may think that because the Passport login screen is copyrighted, and therefore illegal to copy for display on a site, that fear of Microsoft reprisal will have a chilling effect on the prevalence of this technique. That may be true to some degree, but searching Google with this search query: "Passport fake login screen" turns up 342 hitsand some contain detailed directions for hacking Passport. Fear of punishment may not be enough of a deterrent.
Usernames and Passwords are Inherently Insecure
Having a Passport account is convenient, and it may eventually prove to be indispensable, but only if users feel assured that their information is secure. As a method of authentication, usernames and passwords are inherently insecure, because they can be stolen or guessed. In addition, they're expensive, because users forget them constantly, as any network administrator can attest. Other common solutions, such as smart cards, aren't much better because people lose the cards.
Fortuitously, biometric recognition technology such as fingerprint and retinal scanning, and facial recognition is becoming increasingly accurate just as the hardware to implement it is becoming more affordable. If you're the paranoid type, you might want to eschew Passport until biorecognition is more commonplacewhich won't be long, as the threat and fear of terrorism is expediting progress in this field.
Should the Media Publish Hacks?
Not all the discussion raised by the recent article submission was technical. There's a question as to whether the media should publish security hacks. While DevX won't knowingly publish malevolent code, in many cases, publishing the idea behind an attack is tantamount to publishing the code itself. For example, publishing the code to copy the Passport login screen is completely unnecessary after presenting the idea of doing soanyone can view the HTML source for the page. However, despite the risks of publishing information about hacks, there are some valid reasons for doing so.
For example, manufacturers may drag their feet in fixing known security vulnerabilities as long as the risks are not widely knownbut often respond quickly to public announcements of such risks. Similarly, users may neglect to install patches even when they're available until apprised of the seriousness of the risks to which they are exposed by not patching them. Of course, a patch wouldn't help in this particular instance, but in general, publishing information about hacks and their risks may goad users into fixing the vulnerabilities, and that, in turn, reduces the effectiveness of the hack itself.
On the other side of the debate, giving any publicity whatsoever to malicious ideas may simply raise the danger level by making more people aware that such ideas are both possible and viable. Again, this editorial is an example. People who might not have thought of faking a login screen may be tempted to do so after reading that it's possible. Such information might be better left unpublished. Also, publishing information about hacks may increase the likelihood of variants. As people copy and reproduce hacks, the pace of mutation increases and security risks become more difficult to prevent via virus-checkers and public warnings about what to watch for.
We're interested in your opinion: Should the media publish detailed information about malicious code or just provide general warnings and help people obtain protection?