Microsoft 'Windows'
Security Under Heavy Fire


From: Bill Kingsbury <kingsbry@gte.net>
From: Para <para@CLARA.NET>
12-8-99

 
In an extraordinary ABC News feature on 3 September 1999, it was alleged that every version of Windows 98 and Windows NT contains a special programme to encrypt sensitive data, from e-mails and documents to e-commerce transactions over the Internet.
 
The programme is called the cryptoAPI, and it uses an encryption key, managed by Microsoft Corporation, to lock and unlock the sensitive data stored on a computer and sent across the Internet. Instead of having each application do the number crunching, Windows does it for them.
 
But there's not just one key -- there are two. In an analysis published on the Internet, the head of a Canadian security firm, Cryptonym, claims that the two keys have existed within Windows since the later versions of Windows 95.
 
He adds that the second key is labelled 'NSAKEY' within the latest service pack for Windows NT 4.0, the Windows operating system widely used in servers and corporate work-stations.
 
Some analysts have speculated that the first three letters - NSA - could stand for America's super secret National Security Agency: an intelligence organisation charged with cracking codes and encryption schemes.
 
"We've never known what the second key was for," Cryptonym founder Andrew Fernandes told ABC News, "but it's certainly possible that it's for law enforcement or espionage purposes."
 
 
How Windows Crypto Works
 
Encryption is used to encode e-mail messages, documents and Internet transactions. In the case of computers, the code can consist of dozens, or hundreds, of ones and zeros. The lowest government-approved encryption standard, a key 56 binary digits (bits) long, took 22 hours to break.
 
The cryptoAPI essentially lets software developers write programmes that simply plug into Microsoft's encryption scheme, instead of having to write their own.
 
Microsoft manages the keys, and can provide access to the data or transactions at the request of the user, or of a duly authorised third party.
 
In the case of corporate users, other people within the corporation could have access to the key as well. But that still didn't answer the question: why two keys?
 
 
Federal Government Wants 'Backdoor' Key
 
The U.S. Commerce Department has maintained strict controls on the export of strong encryption software. U.S. companies can export these overseas -- provided the U.S. government receives a key to that encryption.
 
In 1997 U.S. companies were given two years to change their policies to comply.
 
The government's key is often called the 'backdoor' key. It's unclear whether the cryptoAPI falls under the Commerce Department regulations, but when it comes to APIs, Microsoft does not change its encryption schemes to account for the laws in different nations.
 
Thus, the two-key scheme isn't just on computers overseas, but also on machines running in the United States.
 
"Talk of NSA involvement aside, one could say that Microsoft has complied with these regulations, and is including two keys," says Peter Tippett, chairman of ICSA Incorporated, a Reston, Virginia, based security consulting firm.
 
 
Who Has the Second Key?
 
Meanwhile, Fernandes says he's come up with a way to change the second key into anything else the user wants. If he or she wants strong, 256-bit encryption, it can be installed in place of 'NSAKEY.'
 
This means that virus programmes or hacking exploits can be written to change the key without the users' knowledge. Thus, if users do not maintain 'safe computing' practices, they could very well find their strong encryption replaced with no encryption at all, exposing their data to anyone interested in it.
 
Microsoft and the NSA did not immediately answer repeated requests by ABC News for comment, but Russ Cooper, a Windows NT security expert and editor of the Web site NTBugTraq, has reported that the NSA insisted that Microsoft include the second key, though that could not be independently confirmed.
 
And then there's the trust issue.
 
"Microsoft has not been forthcoming on this issue," Fernandes claimed. "If I don't know anything about this second key, how the hell do I know what else Microsoft has stuck in their code? We've never known what the second key was for, but it's certainly possible that it's for law enforcement or espionage purposes.
 
"By adding the NSA's key, they have made it easier -- not easy, but easier -- for the NSA to install security components on your computer without your authorisation or approval," Fernandes said.
 
 
Microsoft Refutes Windows 'Spy Key' Allegations
 
Within 24 hours of the ABC News story, Microsoft vehemently denied allegations by Fernandes that its Windows platform contains a backdoor designed to give the NSA access to personal computers and that the agency has anything to do with the key.
 
"The key is a Microsoft key -- it is not shared with any party including the NSA," said Windows NT security product manager Scott Culp. "We don't leave back-doors in any products."
 
Culp said the key was added to signify that it had passed NSA encryption standards.
 
In previous versions of Windows, Fernandes said Microsoft had disguised the holder of the second key by removing identifying symbols. But while reverse-engineering Windows NT Service Pack 5, Fernandes discovered that Microsoft left the identifying information intact and discovered that the second secret key is labelled 'NSAKEY.'
 
Microsoft said 'NSAKEY' signifies that it satisfies security standards.
 
Through its 'signals intelligence' division, the NSA listens in on the communications of other nations throughout the world, principally from RAF Menwith Hill, situated in North Yorkshire, England.
 
The agency also operates Echelon, a global eavesdropping network that is reportedly able to intercept just about any form of electronic communications anywhere in the world, but is forbidden by law from eavesdropping on American citizens.
 
Marc Briceno, director of the Smartcard Developer Association, said the inclusion of the key could represent a serious threat to e-commerce. "The Windows operating-system-security compromise installed by Microsoft on behalf of the NSA in every copy of Windows 95, 98, and NT represents a serious financial risk to any company using MS Windows in e-commerce applications," Briceno wrote in an e-mail.
 
"With the discovery of an NSA backdoor in every copy of the Windows operating systems sold worldwide, both US and especially non-US users of Microsoft Windows must assume that the confidentiality of their business communications has been compromised by the US spy agency," Briceno said.
 
Briceno coordinated the team that broke the security in GSM cell phones, demonstrating that the phones are subject to cloning -- a feat the cellular industry had thought impossible.
 
But Microsoft's Culp said all cryptography software intended for export must be submitted to a National Security Agency review process. He said that the key was so named to indicate that it had completed that process and that it complied with export regulations.
 
"The only thing that this key is used for is to ensure that only those products that meet US export control regulations and have been checked can run under our crypto API (application programming interface)," Culp said.
 
"It does not allow anyone to start things, stop services, or allow anything [to be executed] remotely," he said. "It is used to ensure that we and our cryptographic partners comply with United States crypto export regulations. We are the only ones who have access to it."
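The check Culp describes (a crypto module runs only if it carries a signature that one of the keys embedded in the API trusts) and the consequence Fernandes draws from the second key being replaceable can be modelled in a few lines. This is an added illustration, not Microsoft's code or Fernandes's tool: it uses a toy textbook RSA with tiny primes, a constructed sample module, and the assumed names `provider_accepted`, `MS_PUB` and `KEY2_PUB` to stand in for the two embedded keys.

```python
import hashlib

# Toy textbook RSA (tiny primes, no padding) used ONLY to model the
# signature check; constructed for illustration, not CryptoAPI's real code.
def toy_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))      # (public, private)

def digest(blob):
    return int(hashlib.sha256(blob).hexdigest(), 16)

def sign(blob, priv):
    n, d = priv
    return pow(digest(blob) % n, d, n)

def verify(blob, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(blob) % n

# Two embedded verification keys, as the article describes: a module is
# accepted if its signature checks against EITHER of them.
MS_PUB, MS_PRIV = toy_keypair(61, 53)
KEY2_PUB, KEY2_PRIV = toy_keypair(67, 71)

def provider_accepted(blob, sig, trusted_pubs):
    """Model of the load-time check: any trusted key may vouch for a module."""
    return any(verify(blob, sig, pub) for pub in trusted_pubs)

def demo():
    trusted = [MS_PUB, KEY2_PUB]
    module = b"constructed sample crypto provider module"   # constructed input
    other_pub, other_priv = toy_keypair(89, 97)             # an unrelated signer
    sig_other = sign(module, other_priv)
    # Whoever can edit the key table decides what loads; this is why the
    # article treats a rewritable second key as a risk, and why the
    # integrity of that table is the real root of trust to protect.
    edited_table = [MS_PUB, other_pub]
    return {
        "vendor_key_accepts": provider_accepted(module, sign(module, MS_PRIV), trusted),
        "second_key_accepts": provider_accepted(module, sign(module, KEY2_PRIV), trusted),
        "unknown_signer_rejected": not provider_accepted(module, sig_other, trusted),
        "unknown_signer_after_table_edit": provider_accepted(module, sig_other, edited_table),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model makes the article's two points concrete: either key holder alone can authorise a module, and the trust placed in the key table only holds as long as the table itself cannot be altered.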
 
Fernandes made the discovery in early August, he said, but collaborated with the Berlin-based Chaos Computer Club and other experienced hackers worldwide before releasing the information.
 
"We coordinated this through the worldwide hacker scene," said Andy Muller-Maguhn of the CCC. "It was important to American hackers that it not only be mentioned in America but also in Europe.
 
"For American citizens it seems to be normal that the NSA is in their software. But for countries outside of the United States, it is not. We don't want to have the NSA in our software."
 
Coming less than a week after Microsoft was rocked by the embarrassing news that its Hotmail system could be easily penetrated, the latest disclosure could prove damaging to the software giant.
 
"Say I am at a large bank, and I have the entirety of our operation working on Windows," Fernandes said. "That is a little more serious. The only people who could get in there are the NSA, but that might be bad enough.
 
"They have to first manage to download a file into your machine. There may be back-doors that allow them to do that... I would be shocked and surprised if the NSA bothered with individuals. What is more of a concern is security systems for a large bank or another data centre. Or even a Web server firm.
 
"The result is that it is tremendously easier for the NSA to load unauthorised security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system.
 
"The US government is currently making it as difficult as possible for 'strong' crypto to be used outside of the US; that they have also installed a cryptographic backdoor in the world's most abundant operating system should send a strong message to foreign IT managers," he said.
 
But Fernandes did not want to set off a panic -- or at least not for everyone.
 
"I personally don't care if the NSA can get into my machine, because I think they have better ways of spying on me as a person," Fernandes said. "But if I was a chief executive officer of a large bank, that would be a different story."
 
Before Microsoft's explanation, many leading cryptographers said they were convinced it was a key for the NSA.
 
"I believe it is an NSA key," said Austin Hill, president of anonymous Internet service company Zero-Knowledge Systems. "We walked through it and talked about all the scenarios why it is there, and this was our conclusion," said Hill.
 
He said that he and Zero-Knowledge's chief scientist, Ian Goldberg, did not believe the key's name is a joke placed there by a Microsoft programmer -- one possible explanation.
 
"Microsoft has not shown incredible competence in the area of security," Hill added. "We call on Microsoft to learn about open security models that provide independent verification of design. No secure system is based on security by obscurity."
 
_____
 
Thanks to: ABC News, Andrew Gingery, Andrew Fernandes, Mark Hall, Robert Collins, Steve Kettmann, James Glove and the NSA (No Such Agency or Never Say Anything...).