DominoSecurity Newsletter (from DominoSecurity.org)
Date: 07/02/2004
Title: Web account vulnerability via Soundex and bad passwords
Contents:
Hello DominoSecurity readers,
A new vulnerability has been reported by InfoScreen that relates to "weak web authentication" (the Domino Internet Authentication setting "More name variations with lower security") and the use of Soundex strings. The problem is a combination of two facts:
1) Multiple Domino web usernames can resolve to the same Soundex string. Soundex is a phonetic code (one letter plus three digits), so distinct names such as Smith, Smythe and Schmidt all collapse to one code.
2) With weak web authentication, Domino allows users to log on using the Soundex string for their name instead of the name itself.
An attacker can exploit this by submitting Soundex strings as usernames, paired with common passwords. Each guess is checked against every account whose name shares that Soundex code, so the attacker is effectively testing several accounts with one attempt, and the attack succeeds as soon as any one of the colliding accounts has a guessable password. The chance of breaking into some account therefore rises with the number of names that share a code.
The solution:
1) All web accounts should use high-quality Internet passwords (the HTTP password in each Person document). A Soundex guess only helps the attacker if one of the colliding accounts has a weak password, so this single practice thwarts the vulnerability above.
2) You should consider enabling the Domino setting <server> / Security / Internet Authentication = "Fewer name variations with higher security". This stops Domino from accepting a Soundex code (and the other lenient name variations) as a login name, so each login attempt resolves to at most one account.
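The following script is an added illustration of the problem described above; it is not Lotus/IBM code and it does not contact a Domino server. It implements standard Soundex, audits a constructed directory for names that share a code, and models the two lookup policies so you can see why a Soundex login plus a common password covers several accounts under the weak setting and none under the strict one. Several details are assumptions the newsletter does not state: that Domino's Soundex is the standard four-character code, that it is computed over the last name, that the lenient lookup also accepts an exact first name, last name or common name, and that the strict mode accepts only the exact common name. The directory entries and passwords are made-up sample data.

```python
"""Soundex collision audit for Domino-style "more name variations" web logins.

Added example for the newsletter above; not Lotus/IBM code and no Domino
server is involved. Assumptions (not stated in the newsletter): standard
four-character Soundex, computed over the last name; the lenient lookup also
accepts exact first name, last name and common name; the strict lookup accepts
only the exact common name. The directory below is constructed sample data.
"""
from collections import defaultdict

# Standard Soundex consonant classes. A E I O U Y are uncoded and separate
# repeated digits; H and W are uncoded but do not separate them.
_CODES = {ch: digit
          for letters, digit in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                                 ("L", "4"), ("MN", "5"), ("R", "6"))
          for ch in letters}


def soundex(word):
    """Return the four-character Soundex code of word, or "" if it has no letters."""
    letters = [c for c in word.upper() if c.isalpha()]
    if not letters:
        return ""
    code = letters[0]
    last = _CODES.get(letters[0], "")
    for c in letters[1:]:
        if c in "HW":
            continue                  # uncoded, and does not reset `last`
        digit = _CODES.get(c, "")
        if digit == "":
            last = ""                 # vowel or Y: a repeated digit counts again
            continue
        if digit != last:
            code += digit
        last = digit
        if len(code) == 4:
            break
    return (code + "000")[:4]


# Constructed sample directory: (common name, Internet password). Passwords are
# kept in clear only so the demo is readable; a real directory stores hashes.
DIRECTORY = [
    ("Robert Smith", "Welcome1"),
    ("Rupert Smythe", "password"),
    ("Roberta Schmidt", "x9!Qw#7pL2@vR"),
    ("Sam Smit", "G4$kq2Ln!8zT"),
    ("Chuck Connell", "Tq7#mP2v!Lx9"),
]


def _last_name(common_name):
    return common_name.split()[-1]


def candidates(login, policy):
    """Accounts a submitted login name resolves to under a lookup policy.

    "lenient" models "More name variations with lower security": common name,
    first name, last name or the Soundex code of the last name all match.
    "strict" models "Fewer name variations with higher security", assumed here
    to accept only the exact common name.
    """
    wanted = login.strip().upper()
    hits = []
    for name, _pw in DIRECTORY:
        forms = {name.upper()}
        if policy == "lenient":
            first, last = name.split()[0], _last_name(name)
            forms |= {first.upper(), last.upper(), soundex(last)}
        if wanted in forms:
            hits.append(name)
    return hits


def attempt_login(login, password, policy):
    """Accounts that accept (login, password). Every candidate the name resolves
    to is checked, so one password guess is tested against all of them."""
    hits = candidates(login, policy)
    return [name for name, pw in DIRECTORY if name in hits and pw == password]


def collision_groups():
    """Soundex codes shared by more than one account; each such code is a single
    login name that covers every account in its group."""
    groups = defaultdict(list)
    for name, _pw in DIRECTORY:
        groups[soundex(_last_name(name))].append(name)
    return {code: names for code, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for code, names in collision_groups().items():
        print(f"{code}: one login name covers {len(names)} accounts: {names}")
    # The attack from the newsletter: a Soundex code plus a common password.
    print("lenient:", attempt_login("S530", "password", "lenient"))
    print("strict: ", attempt_login("S530", "password", "strict"))
```

Run against your own directory, the collision report is the useful part: it tells you how many accounts a single guessed login name would cover under the lenient setting, and which of those accounts need their Internet passwords checked first. Verify the Soundex routine against Domino's own @Soundex output for a few names before trusting the grouping.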
Here is the Lotus advisory:
www.ibm.com/support/docview.wss?rs=463&uid=swg21165495
Chuck Connell
781-939-0505 (office)
connell@chc-3.com -- email
www.chc-3.com -- My home page
www.DominoAdministration.com -- Outsourced administration services for Domino and Notes
www.DominoSecurity.org -- The best source for security information about Domino and Notes
(NOTE: I use a spam filter for inbound mail. In some cases, this filter rejects legitimate messages. If I do not answer your mail, please call me on the phone.)