Intology - Intelligent Technology News
Computers Technology Internet Arts Business Science Sports

Security of Windows CardSpace (codenamed InfoCard), a Microsoft’s client software for the identity theft prevention, has been compromised by three researchers from Horst Görtz Institute for IT Security at Ruhr University in Bochum, Germany,

CardSpace, which ships with Microsoft’s Windows Vista operating system, operates in tandem with a browser when a user visits a website requesting information such as names, addresses or credit card numbers. It allows users to create personal (also known as self-issued) Information Cards, which can contain one or more of 14 fields of telephone book-quality identity information

When an Information Card-enabled application or website wishes to obtain information about the user, the application or website requests a particular set of claims from the user. The CardSpace UI then appears, switching the display to the CardSpace service, which displays the user’s stored identities as visual Information Cards. The user selects the InfoCard to use and the CardSpace software contacts the issuer of the identity to obtain a digitally signed XML token that contains the requested information.

The security researchers, students Sebastian Gajek and Xuan Chen and Jorg Schwenk, a professor and chairman of Network and Data Security at the institute, have shown it is possible to intercept the authentication token from CardSpace. The technique requires directing users to a malicious web server.

This is done by modifying the victim’s Domain Name Server (DNS) settings — a hacker technique called “pharming” — and directing the visitor to the malicious web server, which then captures the authentication token. A hacker could then use the token to access or send sensitive information to the original website.

Some DNS pharming examples are:

• Drive-by-Pharming where the DNS configuration of a DSL home router is changed by Javascript embedded in a web page
• Rogue WLAN Access Points which play the role of a free Internet access point in public facilities for the user

When asked if EV SSL can prevent this attack researchers replied:

Maybe, if the user checks the SSL indicators of his browser. However, usability studies have shown that most users simply ignore SSL warnings, or may not be aware of the subtleties between a “normal” certificate and an EV certificate.

Microsoft officials said they are looking into the matter.