
May 31st, 2008

Microsoft CardSpace killed before it really began?

Posted by Zack Whittaker @ 6:31 am

Categories: Microsoft, Security

Tags: DNS, Microsoft Windows CardSpace, Security Token, Microsoft Corp., Domain Names, Digital Security, Networking, Security, Internet, Zack Whittaker

According to Neowin, computing students at the University of Bochum, Germany, have worked out how to retrieve vital security tokens from Microsoft’s CardSpace framework. CardSpace is highly tipped to be the successor to Windows Live ID (Passport) and to make passwords a relic of the Cold War, using self-signed or certificate-authority-signed digital certificates stored on the local machine as proof of who you are.

The report states that the many means of manipulating the DNS service, including anti-DNS pinning or DNS spoofing, are all ways of taking the security tokens from a CardSpace file.

Heise Online, which reported this story, almost encourages you to try this out. Considering this major security flaw has been brought to light instead of being exploited, it’s fair to say they’re not interested in stealing your money. It’s recommended you alter your own DNS settings to protect yourself anyway, but feel free to give it a go.

Heise report:

“Microsoft has apparently already been informed of the problem and is working on a solution. In their report, the students propose improving Same Origin Policy as a security function for browsers.”

Good to know really; considering this “ultra-secure” technology will one day be taking over hundreds of millions of accounts, I speak for a lot of people when I say I’d really rather I keep my password if it’ll keep my details that bit more secure.

Update: British students have done it again, blowing another hole in one of Microsoft’s attempts at security; this time they’ve managed to fool the CAPTCHA application applied to many of the Live services like Hotmail and Live ID. Dancho Danchev covers the story in the Zero Day blog.

Zack Whittaker, the youngest in the ZDNet network, is a British student at the University of Kent, Canterbury, where he studies BA (Hons) Criminology and Social Policy. His insight into the next-generation is unique and first-hand, sharing his knowledge of the here and now but more so what's next and how to get there.
