iTnews

Microsoft's CardSpace ID technology: breached

By Jim Carr on Jun 2, 2008 11:56AM

Three security researchers in Germany have reportedly broken Microsoft's CardSpace, which was designed to beef up the security of users' personal information while browsing the internet.

The technique essentially co-opts part of the CardSpace technology, which Microsoft believes can reduce problems such as identity theft plaguing internet users. Microsoft has said it plans to integrate CardSpace with OpenID, an open-source standard also designed to toughen up internet security.

CardSpace, which ships with Microsoft's Windows Vista operating system, operates in tandem with a browser when a user visits a website requesting information such as names, addresses or credit card numbers. In the CardSpace scenario, users can store their personal information on their own PC or use a third-party identity provider's service.

CardSpace maintains a list of virtual ID cards, which can be "self-issued" cards stored on the user's PC or "managed" cards stored by the ID provider. When a website asks for personal information, the user selects one of the cards.

When users rely on an ID provider to authenticate with a website, the provider issues a token to the website rather than passing the user's individual information along. This is the step in which the security researchers, from the Horst Görtz Institute for IT Security at Ruhr University in Bochum, Germany, have uncovered a flaw.

The security researchers, students Sebastian Gajek and Xuan Chen and Jörg Schwenk, a professor and chairman of network and data security at the institute, have shown it is possible to intercept the authentication token from CardSpace. The technique requires directing users to a malicious web server.

According to the researchers, an attacker would have to modify the victim's domain name system (DNS) settings -- a hacker technique called pharming -- and direct the visitor to the malicious web server, which then captures the authentication token. A hacker could then use the token to access or send sensitive information to the original website.

This proof-of-concept technique has not been used to attack people, but the attack can be easily replicated, according to the Horst Görtz Institute, and the researchers say it is realistic to expect real-world attacks against CardSpace in the near future.

Microsoft did not respond to SCMagazineUS.com's request for comment.

See original article on SC Magazine US