January 27, 2001, 8:50 AM — In an era where supposedly secure products turn out to be full of holes, Lotus Notes stood alone with little said about its security problems. That ended during a panel at Def Con 8, the annual hackers' conference held last week in Las Vegas. Dutch security consultants The Trust Factory, sitting alongside of ex-hacker Chris Goggins, director of operations for Security Design, announced a veritable flood of problems for Notes installations. Lotus has been aware of the issues for some time, planned to have patches made available soon, and had fixed one problem since the release of Notes 4.6.
Lotus Notes is a secure groupware platform. Unlike Microsoft's Exchange-based groupware, Notes has always relied on strong security techniques such as the use of digital certificates for user authentication and encryption. If users stay with traditional Notes clients, any problems are greatly diminished. It is Domino, Notes' Web interface, that presents the greatest security threat.
The Def Con presentation began by pointing out that default access to almost everything installed on a Notes server is permissive. This becomes a real problem as soon as any unauthorized person gains access to the server. The panelists next explained techniques for gaining such access. They outlined methods for gathering passwords and then showed how to crack passwords. The Dutch consultants showed how they collected password hashes remotely using a tool called Sesame. In some cases, the user database file, names.nsf, is publicly accessible via a Web server.
Lotus has pointed out that cracking passwords became a lot more difficult some time ago with the release Notes 4.6 (the current version is 5.0). With Notes 4.6, it became possible to add "salt" to the password hashes, making them more difficult to crack. But this technique remains optional, as the new password hashes are not backward-compatible with older versions.
Notes is also an application-development platform, and the presenters pointed out that the Windows API left open techniques for accessing secure information while bypassing Execution Control Lists. For example, you could send email with a VBS attachment to a Notes user and acquire his or her credentials. Once the you've stolen the credentials, you can use them to masquerade as your victim via Domino. The presenters suggested that Notes users choose different passwords for their client and the Web interfaces, and that access to the Web interface be restricted (something that Lotus has supported for years).
According to the presentation, there are more than 60 million Notes users worldwide, so even a tiny crack in Notes security has large implications -- and these are not such small cracks. On the other hand, it appears that most of the problems can be solved by updating clients and servers, correcting weak access control lists that are part of default installations, and installing patches as soon as they are available.
