According to reports, Sebastian Gajek and Xuan Chen and Jorg Schwenk, a professor and chairman of Network and Data Security at the Horst Gortz Institute for IT Security at Ruhr University in Bochum, Germany, "have shown it is possible to intercept the authentication token from CardSpace", which is part of the security system in Windows Vista (and in XP, via .Net 3.0). "A hacker could then use the token to access or send sensitive information to the original website."
However, the claim requires more than one simultaneous action, which makes the claimed procedure sound not much of a threat.
Microsoft's Kim Cameron -- the man mainly responsible for CardSpace -- points out that to make it work, users have to "reconfigure their computers and point to an evil DNS site they have constructed. Once we help them out with this, they attempt to exploit the fact that poisoned DNS allows a rogue site and a legitimate site to appear to have the same internet "domain name" (eg www.goodsite.com) ."
However, the potential problems of DNS are well understood. Computers protect themselves from attacks of this kind by using cryptographic certificates that guarantee a given site REALLY DOES legitimately own a DNS name. Use of certificates prevents the kind of attack proposed by the students. . But this is no problem as far as the students are concerned. They simply ask us to TURN OFF this defense as well. In other words, we have to assist them by poisoning all of the safeguards that have been put in place to thwart their attack.
There's more, of course, but if you can make it work, does the attack sound like a useful approach? Sure, you can break into a house by asking someone to undo all the bolts and then persuading them to pass you the key. However, dozens of neighbours have left their back doors unlocked....
And as Cameron politely points out, the students (and, one assumes, their professor) don't seem to have sufficient clue about computer security. He writes:
One of the most important observations that must be made is that security isn't binary - there is no simple dichotomy between vulnerable and not-vulnerable. Security derives from concentric circles of defense that act cumulatively and in such a way as to reinforce one another. The title of the students' report misses this essential point. We need to design our systems in light of the fact that any system is breachable. That's what we've attempted to do with CardSpace. And that's why there is an entire array of defenses which act together to provide a substantial and practical barrier against the kind of attack the students have attempted to achieve.
True, but still, the weakest link in any security system is usually the one between the seat and the keyboard.....
