Microsoft to fix NMCI security hole

Navy Department officials are finding that the $6.9 billion Navy Marine Corps Intranet project gives them some clout when asking the world's biggest software vendor to make its product more secure.

At issue is Microsoft Corp.'s Windows 2000 — the operating system officials plan to use for the 360,000 PCs and servers under the NMCI contract with Electronic Data Systems Corp. — and its ability to manage users and network devices in active directories.

NMCI users must insert a Common Access Card into a PC card reader to gain access to a network. However, Microsoft's software must identify the person as a registered Windows 2000 user before it will try to match the card with its corresponding digital certificate, said Ron Turner, the Navy Department's deputy chief information officer for infrastructure, systems and technology.

Instead, Navy officials want NMCI users to have their cards recognized before they are given access to Windows, Turner said. Navy and EDS officials have been working on the problem since early April and hope to have the issue resolved with Microsoft by early 2002, he said.

Unfortunately, Active Directory, Microsoft's twist on the X.500 directory standard, makes it difficult for Windows to work with Netscape Communications Corp.'s digital certificates, said Marv Langston, former deputy CIO at the Defense Department and a Falls Church, Va.-based consultant. The Navy uses the Netscape certificates through a Defense Information Systems Agency site license.

"We've been working with the [NMCI] product group" on the problem, said Keith Hodson, a Microsoft Government spokesman.

Matching a card against a digital certificate directory before verifying the Windows 2000 user will enhance NMCI security, said Rolin Hua, a senior business development director at Calnet Inc., a consulting company in Vienna, Va.

Without the change, malicious hackers could use servers outside NMCI to launch a distributed denial-of-service attack — flooding the network with bogus requests for admission to Windows 2000 — that could take down part of the NMCI network, Hua said.

That's because it's easier to steal a user name and password to gain access to Windows 2000 than to steal a Common Access Card. If a card must first be inserted into a computer, that makes the hacker's task much more difficult, Hua said.

EDS, which has assumed responsibility for 42,000 Navy users, plans to switch the first users to NMCI hardware and Windows 2000-based software during the next month, said Rick Rosenburg, NMCI program executive at EDS.

Also known as a smart card, the wallet-size Common Access Card has a magnetic strip and a processor embedded in it. The Pentagon plans to issue the cards to all active-duty service members and select contractors and reservists by the end of fiscal 2002, said Dan Porter, the Navy Department's CIO.

The cards will give users access to buildings and computer networks and hold basic identification information.
