Security loophole found in Windows operating system

A group of researchers headed by Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa succeeded in finding a security vulnerability in Microsoft's "Windows 2000" operating system.

The significance of the loophole: emails, passwords, credit card numbers, if they were typed into the computer, and actually all correspondence that emanated from a computer using "Windows 2000" is susceptible to tracking.

"This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," remarked Dr. Pinkas.

Various security vulnerabilities in different computer operating systems have been discovered over the years. Previous security breaches have enabled hackers to follow correspondence from a computer from the time of the breach onwards. This newly discovered loophole, exposed by a team of researchers which included, along with Dr. Pinkas, Hebrew University graduate students Zvi Gutterman and Leo Dorrendorf, enables hackers to access information that was sent from the computer prior to the security breach and even information that is no longer stored on the computer.

The researchers found the security loophole in the random number generator of Windows. This is a program which is, among other things, a critical building block for file and email encryption, and for the SSL encryption protocol which is used by all Internet browsers. For example: in correspondence with a bank or any other website that requires typing in a password, or a credit card number, the random number generator creates a random encryption key, which is used to encrypt the communication so that only the relevant website can read the correspondence. The research team found a way to decipher how the random number generator works and thereby compute previous and future encryption keys used by the computer, and eavesdrop on private communication.

"There is no doubt that hacking into a computer using our method requires advanced planning. On the other hand, simpler security breaches also require planning, and I believe that there is room for concern at large companies, or for people who manage sensitive information using their computers, who should understand that the privacy of their data is at risk," explained Dr. Pinkas.

According to the researchers, who have already notified the Microsoft security response team about their discovery, although they only checked "Windows 2000" (which is currently the third most popular operating system in use) they assume that newer versions of "Windows", XP and Vista, use similar random number generators and may also be vulnerable.

Their conclusion is that Microsoft needs to improve the way it encodes information. They recommend that Microsoft publish the code of their random number generators as well as of other elements of the "Windows" security system to enable computer security experts outside Microsoft to evaluate their effectiveness.

Source: University of Haifa

Related stories:

Microsoft to sell Office, OneCare for $70 a year
(AP) -- Microsoft Corp. will begin selling its Office programs to consumers on a subscription basis starting mid-July, in a bid to reach thrifty PC buyers who would otherwise pass on productivity software.
Soldiers to get 3-D maps in near-real-time
In the near future, soldiers may be using maps that are more akin to long-range but highly accurate security cameras: the maps will enable troops to see both the exterior and interior of buildings, as well as streets and larger areas, as they appeared just minutes ago.
Jump into the screen with 360-degree immersive video
As you watch a video, have you ever wondered what's happening beyond the camera frame? If you could jump inside the video and look around, you would have a 360-degree view of the world in your TV screen or computer monitor.
Attack on computer memory reveals vulnerability of widely-used security systems
A team of academic, industry and independent researchers has demonstrated a new class of computer attacks that compromise the contents of “secure” memory systems, particularly in laptops.
Digital frame virus traced to China
A powerful virus recently discovered in digital photo frames has been identified as a Chinese Trojan Horse that gathers personal information.
Fujitsu Introduces World's Highest Capacity 2.5'' External HDD
Fujitsu today launched its new travel-ready and world’s highest capacity 2.5” External Hard Disk Drive (HDD) for the U.S. market. Featuring up to 300GB of storage space in a sleek, compact design, the new External HDDs are built on the Fujitsu mobile hard disk technology, providing an ideal solution for users looking for a portable HDD with industry-leading capacity.
SanDisk Launches 64 Gigabyte Solid State Drives for Notebooks
Reaching for the “sweet spot” of memory storage for laptop computers, SanDisk today expanded its line of solid state drive products with the introduction of a 64-gigabyte (GB) SSD aimed at both enterprise users and early adopter consumers such as gamers.
Intel Introduces '3-Series' Chipsets at Computex
In his opening keynote at the Computex computer trade show, Intel Corporation Executive Vice President Sean Maloney unveiled the new Intel 3 Series Chipset family along with several other technology plans that surround the company's popular Intel Core 2 Duo and Quad processors for home and business PC users.

News discussion:

Technology news