Researchers in Israel say they have cracked the used by , a graphical and business-oriented operating system first released seven years ago.

Windows uses a pseudo-random number generator (PRNG) to create encryption keys for Secure Sockets Layer (SSL) sessions, among other things. These sessions are widely used by online banks and retailers.

The researchers claim they can now predict future and even past keys calculated by the algorithm, due to multiple flaws in the generator. This could give hackers access to, uhhh, everything, including passwords, even if they have not been saved elsewhere on the computer.

All you need is access to the computer, even remote access, with Administrator privileges, and you could see the “state” of the PRNG because Windows does not appear to refresh its state or randomness often enough.

So a single look at the PRNG could compromise up to 1,200 sessions. is not vulnerable to this problem.
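Why one look at a generator's state can expose both earlier and later keys, shown with a constructed toy generator (an added example; this is not the Windows PRNG and not the researchers' code). `WeakGen`, `RatchetGen`, their constants and the reseed interval are hypothetical; the second class illustrates the usual countermeasure of a one-way state update plus frequent reseeding.

```python
import copy, hashlib, os

MASK = (1 << 64) - 1
A, C = 6364136223846793005, 1442695040888963407   # constructed toy constants
A_INV = pow(A, -1, 1 << 64)                        # A is odd, so the update is invertible

def _key(state: int) -> bytes:
    return hashlib.sha256(state.to_bytes(8, "big")).digest()[:16]

class WeakGen:
    """Toy generator: invertible state update and no reseeding."""
    def __init__(self, seed: int):
        self.state = seed & MASK
    def next_key(self) -> bytes:
        self.state = (self.state * A + C) & MASK
        return _key(self.state)

def keys_from_snapshot(state: int, back: int, fwd: int):
    """Given one captured WeakGen state, return (past keys, future keys)."""
    past, s = [], state
    for _ in range(back):
        s = ((s - C) * A_INV) & MASK     # run the update backwards
        past.append(_key(s))
    future, s = [], state
    for _ in range(fwd):
        s = (s * A + C) & MASK           # run the update forwards
        future.append(_key(s))
    return past[::-1], future

class RatchetGen:
    """One-way (hash) state update, reseeded from the OS every `interval` keys."""
    def __init__(self, seed: bytes, interval: int = 4):
        self.state = hashlib.sha256(b"init" + seed).digest()
        self.count, self.interval = 0, interval
    def next_key(self) -> bytes:
        if self.count and self.count % self.interval == 0:
            self.state = hashlib.sha256(self.state + os.urandom(32)).digest()
        out = hashlib.sha256(b"out" + self.state).digest()[:16]
        self.state = hashlib.sha256(b"next" + self.state).digest()
        self.count += 1
        return out

def snapshot_exposure(gen: RatchetGen, n: int) -> int:
    """Count how many of the next n keys a copy of gen's current state predicts."""
    clone = copy.copy(gen)
    return sum(clone.next_key() == gen.next_key() for _ in range(n))
```

With the toy weak generator, a snapshot taken after the fifth key reproduces every key before and after it; with the ratcheting one, the same snapshot stops being useful at the next reseed.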

Others have noted that it would be relatively difficult to mount an attack exploiting this flaw. Microsoft claims there is no security problem at all, and that all information is supposed to be available to anyone with Administrator access.

Microsoft did say, however, that they are looking into it, and may strengthen the PRNG in a future Windows service pack.


Syd Tash is a noted computer security consultant and author of How to Protect Your Computer Online. He has been keeping Internet surfers safe and secure since the last century. Find out how he does it; protect your own computer with five layers of protection right here: => http://MyPCSecuritySite.com

You may include these Tips in your web sites and publications provided they remain unchanged and include the above paragraph, with the author’s name and web site.
