All the latest UK technology news, reviews and analysis
|
|
|
13 Nov 2007
A group of Israeli researchers claims to have discovered a serious vulnerability in Microsoft's Windows 2000 operating system.
The flaw allows for the tracking of all text typed into a Windows 2000 computer, including emails, passwords and credit card numbers, according to a team led by Dr Benny Pinkas from the Department of Computer Science at the University of Haifa.
"This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," warned Dr Pinkas.
The flaw could enable hackers to access information sent from the computer prior to the security breach, and even information that is no longer stored on the computer.
The researchers found the flaw in the random number generator in Windows. This program plays a critical role in file and email encryption, and the SSL encryption protocol which is used by all internet browsers.
For example, any correspondence with a bank or any other website that requires typing in a password or a credit card number, will invoke the random number generator to create a random encryption key.
This key is used to encrypt the communication so that only the relevant website can read the correspondence.
The research team found a way to decipher how the random number generator works and thereby compute previous and future encryption keys used by the computer, and eavesdrop on private communication.
"There is no doubt that hacking into a computer using our method requires advanced planning. On the other hand, simpler security breaches also require planning," said Dr Pinkas.
"I believe that there is room for concern at large companies, or for people who manage sensitive information using their computers, who should understand that the privacy of their data is at risk."
The researchers said that they have already notified Microsoft's security response team about their discovery.
Although the researchers only checked Windows 2000, which is currently the third most popular operating system in use, they assume that newer versions of Windows, such as XP and Vista, use similar random number generators and may also be vulnerable.
Their conclusion is that Microsoft needs to improve the way it encodes information.
Latest stories from Security
Related articles
Related jobs
Poll
What will be the biggest change to corporate technology in the future?
TFL director of Games transport Mark Evers discusses how the public transport network is preparing for this summer's event
Connect with V3.co.uk
The wrong printers, for the wrong tasks on the wrong contracts
Who leads the BI pack and who should we be watching out for?
Head of Compliance My client is currently seeking...
THis role is working for a multi national Financial organisation...
Professional Services Consultant - Data Protection, Backup...
Web Support Analyst (Drupal, Joomla or Wordpress, CMS...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
So what?
The article leave out the most important thing of all, and that is how it might be exploited. Would a user have to get tricked into clicking on an email or web link? Or are there other ways? What precautions should users take?
Posted by: Al 14 Nov 2007