Security loophole found in Windows operating system

Nov 12, 2007

A group of researchers headed by Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa succeeded in finding a security vulnerability in Microsoft's "Windows 2000" operating system.

The significance of the loophole: emails, passwords, credit card numbers, if they were typed into the computer, and actually all correspondence that emanated from a computer using "Windows 2000" is susceptible to tracking.

"This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," remarked Dr. Pinkas.

Various security vulnerabilities in different computer operating systems have been discovered over the years. Previous security breaches have enabled hackers to follow correspondence from a computer from the time of the breach onwards. This newly discovered loophole, exposed by a team of researchers which included, along with Dr. Pinkas, Hebrew University graduate students Zvi Gutterman and Leo Dorrendorf, enables hackers to access information that was sent from the computer prior to the security breach and even information that is no longer stored on the computer.

The researchers found the security loophole in the random number generator of Windows. This is a program which is, among other things, a critical building block for file and email encryption, and for the SSL encryption protocol which is used by all Internet browsers. For example: in correspondence with a bank or any other website that requires typing in a password, or a credit card number, the random number generator creates a random encryption key, which is used to encrypt the communication so that only the relevant website can read the correspondence. The research team found a way to decipher how the random number generator works and thereby compute previous and future encryption keys used by the computer, and eavesdrop on private communication.

"There is no doubt that hacking into a computer using our method requires advanced planning. On the other hand, simpler security breaches also require planning, and I believe that there is room for concern at large companies, or for people who manage sensitive information using their computers, who should understand that the privacy of their data is at risk," explained Dr. Pinkas.

According to the researchers, who have already notified the Microsoft security response team about their discovery, although they only checked "Windows 2000" (which is currently the third most popular operating system in use) they assume that newer versions of "Windows", XP and Vista, use similar random number generators and may also be vulnerable.

Their conclusion is that Microsoft needs to improve the way it encodes information. They recommend that Microsoft publish the code of their random number generators as well as of other elements of the "Windows" security system to enable computer security experts outside Microsoft to evaluate their effectiveness.

Source: University of Haifa

Explore further: Catch the northern lights with your mobile

add to favorites email to friend print save as pdf

Related Stories

Hackers could make smart homes stupid—or worse

Jan 07, 2015

Imagine the smart home of the future. Thanks to a central controller and wi-fi, not only does the thermostat power up and warm or cool the house as you are heading home. Smart light bulbs come on low at dusk ...

HaptoMime offers mid-air interaction system (w/ Video)

Oct 29, 2014

HaptoMime gives the word "touchscreen" a new meaning—one that will need to be carefully reworded, as HaptoMime involves a screen that you cannot touch. All the same, it enables interaction with floating ...

Five ways to make your email safer in case of a hack attack

Dec 19, 2014

The Sony hack, the latest in a wave of company security breaches, exposed months of employee emails. Other hacks have given attackers access to sensitive information about a company and its customers, such as credit-card ...

Huawei Technologies has big plans, faces big questions

Dec 04, 2014

Many Americans may not be familiar with Huawei Technologies, but the Shenzhen, China-based company has become one of the largest telecommunications and networking suppliers in the world, competing against the likes of Cisco ...

Recommended for you

Catch the northern lights with your mobile

23 hours ago

Updates on the best opportunities to spot the Northern Lights in the UK are now available on a mobile phone app developed in association with scientists at Lancaster University.

App improves the safety of blind pedestrians in cities

Jan 22, 2015

Siemens is developing a system that helps blind and visually impaired people walk safely through cities. In cooperation with the Technical University of Braunschweig and several partners, Siemens is working ...

Nadella: Microsoft aspires to get consumers 'loving Windows'

Jan 22, 2015

Microsoft upped its bid to capture the hearts and minds of technology consumers Wednesday with Windows 10, announcing everything from free upgrades for the majority of Windows users to support for nascent holographic dis ...

WhatsApp adds messaging from Web

Jan 21, 2015

The popular mobile messaging application WhatsApp, acquired by Facebook last year for nearly $22 billion, unveiled a new service Wednesday for sending messages from a Web browser.

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

Argiod
1 / 5 (2) Nov 13, 2007
"Security loophole found in Windows operating system..."

So, I thought this was a forum for news. There's nothing new about Windows security loopholes. Anyone who uses Windows has to download security updates at least once a week. The simple cure is to switch to Ubuntu Linux. I have, and no longer have to worry about security problems. And my system runs about two to four times faster now.
superhuman
not rated yet Mar 18, 2008
This one is HUGE though, being able to predict random numbers and security keys is a dream come true for hackers. Seriously microshit needs to hire some professionals.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.