Vulnerability in 'Windows OS' Opens New Hacking Method
Computer researchers at the University of Haifa have discovered a security flaw in Microsoft's Windows 2000 operating system (OS) that allows passwords, credit card numbers and e-mails typed on the computer to be hacked.
The newly found security hole, exposed by a group of researchers including Dr. Pinkas and Hebrew University graduate students Leo Dorrendorf and Zvi Gutterman, makes it easy for hackers to read information that a user sent from the computer before the machine was compromised, and even data that was saved on the computer in the past but is no longer stored on the machine.
Dr. Benny Pinkas from the University's Department of Computer Science said the discovery was not theoretical. Any person who exploits the flaw would be able to access information on someone else's computer, he said in a statement. ScienceDaily published the statement on November 12, 2007.
The computer scientists worked out how the 'random number generator' of Windows 2000 functions, which enables attackers to track future as well as previous encryption keys and spy on the user's private communication. By creating random encryption keys for e-mails and files, the generator is meant to ensure that only the target site can view the message.
When a web user types a credit card number or a password on a website, the number generator modifies the information and constructs a special code for it so that only the relevant site can read it.
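To illustrate why a captured generator state can expose earlier as well as later keys, here is an added example that is not from the article or the researchers' work. It uses a toy generator, not the Windows 2000 algorithm, whose state step can be run backwards, next to a hash-ratchet design with reseeding; all names and constants are assumptions made for illustration.

```python
import hashlib

# Toy model only: NOT the Windows 2000 algorithm. Constants are illustrative.
M = 2**64
A, C = 6364136223846793005, 1442695040888963407  # any odd A is invertible mod 2**64
A_INV = pow(A, -1, M)

def key_from(state: bytes) -> bytes:
    """Derive a 128-bit key from generator state."""
    return hashlib.sha256(b"key" + state).digest()[:16]

class InvertibleToyRng:
    """Weak design: the state update can be run backwards."""
    def __init__(self, seed: int):
        self.state = seed % M

    def next_key(self) -> bytes:
        self.state = (A * self.state + C) % M
        return key_from(self.state.to_bytes(8, "big"))

def keys_exposed_by_snapshot(state: int, count: int) -> list:
    """Past keys recomputable from one snapshot of the weak state, oldest first."""
    keys = []
    for _ in range(count):
        keys.append(key_from(state.to_bytes(8, "big")))
        state = (A_INV * (state - C)) % M  # step the state backwards
    return keys[::-1]

class RatchetRng:
    """Hardened design: one-way state step plus reseeding with fresh entropy."""
    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"seed" + seed).digest()

    def next_key(self) -> bytes:
        key = key_from(self.state)
        # Old state is hashed away, so earlier keys need a SHA-256 preimage.
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return key

    def reseed(self, entropy: bytes) -> None:
        # Mixing in fresh entropy ends the usefulness of an old snapshot.
        self.state = hashlib.sha256(b"reseed" + self.state + entropy).digest()

if __name__ == "__main__":
    weak = InvertibleToyRng(seed=20071112)  # constructed seed
    issued = [weak.next_key() for _ in range(5)]
    print("weak design, past keys exposed:",
          keys_exposed_by_snapshot(weak.state, 5) == issued)
```

In the ratchet design a snapshot still predicts upcoming keys until `reseed` is called, which is why frequent reseeding from a fresh entropy source matters as much as the one-way step.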
Commenting on the researchers' method of hacking, Dr. Pinkas said it needs advanced planning. However, even simple security compromises need planning, which gives large companies cause for thought. It is also a concern for individuals dealing with sensitive information on their computers. These people should realize that the confidentiality of their data is at risk.
According to the researchers, Microsoft's Vista and Windows XP also have random number generators that make the OSs vulnerable. The researchers have reported their discovery to the Microsoft security response team.
To help security specialists outside Microsoft assess the effectiveness of Microsoft's random number generators and other security elements of Windows, the researchers suggested that Microsoft publish the code for these components.
» SPAMfighter News - 27-11-2007