New Worlds: Israelis beat 'secure' Windows program

Haifa researchers: Security vulnerability enables tracking of e-mails, passwords, credit card numbers and all correspondence produced by any computer using system.

By JUDY SIEGEL-ITZKOVICH
windows xp logo 88 (photo credit: )
windows xp logo 88
(photo credit: )
A group of Haifa researchers has found a security vulnerability in Microsoft's old-but-still-used Windows 2000, enabling the tracking of e-mails, passwords, credit card numbers and all correspondence produced by any computer using that system. "This is not a theoretical discovery," says Dr. Benny Pinkas of the University of Haifa's computer science department. "Anyone who exploits this security loophole can access this information on other computers." Various security vulnerabilities in different operating systems have been discovered over the years. Previous breaches have enabled hackers to follow correspondence from a computer from the time of the breach onwards. This newly discovered loophole - exposed by a team which included, along with Pinkas, Hebrew University graduate students Zvi Gutterman and Leo Dorrendorf - enables hackers to access information that was sent from the computer prior to the security breach, and even information that is no longer stored on the computer. The results of the research are described in a paper presented at the recent ACM Conference on Computer and Communications Security in Alexandria, Virginia The researchers found the security loophole in the random number generator of Windows. This is a program which is, among other things, a critical building block for file and e-mail encryption, and for the SSL encryption protoco used by all Internet browsers. For example: in correspondence with a bank or any other Web site that requires typing in a password or a credit card number, the random number generator creates a random encryption key which is used to encrypt the communication so that only the relevant Web site can read it. The research team found a way to decipher how the random number generator works and thereby compute previous and future encryption keys used by the computer, thus eavesdropping on private communication. "There is no doubt that hacking into a computer using our method requires advanced planning. On the other hand, simpler security breaches also require planning, and I believe that there is room for concern at large companies, or for people who manage sensitive information, who should understand that the privacy of their data is at risk," explained Pinkas. According to the researchers, who have already notified Microsoft about their discovery, although they only checked Windows 2000 (currently the third-most-popular operating system in use) they assume that newer versions of Windows XP and Vista use similar random number generators and may also be vulnerable in this way. Their conclusion is that Microsoft needs to improve the way it encodes information. They recommend that Microsoft publish the code of its random number generators as well as of other elements of the Windows security system to enable computer security experts outside Microsoft to evaluate their effectiveness. PRIMATE EMBRYOS CLONED If embryos can be cloned from adult monkeys, are humans far behind? A private US research facility - the Oregon National Primate Research Center - has reported in Nature its ability to create cloned embryos from adult monkeys. Led by researcher Shoukhrat Mitalipov, it was the first time that scientists have been able to create viable cloned embryos from an adult primate. The scientists extracted stem cells from some of the cloned embryos and were then able to stimulate the embryonic cells to develop into mature heart cells and brain neurons. Don Wolf, who ran the center before he retired recently, said the procedure was based on a microscopic technique that doesn't use ultraviolet light and dyes, which seem to damage primate eggs. "We could now produce cloned blastocysts (embryos) in the monkey at a reasonable frequency," Wolf told a newspaper. The Oregon team, working with a group in China, produced about 100 cloned embryos that were transferred into 50 female macaques, but none resulted in a full-term pregnancy, The cloning of human embryos for reproductive purposes is illegal in most of the world, including Israel.