Israelis beat 'secure' Windows program

A group of Haifa researchers has found a security vulnerability in Microsoft's old-but-still-used Windows 2000, enabling the tracking of e-mails, passwords, credit card numbers and all correspondence produced by any computer using that system.

"This is not a theoretical discovery," says Dr. Benny Pinkas of the University of Haifa's computer science department. "Anyone who exploits this security loophole can access this information on other computers."

Various security vulnerabilities in different operating systems have been discovered over the years. Previous breaches have enabled hackers to follow correspondence from a computer from the time of the breach onwards. This newly discovered loophole - exposed by a team which included, along with Pinkas, Hebrew University graduate students Zvi Gutterman and Leo Dorrendorf - enables hackers to access information that was sent from the computer prior to the security breach, and even information that is no longer stored on the computer.

The results of the research are described in a paper presented at the recent ACM Conference on Computer and Communications Security in Alexandria, Virginia

The researchers found the security loophole in the random number generator of Windows. This is a program which is, among other things, a critical building block for file and e-mail encryption, and for the SSL encryption protoco used by all Internet browsers. For example: in correspondence with a bank or any other Web site that requires typing in a password or a credit card number, the random number generator creates a random encryption key which is used to encrypt the communication so that only the relevant Web site can read it. The research team found a way to decipher how the random number generator works and thereby compute previous and future encryption keys used by the computer, thus eavesdropping on private communication.