Microsoft Tightens Security, Deals IT Folks Headaches in Flame Fight
July 12, 2012 12:00 PM
Microsoft roots out obsolete MD5 certificates, disallows RSA keys shorter than 1024 bits
In August, Windows computers will receive a critical update via Windows Update. The patch is designed to close a security loophole in Windows' encryption that is being actively exploited by malware authored by the U.S. government and Israel.
I. Exploiting Trust in Microsoft
Currently, Windows allows 256-, 384-, and 512-bit keys. Some Microsoft Corp. (
) Terminal Server Licensing (MSTL) certificates until recently also used
the weak MD5 hashing algorithm
, despite the algorithm being officially discontinued in 2009.
The weaknesses, both on the hashing and the key-length front, allowed "world-class" malware authors -- believed to be in the employ of the U.S. government and Israel -- to write
a piece of malware called Flame
, which uses a MTSL certificate cracked by a hitherto unknown attack called MD5 chosen prefix collision.
Certificate in hand, Flame was able to masquerade as a Windows Update from the ultimate trusted source in the Windows world -- Microsoft. Thus the malware quickly proliferated in its intended target location -- Iran and the Middle East.
Flame has narrowly targeted the Middle East, particularly Iran. [Image Source: Kapersky Labs]
II. Microsoft Fights Back With Patch
Kurt L. Hudson, a senior technical writer at Microsoft, has posted a
blog regarding next month's Windows Update, which is expected to tighten key restrictions to prevent further abuse.
To further reduce the risk of unauthorized exposure of sensitive information, Microsoft has created a software update that will be released in August 2012 for the following operating systems: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This update will block the use of cryptographic keys that are less than 1024 bits.
To prepare for this update, you should determine whether your organization is currently using keys less than 1024 bits. If it is, then you should take steps to update your cryptographic settings such that keys under 1024 bits are not in use.
The update could render applications with signatures shorter than 1024-bits unable to install. It may also create difficulties with certain websites, SSL certificates, and Active X controls.
Shorter keys will no longer be considered valid in Windows. [Image Source: Microsoft]
Corporate users are given a series of suggestions to prepare the signature length bump. It remains to be seen exactly how difficult the transition will be for everyday consumers.
1024-bit signatures will be short-lived, as well.
The National Institute of Science and Technology
[PDF] Dec. 31, 2013 as the official target date to black out 1024-bit key encryption using the RSA and DSA algorithms.
Key-based encryption algorithms are only as secure as the enemy is weak hardware- and algorithm-wise. [Image Source: Margie Stibora]
The security community must constantly bump encryption algorithm strength and length in the face of ever increasing computing power and clever new attacks.
No encryption standard is safe
from individuals with sufficient computing power and savvy in the long run -- even quantum encryption has proved susceptible to attacks on the hardware used to encrypt the quantum bits (qBits). Thus security is measured in fleeting moments of safety, using technology that in years will be rendered useless.
III. Did the U.S. go to War With Iran?
Since Flame was discovered, Microsoft has also conducted a vigorous screen of its licensing certificates and discovered 28 other certificates that did not live up to its current standards, but had escaped correction in past cleanups.
Flame remains a hot topic, as both it and Stuxnet are the subject of lively debate over whether the U.S. "
" on Iran by unleashing the malware on it.
Rooting out the Flame worm is a top priority for Microsoft. [Image Source: Krishnan Vasuvedan]
Presidents George W. Bush Jr. and Barack H. Obama both
the use of the malware against the Asian nation. Stuxnet primarily
targeted Iran's nuclear weapons refining facilities
, while Flame offered
a general attack on Iran's oil industry
-- one of the key sources of GDP for the nation.
"Well, there may be a reason why they call them 'Mac' trucks! Windows machines will not be trucks." -- Microsoft CEO Steve Ballmer
United States Accused of Using Flame to try to Cripple Iran's Economy
June 22, 2012, 1:31 PM
Japanese Researchers Crack Supposedly Hack-Proof Cryptography
June 19, 2012, 3:54 PM
Microsoft Aims to Harden Windows Update to Fight "Flame"
June 6, 2012, 2:24 PM
NYT: President Obama Authorized Stuxnet Attack on Iran
June 1, 2012, 1:54 PM
Inside the Mega-Hack of Bitcoin: the Full Story
June 19, 2011, 6:40 PM
Not All the High-Tech Jobs Are in California
August 4, 2016, 8:29 PM
Google's Gleaming Glass HQ Gets Mountain View Snub, LinkedIn Gets the Love
May 7, 2015, 6:58 AM
Tech's Tax Day Fortunate Few: Qualcomm, Xerox, GE, et al. Pay Little or No Taxes
April 15, 2015, 11:30 AM
LinkNYC Terminals to Blanket New York City With Free WiFi, Free Calls, and Ads
November 17, 2014, 6:50 PM
Microsoft is Open-Sourcing Most of .NET, Adding OS X and Linux Support
November 12, 2014, 8:27 PM
Home Depot Lost 53 Million Emails, Blames Windows, Buys Execs New Macs
November 9, 2014, 5:00 PM
Most Popular Articles
Car Insurance - The Hidden Discriminatory Practise
October 18, 2016, 5:00 AM
Problems with Windows 10 – Update Now
October 15, 2016, 7:30 AM
Is Razer Blade Stealth Laptop For You?
October 16, 2016, 5:00 AM
Tesla Event Pushed to Wednesday
October 17, 2016, 5:00 AM
Smart Technology Mood Collar To Understand Your Dog’s Emotions
October 17, 2016, 5:00 AM
Latest Blog Posts
Mac Users, Try this if Your Mac is Infected?
Oct 23, 2016, 7:00 AM
Tips to Prevent Smartphones From Overheating:
Oct 22, 2016, 5:00 AM
Nasa Flies Drones at Nevada Airport
Oct 21, 2016, 8:21 AM
T-Mobile Data Problems
Oct 20, 2016, 10:17 AM
Annoying Apple Watch Problems and How to Fix Them
Oct 20, 2016, 5:00 AM
Your Mail May Soon Be Delivered By Robot
Oct 19, 2016, 9:34 AM
2018 Jeep Wrangler Prototype Sells At Junkyard
Oct 18, 2016, 5:00 AM
Samsung Shines with Gold Edition Tablet
Oct 17, 2016, 9:24 AM
Tesla Hints Mysterious Product Debut for October 17th
Oct 16, 2016, 10:14 AM
Samsung Galaxy Note 7 Phones on US flights
Oct 15, 2016, 5:00 AM
Comcast Fined $2.3 Million For Unconfirmed Services Charged To Customers
Oct 14, 2016, 5:00 AM
“American singer / songwriter “Bob Dylan is awarded 2016 Nobel Prize in Literature.
Oct 13, 2016, 10:33 AM
Battery Defect in Medical Device
Oct 12, 2016, 5:00 AM
IBM Bolsters Social Services Sector With Technology Grants
Oct 11, 2016, 5:00 AM
Scientists Sound Alarm on Climate but US Still Toys With Skepticism
Oct 10, 2016, 5:00 AM
IMEX America Trade Show
Oct 9, 2016, 10:00 AM
Phone Wars – Google VS Samsung Free Gifts on Purchase
Oct 6, 2016, 5:00 AM
Member of Parliament’s opposition car exploded in Tbilist capital of Georgia
Oct 5, 2016, 2:52 PM
More Blog Posts
Copyright 2016 DailyTech LLC. -
Terms, Conditions & Privacy Information