
"A prominent US Senator has called on the Federal Trade Commission to investigate Microsoft for 'gross cybersecurity negligence,' citing the company's continued use of an obsolete and vulnerable form of encryption that Windows uses by default. In a letter to FTC Chairman Andrew Ferguson, Sen. Ron Wyden (D-Ore.) said an investigation his office conducted into the 2024 ransomware breach of the health care giant Ascension found that default use of the RC4 encryption cipher was a direct cause."
"It was a trade-secret-protected proprietary cipher until 1994, when an anonymous party posted a technical description of it to the Cypherpunks mail list. Within days the algorithm was broken, meaning its security could be compromised using cryptographic attacks. Despite the known susceptibility to such attacks, RC4 remained in wide use in encryption protocols including SSL and its successor TLS until about a decade ago."
Sen. Ron Wyden requested a Federal Trade Commission investigation into Microsoft for "gross cybersecurity negligence" after linking the 2024 Ascension ransomware breach to Windows' default use of the RC4 encryption cipher. The breach resulted in theft of medical records for 5.6 million patients. RC4 is an aging stream cipher developed in 1987 that was broken soon after its public disclosure and is vulnerable to cryptographic attacks. Despite those vulnerabilities, Microsoft still supports RC4 as the default mechanism for securing Active Directory. Wyden described Microsoft’s engineering choices as dangerous and enabling rapid, organization-wide ransomware infections.
Read at Ars Technica