A prominent US senator has called on the Federal Trade Commission (FTC) to investigate Microsoft for what he described as “gross cybersecurity negligence.” This urgent request comes in light of the company’s continued use of the outdated RC4 encryption cipher as the default setting on Windows.
In a detailed letter to FTC Chairman Andrew Ferguson, Senator Ron Wyden (D–Ore.) referred to an investigation conducted by his office which looked into the 2024 ransomware breach of healthcare giant Ascension. This catastrophic breach compromised the medical records of approximately 5.6 million patients and was attributed directly to the use of the vulnerable RC4 encryption cipher.
Concerns Over Security Practices
This isn’t the first time Wyden has expressed concern regarding Microsoft’s security measures. In fact, he has once again labeled their actions as “negligence.” According to Wyden, “because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection.”
The Vulnerability of RC4
RC4, or Rivest Cipher 4, was created by cryptographer Ron Rivest in 1987. Initially, it was a proprietary cipher until it became publicly documented in 1994. Soon after, significant vulnerabilities were discovered, rendering RC4 susceptible to cryptographic attacks. Despite this, the algorithm remained in widespread use within popular encryption protocols such as SSL and TLS until around a decade ago.
Despite the advancements in encryption technology, Microsoft continues to rely on RC4 as the default encryption method for Active Directory, a crucial Windows component that manages user accounts within large organizations. Many entities do not activate stronger encryption options available in Windows, causing Active Directory authentication to revert to the insecure Kerberos method that employs RC4.
Exploiting Misconfiguration
Cryptography expert Matt Green from Johns Hopkins University has pointed out that the persistent support for Kerberos alongside RC4, compounded by common misconfigurations, exposes networks to a type of attack known as kerberoasting. This attack technique employs offline password-cracking strategies against Kerberos-protected accounts that are not using stronger encryption methods. Kerberoasting has been a known vulnerability since 2014, yet it continues to threaten organizations relying on outdated security protocols.
As the cybersecurity landscape evolves, it becomes imperative for tech giants like Microsoft to prioritize robust security measures that protect sensitive information. The consequences of negligence in this domain can be dire, affecting millions and undermining public trust in technology companies.
For further information, you can read more about this issue here.
Image Credit: arstechnica.com
