Feeds

Windows Phones BLAB passwords to hackers, thanks to weak crypto

Rogue Wi-Fi hotspots can hoover up and CRACK encrypted login info

Choosing a cloud hosting partner with confidence

Microsoft has warned IT departments to batten down their Wi-Fi networks following the discovery of a security vulnerability in Windows Phones that leaks users' passwords.

Miscreants who set up rogue hotspots can grab from devices employees' encrypted domain credentials, needed to authenticate with corporate systems and access network resources. But the algorithm encrypting this sensitive data is cryptographically weak, allowing hackers to recover the login details and use them to masquerade as staffers.

“The attacker could take any action that the user could take on that network resource,” Microsoft warned.

The software giant has urged IT bosses to distribute a special root certificate for Windows Phone 8 and 7.8 devices accessing their networks; that certificate allows the handsets to confirm that any corporate wireless access points they’re connecting to are genuine before sending over the sensitive data.

Microsoft won’t issue a security update to fix the vulnerability, though, it said.

The certificate advisory follows the disclosure of a flaw in the Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol (version 2) used in Windows Phones for WPA2 authentication.

Explaining how Windows 8 phones can be immunised against the vuln, the software giant said the devices “can be configured to validate a network access point to help make sure the network is your company’s network before starting an authentication process. This can be done by validating a certificate that's on your company’s server. Only after validating the certificate is username and password information sent to the authentication server, so the phone can connect to the Wi-Fi network.”

Instructions on how to distribute the certificate, and why it's important, are here. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
State Dept shuts off unclassified email after hack. Classified mail? That's CLASSIFIED
Classified systems 'not affected' - but, is this reconnaissance?
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.