“There is one company benefiting from this status quo: Microsoft itself.”
US senator Ron Wyden has written a letter to the FTC requesting that the organisation investigate Microsoft for what he calls “gross cybersecurity negligence.” His complaint is primarily related to a form of encryption still supported by the company’s Windows operating system, which the senator’s office believes is vulnerable to ransomware attacks.
In the letter [PDF warning], Senator Wyden reveals that an investigation his office conducted into a ransomware breach of healthcare provider Ascension last year found that support of the RC4 encryption cipher was a direct contributor to the attack (via Ars Technica).
“Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection,” said Wyden.
“Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software.”
RC4, or Rivest Cipher 4, was developed in 1987 by mathematician and cryptographer Ron Rivest, and was considered a protected method of encryption until 1994, when it was compromised as a result of a leaked technical description. Despite this, RC4 was widely used in common encryption protocols until around a decade ago, and is still used by Microsoft to secure Active Directory, a Windows component used by system administrators to configure user accounts.