Saturday 24 August 2013

German GCHQ says Microsoft Windows 8 unsafe for government use after NSA snooping claims

Windows 8.1 apps and services one vision plan
Germany's Federal Office for Information (BSI) security agency, the equivalent of the UK's GCHQ spy agency, has slammed Windows 8's security, following reports that the NSA placed a back door in it to spy on companies.
The claim stemmed from German paper Zeit, which reported receiving a leaked BSI document claiming that Microsoft built a back door into Windows 8 letting it, or the NSA, hijack control of the machine from the end-user. At the time of publishing the BSI had not responded to V3's request for comment on the report.
However, since then the BSI issued a statement claiming to have also discovered errors in Windows 8's coding. The errors reportedly mean that companies could lose control of their systems if they deploy Windows 8 on machines with a Trusted Platform Module (TPM) chip.
"From the perspective of the BSI, the use of Windows 8 in combination with a TPM 2.0 [chip] is accompanied by a loss of control over the operating system and the hardware used. This result for the user, especially for the federal government and critical infrastructure, new risks," read the statement as translated by Google.
The news is troubling, as the TPM is a specialised chip installed in many business PC systems. It is designed to perform hardware authentication and is able to store information like encryption keys, digital certificates and passwords.
The BSI said that errors could be exploited for sabotage purposes. "In particular, on a hardware, which is operated with a TPM 2.0, with Windows 8 due to unintentional errors of hardware - formed or operating system manufacturer, is also the owner of the IT system error conditions that prevent further operation of the system," read the statement.
"This can cause such an extent that in case of error in addition to the operating system and the used hardware is permanently withdrawn from use [...] In addition, the newly established mechanisms can also be used for sabotage of third parties. These risks need to be addressed."
At the time of publishing Microsoft had not responded to V3's request for comment on the BSI's research. If true the claims are troubling, as attacks on critical infrastructure industries are commonly listed as one of the biggest threats facing governments.
Earlier this year Russian security expert Eugene Kaspersky warned that it is only a matter of time before terrorist groups start targeting critical infrastructure industries with advanced malware during a speech at InfoSec London.

No comments:

Post a Comment