Private Keys leaked, Xbox Live vulnerable

On Wednesday, Microsoft announced that private keys for Xbox Live had been leaked, leaving the subscription service open to a potential hack.

Microsoft did not go into detail as to how the private keys were released, or who might be at fault, but they did note that they had no reason to believe that any attacks had been launched thus far.  They also released a security advisory.

According to the advisory, the leaked private keys could give hackers the opportunity to launch man-in-the-middle attacks.  They cannot be used to issue new certificates, impersonate other domains, or sign any code.

A man-in-the-middle attack is when an attacker reroutes communication between users without their knowledge. The users unknowingly send traffic to and receive traffic from the attacker instead of the intended recipient. An attacker could impersonate one or both of them.

“To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate,” Microsoft said in the advisory.

Microsoft suggests that everyone apply the update for supported releases of Microsoft Windows, and reminds customers to keep all Microsoft software updated.  They also suggest enabling a firewall and installing antivirus software.
