From Newsgroup: comp.os.linux.advocacy
Would you believe, Microsoft is still using an ancient, obsolete and
dreadfully insecure encryption algorithm in Active Directory
<https://arstechnica.com/security/2025/09/senator-blasts-microsoft-for-making-default-windows-vulnerable-to-kerberoasting/>:
> In a letter to FTC Chairman Andrew Ferguson, Sen. Ron Wyden
> (D–Ore.) said an investigation his office conducted into the 2024
> ransomware breach of the health care giant Ascension found that
> the default use of the RC4 encryption cipher was a direct cause.
> The breach led to the theft of medical records of 5.6 million
> patients.
RC4 is used by default, if admins don’t select anything better. And it appears most of them don’t.
> In a blog post published Wednesday, cryptography expert Matt Green
> of Johns Hopkins University said continued support of Kerberos and
> RC4—combined with a common misconfiguration that gives non-admin
> users access to privileged Active Directory functions—opens the
> networks to “kerberoasting,” a form of attack that uses offline
> password-cracking attacks against Kerberos-protected accounts that
> haven’t been configured to use stronger forms of encryption.
> Kerberoasting has been a known attack technique since 2014.
Microsoft keeps dragging its feet over the issue:
> More than 11 months after announcing its plans to deprecate
> RC4/Kerberos, the company has provided no timeline for doing so.
> What’s more, Wyden said, the announcement was made in a “highly
> technical blog post on an obscure area of the company’s website on
> a Friday afternoon.”
Would you believe ...
> In an emailed statement, Microsoft said it has already deprecated
> the use of DES, another encryption scheme with known
> vulnerabilities.
Well, whoop-de-fuckin-doo ...
--- Synchronet 3.21a-Linux NewsLink 1.2
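Added defender-side example, not from the post above nor from the Ars Technica article it quotes. It shows the two checks an AD admin would want after reading it: decoding the msDS-SupportedEncryptionTypes attribute to see which service accounts still permit RC4 (an unset or zero value falls back to RC4, which is the "default" the article complains about), and scanning Security event 4769 records for service tickets issued with RC4 (ticket encryption type 0x17), the usual kerberoasting indicator. The event records and account attribute values are constructed samples; the tab-separated "Field: value" layout is an assumed export format, not a Windows log format.

```python
"""Audit helpers for the RC4/Kerberos issue: attribute decoding and 4769 triage."""
from dataclasses import dataclass

# Bits of the msDS-SupportedEncryptionTypes attribute on an AD account.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1 = 0x08
AES256_CTS_HMAC_SHA1 = 0x10
WEAK_ETYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
AES_ETYPES = AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1

# "Ticket Encryption Type" values in Security event 4769 that mean RC4.
RC4_TICKET_ETYPES = {"0x17", "0x18"}  # RC4-HMAC, RC4-HMAC-EXP


def rc4_permitted(supported_enc_types):
    """True if the account may still be issued RC4 service tickets.

    A missing or zero attribute counts as 'RC4 allowed': the KDC falls
    back to RC4 for such accounts, which is the default the article is about.
    """
    if not supported_enc_types:
        return True
    return bool(supported_enc_types & RC4_HMAC)


def aes_only(supported_enc_types):
    """True only when an AES bit is set and no DES or RC4 bit is."""
    if not supported_enc_types:
        return False
    return bool(supported_enc_types & AES_ETYPES) and not (supported_enc_types & WEAK_ETYPES)


def accounts_still_allowing_rc4(enc_types_by_account):
    """Names of accounts whose attribute (or lack of one) still permits RC4."""
    return sorted(acct for acct, val in enc_types_by_account.items() if rc4_permitted(val))


@dataclass
class TgsRequest:
    account: str   # requesting user
    service: str   # service account (SPN owner) the ticket was issued for
    etype: str     # ticket encryption type, lowercase hex string
    client: str    # client address


def parse_4769(line):
    """Parse one flattened 4769 record (tab-separated 'Field: value' pairs).

    Returns None for records that are not event 4769.
    """
    fields = {}
    for part in line.split("\t"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("EventID") != "4769":
        return None
    return TgsRequest(
        account=fields.get("Account Name", ""),
        service=fields.get("Service Name", ""),
        etype=fields.get("Ticket Encryption Type", "").lower(),
        client=fields.get("Client Address", ""),
    )


def find_rc4_service_tickets(lines, bulk_threshold=3):
    """Group RC4-encrypted service-ticket requests by requesting account.

    Computer accounts (service names ending in '$') and krbtgt are skipped:
    they carry machine-generated keys and are not the weak-password targets
    an offline cracking attempt goes after. Result: {account: {"services":
    [...], "bulk": bool}}, where "bulk" marks one account pulling RC4
    tickets for several distinct services, the pattern worth paging on.
    """
    per_account = {}
    for line in lines:
        req = parse_4769(line)
        if req is None or req.etype not in RC4_TICKET_ETYPES:
            continue
        if req.service.endswith("$") or req.service.lower() == "krbtgt":
            continue
        per_account.setdefault(req.account, set()).add(req.service)
    return {
        acct: {"services": sorted(svcs), "bulk": len(svcs) >= bulk_threshold}
        for acct, svcs in per_account.items()
    }


# Constructed sample data (not real directory or log content).
SAMPLE_ENC_TYPES = {"svc_sql": 0x18, "svc_web": None, "svc_backup": 0x1C, "svc_print": 0}
SAMPLE_EVENTS = [
    "EventID: 4769\tAccount Name: jdoe@CORP.EXAMPLE\tService Name: svc_sql\tTicket Encryption Type: 0x12\tClient Address: ::ffff:10.0.0.5",
    "EventID: 4769\tAccount Name: bsmith@CORP.EXAMPLE\tService Name: svc_sql\tTicket Encryption Type: 0x17\tClient Address: ::ffff:10.0.0.9",
    "EventID: 4769\tAccount Name: bsmith@CORP.EXAMPLE\tService Name: svc_web\tTicket Encryption Type: 0x17\tClient Address: ::ffff:10.0.0.9",
    "EventID: 4769\tAccount Name: bsmith@CORP.EXAMPLE\tService Name: svc_backup\tTicket Encryption Type: 0x17\tClient Address: ::ffff:10.0.0.9",
    "EventID: 4769\tAccount Name: bsmith@CORP.EXAMPLE\tService Name: WS01$\tTicket Encryption Type: 0x17\tClient Address: ::ffff:10.0.0.9",
    "EventID: 4769\tAccount Name: alice@CORP.EXAMPLE\tService Name: svc_print\tTicket Encryption Type: 0x17\tClient Address: ::ffff:10.0.0.7",
    "EventID: 4768\tAccount Name: alice@CORP.EXAMPLE\tService Name: krbtgt\tTicket Encryption Type: 0x12\tClient Address: ::ffff:10.0.0.7",
]

if __name__ == "__main__":
    print("accounts still allowing RC4:", accounts_still_allowing_rc4(SAMPLE_ENC_TYPES))
    for acct, info in find_rc4_service_tickets(SAMPLE_EVENTS).items():
        print(acct, info)
```

On a real domain the attribute values come from the directory (for example `Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties msDS-SupportedEncryptionTypes` in the ActiveDirectory PowerShell module) and the 4769 records from the domain controllers' Security logs; only the flattening into "Field: value" lines is assumed here. The remediation the checks point at is setting AES-only on every service account flagged by `accounts_still_allowing_rc4` (and rotating its password so an AES key exists), after which the 4769 scan should show no RC4 tickets for those accounts.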