Stolen Microsoft key may have opened up a lot more than US govt email inboxes

A stolen Microsoft security key may have allowed Beijing-backed spies to break into a lot more than just Outlook and Exchange Online email accounts. Incredibly as it sounds, and it really does deserve wider coverage, someone somehow obtained one of Microsoft's internal private cryptographic keys used to digitally sign access …

  1. Anonymous Coward
    Anonymous Coward

    Save the politicians!

    This is why it would be an awful, terrible, horrible idea to implement a layer of private group encryption to use in group confidential email and chats.

    Otherwise, how would the CCP be able to monitor whether US govt officials were trading naughty pictures or otherwise harming the public?

    1. Roo
      Windows

      Re: Save the politicians!

      The CCP could just ask that unregistered Chinese agent fella to arrange for the Make America Gag Again crew to leave some dossiers in Trump's ballroom. Oh hang on, that chap is difficult to get hold of right now. Never mind, they could watch a ridiculous waste-of-taxpayer-money Congress hearing to see some dick pics and revenge porn being waved around by a Congresswoman. Or maybe they could sign up to the congresswoman's mailing list to see some dick pics - hell they could even use a hijacked child's account to do it...

      1. Anonymous Coward
        Anonymous Coward

        Re: Save the politicians!

        You forgot the pictures of that same dick with drugs, hookers, and guns. Enough to get you banned from Denny's but not enough to get any jail time in Delaware or D.C.

        1. Roo
          Windows

          Re: Save the politicians!

          None of which excuses or changes the fact that Marge was caught attacking the President of the USA through persecuting a private citizen who happens to be his son. Marge broke the law: flashing her porn collection in a congressional hearing without the permission of the subjects has no legitimate legislative purpose. Persecuting a private citizen with the goal of bringing down the President of the USA isn't deflection, it is a culmination of the GOP's shilling for Adversaries of the US and their own depravity.

          There is a heavy cloud of sexual abuse, nepotism, grifting, blackmail, porn, drugs, illegally doxxing immigrant children (by aides of a guy who turned a blind eye to sexual abuse for over a decade), trafficking children and asking for pardons hanging over the Gropey Old Perverts party at the moment - they and their supporters + enablers should be cleaning house before pointing the finger. I say this in the hope that they might stop giving the Tory numskulls in Rightpondia ideas, money & speaking engagements.

      2. EricB123 Silver badge

        Re: Save the politicians!

        "Make America Gag Again"

        I only read this far in your post before I upvoted it.

  2. DS999 Silver badge

    Shouldn't such keys only be issued

    On PCs not connected to the internet and kept in a secure location in Microsoft HQ?

    This had to be an inside job, the only question was whether it was done by a Chinese national working there under false pretenses, or a non-Chinese employee who was bribed or blackmailed into doing the deed and probably didn't even know on whose behalf it was being done.

    1. Anonymous Coward
      Anonymous Coward

      Re: Shouldn't such keys only be issued

      Shouldn't such keys only be issued on PCs not connected to the internet and kept in a secure location in Microsoft HQ?

      30+ years of getting away with shoddy code make it clear that the customer's security isn't exactly Microsoft's priority. Unless someone finds a way to connect it to the protection of executive bonuses that isn't going to change either.

      1. Zippy's Sausage Factory

        Re: Shouldn't such keys only be issued

        Easy... make issuing or receiving any monetary bonus, stock award, or dividend from a company that has had a security breach in the last 12 months a felony with a minimum five-year term (along with stock buybacks for the same period). That would concentrate the mind wonderfully, as Samuel Johnson might have put it.

        I mean, that'll never happen, of course, but it's nice to dream.

    2. matjaggard

      Re: Shouldn't such keys only be issued

      Not only should it only be inside Microsoft, it should also be in HSM devices which don't allow exporting the key.

      1. CoolKoon

        Re: Shouldn't such keys only be issued

        HSM?! They don't need no stinkin' HSM! I personally highly doubt that they have one anyway...

        1. Anonymous Coward
          Anonymous Coward

          Re: Shouldn't such keys only be issued

          Er, I think they have many, as it’s one of their standard cloud services - https://azure.microsoft.com/en-us/pricing/details/azure-dedicated-hsm/

          I'd be surprised if the signing key wasn't in one of these, non-exportable. As for being non-internet-connected as per the commenter further up, this isn't possible for online OpenID token signing.

          It's not like HSMs are a vulnerability-free panacea - https://www.zdnet.com/article/major-hsm-vulnerabilities-impact-banks-cloud-providers-governments/ . If the attacker profile is as suspected, they might well have had and been willing to burn an HSM zero-day - this looks like a very significant attack. Or they might have compromised the management processes in some way.

          1. CoolKoon

            Re: Shouldn't such keys only be issued

            An HSM zero-day? That's so unlikely that I'm more inclined to believe that M$ just didn't use an HSM for their internal processes and that this was an insider job. It's a LOT more likely than the possibility that they've cracked an actual HSM.

    3. Strahd Ivarius Silver badge
      Devil

      Re: Shouldn't such keys only be issued

      They were securely stored in a public GitLab instance hosted on AWS.

      Nobody in his right mind would have expected it...

    4. dajames

      Re: Shouldn't such keys only be issued

      On PCs not connected to the internet and kept in a secure location in Microsoft HQ?

      Those who've heard of security generate their top-level keys (the keys used to sign other keys) inside dedicated tamper-proof hardware security modules. The keys can then be used inside the said modules but not exported in any way (except perhaps in an encrypted backup).

      ... but this is Microsoft we're talking about here ...

  3. mark l 2 Silver badge

    I guess it's another demonstration that the cloud is really someone else's computer and that Microsoft or any of the other cloud providers have the ability to access all of their customers' data with these internal cryptography keys. So unless your data has been encrypted with your own personal key before it's uploaded then you have to consider it's not 100% safe from prying eyes while on Azure, AWS etc.

    1. Terry 6 Silver badge

      In my fantasy idea of secret services, embassies and such like stuff I always assumed that the secret or sensitive government information was encrypted at source.

      Is that not the case? Are they relying on the third party commercial organisations to keep their data safe?

      1. Paul Crawford Silver badge

        - Do it properly.

        - Do it cheap.

        Guess which one is chosen most times?

        1. Anonymous Coward
          Anonymous Coward

          You missed the usual option:

          Give the job to the guy who flies me on private jets, no matter the cost.

      2. trindflo Silver badge

        encrypted at source

        Interesting question. I don't know the answer, but I'll say a couple of things I do know about:

        Most security is implemented as a hardened shell around tender innards. Hardening everything down to individual programs is not practical; if you noticed your machine slowing down because of Spectre mitigation, imagine that effect magnified a lot. So security exists around firewalls and VPNs, and once an attacker gets inside a business they are largely free to do what they want.

        What you are describing is encryption at rest or restful encryption. It is strongly recommended for some sorts of data. Much commercial use of encryption is only while data is "on the fly" - being used for e-commerce for instance. Once the data has arrived at the business, anything having your personal information should be encrypted before it is stored. How well? I'm not sure any hard and fast rules exist, which means it is a matter for courts to decide if a business has been unreasonably careless.

        Thus, a business is left to decide how to gamble their resources and risks to maximize their profit and minimize their risk for somebody's guess as to what the risk is. Most businesses can work out their profit and loss a lot better than their risks.

        Granted we're talking about TLAs and not businesses; the TLAs should know better... I claim the TLAs have some of the same issues, so they don't always act like they know better.

      3. djnapkin

        Where I worked, the Java crew looked to add Navajo Systems technology to encrypt their data while at rest in the DB and seamlessly encrypt / decrypt it en route between the DB and the application.

        The concept was great - but the obstacles weren't able to be overcome, whatever they were, and it did not go ahead.

        1. Anonymous Coward
          Anonymous Coward

          The only problem is keys have to be stored somewhere and data will be in the clear somewhere.

          So added complication just to kick the vulnerable point down the road a little way.

    2. CoolKoon

      "So unless your data has been encrypted with your own personal key before it's uploaded then you have to consider it's not 100% safe from prying eyes while on Azure, AWS etc." - People should've assumed this from the very first moment they started uploading their business data into the cloud.

      1. donk1

        Given that

        a) Without client-side encryption Microsoft can see all of your code, or if just the database is in Azure then the whole database schema, data and how your application accesses the database, and can therefore determine cases where your app will not scale.

        b) https://en.wikipedia.org/wiki/Stac_Electronics

        - "examined Stac's code as part of the due diligence process."

        - " sued Microsoft for infringement of two of its data compression patents...awarded Stac $120 million in compensatory damages"

        What stops Microsoft examining your code/database access and writing a competing app, then producing benchmarks showing your app is slower and does not scale?

        Asked that of a developer once and got the reply "I do not care, by the time that happens I will have made my money and moved on" and that their management are the same.

        I wonder if the owners of their employer knew about this and considered the threat to their business or even cared?

    3. Anonymous Coward
      Anonymous Coward

      "So unless your data has been encrypted with your own personal key before it's uploaded then you have to consider it's not 100% safe from prying eyes while on Azure, AWS etc."

      This is true, but if you’re actually of interest to Chinese nation state attackers who have the capability to compromise some of the most critical key signing infrastructure in Azure, your on prem may well have been pwned years ago anyway. It would likely have been a much softer target. It is fair to say that you might have got away with it because you’re simply not important enough on your own to bother with.

  4. sitta_europea Silver badge

    "Incredibly as it sounds..."

    No, it doesn't.

    It isn't incredible that a key gets compromised. It's inevitable.

    But no matter how much I keep on banging this drum, mostly I'm ignored.

    Mr. Crawford is exactly right in his analysis.

    1. abetancort

      Learn from Apple. End to end encryption and the unique key on the customer devices.

    2. John Brown (no body) Silver badge

      "It isn't incredible that a key gets compromised. It's inevitable.

      But no matter how much I keep on banging this drum, mostly I'm ignored."

      Current governments, especially the UK, are still trying to convince the world that E2E encryption is bad for stopping child abuse/child porn and so must only be enabled if they can see and monitor the data contents without compromising the security, just because they say it's possible.

      1. Mishak Silver badge

        Yep

        I'll be pointing this case out to my MP.

        Not that I expect any results, as, when I complained about the proposed legislation and the damage it would cause, he just referred my concerns to the department responsible for it.

  5. BOFH in Training

    List of orgs

    Am still trying to find a list of orgs which may have their emails or other stuff leaked due to this.

  6. bazza Silver badge

    RSA

    Didn't they lose some keys, some years ago?

    How hard is it for these companies to keep really important stuff offline, under physical lock and key? Coz that's probably what they should be doing...

    1. John Brown (no body) Silver badge

      Re: RSA

      Back in the day, we had to have a special, locked and secure room with, at least in our case, only two authorised people allowed to access it. The PC in that room had to be specially locked down, no network access. It was used for generating Windows keys as we were an OEM. All this security was closely monitored by MS and they did surprise inspections pretty much monthly. It was highly secure and we could have been stopped by MS at any time if they decided we weren't adhering to their very strict security protocols.

      Clearly they don't eat their own dog food.

      1. bazza Silver badge

        Re: RSA

        >Clearly they don't eat their own dog food.

        Nor were RSA...

        >All this security was closely monitored by MS and they did surprise inspections pretty much monthly.

        Nobody expects the Seattle Inquisition. Our chief weapon is surprise...surprise and fear...fear and surprise.... Our two weapons are fear and surprise...and ruthless efficiency.... Our *three* weapons are fear, and surprise, and ruthless efficiency...and an almost fanatical devotion to Steve Ballmer.... Our *four*...no... *Amongst* our weapons.... Amongst our weaponry...are such elements as fear, surprise.... I'll come in again.

        1. herman Silver badge

          Re: RSA

          You got me at Steve Ballmer. His dance moves still haunt me.

      2. Anonymous Coward
        Anonymous Coward

        Re: RSA

        Except, of course, most of the above controls aren’t possible in or relevant to an online token signing use case.

        1. bazza Silver badge

          Re: RSA

          No they're not, and that's really the whole point. If you do have it online, the historical precedent is that someone will eventually hack their way in.

          Offline is no guarantee of total security, of course, but it's one humongous barrier to cross and return from. And offline, there are ways of working that can make it extremely difficult to hack. It takes human resources and determination to do it, but what cost are those vs the security of an entire cloud infrastructure?

      3. trindflo Silver badge

        Re: RSA

        "their own dog food"

        When a customer pays them to implement security, they can do it. Whether they would pay those sorts of costs for their own products is a very different story.

  7. cantankerous swineherd
    Joke

    not encrypting the encryption key is just irresponsible.

    1. Jamie Jones Silver badge
      Joke

      ... well I'd encrypt the encrypted encryption key too!

      1. Strahd Ivarius Silver badge
        Devil

        and using non-reversible encryption, to boost security!

        1. Jamie Jones Silver badge

          Topped off with the "combination to my luggage"!

      2. Peter Gathercole Silver badge

        Russian dolls.

        Jokes aside, we now get to the nub of the matter. You can encrypt it at rest... and then you have to store the encryption key somewhere to allow you to use it. And if you use the data in the cloud, then the keys have to be stored somewhere in the cloud as well.

        Client-side encryption can fix this, but you then have to have a means of distributing/generating the client side key, and we're back to the same old problem of signing the new key with something that you can trust on the Internet, which then makes the signing key vulnerable, (and of course, you can't process the data in the cloud!)

        If you have it locked to one device, then sharing data is difficult, which negates many of the perceived benefits of the cloud. And you have to have some form of back-door, because devices can and do fail (and Apple appear to want to replace complete motherboard assemblies including the SSD storage if a device fails in warranty). So where do you secure your device storage in case of failure? Why, the cloud, of course!

        Without some completely inviolate signing method, the cloud can never be completely secure.
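The key-storage problem this post lays out can be made concrete. The following is an added example, not code from any commenter or from Microsoft: a client-side envelope scheme in which each object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that only the client holds, and the provider stores nothing but ciphertext plus the wrapped DEK. It also shows the rotation case: swapping the KEK means rewrapping the small DEK, not re-encrypting the data. To stay standard-library only, the cipher is a toy HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, which is an assumption made for illustration and stands in for AES-GCM or ChaCha20-Poly1305 in real use.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 run in counter mode (stand-in for AES-GCM)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; any tampering or wrong key is rejected."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ciphertext)


def client_encrypt_for_upload(kek: bytes, plaintext: bytes) -> dict:
    """Client side: fresh DEK per object, wrapped under the client-held KEK.

    The returned record is everything the provider ever sees; the KEK never leaves the client.
    """
    dek = os.urandom(32)
    return {"wrapped_dek": seal(kek, dek), "blob": seal(dek, plaintext)}


def client_decrypt_download(kek: bytes, record: dict) -> bytes:
    """Client side: unwrap the DEK with the KEK, then open the object."""
    dek = unseal(kek, record["wrapped_dek"])
    return unseal(dek, record["blob"])


def rewrap_dek(old_kek: bytes, new_kek: bytes, record: dict) -> dict:
    """KEK rotation touches only the wrapped DEK; the stored ciphertext is untouched."""
    dek = unseal(old_kek, record["wrapped_dek"])
    return {"wrapped_dek": seal(new_kek, dek), "blob": record["blob"]}


if __name__ == "__main__":
    # Constructed sample: a KEK that in practice would live on the client device or an on-prem HSM.
    kek = os.urandom(32)
    record = client_encrypt_for_upload(kek, b"constructed sensitive cable text")
    print(client_decrypt_download(kek, record))
```

The record the provider holds decrypts only with a KEK it never receives, which is the "client-side encryption" branch of the post; the price is exactly what the post names next: sharing, backup and in-cloud processing all need the KEK somewhere, and the scheme above does nothing to solve that.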

  8. ecofeco Silver badge
    Facepalm

    How will Azure come back?

    Come back from what? Everyone affected will just carry on as if nothing happened and keep using it and nothing will be learned except to make more busy work for system admins.

    1. Strahd Ivarius Silver badge
      Coat

      Re: How will Azure come back?

      Azure? what is Azure?

      It doesn't exist anymore, it is MS Entra now!

      And changing the name has absolutely nothing to do with the issue here.

      exeunt omnes

      1. 43300 Silver badge

        Re: How will Azure come back?

        No, no, no - Entrails is just what was Azure AD, not to be confused with Azure, Azure Stack HCI or any of the other blue-sky cloudiness out there...

  9. FirstTangoInParis Silver badge

    So what are small biz admins supposed to do?

    This is all very well, but when I can’t even work out how to enroll devices to roll out policies, how am I supposed to do “refreshing those silos at least once a day.”?

    1. Strahd Ivarius Silver badge
      Linux

      Re: So what are small biz admins supposed to do?

      Go to Linux and drop the cloud

  10. Pascal Monett Silver badge
    Mushroom

    "It's still unclear how the spies obtained the private encryption key in the first place"

    And that is the crux of this whole affair.

    Of course keys can be compromised, that is not the question. But if the compromise is waltzing in through the door, scooping up the key without triggering any alarm and waltzing back out again without trouble, then there's somebody who should spend a few very uncomfortable hours in an interrogation cell.

    Borkzilla has made a major blunder here. I expect full forensics on a very complete investigation, otherwise it seems clear to me that Borkzilla's reliability will be called into question.

    Which is kind of like putting yet another red mark on a blood-soaked sheet.

    1. Anonymous Coward
      Anonymous Coward

      Re: "It's still unclear how the spies obtained the private encryption key in the first place"

      You know that they will resist an investigation as much as possible. They're probably purging log files and shredding paper trails already.

  11. Rgen

    I wonder if they will change laws where they can sue software companies for security breaches.

    Just imagine if software companies were automotive companies. Imagine the recalls every month.

  12. Mike VandeVelde
    Trollface

    "but not until September"

    "agreed to provide all customers with free access to cloud security logs – a service usually reserved for premium clients – but not until September"

    They need time to scrub out all the "friendly" snoops first.

  13. razorfishsl

    And guess what.... Microsoft will slime its way out of this with ZERO liability.

    When will this be stopped with legal requirements that prevent such companies from setting up shite services, then using users as testing agents.

    A single company just totally destroyed a country's security & privacy...

    WTF does it rely on a single key to access the whole of the system.

  14. This post has been deleted by its author

  15. Anonymous Anti-ANC South African Coward Silver badge
    FAIL

    Going to be more fun if the US Army, Navy and Air Force put all their secret stuff "in the cloud".... (if they haven't done so already).

    The current security infrastructure cannot be changed or overhauled without breaking a lot of things.

    Batten down the hatches boys, a big storm is coming.

    1. Clausewitz4.0 Bronze badge
      Black Helicopters

      "Going to be more fun if the US Army, Navy and Air Force put all their secret stuff "in the cloud".... (if they haven't done so already)."

      Actually, it is exactly what the USA armed forces are doing. With AWS and Microsoft. Hacking it is a balanced exercise of intelligence, bravery and stupidity, since their job is to kill people.

  16. Tron Silver badge

    Here's a theory.

    Beijing spooks hacked the NSA and borrowed the master key they use for snooping on everyone.

    1. Clausewitz4.0 Bronze badge
      Black Helicopters

      Re: Here's a theory.

      "Beijing spooks hacked the NSA and borrowed the master key they use for snooping on everyone."

      Possible. There are precedents.

  17. Anonymous Coward
    Boffin

    Microsoft compromised universal MSA skeletal key

    Explain like I'm five why such a universal MSA skeletal key was made in such a place. Surely strict compartmentalization should be enforced in security. For instance, if I steal my neighbor's key, it should not give me access to the whole block.
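The compartmentalization this post asks for, and the online OpenID token signing an earlier commenter notes cannot be taken offline, meet in the token verifier. The following is an added example and not code from the article, any commenter or Microsoft: a verifier that looks up the token's key id only in the key set of the issuer the relying party expects, beside the weaker variant that consults one flat key map. Real OpenID Connect tokens carry RSA or ECDSA signatures and the key sets come from each issuer's JWKS endpoint; to stay standard-library only, signatures here are HMAC-SHA256 over the same header.payload input and the key sets are constructed in-line, both of which are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token the verifier refuses."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key sets (assumption): each issuer publishes only its own keys,
# the way an OpenID provider does through its JWKS document.
KEY_SETS = {
    "https://consumer.example/": {"consumer-key-1": b"constructed-consumer-secret"},
    "https://corp.example/": {"corp-key-1": b"constructed-corp-secret"},
}

# A flat lookup that has forgotten which issuer each key belongs to.
FLAT_KEYS = {kid: key for keys in KEY_SETS.values() for kid, key in keys.items()}


def encode_token(key: bytes, kid: str, payload: dict) -> str:
    """Build header.payload.signature; HMAC stands in for an asymmetric signature."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        raise TokenError("unexpected alg")
    return parts, header, payload


def _check_signature(key: bytes, parts) -> None:
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise TokenError("bad signature")


def _check_claims(payload: dict, issuer: str, audience: str, now: float) -> None:
    if payload.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    if payload.get("aud") != audience:
        raise TokenError("audience mismatch")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("expired")


def verify_naive(token: str, issuer: str, audience: str, now=None) -> dict:
    """Weak verifier: any key it has ever trusted may sign a token for any issuer."""
    now = time.time() if now is None else now
    parts, header, payload = _split(token)
    key = FLAT_KEYS.get(header.get("kid"))
    if key is None:
        raise TokenError("unknown kid")
    _check_signature(key, parts)
    _check_claims(payload, issuer, audience, now)
    return payload


def verify_scoped(token: str, issuer: str, audience: str, now=None) -> dict:
    """Hardened verifier: the kid must be one of the expected issuer's own keys."""
    now = time.time() if now is None else now
    parts, header, payload = _split(token)
    key = KEY_SETS.get(issuer, {}).get(header.get("kid"))
    if key is None:
        raise TokenError("kid is not one of this issuer's keys")
    _check_signature(key, parts)
    _check_claims(payload, issuer, audience, now)
    return payload


if __name__ == "__main__":
    corp = "https://corp.example/"
    token = encode_token(KEY_SETS[corp]["corp-key-1"], "corp-key-1",
                         {"iss": corp, "aud": "mail", "sub": "alice", "exp": time.time() + 600})
    print(verify_scoped(token, corp, "mail")["sub"])
```

The difference between the two verifiers is one dictionary lookup: `verify_naive` accepts a token for the corporate issuer as long as some trusted key signed it, so the consumer realm's key is a skeleton key for every realm; `verify_scoped` accepts only keys the expected issuer actually publishes, so a stolen key stays confined to the issuer that owns it, which is the block-of-houses boundary the post is asking about.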
