Why private needs to mean private

Public/private key cryptography is one of the most powerful tools for building strong cyber security – it is the security that the internet runs on. So when Microsoft reported a breach of a number of high-profile Exchange Online mailboxes, no one expected that the cause would be a breach of Microsoft’s most precious secrets.

Microsoft alleges China behind attack on Exchange Online • The Register

Following investigations, it appears that the Chinese gang got hold of a Microsoft internal private cryptographic key. These keys are used to digitally sign the cryptographic tokens for Microsoft online services, so access to one means the threat actor can craft their own “authorised tokens” for any account they choose to access.

But the trouble goes deeper than just accessing mailboxes – these malicious tokens can give access to far more:

Stolen Microsoft key may have opened up more than inboxes • The Register

However, at the moment Microsoft are denying these claims.

The stolen key has been revoked and Microsoft has published the indicators of compromise for customers to check if they have been compromised.
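Why one private key matters so much, and what revoking it does, shown as an added illustration (not from the original article and not Microsoft's code). The token layout, the key ID `key-2023-a` and the claims are constructed for the example; the verifier accepts whatever claims were signed with a trusted key and rejects the same token once that key is removed from the trusted set.

```javascript
// Added illustration: constructed keys, key ID and claims; not a real service's token format.
const crypto = require("node:crypto");

const b64u = (s) => Buffer.from(s).toString("base64url");

// Issuer side: sign "header.payload" with the private key that belongs to key ID `kid`.
function issueToken(privateKey, kid, claims) {
  const input = b64u(JSON.stringify({ alg: "RS256", kid })) + "." + b64u(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(input), privateKey);
  return input + "." + sig.toString("base64url");
}

// Verifier side: trustedKeys maps key ID -> public key. Revoking a key means deleting its entry.
function verifyToken(token, trustedKeys) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (header.alg !== "RS256") return { ok: false, reason: "unexpected alg" };
  const publicKey = trustedKeys.get(header.kid);
  if (!publicKey) return { ok: false, reason: "unknown or revoked key" };
  const valid = crypto.verify("sha256", Buffer.from(parts[0] + "." + parts[1]),
    publicKey, Buffer.from(parts[2], "base64url"));
  // The verifier cannot tell WHO held the private key, only that the signature matches.
  return valid ? { ok: true, claims } : { ok: false, reason: "bad signature" };
}

function demo() {
  const signer = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const other = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const trusted = new Map([["key-2023-a", signer.publicKey]]);
  const claims = { sub: "user@example.com" };
  const token = issueToken(signer.privateKey, "key-2023-a", claims);
  const before = verifyToken(token, trusted);           // accepted: signed by trusted key
  const wrongKey = verifyToken(issueToken(other.privateKey, "key-2023-a", claims), trusted);
  trusted.delete("key-2023-a");                         // revocation of the key
  const after = verifyToken(token, trusted);            // same token is now rejected
  return { before, wrongKey, after };
}

console.log(demo());
```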

From September, Microsoft will be making the cloud security logs available to all customers. Until now this was something you had to pay for, or it was included in the top-level Azure licenses. To enable better transparency, Microsoft was persuaded to make them accessible to everyone.

How Microsoft is expanding cloud logging to give customers deeper security visibility | Microsoft Security Blog

But as of yet no one has said how the key was stolen in the first place.

Your takeaway from this

You probably do not have information that could compromise the world’s cyber security. However, the information you do hold is important to you, so treat it as such and look after it.

Clive Catton MSc (Cyber Security) – by-line and other articles
