Former employees say Microsoft did not inform victims about email hack

Started by rmstock, January 05, 2016, 02:24:31 PM


rmstock


Former employees say Microsoft did not inform victims about email hack
By Justine Brown | January 4, 2016
http://www.ciodive.com/news/former-employees-say-microsoft-did-not-inform-victims-about-email-hack/411432/
  "Dive Brief:
     * Chinese authorities reportedly hacked into more than a thousand
   Hotmail email accounts several years ago, but Microsoft decided against
   informing the victims, former employees of the company said.
     * The hackers targeted international leaders of China's Tibetan and
   Uighur minorities. After Microsoft conducted an investigation it
   discovered interception had begun in July 2009 and had compromised the
   emails of Chinese leaders in multiple countries. Former Microsoft 
   employees said diplomats from Japan and Africa, human rights lawyers
   and others in key roles inside China were also compromised.
     * Microsoft says it will now change its policy and inform email
   customers when it suspects there has been a government hacking attempt.
   
   Dive Insight:
   
   The first public signal of the attacks came in May 2011. Former
   Microsoft employees say the company allowed the hackers to continue
   their campaign and did not tell Hotmail users their email had been
   compromised. Instead, it forced users to pick new passwords and quietly
   patched the vulnerability. Trend Micro eventually found more than a
   thousand victims.
   
   In announcing its new policy of disclosing such attacks, Microsoft
   said: "As the threat landscape has evolved our approach has too, and
   we'll now go beyond notification and guidance to specify if we
   reasonably believe the attacker is `state-sponsored.'"
   
   Google began issuing warnings about state-sponsored hacking in 2012.
   Yahoo and Facebook have also been issuing these types of warnings for
   several years.

   Recommended Reading
   
   Reuters: Microsoft failed to warn victims of Chinese email hack: former
   employees







Thu Dec 31, 2015 9:38pm EST
Microsoft failed to warn victims of Chinese email hack: former employees
SAN FRANCISCO | By Joseph Menn
http://www.reuters.com/article/us-microsoft-china-insight-idUSKBN0UE01Z20160101

  "Microsoft Corp (MSFT.O) experts concluded several years ago that
   Chinese authorities had hacked into more than a thousand Hotmail email
   accounts, targeting international leaders of China's Tibetan and Uighur
   minorities in particular – but it decided not to tell the victims,
   allowing the hackers to continue their campaign, according to former
   employees of the company.
   
   On Wednesday, after a series of requests for comment from Reuters,
   Microsoft said it would change its policy and in future tell its email
   customers when it suspects there has been a government hacking attempt.
   Microsoft spokesman Frank Shaw said the company was never certain of
   the origin of the Hotmail attacks.
   
   The company also confirmed for the first time that it had not called,
   emailed or otherwise told the Hotmail users that their electronic
   correspondence had been collected. The company declined to say what
   role the exposure of the Hotmail campaign played in its decision to
   make the policy shift.
   
   The first public signal of the attacks came in May 2011, though no
   direct link was immediately made with the Chinese authorities. That's
   when security firm Trend Micro Inc (4704.T) announced it had found an
   email sent to someone in Taiwan that contained a miniature computer
   program.
   
   The program took advantage of a previously undetected flaw in
   Microsoft's own web pages to direct Hotmail and other free Microsoft
   email services to secretly forward copies of all of a recipient's
   incoming mail to an account controlled by the attacker.
   
   Trend Micro found more than a thousand victims, and Microsoft patched
   the vulnerability before the security company announced its findings
   publicly.
   
   Microsoft also launched its own investigation that year, finding that
   some interception had begun in July 2009 and had compromised the emails
   of top Uighur and Tibetan leaders in multiple countries, as well as
   Japanese and African diplomats, human rights lawyers and others in
   sensitive positions inside China, two former Microsoft employees said.
   They spoke separately and on the condition that they not be identified.
   
   Some of the attacks had come from a Chinese network known as AS4808,
   which has been associated with major spying campaigns, including a 2011
   attack on EMC Corp's security division RSA that U.S. intelligence
   officials publicly attributed to China.
   
   Microsoft officials did not dispute that most of the attacks came from
   China, but said some came from elsewhere. They did not give further
   detail.
   
   "We weighed several factors in responding to this incident, including
   the fact that neither Microsoft nor the U.S. government were able to
   identify the source of the attacks, which did not come from any single
   country," the company said. "We also considered the potential impact on
   any subsequent investigation and ongoing measures we were taking to
   prevent potential future attacks."
   
   In announcing the new policy, Microsoft said: "As the threat landscape
   has evolved our approach has too, and we'll now go beyond notification
   and guidance to specify if we reasonably believe the attacker is
   `state-sponsored.'"
   
   The Chinese government "is a resolute defender of cyber security and
   strongly opposes any forms of cyber attacks", Chinese Foreign Ministry
   spokesman Lu Kang said, adding that it punishes any offenders in
   accordance with the law.
   
   "I must say that if the relevant party has some real and conclusive
   evidence, then it can carry out mutually beneficial cooperation with
   China in a constructive way in accordance with the existing channels,"
   Lu said at a daily news briefing.
   
   "But if there's the frequent spreading of unfounded rumors, it will, in
   fact, be of no benefit to solving the problem, enhancing mutual trust
   and promoting cyber security."
   
   The Cyberspace Administration of China did not respond to a request for
   comment.
   
   INTERNAL DEBATE
   
   After a vigorous internal debate in 2011 that reached Microsoft's top
   security official, Scott Charney, and its then-general counsel and now
   president, Brad Smith, the company decided not to alert the users
   clearly that anything was amiss, the former employees said. Instead, it
   simply forced users to pick new passwords without disclosing the reason.
   
   The employees said it was likely the hackers by then had footholds in
   some of the victims' machines and therefore saw those new passwords
   being entered.
   
   One of the reasons Microsoft executives gave internally in 2011 for not
   issuing explicit warnings was their fear of angering the Chinese
   government, two people familiar with the discussions said.
   
   Microsoft's statement did not address the specific positions advocated
   by Smith and Charney. A person familiar with the executives' thinking
   said that fear of Chinese reprisals did play a role given the company's
   concerns about the potential impact on customers.
   
   Microsoft said the company had believed the password resets would be
   the fastest way to restore security to the accounts.
   
   "Our primary concern was ensuring that our customers quickly took
   practical steps to secure their accounts, including by forcing a
   password reset," the statement said.
   
   It is unclear what happened to the email users and their correspondents
   as a result of Microsoft's failure to alert them to the suspected
   government hacking. But some of those affected said they were now
   deeply worried about the risks, especially for those inside China.
   
   "The Internet service providers and the email providers have an ethical
   and a moral responsibility to let the users know that they are being
   hacked," said Seyit Tumturk, vice president of the World Uyghur
   Congress, whose account was among those compromised. "We are talking in
   people's lives here."
   
   HUNDREDS OF LIVES
   
   Unrest in Xinjiang, the Chinese region bordering Kazakhstan that is
   home to many Uighurs, has cost hundreds of lives in recent years.
   Beijing blames Islamist militants, while human rights groups say harsh
   controls on the religion and culture of the Uighurs have led to the
   violence.
   
   Until Wednesday, Microsoft had rejected the idea of explicit warnings
   about state-sponsored hacking, such as those Google Inc (GOOGL.O) began
   in 2012, the former employees said. In the 2011 case, the company also
   opted not to send a more generic warning about hacking. Yahoo Inc
   (YHOO.O) and Facebook Inc (FB.O) have been issuing such warnings for
   several years, former employees of those companies told Reuters,
   including when the principal suspect was a government.
   
   Both companies, along with Twitter Inc (TWTR.N), announced in recent
   months that they would follow Google's lead and explicitly notify users
   about suspected state-sponsored hacking.
   
   Google said on average it now issues tens of thousands of warnings
   about targeting every few months, and that recipients often move to
   improve their security with two-factor authentication and other steps.
   
   Reuters interviewed five of the Hotmail hacking victims that were
   identified as part of Microsoft's investigation: two Uighur leaders, a
   senior Tibetan figure and two people in the media dealing with matters
   of interest to Chinese officials.
   
   Most recalled the password resets, but none took the procedure as an
   indication that anyone had read his or her email, let alone that it may
   have been accessed by the Chinese government.
   
   "I thought it was normal, everybody gets it," said one of the men, a
   Uighur émigré now living in Europe who asked not to be named because he
   left family behind in China.
   
   Another victim identified by Microsoft's internal team was Tseten Norbu
   of Nepal, a former president of the Tibetan Youth Congress, one of the
   more outspoken members of a community that has frequently clashed with
   Chinese officials. Another Microsoft-identified victim was Tumturk, the
   World Uyghur Congress vice president who lives in Turkey.
   
   Microsoft investigators also saw that emails had been forwarded from
   the account of Peter Hickman, a former American diplomatic officer who
   arranged high-profile speeches by international figures at the National
   Press Club in Washington for many years.
   
   Hickman said he used his Hotmail account on Press Club computers to
   correspond with people, including the staff for the Tibetan government
   in exile, whose leader Lobsang Sangay spoke at the club in 2011;
   Tumturk's World Uyghur Congress, whose then-president Rebiya Kadeer
   spoke in 2009; and the president of Taiwan, who spoke by video link-up
   in 2007.
   
   Hickman said he didn't recall the password reset. He said he never
   suspected anything was wrong with the account, which he continues to
   use.
   
   (Reporting by Joseph Menn; Additional reporting by Humeyra Pamuk in
   Istanbul and Sui-Lee Wee in Beijing; Editing by Jonathan Weber and
   Martin Howell)"

``I hope that the fair, and, I may say certain prospects of success will not induce us to relax.''
-- Lieutenant General George Washington, commander-in-chief to
   Major General Israel Putnam,
   Head-Quarters, Valley Forge, 5 May, 1778

MikeWB

Can't trust MS with anything anymore.




Why is Microsoft monitoring how long you use Windows 10?

The various privacy concerns surrounding Windows 10 have received a lot of coverage in the media, but it seems that there are ever more secrets coming to light. The Threshold 2 Update did nothing to curtail privacy invasion, and the latest Windows 10 installation figures show that Microsoft is also monitoring how long people are using the operating system.

This might seem like a slightly strange statistic for Microsoft to keep track of, but the company knows how long, collectively, Windows 10 has been running on computers around the world. To have reached this figure (11 billion hours in December, apparently) Microsoft must have been logging individuals' usage times. Intrigued, we contacted Microsoft to find out what on earth is going on.

If the company has indeed been checking up on when you are clocking in and out of Windows 10, it's not going to admit it. I asked how Microsoft has been able to determine the 11 billion hours figure. Is this another invasion of privacy, another instance of spying that users should be worried about? "I just wanted to check where this figure came from. Is it a case of asking people and calculating an average, working with data from a representative sample of people, or is it a case of monitoring every Windows 10 installation?"

You'd think that Microsoft -- keen as it is on transparency -- would be quite happy to explain how it came by the information, and why it is being collected in the first place. But no. A Microsoft spokesperson provided BetaNews with the following statement:

    Thank you for your patience as I looked into this for you. Unfortunately my colleagues cannot provide a comment regarding your request. All we have to share is this Windows blog post.

Microsoft's spying is intrusive enough to reveal how long you have been using Windows 10, but the company is not willing to be open about the collection of this data.

Cause for concern, or is this just another example of what we have come to expect from Microsoft?

http://betanews.com/2016/01/04/why-is-microsoft-monitoring-how-long-you-use-windows-10/
1) No link? Select some text from the story, right click and search for it.
2) Link to TiU threads. Bring traffic here.

MikeWB

Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key

Micah Lee

2015-12-28T14:57:30+00:00

ONE OF THE EXCELLENT FEATURES of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key — which can be used to unlock your encrypted disk — to Microsoft's servers, probably without your knowledge and without an option to opt out.

During the "crypto wars" of the '90s, the National Security Agency developed an encryption backdoor technology — endorsed and promoted by the Clinton administration — called the Clipper chip, which it hoped telecom companies would use to sell backdoored crypto phones. Essentially, every phone with a Clipper chip would come with an encryption key, but the government would also get a copy of that key — this is known as key escrow — with the promise to only use it in response to a valid warrant. But due to public outcry and the availability of encryption tools like PGP, which the government didn't control, the Clipper chip program ceased to be relevant by 1996. (Today, most phone calls still aren't encrypted. You can use the free, open source, backdoorless Signal app to make encrypted calls.)

The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts (you can skip to the bottom of this article to learn how) — something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud.

"The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well," says Matthew Green, professor of cryptography at Johns Hopkins University. "There are certainly cases where it's helpful to have a backup of your key or password. In those cases you might opt in to have a company store that information. But handing your keys to a company like Microsoft fundamentally changes the security properties of a disk encryption system."

As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel it to hand over your recovery key, which it could do even if the first thing you do after setting up your computer is delete it.

As Green puts it, "Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees."

Of course, keeping a backup of your recovery key in your Microsoft account is genuinely useful for probably the majority of Windows users, which is why Microsoft designed the encryption scheme, known as "device encryption," this way. If something goes wrong and your encrypted Windows computer breaks, you're going to need this recovery key to gain access to any of your files. Microsoft would rather give their customers crippled disk encryption than risk their data.

"When a device goes into recovery mode, and the user doesn't have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically backup the user recovery key," a Microsoft spokesperson told me. "The recovery key requires physical access to the user device and is not useful without it."

After you finish setting up your Windows computer, you can login to your Microsoft account and delete the recovery key. Is this secure enough? "If Microsoft doesn't keep backups, maybe," says Green. "But it's hard to guarantee that. And for people who aren't aware of the risk, opt-out seems risky."

This policy is in stark contrast to Microsoft's major competitor, Apple. New Macs also ship with built-in and default disk encryption: a technology known as FileVault. Like Microsoft, Apple lets you store a backup of your recovery key in your iCloud account. But in Apple's case, it's an option. When you set up a Mac for the first time, you can uncheck a box if you don't want to send your key to Apple's servers.

This policy is also in contrast to Microsoft's premium disk encryption product called BitLocker, which isn't the same thing as what Microsoft refers to as device encryption. When you turn on BitLocker you're forced to make a backup of your recovery key, but you get three options: Save it in your Microsoft account, save it to a USB stick, or print it.

To fully understand the different disk encryption features that Windows offers, you need to know some Microsoft jargon. Windows comes in different editions: Home (the cheapest), Pro, and Enterprise (more expensive). Windows Home includes device encryption, which started to become available during Windows 8, and requires your computer to have a tamper-resistant chip that stores encryption keys, something all new PCs come with. Pro and Enterprise both include device encryption, and they also include BitLocker, which started to become available during Windows Vista, but only for the premium editions. Under the hood, device encryption and BitLocker are the same thing. The difference is there's only one way to use device encryption, but BitLocker is configurable.

If you're using a recent version of Windows, and your computer has the encryption chip, and if you have a Microsoft account, your disk will automatically get encrypted, and your recovery key will get sent to Microsoft. If you login to Windows using your company's or university's Windows domain, then your recovery key will get sent to a server controlled by your company or university instead of Microsoft — but still, you can't prevent device encryption from sending your recovery key. If you choose to not use a Microsoft or a domain account at all and instead create a "local only" account, then you don't get disk encryption.

BitLocker, on the other hand, gives you more control. When you turn on BitLocker you get the choice to store your recovery key locally, among other options. But if you buy a new Windows device, even if it supports BitLocker, you'll be using device encryption when you first set it up, and you'll automatically send your recovery key to Microsoft.

In short, there is no way to prevent a new Windows device from uploading your recovery key the first time you log in to your Microsoft account, even if you have a Pro or Enterprise edition of Windows. And this is worse than just Microsoft choosing an insecure default option. Windows Home users don't get the choice to not upload their recovery key at all. And while Windows Pro and Enterprise users do get the choice (because they can use BitLocker), they can't exercise that choice until after they've already uploaded their recovery key to Microsoft's servers.

How to delete your recovery key from your Microsoft account

Go to this website and log in to your Microsoft account — this will be the same username and password that you use to log in to your Windows device. Once you're in, it will show you a list of recovery keys backed up to your account.

If any of your Windows devices are listed, this means that Microsoft, or anyone who manages to access data in your Microsoft account, is technically able to unlock your encrypted disk, without your consent, as long as they physically have your computer. You can go ahead and delete your recovery key on this page — but you may want to back it up locally first, for example by writing it down on a piece of paper that you keep somewhere safe.

If you don't see any recovery keys, then you either don't have an encrypted disk, or Microsoft doesn't have a copy of your recovery key. This might be the case if you're using BitLocker and didn't upload your recovery key when you first turned it on.

When you delete your recovery key from your account on this website, Microsoft promises that it gets deleted immediately, and that copies stored on its backup drives get deleted shortly thereafter as well. "The recovery key password is deleted right away from the customer's online profile. As the drives that are used for failover and backup are sync'd up with the latest data the keys are removed," a Microsoft spokesperson assured me.

If you have sensitive data that's stored on your laptop, in some cases it might be safer to completely stop using your old encryption key and generate a new one that you never send to Microsoft. This way you can be entirely sure that the copy that used to be on Microsoft's server hasn't already been compromised.

Generate a new encryption key without giving a copy to Microsoft

Update: After this article was published, Ars Technica wrote about a method for preventing the recovery key you sent to Microsoft from being able to unlock your disk that doesn't require upgrading from Windows Home to Pro or Enterprise. However if you already have a Pro or Enterprise edition, following the rest of the steps in this article might be simpler.

In order to generate a new disk encryption key, this time without giving a copy to Microsoft, you need to decrypt your whole hard disk and then re-encrypt it, but this time in such a way that you'll actually get asked how you want to back up your recovery key.

This is only possible if you have Windows Pro or Enterprise. Unfortunately, the only thing you can do if you have the Home edition is upgrade to a more expensive edition or use non-Microsoft disk encryption software, such as BestCrypt, which you have to pay for. You may also be able to get open source encryption software like VeraCrypt working, but sadly the open source options for full disk encryption in Windows don't currently work well with modern PC hardware (as touched on here).

Go to Start, type "bitlocker," and click "Manage BitLocker" to open BitLocker Drive Encryption settings.

From here, click "Turn off BitLocker." It will warn you that your disk will get decrypted and that it may take some time. Go ahead and continue. You can use your computer while it's decrypting.

After your disk is finished decrypting, you need to turn BitLocker back on. Back in the BitLocker Drive Encryption settings, click "Turn on BitLocker."

It will check to see if your computer supports BitLocker, and then it will ask you how you want to backup your recovery key. It sure would be nice if it asked you this when you first set up your computer.

If you choose to save it to a file, it will make you save it onto a disk that you're not currently encrypting, such as a USB stick. Or you can choose to print it and keep a hard copy. You must choose one of them to continue, but make sure you don't choose "Save to your Microsoft account."

On the next page it will ask you if you want to encrypt used disk space only (faster) or encrypt your entire disk including empty space (slower). If you want to be on the safe side, choose the latter. Then on the next page it will ask you if you wish to run the BitLocker system check, which you should probably do.

Finally, it will make you reboot your computer.

When you boot back up your hard disk will be encrypting in the background. At this point you can check your Microsoft account again to see if Windows uploaded your recovery key – it shouldn't have.

Now just wait for your disk to finish encrypting. Congratulations: Your disk is encrypted and Microsoft no longer has the ability to unlock it.


https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/
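The article's recovery-key steps are GUI clicks; the script below is an added PowerShell example (not from the article, Ars Technica or Microsoft) that lists the key protectors on the OS volume and then rotates the 48-digit recovery password, so the copy that was uploaded to a Microsoft account no longer unlocks the disk. It assumes Windows 10 Pro/Enterprise with the BitLocker module (Get-/Add-/Remove-BitLockerKeyProtector), an elevated session, and a hypothetical `-BackupPath` pointing at a drive that is not being encrypted (a USB stick).

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's procedure: inspect the BitLocker key protectors
# on a volume and replace the RecoveryPassword protector(s) with a fresh one that
# is saved offline instead of to a Microsoft account.
# Assumptions: Windows 10 Pro/Enterprise with the BitLocker PowerShell module,
# run from an elevated PowerShell. -BackupPath is a hypothetical parameter naming
# a folder on a drive that is NOT being encrypted (e.g. a USB stick).
param(
    [string]$MountPoint = "C:",
    [Parameter(Mandatory = $true)][string]$BackupPath
)

function Show-BitLockerProtectors {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("{0}: {1}, {2}, protection {3}" -f $vol.MountPoint, $vol.VolumeStatus,
        $vol.EncryptionMethod, $vol.ProtectionStatus)
    foreach ($p in $vol.KeyProtector) {
        # A RecoveryPassword entry means a 48-digit password can unlock this volume;
        # if its ID shows up on the Microsoft account recovery-key page, that copy works.
        Write-Host ("  {0,-18} {1}" -f $p.KeyProtectorType, $p.KeyProtectorId)
    }
    return $vol
}

# Only RecoveryPassword protectors are rotated. The TPM protector and the volume
# encryption key itself stay as they are; replacing that key needs the
# decrypt / re-encrypt procedure the article walks through.
$vol = Show-BitLockerProtectors -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "$MountPoint is not encrypted; nothing to rotate."
    return
}
$oldIds = @($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    ForEach-Object { $_.KeyProtectorId })
if ($oldIds.Count -eq 0) {
    Write-Warning "No recovery password protector found on $MountPoint."
    return
}

# Step 1: add the new recovery password FIRST, so the volume is never left without
# a recovery protector if the script is interrupted between steps.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$newProt = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $oldIds -notcontains $_.KeyProtectorId }
if (-not $newProt) { throw "New recovery password protector was not created." }

# Step 2: save the new password offline. The file name carries the protector ID,
# which is what the BitLocker recovery screen displays when it asks for the password.
$file = Join-Path $BackupPath ("BitLocker-Recovery-{0}.txt" -f $newProt.KeyProtectorId.Trim('{}'))
("Identifier: {0}`r`nRecovery password: {1}" -f $newProt.KeyProtectorId, $newProt.RecoveryPassword) |
    Out-File -FilePath $file -Encoding ascii
Write-Host "New recovery password written to $file"

# Step 3: remove every old recovery password protector. From this point on, the
# password that was uploaded to Microsoft can no longer unlock this volume.
foreach ($id in $oldIds) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    Write-Host "Removed old recovery password protector $id"
}

Show-BitLockerProtectors -MountPoint $MountPoint | Out-Null
```

After it runs, recheck the recovery-key page in your Microsoft account as the article describes and confirm that the new protector ID has not appeared there.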

MikeWB

Win7 was the last Windows OS I used. It all went downhill from there. Now Windows is spyware and adware masquerading as an OS. MS is changing their business model and has adopted the same model as google/NSA: track everything and everyone.


Microsoft reveals details of Windows 10 usage tracking
http://www.bbc.com/news/technology-35251484

By Chris Baraniuk
7 January 2016

Microsoft has revealed details about the data it is tracking via its new operating system (OS), Windows 10.

In a blog, the firm listed statistics on how many minutes had been spent by users in total in the Edge browser and the number of photographs which had been viewed in the Photo app.

The firm also said that Windows 10 was now active on over 200 million devices.

However, some people have questioned whether the data tracking is a threat to privacy.

Since Windows 10 was launched, Microsoft has been tracking information about how those with the OS are using it.

Until now though, relatively little has been known about what data is being collected.

"Microsoft is deeply committed to protecting our customers' privacy," a spokesman for the company told the BBC.

"Consistent with all modern services and websites, the Windows 10 information highlighted in the blog on January 4 is standard diagnostic, anonymous analytics that enables us to deliver the best Windows 10 experience possible.

"We are committed to delivering industry leading privacy protection for our customers, as shared in a recent blog from Terry Myerson."

Minutes tracked

The company blog listed a range of figures, including:

    * 44.5 billion minutes spent by users in the Microsoft Edge browser across Windows 10 devices
    * 2.4 billion questions asked to virtual assistant Cortana
    * 30% more Bing search queries per Windows 10 device versus previous versions of the OS
    * 82 billion photos viewed with the Photo app
    * More than four billion hours spent playing PC games

Microsoft also reported that Windows 10 continued to be the fastest growing version of Windows, outpacing the adoption of both Windows 8 and Windows 7.

Security expert Prof Alan Woodward told the BBC he was interested to know the long-term plans for the data.

"[This information] might be collected for one purpose, but how long will it be stored for? What else are they going to use it for?" he said.

"As soon as it goes outside the EU it's no longer protected by things like the UK's Data Protection Act."

Recently, Microsoft announced it would be opening UK data centres for corporate clients in a move the firm hoped would address privacy watchdogs' concerns about "data sovereignty".

However, it is not clear where data relating to the company's own operating system is transmitted and stored.

'Walking in blind'

It is possible to increase the privacy controls in Windows 10 by setting the feedback option to Basic, so that activity data is not sent to Microsoft - bar error reports.

However, Prof Woodward suggested that users of the new OS may not be fully aware of the range of options and what they do.

"I've noticed it because I've been installing it a lot recently. The default is for them to track a whole lot of things about usage and send details back to Microsoft," he said.

"I think some people are walking into it blindfolded, they don't necessarily realise what's going on."
