Tag Archive for: signing

Microsoft reveals how hackers stole its email signing key… kind of


A series of unfortunate and cascading mistakes allowed a China-backed hacking group to steal one of the keys to Microsoft’s email kingdom that granted near unfettered access to U.S. government inboxes. Microsoft explained in a long-awaited blog post this week how the hackers pulled off the heist. But while one mystery was solved, several important details remain unknown.

To recap, Microsoft disclosed in July that hackers it calls Storm-0558, which it believes are backed by China, “acquired” an email signing key that Microsoft uses to secure consumer email accounts like Outlook.com. The hackers used that digital skeleton key to break into both the personal and enterprise email accounts of government officials hosted by Microsoft. The hack is seen as a targeted espionage campaign aimed at snooping on the unclassified emails of U.S. government officials and diplomats, reportedly including U.S. Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns.

How the hackers obtained that consumer email signing key was a mystery — even to Microsoft — until this week when the technology giant belatedly laid out the five separate issues that led to the eventual leak of the key.

Microsoft said in its blog post that in April 2021, a system used as part of the consumer key signing process crashed. The crash produced a snapshot image of the system for later analysis. This consumer key signing system is kept in a “highly isolated and restricted” environment where internet access is blocked to defend against a range of cyberattacks. Unbeknownst to Microsoft, when the system crashed, the snapshot image inadvertently included a copy of the consumer signing key 1️⃣ but Microsoft’s systems failed to detect the key in the snapshot 2️⃣.

The snapshot image was “subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network” to understand why the system crashed. Microsoft said this was consistent with its standard debugging process, but that the company’s credential scanning methods also did not detect the key’s presence in the snapshot image 3️⃣.

Then, at some point after the snapshot image was moved to…

Source…

Microsoft Details How Chinese Hackers Acquired Signing Key for Outlook Breach


Microsoft says it’s uncovered the mystery to how suspected Chinese hackers acquired a digital signing key to pull off July’s Outlook breach that ensnared several US government agencies. 

According to Microsoft, the key was accidentally leaked when the company computer holding it crashed in April 2021. During the error, the machine generated a crash dump report, which failed to redact the key from the file due to a software bug. 

Microsoft added that company computers that hold such signing keys are “highly isolated,” and have been stripped of various internet services, such as email and video conferencing. However, the crash dump report ended up opening a hole in the security. The unredacted file was automatically passed to a Microsoft computer devoted to debugging, which also happened to be connected to the internet. 
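Both write-ups above describe the same failure mode: key material landed in a crash dump, and the credential scanner that should have caught it before the dump left the isolated network did not. The scanner below is an added example, not Microsoft's tooling, of what such a pre-export check looks like in its simplest form: it searches a dump for PEM-armoured private keys and for JSON Web Key objects that carry private components, reports their offsets, and redacts them. The "dump" is a constructed byte string with placeholder key material; the detector names, regexes and redaction format are the example's own.

```python
import base64
import re
from dataclasses import dataclass

# Detector 1: PEM-armoured private keys ("RSA PRIVATE KEY", "EC PRIVATE KEY",
# PKCS#8 "PRIVATE KEY", ...). The backreference forces the END line to name the
# same key type as the BEGIN line, so a stray BEGIN marker alone does not match.
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----", re.S
)
# Detector 2: a JSON Web Key object that carries private parameters
# (RSA: d/p/q/dp/dq/qi, EC: d, symmetric: k). Public-only JWKs are not flagged.
JWK_OBJECT_RE = re.compile(rb'\{[^{}]*"kty"\s*:\s*"(?:RSA|EC|oct)"[^{}]*\}', re.S)
JWK_PRIVATE_FIELD_RE = re.compile(rb'"(?:d|p|q|dp|dq|qi|k)"\s*:')


@dataclass(frozen=True)
class Finding:
    kind: str
    offset: int
    length: int


def scan_dump(blob: bytes) -> list:
    """Return every private-key artifact found in the dump, ordered by offset."""
    findings = []
    for m in PEM_PRIVATE_RE.finditer(blob):
        kind = "pem:" + m.group(1).decode("ascii")
        findings.append(Finding(kind, m.start(), m.end() - m.start()))
    for m in JWK_OBJECT_RE.finditer(blob):
        if JWK_PRIVATE_FIELD_RE.search(m.group(0)):
            findings.append(Finding("jwk-private", m.start(), m.end() - m.start()))
    return sorted(findings, key=lambda f: f.offset)


def redact_dump(blob: bytes) -> bytes:
    """Overwrite each finding with a marker so the dump can leave the isolated network."""
    out = bytearray(blob)
    # Work from the highest offset down so earlier offsets stay valid as lengths change.
    for f in sorted(scan_dump(blob), key=lambda f: f.offset, reverse=True):
        out[f.offset:f.offset + f.length] = b"[REDACTED " + f.kind.encode("ascii") + b"]"
    return bytes(out)


# Constructed sample "crash dump": binary noise, a placeholder PEM key,
# a JWK with a private exponent, and a public-only JWK that must not be flagged.
_FAKE_PEM_BODY = base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT A REAL KEY")
SAMPLE_DUMP = (
    b"\x00\x01heap-noise\x7f" * 4
    + b"-----BEGIN RSA PRIVATE KEY-----\n" + _FAKE_PEM_BODY + b"\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00signer: idle\x00"
    + b'{"kty":"RSA","kid":"consumer-key-1","n":"placeholder-modulus","d":"PLACEHOLDER-PRIVATE-EXPONENT"}'
    + b'{"kty":"RSA","kid":"public-only","n":"placeholder-modulus","e":"AQAB"}'
    + b"\x00tail\x00"
)

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"{f.kind} at offset {f.offset} ({f.length} bytes)")
```

A real scanner would also need to handle keys that are not text-encoded (raw DER or in-memory key structures), which is exactly why the articles stress that the dump should never have reached the internet-connected debugging network in the first place: redaction is a second line of defence behind the network boundary, not a replacement for it.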

This paved a way for the Chinese hackers to loot the digital key when they compromised a Microsoft engineer’s corporate account, although it remains unclear how this occurred.

“This account had access to the debugging environment containing the crash dump which incorrectly contained the key,” the company said in Wednesday’s report. “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

Stealing the key then allowed the suspected Chinese hackers to forge the authentication tokens to access customer emails on Microsoft’s Outlook service. That said, the signing key was originally designed for consumer Microsoft accounts—not the enterprise Outlook accounts that the hackers targeted. 

The problem is that Microsoft neglected to update a software library to automatically validate key signing signatures between consumer and enterprise accounts. “Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation,” Microsoft said. “Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key.” 
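The validation gap Microsoft describes, as an added example that is not Microsoft's code and does not reproduce its real token format: a mail service holds a registry of signing keys, each bound to one issuer and one realm (consumer or enterprise). The first validator checks only that a token's signature verifies under some registered key, so a token for an enterprise mailbox signed with the consumer key is accepted. The second validator adds the issuer and scope checks the excerpt says were missing, so the same token is rejected. The tokens are simplified HMAC-signed JWT-style strings; key names, issuer URLs and secrets are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes   # constructed HMAC secret standing in for a private signing key
    issuer: str     # the only token issuer this key may sign for
    realm: str      # "consumer" or "enterprise"


# Constructed key registry: one key per realm, each bound to its own issuer.
CONSUMER_ISSUER = "https://login.example.test/consumers"
ENTERPRISE_ISSUER = "https://login.example.test/enterprise"
KEYS = {
    "consumer-key-1": SigningKey("consumer-key-1", b"constructed-consumer-secret", CONSUMER_ISSUER, "consumer"),
    "enterprise-key-1": SigningKey("enterprise-key-1", b"constructed-enterprise-secret", ENTERPRISE_ISSUER, "enterprise"),
}
ISSUER_FOR_REALM = {"consumer": CONSUMER_ISSUER, "enterprise": ENTERPRISE_ISSUER}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: SigningKey, claims: dict) -> str:
    """Produce header.payload.signature with HS256 over the first two segments."""
    header = {"alg": "HS256", "kid": key.kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Return (key, claims) when the signature verifies under a registered key, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        key = KEYS.get(header.get("kid")) if isinstance(header, dict) else None
        if key is None:
            return None
        expected = hmac.new(key.secret, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        return (key, claims) if isinstance(claims, dict) else None
    except (ValueError, UnicodeDecodeError):
        return None


def validate_signature_only(token: str, requested_realm: str) -> bool:
    # The mistaken assumption from the excerpt: the library "performed complete
    # validation", so any registered key is trusted for any realm. requested_realm
    # is never consulted.
    return _verify_signature(token) is not None


def validate_with_issuer_scope(token: str, requested_realm: str) -> bool:
    result = _verify_signature(token)
    if result is None:
        return False
    key, claims = result
    if key.realm != requested_realm:                       # key scoped to the realm being accessed
        return False
    if claims.get("iss") != key.issuer:                    # claimed issuer matches the key's binding
        return False
    if claims.get("iss") != ISSUER_FOR_REALM[requested_realm]:  # and the realm's expected issuer
        return False
    return True


def forged_enterprise_token() -> str:
    """Enterprise-mailbox token signed with the consumer key, the case the excerpt describes."""
    return sign_token(KEYS["consumer-key-1"],
                      {"iss": ENTERPRISE_ISSUER, "aud": "mail", "sub": "official@contoso.example"})


def legitimate_enterprise_token() -> str:
    return sign_token(KEYS["enterprise-key-1"],
                      {"iss": ENTERPRISE_ISSUER, "aud": "mail", "sub": "official@contoso.example"})


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("signature-only accepts forged token:", validate_signature_only(forged, "enterprise"))
    print("issuer/scope check accepts forged token:", validate_with_issuer_scope(forged, "enterprise"))
```

The design point is that a signature proves only which key signed the token; whether that key is allowed to vouch for this issuer and this tenant is a separate decision the relying party has to make explicitly, and it has to be made per key, not per library.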

Microsoft issued the report as the company has come under criticism for failing to…

Source…

Stolen Nvidia code signing certificates used to sign off malware


A number of potentially dangerous malware strains have successfully snuck past antivirus software, thanks to hijacked code signing certificates stolen from Nvidia.

The Lapsus$ cybercrime gang recently announced it had stolen a terabyte of data from the chip giant, and after failing to come to an agreement with the company on a ransom payment, decided to push the stolen intel live.

Source…

NEW TECH: DigiCert Document Signing Manager leverages PKI to advance electronic signatures


Most of us, by now, take electronic signatures for granted.

Related: Why PKI will endure as the Internet’s secure core

Popular services, like DocuSign and Adobe Sign, have established themselves as convenient, familiar tools to conduct daily commerce, exclusively online. Yet electronic signatures do have their security limitations. That’s why “wet” signatures, i.e. signing in the presence of a notary, remain a requirement for some transactions involving high dollar amounts or very sensitive records.

Clearly, a more robust approach to verifying identities in the current and future digital landscape would be useful. After all, conducting business transactions strictly online was already on the rise before Covid-19, a trend that only accelerated due to the global pandemic.

And this is why DigiCert recently introduced DigiCert® Document Signing Manager (DSM) – an advanced hosted service designed to increase the level of assurance of the identities of persons signing documents digitally.

I had the chance to learn more about this new tool from Brian Trzupek, DigiCert’s senior vice president of product. DigiCert is best known as a Certificate Authority (CA) and a supplier of services to manage Public Key Infrastructure. And PKI, of course, is the behind-the-scenes authentication and encryption framework on which the Internet is built.

Trzupek outlined how DSM allows for legally-binding documents with auditability and management of signers. “It adds trust and security into each signature, with the ability to easily work with third-party signing workflows such as Adobe, DocuSign, or other signing workflow platforms,” he says.

As digital transformation has quickened, it has become clear that electronic signatures are destined to become even more pervasively used to conduct business remotely. DigiCert is bringing PKI to bear to help make that happen. Here are the main takeaways from our discussion:

Leveraging PKI

The experience on many signing platforms goes something like this: you receive a document via email, you select a signature font, and then you click to insert that signature on highlighted areas of the document. You conclude by clicking submit and when the document…

Source…