Analytics // Security Monitoring
12/5/2013
11:00 AM
50%
50%

NSA Fallout: Microsoft Rethinks Customer Data Controls

Fallout over NSA surveillance drives Microsoft to promise widespread security and privacy improvements. But do they go far enough?

Stung by revelations that the National Security Agency (NSA) has been conducting a massive surveillance operation against users of online services, Microsoft responded Wednesday by saying that it would encrypt -- or use stronger crypto -- for more of its services, as well as warn business and government users when it receives legal requests for their data. The company also promised to open a network of transparency centers to allow customers to review Microsoft's source code and confirm that it contains no backdoors.

"Many of our customers have serious concerns about government surveillance of the Internet," Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft, said Wednesday in a blog post announcing the changes. "We share their concerns. That's why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data."

Senior executives at Microsoft had reportedly already considered making those changes. But they were driven into action after NSA documents leaked by Edward Snowden suggested that intelligence agencies worldwide were spying on data and communications handled by the likes of Facebook, Google, Microsoft, and Yahoo, perhaps by hacking directly into their datacenters. Industry analysts have warned that the resulting fallout from those revelations could cost global online service providers $180 billion in lost revenue by 2016.

[Existing legislation for online privacy is woefully outdated. It's time for Congress to act. Read Electronic Privacy Laws Need An Overhaul.]

"The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector," Smith told The New York Times. "We concluded that we better assume that there might be such an attempt at Microsoft, or has already been."

Accordingly, by the end of 2014, Microsoft has promised to overhaul its use of crypto for all of its major communications, productivity, and developer services, including Office 365, Outlook.com, SkyDrive, and Windows Azure. That includes adopting the Perfect Forward Secrecy public-key system, as well as stronger 2048-bit key lengths. "Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers," said Smith. "In other areas we're accelerating plans to provide encryption."

One goal is to get any intelligence or law enforcement agencies that might try to hack into Microsoft's services or networks to instead need to go to court to get a subpoena. In addition, these changes might help defuse what's sure to become an escalating arms race between Microsoft and the NSA, or any foreign intelligence agency that wants all-you-can-eat access to Microsoft customers' data or communications.

"We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution," said Smith. "We want to ensure that important questions about government access are decided by courts rather than dictated by technological might."

On the transparency tip, meanwhile, Microsoft promised to notify all business and government customers whenever it received a legal order relating to their data. It also promised to challenge all related gag orders in the court. One related goal of that move is to try to get law enforcement agencies to go directly to businesses from which they want to retrieve data, rather than surreptitiously obtaining it from Microsoft and other such companies.

In order to allow customers to review the integrity of Microsoft's products, the company said it would extend a program it already offers to some government agencies and begin allowing selected customers to review the source code for a selection of products -- to be expanded in the future -- via regional transparency centers located in Europe, Asia, North America, and South America.

But do Microsoft's promised changes go far enough? Secure messaging service Silent Circle, as well as Lavabit founder Ladar Levison, have been urging other online communications providers to adopt a new email protocol called Dark Mail, which was developed by Silent Circle's team, which includes Pretty Good Privacy (PGP) creator Phil Zimmerman.

Unlike today's webmail service providers, Dark Mail would tackle information security by relying on private encryption keys held only by email users. According to Silent Circle's overview, the "dark" aspect doesn't imply anything sinister, but rather "that it is secure, private, and that your written words are not viewed by some data-mining tech firm or a surveillance-hungry government agency."

But according to Silent Circle CEO Mike Janke, it's not clear whether online service providers will embrace an approach such as Dark Mail. "The real friction point is that Yahoo, Google and Microsoft make money mining off free email," he told the NY Times. "They say they're concerned about user privacy. Now we'll see if they really care."

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
DSusan2013
100%
0%
DSusan2013,
User Rank: Apprentice
12/5/2013 | 11:45:30 AM
NSA Proof Communication
It is important that more and more software companies protect our data. I am glad to see microsoft try and help protect there useres. It is also nice to see the new apps coming out that are NSA proof for communication. The one I have been using is Jolt, fee free to check it out if you wish. More security and privacy is always a good thing :)

https://play.google.com/store/apps/details?id=com.abmapp.jolt
pjmjr
50%
50%
pjmjr,
User Rank: Apprentice
12/6/2013 | 1:52:14 PM
Re: NSA Proof Communication
This shows the hyprocacy of Microsoft's"scruggoled" campaign. Not only do they use user data to make Bing work, they have worked hand in glove with NSA to provide access to private communications and data. Now they try to tell us they are rethinking issues of data privacy. I remember all their promices about how wonderful Windows 7, Vista, and 8 were going to be.
anon4701114258
100%
0%
anon4701114258,
User Rank: Apprentice
12/5/2013 | 11:54:25 AM
I can smell the pile
BS. MS is in bed with the NSA. Same with Google, Twitter, Facebook, Yahoo, and the list goes on.
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
12/5/2013 | 1:06:02 PM
Re: I can smell the pile
The fact that Microsoft has to fight our own government for privacy seems so ridiculous. This technological arms war almost seems like a waste of money.

But then again, who knows what kinds of new privacy tech may come out of efforts like this?
TwistOneUp
50%
50%
TwistOneUp,
User Rank: Apprentice
12/5/2013 | 4:18:14 PM
Re: I can smell the pile
not all services give it up to the NSA.

social networking org Glom.com does not comply with any NSA, PRISM, or other government demands for people's data, no do they sell people's data, track searches, chats, messaging, etc.

i find it the height of hypocrisy that Microsoft, who at one time allegedly worked with the government to help them read outlook emails, now decides to work on "better privacy".  good luck with that.

can you say, "did a 180"?

TOU
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
12/5/2013 | 6:43:11 PM
Re: I can smell the pile
The problem with any pronouncement about encryption is that is has to be taken on trust, something that has already been violated. How does anyone know the encryption Microsoft (or Google or Apple) provides will function as desired? Very few computer users are technically savvy enough to really understand and evaluate encryption. Unless there are specific laws preventing the NSA (not to mention Russia and China) from accessing data, expect it to try and ulitmately succeed. It has billions in funding and skilled experts. You have assurances but no real proof.
KevinO442
50%
50%
KevinO442,
User Rank: Apprentice
12/5/2013 | 3:05:40 PM
meaningless
Legally required by US Law to submit all data to NSA , and then legally required not to reveil that they're doing it , or they all get thrown in jail.


This is just shuffling deck chairs on the titanic.

The FBI kicked the door in of the email provider Edward Snowden was using and took what they wanted by force , and anyone who resisted was threatenned with jail time. You think promises of encryption mean anything ?

 

The only thing left is to wait for them to release the code to "prove" there are no back doors, and then find out it doesn't match up with the code that's actually out there.

 

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?