Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Microsoft May Encrypt All Server-To-Server Communications

Microsoft admits it doesn't encrypt all server-to-server communications, opening the way for the NSA and others to access the data flow.

Windows 8.1: A Visual Tour
Windows 8.1: Visual Tour
(click image for larger view)

Microsoft doesn't currently encrypt all its server-to-server communications. But in response to reports that the National Security Agency (NSA) is tapping communications between datacenters, Microsoft officials are rethinking that approach.

"What I can say today is server-to-server transportation is generally not encrypted," Dorothee Belz, vice president of legal and corporate affairs for Microsoft in Europe, told the European Parliament's civil liberties committee during a hearing into the mass surveillance of European citizens. "That is why we are currently reviewing our security systems."

Officials from Facebook, Google, and Microsoft testified before the committee that at no point did they give the NSA direct or unrestricted access to their networks. But according to recently published documents leaked by former NSA contractor Edward Snowden, an NSA program code named Muscular -- jointly operated with Britain's GCHQ -- has been accessing the data that flows between servers operated by Google, Yahoo, and likely other major technology players.

[ Are you ready for the Windows XP Security Apocalypse? ]

As a result, the NSA could use Muscular to directly access targeted networks -- including potentially Hotmail and Outlook.com email traffic, as well as such services as Office 365 and SkyDrive -- without having to find a way around or be stopped outright by a layer of encryption.

But a Microsoft spokesman told the Register that the company is reconsidering its crypto choices. "Over the last few years, Microsoft and others have increased protection of customer data travelling across the Internet by increasing use of SSL for services. However, recent disclosures make it clear we need to invest in protecting customers' information from a wide range of threats, which, if the allegations are true, include governments," he said. "We are evaluating additional changes that may be beneficial to further protect our customers' data."

In the wake of Belz's disclosure, information security and privacy experts have questioned how Microsoft's online services -- including cloud services -- could be considered secure if the underlying communications aren't encrypted.

"Every European company which has used US-based cloud services must have a contract which specifies conditions for secure data processing," Caspar Bowden, a privacy researcher who formerly served as the chief privacy adviser to Microsoft, told the Register. "It is negligent for cloud companies to have failed to encrypt the high-speed links between datacenters, and this has left EU citizens' data wide open to political and economic surveillance from many Signit powers," government agencies tasked with gathering so-called signals intelligence.

Encryption would be one way to counter -- or at least curtail -- NSA surveillance. Another approach would be for Congress to pass laws that restrict the breadth of information the agency could collect, as well as to scrutinize the agency's collection efforts more closely.

Rep. James Sensenbrenner (R-WI), who authored the USA Patriot Act that the NSA has used to justify its massive digital dragnet, told the European committee that the NSA's surveillance activities occurred outside of congressional oversight. "I hope that we have learned our lesson and that oversight will be a lot more vigorous."

Sensenbrenner has also continued to criticize what he calls an "overbroad interpretation" of the USA Patriot Act, which the NSA says authorizes the digital dragnet it has created. To that end, he has introduced the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection, and Online Monitoring (USA Freedom) Act, together with Sen. Patrick Leahy (D-VT). The bill would still allow the NSA to monitor people suspected of having ties to terrorism, but it would prohibit the arbitrary collection of massive amounts of information on millions of people.

In addition, Sensenbrenner called on European government officials -- who run their own Signit operations and, no doubt, datacenter taps -- to work with the United States. "I ask my friends here in the European Parliament to work pragmatically with the United States to continue balanced efforts to protect our nations. Together we can rebuild trust while defending civil liberties and national security on both sides of the Atlantic."

Want to relegate cloud software to edge apps or smaller businesses? No way. Also in the new, all-digital Cloud Software: Where Next? special issue of InformationWeek: The tech industry is rife with over-the-top, groundless predictions and estimates (free registration required).

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NeilB915
50%
50%
NeilB915,
User Rank: Moderator
10/22/2018 | 3:03:51 AM
Microsoft May Encrypt All Server-To-Server Communications
Yes, i agreed with your Points Microsoft May Encrypt All Server-To-Server Communications. As i also faced this issue few days ago my microsft office get crypted but one of my friend recommed me to concerned with MS office 365 Support, then after this guys help me to resolve my issue.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.