Microsoft Spikes Again: A Public Postmortem After a Consumer Signing System Collided with an Automated Data Dropout
After the fateful crash of a consumer signing system, the cryptographic key ended up in an automatically generated “crash dump” of data about what had happened. Microsoft’s systems are meant to be designed so signing keys and other sensitive data don’t end up in crash dumps, but this key slipped through because of a bug. The systems built to detect the data in crash dumps failed to flag the key.
A group from China stole a key from Microsoft’s systems in June. This key allowed the attackers to access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies. At the time of the disclosure, however, Microsoft did not explain how the hackers were able to compromise such a sensitive and highly guarded key, or how they were able to use the key to move between consumer- and enterprise-tier systems. But a new postmortem published by the company on Wednesday explains a chain of slipups and oversights that allowed the improbable attack.
Another unanswered question about the incident had been how the attackers used a cryptographic key from the crash log of a consumer signing system to infiltrate the enterprise email accounts of organizations like government agencies. Microsoft said on Wednesday that this was possible because of a flaw related to an application programming interface that the company had provided to help customer systems cryptographically validate signatures. The API had not been fully updated with libraries that would validate whether a system should accept tokens signed with consumer keys or enterprise keys, and as a result, many systems could be tricked into accepting either.
The company added that support, but it failed to make the proper updates to the systems used to authenticate keys, that is, to determine whether a given key is a consumer key or an enterprise key. Mail system engineers, assuming the updates had been made, built in no additional validation of their own, leaving the mail system blind to what sort of key had signed a token.
In short, had those libraries been updated properly, even given all the other failure points, Storm-0558 hackers might not have been able to access the enterprise email accounts used by the corporations they targeted.
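The validation gap described in the preceding paragraphs is easy to see in code. The example below is an added illustration, not Microsoft's code: it uses a simplified JWT-style token signed with HMAC-SHA256 so that it runs offline (the real systems use asymmetric signing keys, but the validation logic is the same), and every key id, secret and issuer URL is constructed. The flawed verifier accepts any key published by either identity system for any token; the hardened verifier looks the key up only in the key set for the class of identity it expects and additionally checks that the issuer claim matches that class.

```python
"""Token verification with and without binding the signing key to its class.

Added illustration, not Microsoft's code. Tokens are 'header.payload.sig'
with HMAC-SHA256 so the example runs offline; all kids, secrets and issuer
names are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json

# Constructed key material, grouped by the class of identity system that
# issued the key. A real service would fetch these from a metadata endpoint.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-1"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret-1"}
ISSUER_FOR_CLASS = {
    "consumer": "https://login.consumer.example",
    "enterprise": "https://login.enterprise.example",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, secret: bytes, issuer: str, subject: str) -> str:
    """Mint a token whose header names the key id used to sign it."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps({"iss": issuer, "sub": subject}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _split(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    payload = json.loads(_unb64(payload_b64))
    return header, payload, f"{header_b64}.{payload_b64}".encode(), _unb64(sig_b64)


def verify_unscoped(token: str) -> bool:
    """Flawed verifier: every published key is trusted for every token, so a
    validly signed consumer token passes a check meant for enterprise mail."""
    all_keys = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    header, _, signing_input, sig = _split(token)
    secret = all_keys.get(header.get("kid"))
    if secret is None:
        return False
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_scoped(token: str, expected_class: str) -> bool:
    """Hardened verifier: the kid is resolved only against the key set of the
    identity class this service serves, and the issuer must match that class."""
    key_set = ENTERPRISE_KEYS if expected_class == "enterprise" else CONSUMER_KEYS
    header, payload, signing_input, sig = _split(token)
    secret = key_set.get(header.get("kid"))
    if secret is None:
        return False  # key was not issued for this class of identity
    if payload.get("iss") != ISSUER_FOR_CLASS[expected_class]:
        return False  # issuer claim does not belong to this class
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo() -> dict:
    """Compare both verifiers on a consumer-signed and an enterprise-signed token."""
    consumer_tok = sign_token("msa-key-1", CONSUMER_KEYS["msa-key-1"],
                              ISSUER_FOR_CLASS["consumer"], "alice@consumer.example")
    # A consumer key used to mint a token that merely claims the enterprise issuer.
    mislabelled_tok = sign_token("msa-key-1", CONSUMER_KEYS["msa-key-1"],
                                 ISSUER_FOR_CLASS["enterprise"], "alice@enterprise.example")
    enterprise_tok = sign_token("aad-key-1", ENTERPRISE_KEYS["aad-key-1"],
                                ISSUER_FOR_CLASS["enterprise"], "bob@enterprise.example")
    return {
        "unscoped_accepts_consumer_token": verify_unscoped(consumer_tok),
        "scoped_rejects_consumer_token": verify_scoped(consumer_tok, "enterprise"),
        "scoped_rejects_mislabelled_token": verify_scoped(mislabelled_tok, "enterprise"),
        "scoped_accepts_enterprise_token": verify_scoped(enterprise_tok, "enterprise"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the scoped verifier is that a correct signature is necessary but not sufficient: the relying party must also decide, before trusting a key, which issuer that key is allowed to speak for, rather than leaving that judgement to whichever metadata endpoint happens to publish the key.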
After a Rube Goldberg machine-style series of events put the key in the wrong place, Storm-0558 was able to get the key. The company writes that when the system made a debugging snapshot of a process that had crashed, it did not, as it should have, strip all sensitive information from the so-called “crash dump,” leaving the key in.
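The control that failed here has two parts: the dump should have been scrubbed of key material, and a second scan should have flagged anything the scrub missed. The example below is an added illustration of such a scan, not Microsoft's tooling. It searches a dump buffer for PEM private-key blocks in both ASCII and UTF-16LE (Windows processes commonly hold strings as UTF-16, and a scanner that only looks for ASCII markers misses them), leaves public material such as certificates alone, and overwrites each hit in place so that offsets stay stable for whoever later debugs the dump. The dump bytes and the key bodies are constructed and contain no real key material.

```python
"""Find and redact PEM private-key blocks in a process crash dump.

Added illustration, not Microsoft's tooling. Scans for '-----BEGIN <TYPE>-----'
blocks whose TYPE contains 'PRIVATE KEY', in ASCII and UTF-16LE, and zeroes
them in place. SAMPLE_DUMP below is constructed; the base64 body is just the
word CONSTRUCTED, not key material.
"""

ENCODINGS = ("ascii", "utf-16-le")


def find_private_keys(dump: bytes) -> list:
    """Return (start, end, encoding) spans of PEM private-key blocks in dump."""
    hits = []
    for enc in ENCODINGS:
        begin = "-----BEGIN ".encode(enc)
        dashes = "-----".encode(enc)
        pos = 0
        while True:
            start = dump.find(begin, pos)
            if start < 0:
                break
            type_start = start + len(begin)
            type_end = dump.find(dashes, type_start)
            if type_end < 0:
                break
            key_type = dump[type_start:type_end]
            pos = type_end
            if "PRIVATE KEY".encode(enc) not in key_type:
                continue  # certificate or other public material: keep it
            end_marker = "-----END ".encode(enc) + key_type + dashes
            end = dump.find(end_marker, type_end)
            if end < 0:
                end = len(dump)  # truncated block: redact to end of buffer
            else:
                end += len(end_marker)
            hits.append((start, end, enc))
            pos = end
    return hits


def redact(dump: bytes) -> bytes:
    """Zero every private-key span without changing the dump's length."""
    out = bytearray(dump)
    for start, end, _ in find_private_keys(dump):
        out[start:end] = b"\x00" * (end - start)
    return bytes(out)


def ascii_only_hit_count(dump: bytes) -> int:
    """What a scanner that ignores UTF-16 strings would have reported."""
    return sum(1 for _, _, enc in find_private_keys(dump) if enc == "ascii")


# Constructed sample dump: a certificate (public, must survive), an ASCII
# private key, and a UTF-16LE private key such as a Windows process might hold.
_FAKE_BODY = "Q09OU1RSVUNURUQ=\n"  # base64 of 'CONSTRUCTED'
_CERT = ("-----BEGIN CERTIFICATE-----\n" + _FAKE_BODY +
         "-----END CERTIFICATE-----\n").encode("ascii")
_ASCII_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n" + _FAKE_BODY +
              "-----END RSA PRIVATE KEY-----\n").encode("ascii")
_WIDE_KEY = ("-----BEGIN PRIVATE KEY-----\n" + _FAKE_BODY +
             "-----END PRIVATE KEY-----\n").encode("utf-16-le")
SAMPLE_DUMP = (b"[heap] signing worker state\x00" + _CERT + b"\x00" * 16 +
               _ASCII_KEY + b"\x00" * 16 + _WIDE_KEY + b"last log line\n")


if __name__ == "__main__":
    hits = find_private_keys(SAMPLE_DUMP)
    print(f"{len(hits)} private-key block(s) found, "
          f"{ascii_only_hit_count(SAMPLE_DUMP)} visible to an ASCII-only scan")
    for start, end, enc in hits:
        print(f"  {enc}: bytes {start}-{end}")
    scrubbed = redact(SAMPLE_DUMP)
    print("certificate kept:", b"BEGIN CERTIFICATE" in scrubbed)
```

Running it shows why the second encoding matters: the constructed dump holds two private keys, but an ASCII-only scan reports one. A production scanner would add further signatures (DER-encoded keys, JWK JSON with a private exponent, vendor-specific key blobs), but the structure of the check, scan the raw bytes in every encoding the process might use and fail closed on anything that looks like private material, is the same.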
In the first half of July, Microsoft disclosed that the Chinese hacking group Storm-0558 had gained access to emails from around 25 organizations, including agencies in the US government. The company is explaining how it went wrong, while emphasizing just how serious a responsibility it is to maintain massive, growing software infrastructure in an increasingly insecure digital world.
Jake Williams, who used to work for the National Security Agency and is now on the Institute for Applied Network Security’s faculty, says that all the best hacks are deaths by 1,000 paper cuts.