
Anyone can trash Microsoft, but can you do it with style?

  • Writer: Stefanie Keichel
  • Dec 6, 2024
  • 2 min read





Skytalk at BSides Las Vegas, Tuesday, 6 August 2024



  • Find here the full presentation from the BSides Skytalk: bit.ly/MicrosoftFuckedItUp

  • Case: 2023 U.S. Government Email Breach

    • A Chinese threat actor (tracked by Microsoft as Storm-0558) read the mailboxes of US government officials using forged authentication tokens. The tokens were signed with a Microsoft consumer (MSA) signing key created in 2016 that was still accepted in 2023: the key had never been rotated out, and a flaw in token validation let a consumer key authenticate tokens for enterprise services such as Exchange Online.

  • What YOU can learn from Microsoft's mistakes:

    • Regularly Rotate Critical Signing Keys

      • Explanation: A signing key is like a secret stamp that a system uses to prove a token is authentic. By retiring and replacing these keys on a schedule, a company limits how long a stolen key can be abused: a token signed with a retired key must be refused even if the signature itself is correct.

      • Therefore, implement a strict key rotation policy with a published retirement date for every key. Regular rotation of signing keys ensures that even if a key is compromised, the window of opportunity for attackers is minimized.

    • Enforce Strong Token Validation

      • Explanation: Tokens are like digital tickets that prove someone is allowed to access a system. Making sure the system only accepts tickets it created, and that the ticket is for this venue and has not expired, helps prevent hackers from forging or reusing stolen tokens to gain access.

      • Therefore, accept only tokens that your system has issued: verify the signature against your own current key set, and check the key identifier, issuer, audience and expiry of every token. This prevents attackers from gaining access with unauthorized or forged tokens.

    • Invest in Comprehensive Logging

      • Explanation: Logs are like the security cameras of a system, recording what happened. Better logging means companies can spot and stop hackers more quickly. In this case, the mailbox access events that revealed the intrusion were only available to customers on a premium logging tier, which is why the breach was noticed by a customer with that tier and not by those without it.

      • Therefore, utilize logging solutions that record every authentication decision and every access to sensitive data, even if it requires additional investment in premium services, and make sure those records are actually reviewed or fed to detection tooling.


    • Separate Keys for Different Services

      • Explanation: Using the same signing key across different services is like having one master key that unlocks both your house and your office. If someone gets hold of that key, they can access everything you own. By using different keys for different services, and by having each service accept only the keys meant for it, you ensure that if one key is stolen, only that specific area is at risk.

      • Therefore, implement key scoping and segregation.

        Use unique signing keys for each service or system, especially separating consumer services from high-security enterprise or government services, and make the validator of each service reject keys that are scoped for another. This way, if a key for a less secure service is compromised, it cannot be used to access more sensitive systems.
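The four lessons above are easiest to see in one small validator, so here is an added example that is not part of the Skytalk or of any Microsoft code. It is a hypothetical token issuer and validator in Python using only the standard library: tokens are HMAC-SHA256 signed (a real identity provider would use asymmetric keys), every key carries a scope and a retirement date, the validator refuses keys of the wrong scope or past retirement before it even checks the signature, and every decision is written to a structured audit log. The key names, dates, issuer and audience strings are all invented to mirror the case: a consumer key from 2016 that should have been retired in 2017, presented to an enterprise mail service in 2023.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SigningKey:
    kid: str          # key identifier carried in the token header
    secret: bytes     # HMAC secret; a real identity provider would use an asymmetric key pair
    scope: str        # service family the key may sign for: "consumer" or "enterprise"
    retire_at: float  # Unix time after which the key is refused, whatever the signature says


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: SigningKey, claims: dict) -> str:
    """Issue a compact header.payload.signature token (JWS-style, HMAC-SHA256)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key.kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


class TokenValidator:
    """Validator for one service: it knows its own issuer, audience and key scope."""

    def __init__(self, keys, issuer: str, audience: str, scope: str):
        self.keys = {k.kid: k for k in keys}
        self.issuer, self.audience, self.scope = issuer, audience, scope
        self.audit_log = []  # structured records a SIEM would ingest

    def _reject(self, kid: Optional[str], reason: str):
        self.audit_log.append({"service": self.audience, "outcome": "reject", "kid": kid, "reason": reason})
        return False, reason

    def validate(self, token: str, now: Optional[float] = None):
        now = time.time() if now is None else now
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            kid = json.loads(_unb64(header_b64)).get("kid")
            sig = _unb64(sig_b64)
        except (ValueError, AttributeError):
            return self._reject(None, "malformed token")
        key = self.keys.get(kid)
        if key is None:
            return self._reject(kid, "unknown kid")
        if key.scope != self.scope:
            # key segregation: a consumer key never validates an enterprise token
            return self._reject(kid, "key scope mismatch")
        if now > key.retire_at:
            # rotation policy: a retired key is refused even if the signature is correct
            return self._reject(kid, "key retired")
        expected = hmac.new(key.secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return self._reject(kid, "bad signature")
        claims = json.loads(_unb64(payload_b64))
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            return self._reject(kid, "issuer/audience mismatch")
        if claims.get("exp", 0) <= now:
            return self._reject(kid, "token expired")
        self.audit_log.append({"service": self.audience, "outcome": "accept", "kid": kid, "sub": claims.get("sub")})
        return True, "ok"


# Constructed scenario with hypothetical keys and dates (not Microsoft's real values):
# a consumer key minted in 2016 that should have been retired in 2017, and a current
# enterprise key. Unix times for 2016-01-01, 2017-01-01 and 2023-06-01.
T2016, T2017, T2023 = 1451606400, 1483228800, 1685577600
CONSUMER_2016 = SigningKey("msa-2016", b"consumer-secret", "consumer", retire_at=T2017)
ENTERPRISE_2023 = SigningKey("ent-2023", b"enterprise-secret", "enterprise", retire_at=T2023 + 90 * 86400)
ISSUER = "https://login.example"


def run_scenario() -> dict:
    """Present four tokens and return each verdict plus the audit records produced."""
    # The enterprise validator is given the consumer key on purpose to show the scope
    # check; in a properly segregated deployment it would not hold that key at all.
    mail = TokenValidator([CONSUMER_2016, ENTERPRISE_2023], ISSUER, "enterprise-mail", "enterprise")
    consumer = TokenValidator([CONSUMER_2016], ISSUER, "consumer-mail", "consumer")
    ent_claims = {"iss": ISSUER, "aud": "enterprise-mail", "sub": "official@agency.example", "exp": T2023 + 3600}
    con_claims = {"iss": ISSUER, "aud": "consumer-mail", "sub": "user@consumer.example", "exp": T2023 + 3600}
    forged = sign_token(CONSUMER_2016, ent_claims)    # attacker signs with the stolen consumer key
    genuine = sign_token(ENTERPRISE_2023, ent_claims)
    h, _, s = genuine.split(".")                       # payload swapped after signing
    swapped = _b64(json.dumps({**ent_claims, "sub": "admin@agency.example"}).encode())
    escalated = f"{h}.{swapped}.{s}"
    return {
        "forged_consumer_key": mail.validate(forged, now=T2023),
        "genuine": mail.validate(genuine, now=T2023),
        "escalated": mail.validate(escalated, now=T2023),
        "stale_key_consumer_service": consumer.validate(sign_token(CONSUMER_2016, con_claims), now=T2023),
        "mail_log": mail.audit_log,
        "consumer_log": consumer.audit_log,
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(name, verdict)
```

Note the order of checks: key identity, scope and retirement are decided before any cryptography runs, so a stolen key is useless once it is retired or presented to the wrong service, and the audit log records which key was tried and why it failed, which is exactly the record a defender needs to spot a forged-token campaign.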
