Opinion: The BSI's risky silence on Microsoft issues

US authorities take action after Microsoft incidents. BSI should take their proactive approach, says security expert Jürgen Schmidt.

(Image: Windows logo with cracks, above it the word "Kommentar"; credit: heise online)

This article was originally published in German and has been automatically translated.

In the USA, the situation for Microsoft is currently escalating – driven primarily by the top US security authority, the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA). And here in Germany? The great silence: even when asked, the Federal Office for Information Security (BSI) – "the federal cyber security authority and shaper of secure digitization" – sees no problem.

Microsoft currently must disclose catastrophic security incidents on an almost regular basis. I deliberately write "must" because these disclosures are not made voluntarily or transparently; they are instead released bit by bit under the pressure of regulatory requirements, such as those from the Securities and Exchange Commission or an official investigative commission of the Department of Homeland Security.

First there was the incident with the master key to the Microsoft cloud. It shouldn't have existed, it shouldn't have worked, and Microsoft still doesn't know who stole it, when or where. No wonder that the Cyber Safety Review Board (CSRB) set up to investigate the incident concluded that Microsoft had completely failed with a "cascade of avoidable errors" and, in sharp terms, called for a reprioritization of security at Microsoft.

Then there was the intrusion by Midnight Blizzard (aka APT29) that became public in January, in which the perpetrators were probably able to read the emails of high-ranking Microsoft managers and their security department for months. Two months later, Microsoft was forced to announce to the US Securities and Exchange Commission that it had not yet been able to eject Midnight Blizzard from its networks. On the contrary, the attacker group's activities had actually increased tenfold.

As an aside, it emerged at the beginning of April that a security company had stumbled across a publicly accessible Azure bucket containing over a million internal Microsoft files. Among other things, the scripts contained numerous addresses, credentials and tokens for internal Microsoft services – in other words, great fodder for attacker groups such as Midnight Blizzard.

According to the discoverers from SOCRadar, it took Microsoft almost a month after the notification to remove this extremely sensitive data. How long it had been there is not known. Incidentally, it is also quite typical that Microsoft does not discover such security problems itself, but only takes action following information from third parties. The CSRB already criticized this in the case of the stolen master key, the misuse of which was only discovered by an attentive US authority, which then notified CISA and Microsoft.

To summarize: Microsoft's security culture has been documented as rotten and its IT infrastructure is inadequately secured; attackers of all stripes are busy carrying data out of the company. And, of course, the data of Microsoft's customers in particular is also being leaked.

This became too much for the US security authority CISA; it has now published ED 2024-02: "Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System". This is about how US authorities must investigate and clean up their IT to limit the damage caused by this intrusion at Microsoft. CISA apparently has information that the eavesdropped emails also revealed sensitive information about the IT infrastructure to the attackers. It is somehow obvious that Microsoft's management and security department are not just talking about the weather.

Of course, the activities of government contract hackers are not limited to the USA; many of them are also very active in Europe and especially in Germany. The BSI has recently even compiled a list of state attacker groups active in Germany. And this naturally includes the Microsoft attackers from APT29 and lists their preferred targets in Germany:

The security firm Mandiant adds very recent reports of increased attack activity specifically aimed at political parties in Germany. Such a potential threat should make the BSI sit up and take notice, as these targets will also use Microsoft products and may therefore have exchanged emails with Microsoft employees.

An opinion by Jürgen Schmidt

Jürgen Schmidt – aka ju – is head of heise Security and Senior Fellow Security at Heise-Verlag. A physicist by training, he has worked at Heise for over 25 years and is also interested in networks, Linux and open source. His current project is heise Security Pro for security managers in companies and organizations.

At the very least, this suggests that there is an urgent need for a discussion in Germany about what Microsoft's security sloppiness means for Germany's IT. And that the BSI - similar to the DHS and CISA in the USA - should play an active and leading role in this. However, Germany's highest security authority does not say anything about this of its own accord.

When asked whether the BSI has requested telemetry data from Microsoft about potentially intercepted emails in the same manner as CISA, or whether German authorities are being prompted to scrutinize their communications with Microsoft or their use of Microsoft services in light of recent findings, the response is vague. The BSI states that it is in ongoing communication with Microsoft on these issues, but that it currently has no information or reports indicating that German authorities or companies have been affected. Any further inquiries in this regard, it adds, should be directed to Microsoft.

All in all, an answer similar to the one I received last year regarding the theft of the master key. Loosely translated, this simply means: "We prefer to stay out of it."

My questions to the BSI

I posed these questions to the BSI about our reporting on the security problems at and with Microsoft and the Emergency Directive 2024-02:

  • Does the BSI see a need for action in this context? If so, what specifically is being done? Are there similar instructions to German authorities, or is this currently being discussed?
  • What information does the BSI have about communication between compromised accounts at Microsoft and German authorities, politicians or companies and organizations? Can you rule out the possibility that security-relevant information has flowed – or is still flowing – from Germany to the attackers in this context?
  • Is there any communication between the BSI and Microsoft in this matter? What exactly is it about? What additional information is Microsoft providing to the BSI or potentially affected parties in Germany to limit the damage?

The "shapers of secure digitalization" must not remain on the sidelines, but must actively intervene. In this context, I have already spoken several times about "acquiescence paralysis" – admittedly a provocative term. But what else can we call it when Germany's highest security authority simply refuses to perform its most basic task as soon as the job is no longer admonishing us citizens to use IT more securely, but dealing with a multinational mega-corporation?

I don't want to hear anymore about twenty-digit passwords, voluntary cybersecurity seals and BSI basic protection until the BSI openly addresses the scandalous security incidents at Microsoft and finally takes concrete measures that are suitable for understanding and at least limiting this threat to our infrastructure. DHS and CISA have shown that this is possible. The escalation via the CSRB investigation commission and the emergency directive speak for themselves. Of course, a German authority does not have the standing of these US institutions. But Microsoft traditionally generates around half of its turnover outside the USA. So if there is resentment there, possibly under German leadership, that threatens this turnover, the company will not be able to ignore it.

The demand for more security is by no means as hopeless as it may seem. Just over 20 years ago, there was already a steadily growing wave of outrage at Microsoft's ignorance regarding IT security. This culminated in Bill Gates' company-wide announcement in 2002 that the security of its own products would be a top priority from now on. This actually heralded a phase in which Microsoft became something of a role model in this area. In its final report, the CSRB vehemently called for Microsoft to reorient itself along these lines. And the initiator of Emergency Directive 24-01, the US company Ivanti, has itself prescribed a move towards greater security. So the step is not that far away – perhaps the BSI will even give the decisive push?


(ju)