Microsoft Office 365 email encryption may not be as watertight as it seems
Date:
Fri, 14 Oct 2022 18:42:24 +0000
Description:
There's a way to read the messages, a researcher claims, but Microsoft begs
to differ
FULL STORY ======================================================================
There is a flaw in the way Microsoft handles secure emails sent through Microsoft Office 365, a security researcher has claimed.
As reported by ComputerWeekly, with a sufficiently large sample, a threat actor could apparently abuse the loophole to decipher the contents of encrypted emails.
However, Microsoft has played down the importance of the findings, saying it's not really a flaw. For the time being, the company has no intention of putting a remediation in place.
More emails, easier discovery
The flaw was discovered by security researcher Harry Sintonen of WithSecure (formerly F-Secure) in Office 365 Message Encryption (OME).
Organizations usually use OME when looking to send encrypted emails, both internally and externally. But because OME encrypts each cipher block individually, so that repeating blocks of the message correspond to the same ciphertext blocks every time, a threat actor can theoretically reveal details about the message's structure.
This, Sintonen further claims, means that a potential threat actor with a big enough sample of OME emails could deduce the contents of the messages. All they'd need to do is analyze the location and frequency of repeating patterns in each message, and match them to other messages.
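The block-by-block behaviour described above is that of ECB mode, and the leak it causes can be measured without knowing the key. The following Go program is an added example, not code from the article or from OME: it encrypts a constructed message under AES with a constructed demo key, once in ECB mode and once in CBC mode, and counts how many ciphertext blocks repeat an earlier block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"strings"
)

// encryptECB encrypts each 16-byte block on its own: equal plaintext blocks give equal ciphertext blocks.
func encryptECB(block cipher.Block, plaintext []byte) []byte {
	bs, out := block.BlockSize(), make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// encryptCBC chains each block into the next behind a random IV, so repeats in the plaintext vanish.
func encryptCBC(block cipher.Block, plaintext []byte) []byte {
	iv, out := make([]byte, block.BlockSize()), make([]byte, len(plaintext))
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// repeatedBlocks counts ciphertext blocks identical to an earlier block: structure visible without the key.
func repeatedBlocks(ciphertext []byte, bs int) int {
	seen, repeats := map[string]bool{}, 0
	for i := 0; i < len(ciphertext); i += bs {
		b := string(ciphertext[i : i+bs])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// compareModes returns the repeat count under ECB and under CBC for the same message and key.
func compareModes() (ecbRepeats, cbcRepeats int) {
	msg := []byte(strings.Repeat("Payroll row ####", 6) + "Total: 123456.78") // constructed: 7 full blocks, no padding
	block, err := aes.NewCipher([]byte("constructed-key!"))                    // constructed 16-byte demo key
	if err != nil {
		panic(err)
	}
	return repeatedBlocks(encryptECB(block, msg), 16), repeatedBlocks(encryptCBC(block, msg), 16)
}
```

With six identical lines in the message, ECB yields five repeated ciphertext blocks while CBC yields none, which is exactly the pattern-frequency signal the article says a large email sample exposes.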
More emails make this process easier and more accurate, so it's something attackers can perform after getting their hands on email archives stolen during a data breach, or by breaking into someone's email account, email server or gaining access to backups, Sintonen said.
If a threat actor obtains email archives stolen during a data breach, they'd be able to analyze the patterns offline, further simplifying the work. That would also render Bring Your Own Encryption/Key (BYOE/K) practices obsolete.
Unfortunately, if a threat actor gets their hands on these emails, there's really not much businesses can do.
Apparently, the researcher reported the problem to Microsoft early this year, to no avail. In a statement provided to WithSecure, Microsoft said the report "was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report".
Via ComputerWeekly
======================================================================
Link to news story:
https://www.techradar.com/news/microsoft-office-365-email-encryption-may-not-be-as-watertight-as-it-seems/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)