
Hackers could read non-corporate Outlook.com, Hotmail for six months - pseudolus
https://arstechnica.com/gadgets/2019/04/hackers-could-read-non-corporate-outlook-comhotmail-for-six-months/
======
fsckin
Storytime!

When I worked for MSN/Hotmail around 2000-2003, there were _dozens_ of
helpdesk folks who had access to an admin panel to easily view any email and
could view/edit PII for anyone with very little (if not zero) accounting or
auditing. It was protected by plaintext auth and open to the internet.

One employee told me that he caught his wife cheating by reading her mail.

Another used it to recover their own stolen EQ account worth thousands.

I personally used this access to help a friend recover a hacked/stolen Hotmail
account. I told them the email address, what had happened to it, and they
forwarded me a screenshot of their Passport.NET PII details for them to use
the self-service password reset.

Obviously not much has changed.

~~~
jonny_eh
PII is personally identifiable info?

What's an EQ account?

~~~
otachack
EverQuest, I assume, which was a popular MMORPG prior to World of Warcraft

~~~
fsckin
Yup.

------
saulrh
Let me get this straight: They were able to use a single helpdesk account
password for six months to read arbitrary emails from arbitrary user accounts.
There was no 2FA. There was no auditing. There was no integration with any
sort of ticketing system ("you can only access an account if you're working on
that specific user's ticket") or paperwork ("reason for access:"). There
wasn't a single piece of automated monitoring to detect this account accessing
accounts off-hours or accessing multiple accounts simultaneously. And this
went on for _six months_. Did I misread something?

~~~
tialaramex
I've built systems which required "helpdesk" type access and had auditing, but
the problem is where do you think "audit summary report" is on the TODO pile for
the people getting those summaries? I'm guessing it's between "Delete unread"
and "I really ought to get around to it but I'm too busy so I never do".

Even when it comes to third party audit, those are ring binder driven
processes. Does the audit report get generated? Yes, check. Does the person it
goes to have a requirement to check it? Yes, check. Done, pass. Auditors
_might_ ask to see an example report, but they definitely aren't going to add
bogus entries to see what happens for example.

Spot checks aren't a thing in almost any industry. "Chaos Monkey" style checks
aren't a thing anywhere at all. So it's easily possible that for six months
(or three months) Microsoft was generating internal reports that said "Bob the
Helpdesk worker has accessed ten times more user emails today than anybody
else" and nobody was asking "Wait, why is Bob an outlier?".

With a targeted attack like this one, your suggestion about requiring a ticket
doesn't help very much, the attacker is motivated to jump through hoops unlike
script kiddies looking for low-hanging fruit. Insider fraud at banks has been
known to go as far as a fake "customer" phoning up to authorize the steps that
the bad guys want to take, so that there's an authorization on record when
they do them and it won't immediately be flagged as a problem. The real
customer may later convince a court that it wasn't them, but that's not real
time, the insiders are long gone and so is the money.

Now, you can build systems where it's just impossible for even your own people
to get access. But that has a high cost, as you will see in every thread where
people castigate Google because they got locked out of something. Why can't
Google just hire helpdesk people who have super-user access, they ask...
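
The monitoring that saulrh lists as missing (off-hours access, one account opening many mailboxes at once) and the per-agent outlier report tialaramex describes can be expressed as a few checks over a helpdesk access audit log. This is an added illustration, not code from the article or from any Microsoft system; the log format, the shift window and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed audit log (assumed format): timestamp, support account, mailbox opened.
AUDIT_LOG = """\
2019-01-10T09:15:00 alice user1@example.com
2019-01-10T09:40:00 alice user2@example.com
2019-01-10T10:05:00 bob user3@example.com
2019-01-10T11:20:00 carol user4@example.com
2019-01-10T23:10:00 bob user5@example.com
2019-01-10T23:11:00 bob user6@example.com
2019-01-10T23:12:00 bob user7@example.com
2019-01-10T23:13:00 bob user8@example.com
2019-01-10T23:14:00 bob user9@example.com
"""

BUSINESS_HOURS = range(8, 19)  # assumed shift window: 08:00 to 18:59

def parse(log):
    events = []
    for line in log.splitlines():
        ts, account, mailbox = line.split()
        events.append((datetime.fromisoformat(ts), account, mailbox))
    return events

def off_hours_access(events):
    """(account, mailbox) pairs opened outside the shift window."""
    return [(a, m) for t, a, m in events if t.hour not in BUSINESS_HOURS]

def burst_access(events, window_s=300, threshold=3):
    """Accounts opening more than `threshold` distinct mailboxes within `window_s` seconds."""
    by_account = defaultdict(list)
    for t, a, m in events:
        by_account[a].append((t, m))
    flagged = set()
    for a, reads in by_account.items():
        reads.sort()  # chronological, so each read anchors a sliding window
        for i, (t0, _) in enumerate(reads):
            boxes = {m for t, m in reads[i:] if (t - t0).total_seconds() <= window_s}
            if len(boxes) > threshold:
                flagged.add(a)
                break
    return sorted(flagged)

def volume_outliers(events, factor=2.0):
    """Accounts whose mailbox count exceeds `factor` times the median across all agents."""
    counts = Counter(a for _, a, _ in events)
    med = median(counts.values())
    return sorted(a for a, n in counts.items() if n > factor * med)
```

Any account that trips the burst or outlier check would be the "why is Bob an outlier?" question the audit summary is supposed to raise.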

~~~
saulrh
Yes, I wouldn't expect to find much rigor at Cousin Ricky's house of email.
This is Hotmail. They don't have any excuses. They handle a ton of email for a
lot of people, people depend on them, and they are a big target.

If this was a specially privileged superuser account, it should have had more
attention paid to it. Yes, it's hard to scale audits or monitoring to the
entire customer support org. But if you only have three people that can
actually read people's emails, you can certainly audit _just their_ use.

If it's not a specially privileged superuser, then every random helpdesk
account can read everything from everyone. This does not inspire confidence.

And even skipping all the complex systems that should have been in place for a
system the size of Hotmail: Why did this account not have 2FA? This is _basic
stuff_.

~~~
dragonwriter
> Yes, I wouldn't expect to find much rigor at Cousin Ricky's house of email.
> This is Hotmail. They don't have any excuses.

It's consumer Hotmail. From Microsoft’s perspective, that is probably excuse
enough.

Of course, I've seen pretty bad things in large HIPAA covered entities with
systems with PHI; insufficient security and accountability of support accounts
and recovery processes is found lots of places.

------
0xffff2
This is totally insane. I'm totally baffled by the idea that Microsoft
considers it okay for _anyone_ except the owner to have _any_ level of access
to personal email accounts.

~~~
mrmuagi
Having the 'owner' of the e-mail address have the only access is a better
extreme than having _everyone_ have access, but I don't think that's feasible.
People within Microsoft will always have the ability to access e-mail
accounts, the question is if they are the right people and how big that group
of people should ever be.

If you are talking about secure e-mail cryptography philosophy along the lines
of PGP, ProtonMail, et cetera, sure you can achieve that through those means.
Otherwise it's a pipe dream with a product like Outlook that's built for
businesses and having AD style control.

------
jammygit
I'm imagining a future cottage industry with companies holding offices in
India/Russia/China/<elsewhere> with a full staff reading emails for blackmail
material

(naturally finding a politician or celebrity once in a while)

~~~
scarmig
"Future."

------
EduardoBautista
This further justifies my decision to use an email provider like Protonmail
where only I can decrypt my emails' contents.

------
kerng
Interesting to understand the reason for the attack: it's to recover iCloud
passwords so the adversaries can sell stolen iPhones! Wow!

------
Bhilai
Why would a customer support person need access to people's email without even
seeking the customer's password?

~~~
dRaBoQ
Maybe to help them recover their password?

~~~
rad_gruchalski
Read my emails to recover my password? That's what the "forgot your password"
link is for!

------
Daniel_sk
I am sure glad I switched to ProtonMail.

~~~
danra
Not sure why you were downvoted.

Protonmail stores all your emails encrypted, with the encryption dependent on
your password, so something like this couldn't happen there.

~~~
RandomBacon
Seems like if ProtonMail can encrypt them automatically, then they can
potentially be decrypted by someone at ProtonMail.

Reasoning:

Are emails automatically encrypted with a hash of the user password when they
are received?

If the user forgets the password, how do password resets work?

Are the emails before the password reset "lost", or does ProtonMail keep a
copy of the hashed password (which I suppose would be needed to log in with in
the first place) to unencrypt the older emails, and re-encrypt with the newer
password?

~~~
int_19h
Yes, you lose your old emails if you reset password on ProtonMail.

~~~
saganus
Really? are there any docs I can read related to this?

It certainly is something that users should probably be aware of. At least I
would...

~~~
int_19h
https://protonmail.com/support/knowledge-base/reset-password/

------
sureste
This is totally not something that NSA uses by the way.

