
Microsoft Live Account Credentials Leaking from Windows 8 and Above - aurhum
https://hackaday.com/2016/08/02/microsoft-live-account-credentials-leaking-from-windows-8-and-above/
======
Nokinside
As a Linux user I have kept Windows 7 & 8 partitions on my laptop and
workstation disks for years because there used to be a time when you needed
Windows at work for some programs to run and some documents to open.

The Windows 10 upgrade push made me realize that that time passed a long time
ago. The last time I booted into Windows for any reason other than playing a
game was seven years ago. LibreOffice works well with MS documents and you can
always use them from Google Drive.

Windows has lost its grip for good.

~~~
bsilvereagle
> Windows has lost its grip for good.

For your listed use case of gaming & document creation.

There are a lot of niche applications that are Windows only. All major CAD
platforms, a decent chunk of FEA packages, hardware vendor software, etc. At
the professional level, Windows still has quite the grip.

~~~
djaychela
Yeah, it's the only reason I have a Windows laptop (or desktop) - I teach
music technology, and that means a DAW which works - in my case Cubase - so
unless Steinberg changes their mind on supporting Linux (which seems massively
unlikely given the amount of effort needed to get it working properly), I'll
have to have a Windows machine for the foreseeable future; everything else I
do is done on my Chromebooks (one Chrome, one GalliumOS).

~~~
zambal
In case you haven't heard about it: Bitwig Studio works effortlessly on Linux
with a great feature set. The workflow is more similar to Ableton Live than
Cubase though.

~~~
djaychela
I've heard about it, but there are a number of problems - firstly, as you've
said, it's more Ableton than Cubase, and I've spent a fair bit of time trying
to get on with Ableton (I regularly work with a producer who uses it), but
alas, having spent 20 years+ using Cubase, it's difficult for my addled brain
to make the shift in paradigm, and things which are just "natural" now in
Cubase involve a lot of thinking to remember how to do in Ableton.

Secondly, plugins - there are a heap of free and paid plugins that are
Windows-only that I'm not sure will work in Linux (I know about being able to
bridge them, but even 32/64 Windows bridges have issues!) - having said that
I've not tried this lately, so hopefully there's been some good progress.

Third, and probably most intractably - it's a big enough ask to get school IT
departments to support 'odd' software like Cubase; getting them to support
Linux, alas, would be infinitely unlikely, so I'd still need a Windows PC to
support my teaching work (which is my main income).

Thanks for the tip, though, I shall re-look into Bitwig again as it's on
Linux, and then my GalliumOS Chromebook could become even more useful!

------
pjc50
And people wonder why some of us haven't upgraded from Windows 7.

Win10 tries _really hard_ to make you log into your desktop with your Live
Account credentials - you can't use the store without this. Whereas if it were
just leaking a local login it would be much less critical.

~~~
scholia
But if you upgrade to Windows 10 from Windows 7, your existing log-on (which
has no Live account connection) continues exactly as before....

It's not really a surprise if an app store needs an account. Are there any
that don't?

~~~
lucb1e
> It's not really a surprise if an app store needs an account. Are there any
> that don't?

Yeah the ones that have existed since forever: GNU/Linux repositories
(Ubuntu's, Debian's, etc.). Even Ubuntu's Software Center, which you might
find closer to an app store than a command line interface even though it's the
same thing, does not require an account until you try to leave comments or
review an application.

Then there were browser addon repositories which worked the same way, first
from Firefox and later from all other browsers. (Except one of course.)

So yes, no account was the standard. Needing an account is something recent.

~~~
winthrowe
If you don't have to pay and therefore authenticate, it's not really a store,
but only a software repository.

~~~
lucb1e
How many people don't even have payment info in their Google or Microsoft
account? They can't pay anyway and payment info is not required so clearly
that's not it.

I'd just like to download apk files from the play store, but that's not
possible without an account even though there's no reason for it whatsoever.
Moreover, I'd like to contribute to many apps while still not attaching
payment info to my account. Currently I bought some pro versions of apps via
gift cards, but this doesn't work for subscriptions (even if you have 100
bucks prepaid on your account and the subscription is 1 buck a month, and
don't get me started on country locking the credit). They all want to have
your data and lock you in.

~~~
scholia
I think all the major ecosystems require a log-in: Apple, Amazon, Google,
Microsoft.

In Windows 10's case, it's only for apps. If you're happy with Win32 programs,
you still don't need to use a Microsoft Account.

~~~
lucb1e
I'm not, but then that's why I switched to an open platform called Debian.

~~~
scholia
Your choice ;-)

Did you actually use Windows 10 you're complaining about?

~~~
lucb1e
I'm not complaining about Windows 10 in particular.

I'm complaining about walled gardens and application "stores" that require an
account in particular, even when they don't require payment information
(making them not a store at all, just a walled application garden).

And yes, I have used the Windows Store once or twice, but I don't see how that
changes anything.

~~~
scholia
Does needing an account really make it a walled garden?

I borrow books and CDs from a public library: I need an account.

I borrow videos from BlockBuster or stream them from Netflix: I need an
account.

I want to comment on HN or whatever: I need an account.

I want to get a job, I need an account (SSN etc).

~~~
jhasse
In some cases, yes:

Want to borrow a book from another library because it's missing in yours?

Want to switch from Netflix to a different streaming provider, but don't want
to lose all your history?

You can't easily because you're in their walled garden.

------
besselheim
Until a fix is released, this can be mitigated by blocking outbound TCP
connections on ports 139 and 445.

Individual users can do this by setting up suitable outbound rules in the
Windows Firewall with Advanced Security snap-in (wf.msc).

~~~
Lagged2Death
Or by using a browser that doesn't silently and promiscuously attempt to
connect to remote network shares. Like, any other browser. Good grief.

~~~
besselheim
Or both. Defense in depth.

------
oneplane
Somehow I'm not surprised, neither by the way it's broken nor by the neglect on
Microsoft's part on this issue...

Pretty much every non-standard Microsoft-only approach to things seems to be
broken one way or another, only to be fixed after someone threatens to expose
and exploit it. I know it's gotten better in recent years, but the fact that
it's still something that seems to be pushed from the outside in, instead of
being part of the manufacturer's culture, is shining through rather harshly.

------
JBiserkov
Microsoft should fix this ASAP.

You should enable Two-factor Authentication (2FA) on your account.

[https://support.microsoft.com/en-us/help/12408/microsoft-acc...](https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification)

~~~
el_duderino
The permissions their Android 2FA app requires seem a bit much for its
purpose.

The app has access to:

- Identity
- Contacts
- SMS
- Camera
- Device ID & call information
- Other

[https://play.google.com/store/apps/details?id=com.microsoft....](https://play.google.com/store/apps/details?id=com.microsoft.msa.authenticator)

Am I the only one who thinks that?

~~~
Maarten88
You can use several other 2FA apps such as Google Authenticator if you do not
trust the Microsoft one, they are compatible.

That said, personally I do like the Microsoft Authenticator app very much,
it's just a single tap on the phone to confirm the 2FA login, which is much
more convenient than retyping a code. Disadvantage is that the Android version
of the Microsoft Authenticator app can only have one account, I could not
connect a second 2FA service (LastPass) to it.

------
option_greek
I thought they started fresh with Edge browser by keeping it away from
windows/OS specific stuff. Apparently not.

~~~
philjohn
Nope. They started with the IE 11 source code and ripped a whole load of stuff
dealing with compatibility, and previous rendering engines, out. Once they had
completed this step they started adding new features in, but it's still got
the legacy of Internet Explorer code in it.

~~~
Sylos
I still don't understand how this myth that they wrote Edge from scratch even
came to be.

You don't just quickly write a browser from scratch in this day and age. And
if you did, it would be so much better than Edge or the other contemporary
browsers, because you could start out with a much better architecture...

~~~
aurhum
> I still don't understand how this myth that they wrote Edge from scratch
> even came to be.

Because people confuse Microsoft marketing fluff with reality?

"Microsoft Edge is built from the ground up to improve productivity, to be
more secure, and to correctly, quickly and reliably render Web pages. While
Microsoft Edge is the default browser for Windows 10 and is the best fit for
most users, some enterprise customers have line-of-business applications built
specifically for older Web technologies, which require Internet Explorer 11."
[0]

"We designed Microsoft Edge from the ground up to prioritize power efficiency
and deliver more battery life" [1]

"Microsoft Edge is designed from the ground up to provide a modern,
interoperable, and secure browsing experience"[2]

[0]
[https://blogs.microsoft.com/firehose/2016/05/19/improvements...](https://blogs.microsoft.com/firehose/2016/05/19/improvements-in-windows-10-anniversary-update-help-make-microsoft-edge-and-internet-explorer-11-work-better-together/)

[1]
[https://blogs.windows.com/windowsexperience/2016/06/20/more-...](https://blogs.windows.com/windowsexperience/2016/06/20/more-battery-with-edge/)

[2]
[https://blogs.windows.com/msedgedev/2016/06/07/edge-enterpri...](https://blogs.windows.com/msedgedev/2016/06/07/edge-enterprise-policies-anniversary-update/)

------
be5invis
Tested using Edge on r14393, and the demo returns “Not vulnerable”. There is a
SEC7111 error in the console.

------
Kenji
tl;dr: Simply accessing a website with Edge leaks the user name and password
hash to the attacker site. They mention that this is also default behaviour in
Spartan, Internet Explorer, Outlook (though I do not know how effectively it
can be delivered to something like Outlook).

Works on up to date Windows 10 and Edge (there is an online test if you're
vulnerable). If you don't use the listed software, you're probably completely
safe (maybe there is other Microsoft software that does this, though?). If you
don't use your Microsoft Live Account as a Windows account, you're safe
(someone then just finds out the hash of your local password).

EDIT: Interestingly, Edge on the Xbox One is not vulnerable. It seems like the
behaviour on the console is different.

~~~
deviate_X
I'd be interested to know how easy it is to actually break the hash of the
password.

~~~
marcosdumay
Why would you need to? The hash is enough to give you access to any NTLM
service.

~~~
dagaci
What NTLM service would you be able to access for example?

~~~
marcosdumay
Wait, what?

NTLM is a generic authentication layer. You use it to get single sign-on for
your web APIs.

------
drzaiusapelord
>Edge, Spartan, Internet Explorer (just saying..)

Why does he keep repeating "Spartan"? That was Edge's codename. Now it's just
Edge. Is he referring to the engine that can be embedded into other
applications? If so, it's called EdgeHTML.

------
overlordalex
The article recommends that you "strengthen your Microsoft Live account
password", but if I understand the vulnerability it is only exposing the hash
of your password?

If it's only exposing the hash, why should you make your password stronger?

~~~
cylo
To make the password hash harder to crack. There's a big difference in time to
crack the hash for "Passw0rd" vs "$)63hjbbdhs23".

~~~
yAnonymous
>$)63hjbbdhs23

Great, I'll just store this in my password manag... oh, wait.

~~~
Relys
[https://www.yubico.com/](https://www.yubico.com/)

------
NKCSS
This is fun to write for yourself; small SMB client to couple a unique file
request to the credentials and website showing the info retrieved via SMB; I
think I found my weekend project :)

~~~
ValdikSS
[https://github.com/SpiderLabs/Responder](https://github.com/SpiderLabs/Responder)

------
robododo
Just to clarify the article a bit:

Your password hash is not sent over the wire. What is sent over the wire is
the NTLMv2 response message. This, simplified, is: HMAC_MD5(Hash | challenge).
If you want the gory details, check out MS-NLMP.

That said, a dictionary-attackable password plus an attacker with fast GPUs can
still brute-force the HMAC, then attack the password hash (MD4). It's a bit
harder than just banging on a simple hash, though not terrifically difficult.

------
batrat
Did the test with edge and it doesn't work. I'm on stable build. Also it needs
edge/ie to be able to do the test...

~~~
KMag
Does your ISP block SMB/CIFS ports?

------
pvdebbe
Is the NTLMv2 hash even salted?

~~~
zaroth
NTLM is designed to do authentication over an unencrypted channel with a
shared secret (password). It's also important to appreciate there is no
initialization protocol for a new user, it's just "please login user x with
y".

As such, the protocol exchanges everything you would need in order to crack
the password in the messages themselves. Adding a salt, unless you stipulate a
way to share that salt across machines ahead of time, would not prevent
cracking a password by intercepting the messages, because the salt would have
to be in the message exchange as well. What a public / visible salt in the
message exchange does do is eliminate rainbow table (instant) cracking based
on intercepting the message.

To answer your question: NTLM is unsalted, and NTLMv2 adds a salt, which is
exchanged in the messaging. In this case the salt is applied a bit differently
-- MD5(MD5(password), salt) -- because the salt is randomly generated each
time, and what's stored in the authentication database is just MD5(password).
The salt is only in the challenge-response protocol, so you can still bulk-
crack all the passwords in the database if you can steal it.

So, you can think of NTLMv2 as "half-salted" and when you tell people that,
you'll have a great story to tell (for values of "great" which include crypto-
inclined audiences).

EDIT: I think KMag has it right. The message has the username, domain, salt,
and:

    MD5(MD5(MD4(password), username || domain), salt)

The nesting is because of their attempts at shoe-horning this into their legacy
codebase and trying to remain backward compatible. A more secure way to hash
the same data, but not backward compatible, is:

    HMAC(salt, username || domain || password)

------
chocolatebunny
Does this affect Microsoft software on macs? We use Outlook on our macbooks at
work and I'm wondering if a single mass email can get everyone's Exchange
password, or at least the md5sum of their passwords.

------
billpg
Have Microsoft confirmed the issue or planned to roll out a fix?

------
wangchow
Anyone know if this affects Windows phone 10? It also uses all of the
mentioned software.

~~~
ValdikSS
Does not affect Windows Phone 8.

------
jason46
Is signed into Cortana and the Windows store synonymous?

------
anc84
Huh, their evile 31337 haxx0r background looks like a blatant copyright
violation. It's artwork based on a video game cover. Previously also "stolen"
by the BBC:
[http://www.gamesradar.com/wait-did-bbc-use-thief-art-illustr...](http://www.gamesradar.com/wait-did-bbc-use-thief-art-illustrate-story-about-hacker/)
(since then apparently replaced,
[http://www.bbc.com/news/technology-33442419](http://www.bbc.com/news/technology-33442419))

Also available for illegitimate at
[http://www.shutterstock.com/pic-389962378/stock-photo-hacker...](http://www.shutterstock.com/pic-389962378/stock-photo-hacker-and-computer-virus-concept.html)
or
[http://www.shutterstock.com/pic-345906527/stock-photo-danger...](http://www.shutterstock.com/pic-345906527/stock-photo-dangerous-hacker-stealing-data-concept.html)

~~~
jswny
It's barely even visible...

~~~
anc84
I meant on [https://msleak.perfect-privacy.com/](https://msleak.perfect-privacy.com/)

