Top Tech News HOME LATEST NEWS NEWSLETTERS SEARCH Search
  LATEST NEWS FOR MONDAY APRIL 24

Close Search Box
Top Tech News
NETWORK SECURITY
Microsoft May Be Collecting Windows Disk Encryption Keys
Posted December 30, 2015
Microsoft May Be Collecting Windows Disk Encryption Keys
Next Story
EARLIER
Cybersecurity Predictions and Key Threats for 2016
THIS STORY
Microsoft May Be Collecting Windows Disk Encryption Keys
Next Story
LATER
Microsoft To Warn You About State-Sponsored Hacking
YOU ARE HERE:   HOME arrow NETWORK SECURITY arrow THIS STORY
NEWS OPS

By Jennifer LeClaire. Updated December 30, 2015 1:04PM

SHARE

ALSO SEE

If you recently bought a new Windows computer, Microsoft probably has your encryption key. Or at least that’s the news that's causing a flurry of speculation as this holiday season winds down.

Disk encryption is built into Windows and turned on automatically. You have to physically turn it off if you don’t want to use it as a data protection mechanism in case your computer is lost of stolen. You may already know this.

“But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key -- which can be used to unlock your encrypted disk -- to Microsoft’s servers, probably without your knowledge and without an option to opt out,” said The Intercept's Micah Lee, who first reported the story.

In his article, Lee offers advice on “how to make it less bad." All you have to do is log into your computer using your Microsoft account and turn the feature off. But how bad is this vulnerability, really? Is it as bad as some technology news headlines suggest?

How Risky Is It?

We caught up with Craig Young, a cybersecurity researcher for advanced threat detection firm Tripwire, to get his thoughts on the controversial news.

Young told us while this key backup behavior certainly presents an increased risk that someone may be able to bypass advertised encryption protections, it's important to consider the risk in context.

“In order for this ‘vulnerability’ to be exploited, an attacker must be able to both gain access to the backed up key and gain physical access to the encrypted storage,” Young said. “There is essentially an infinitely long list of easier ways for an intruder to bypass disk encryption and retrieve data from a protected device by attacking the endpoint.”

Targeting the Endpoints

Young said it's important to remember that most of the protections afforded by disk encryption aren't applicable after a system has been booted and the file system has been unlocked. His take: an adversary sophisticated enough to gain unauthorized access to Microsoft’s key backups is almost certainly sophisticated enough to get malware installed onto the running system.

“Users with particularly sensitive information beyond the basic personal passwords and financial data can simply use traditional local accounts rather than Microsoft accounts to avoid the possibility of key disclosure,” Young said.

Although it would be nice if the operating system let users opt out of sending the key to Microsoft, many users would mostly likely still want their backup keys stored by Microsoft to help reduce the risk of catastrophic data loss, he said.

Tell Us What You Think
Comment:

Name:

mr very scared:
Posted: 2016-01-10 @ 12:06am PT
I am so scared now.

Garth:
Posted: 2016-01-04 @ 5:50pm PT
NSA also makes a backup for you right after the key leaves your router. 100% free service!!! (unless you are a US taxpayer of course, then you unfortunately pay for the world). And hey they just want you to be safe .. Right ? Or as Goebbels said: You have nothing to fear if you have nothing to hide. Don't you ?

Mataba:
Posted: 2016-01-02 @ 2:03am PT
Do not work on your computer, but rather live with separate drive which you disconnect on completion. Stay off the internet while you are working, and only use access when necessary. Use good security software and take care what info is stored in your cloud.

Sans:
Posted: 2015-12-31 @ 12:29am PT
What a load of BS.
If anyone really believes this garbage, they need their head examined. MS is not this stupid to do this kind of thing it goes against the whole point of Bitlocker and Enterprise systems.

WindowsRocks:
Posted: 2015-12-30 @ 4:17pm PT
And open yourself up to the worst hacks in the history of the internet. Good luck with your antiquated OS

StopSpyware:
Posted: 2015-12-30 @ 2:43pm PT
First thing to do after buying a new computer: wipe out Windows and install Debian or Fedora -- any good Linux distribution will do and save you from this privacy invasion.

MORE IN NETWORK SECURITY

Next Article >

INSIDE TOP TECH NEWS NETWORK SITES SERVICES BENEFITS