T-Mobile Austria stores passwords as plain text, Outlook gets message crypto, and more

Roundup While Facebook caught most of the security-related flak this week, there were other infosec stories out there.

Here's a summary of stuff happening, beyond what we've already covered.

Don't get pwned. Word. Dude

Microsoft, which used to be a byword for insecure software until Bill Gates' trustworthy computing memo that turned the biz around, has added more defense mechanisms to its key suites this week: Redmond has upgraded the security for some Office 365 apps, if you're using a paid-for subscription.

For a start, Microsoft has added password protection for links shared on its OneDrive cloud storage system. Competitor Dropbox did this a while back, and it's about time Redmond followed suit.

Ditto its changes to Outlook, which now claims to have end-to-end message encryption. People using Outlook.com, Outlook for iOS and Android, or Windows Mail can send encrypted messages between themselves transparently – there's no need to click on stuff to decrypt, etc. If you send an encrypted message to someone without the above software or service, then they can "choose to receive a one-time passcode or re-authenticate with a trusted provider before viewing the email," Microsoft Office exec Kirk Koenigsbauer said.

Word, Excel, and PowerPoint are also getting an upgrade, with automatic scanning of links embedded in documents. The new code will check out the URLs to make sure that they aren't on Redmond's databases of dodgy websites and pages.

But one big, and very welcome change by Microsoft could do a lot to quell the scourge of ransomware that has become so prevalent over the last year. The Files Restore feature for paid subscribers allows you to restore OneDrive contents from a backup that covers the last 30 days of use, meaning if some malware has scrambled your files, you can retrieve intact copies. And the system can detect when the ransomware struck, and automatically restore to the last good safe checkpoint.

Another blow for ransomware

For nearly a year now, businesses around the world have been stymied by the LockCrypt ransomware, a particularly nasty strain of the criminal code.

Researchers at Malwarebytes Labs took a deep dive into the code and discovered that the creators had made a bit of a boo boo. Rather than using a proven encryption system, the writers had rolled their own and weren't that good at it.

"The authors did not make the best choice for the random generator," the eggheads report. "Rather than using a cryptographically strong one, they went for the GetTickCount function."

As a result it now looks likely that a number of LockCrypt-infected PCs can now get their files back using suitable recovery tools. Until, that is, the code is refreshed, and the whole cat and mouse game begins again.

Yet another piece of stupidity

Funny, though, the bad LockCrypt code is it hasn't been the worst cockup of the week. As we were going to press, a conversation on Twitter showed a quite astonishing display of hubris.

A customer was questioning if rumors that T-Mobile Austria was storing customer passwords in plain text, leaving the credentials like sitting ducks for hackers. Whoever was manning T-Mobile Austria's Twitter account confirmed that this was the case, but that there was no need to worry because "our security is amazingly good."

Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for https://t.co/vJapgJ50qc ^andrea

— T-Mobile Austria (@tmobileat) April 4, 2018

@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe

— T-Mobile Austria (@tmobileat) April 6, 2018

That line is going to bite T-Mobile Austria in the backside, if or when they next get hacked. To be fair, it's late at night in Europe and the Twitter account was probably being handled by an overworked social media worker, but it's not a good look. Especially when people started digging further and found various security shortcomings. The whole thread is a mind job.

But that doesn’t excuse the plain-text password storage. T-Mobile USA confirmed it does not store passwords in plain text.

Finnish f**kup

Such stupidity pushed back a story we'd planned to Finnish on. Geddit?

The Finnish Communications Regulatory Authority has issued an alert after the New Business Center in Helsinki, a company set up to advise companies on how best to get their businesses off the ground, got hacked. Information on 130,000 user accounts and their plaintext passwords were stolen in what's thought to be the third largest data loss in numbers of users in Finnish history.

"Details of the business plans may also include information leaked," the Finnish authority stated in an advisory.

"It is currently not known that the disclosed information would be freely accessible to anybody on the Internet. However, it is likely that the disclosed information has spread to cybercriminals." ®