SfBO Security


Hi Experts,

One of our partners has the scenarios below and raised the following queries:

SCENARIOS

1. Text – unprotected Android phones
i. How is Skype for Business Online different from Signal and WhatsApp?
ii. Has SfB been compromised before, or has it been the target of such attempts as described?
iii. What would a would-be attacker require to compromise SfB chat communication?

2. Voice chat – unprotected Android phones

Customer is concerned that perceived attackers have access to mobile operator exchanges and thereby to voice and data communication for all mobile phone users.

c. Can we position Skype for Business in a way that addresses the above concern? Examples of information that could help:
i. Can we confirm that, irrespective of man-in-the-middle access by perceived attackers, the data they have access to would be unusable because both types of voice communication are encrypted?

3. Data exchanges – Windows PCs, Android tablets, unprotected phones:

Customer would like to position EXO, SfB, SPO, AIP (Azure Information Protection), Intune etc. as end-to-end tooling that would secure end-user productivity applications (MS), devices and communications to ensure data at rest and in transit is secure. It is understood that such guarantees are possible only with observed limitations in ways of working (e.g. BitLocker, data classification, definition of trusted recipients etc.).

b. Can we position the above (or any other suggested products) in a way that satisfies the customer's concerns:
i. What would a would-be attacker require to gain access to data? E.g.:
• Attacker would have to have the username and password and physical access to a trusted device; OR
• Attacker would have to have the master decryption key, which is held by… or at….

4. Data exchanges – Mac PCs / Mac OS:

Customer stated that Mac OS may not afford us sufficient controls to achieve security similar to scenario 3. For example, we may not be able to prevent printing of a sensitive document if there is physical access to the device.

b. Are we correct in advising a reduced ability to guarantee security of data at rest?

5. Data exchanges – Mac PC / Windows OS:

Customer stated that while Windows OS would render a Mac PC as securable as a Windows PC, this is only true for as long as the user uses Windows OS.

b. Should we change our position if the customer agreed to dual-boot into Windows? Could we definitively prohibit access from Mac OS?

Any pointers would be of great help.


Hi SB.

  1. I am uncertain if I understand your question correctly, but here goes. If an unprotected device is lost and the Skype for Business client credentials have been stored in the CredentialsStore, the device still has access to the IM communication with other parties (as well as WhatsApp, Signal and other messaging services); to prevent this you must change the password of the exposed account.
    1. The main difference is in the encryption and data storage areas of the services. All services use end-to-end encryption. WhatsApp stores your IM data on Google Drive (unless unchecked) and SfBO data is stored in your Exchange Online mailbox, which is more secure and makes it easier to comply with e.g. GDPR in the EU.
    2. Not that I am aware of.
    3. The server certificate private key, which is very unlikely an attacker can retrieve, is needed. Basically the same as other TLS connections.
  2. If a packet trace is captured by a malicious person (or even a friendly person for troubleshooting purposes) between 2 clients or client/server, the media traffic (SRTP) is encrypted and unreadable. The data is readable only if the key has been compromised. https://technet.microsoft.com/en-us/library/dn481135.aspx#Anchor_0

I am not able to respond to your remaining questions, as they are a little out of my field of experience.

Regards.

Kenneth ML
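To make the SRTP point in the reply above concrete, here is an added, self-contained model of how an SRTP-protected media packet looks to someone holding a packet trace. It is illustration code written for this thread, not Microsoft's or any SRTP library's implementation, and it simplifies one thing: real SRTP (RFC 3711) uses AES-128 in counter mode for both key derivation and the keystream, while this model substitutes HMAC-SHA256 in counter mode so that it runs with only the Python standard library. The master key and salt, the SSRC and the payload are constructed values. What it shows beyond the reply: the RTP header (SSRC, sequence number, timestamp) stays in the clear, so a trace still reveals who is talking to whom and when; the payload is unreadable without the session key; and the authentication tag means a holder of the trace can neither read nor modify the media without that key.

```python
import hashlib
import hmac
import struct

RTP_HEADER_LEN = 12   # fixed RTP header: V/P/X/CC, M/PT, seq, timestamp, SSRC
AUTH_TAG_LEN = 10     # SRTP default authentication tag: HMAC-SHA1-80


def _prf(key: bytes, data: bytes, length: int) -> bytes:
    """Counter-mode PRF. Stand-in for SRTP's AES-128-CM (assumption: HMAC-SHA256
    is used here only so the example runs with the standard library)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, data + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_session_keys(master_key: bytes, master_salt: bytes) -> dict:
    """SRTP derives separate session keys from one master key via labels
    (0x00 encryption, 0x01 authentication, 0x02 salt)."""
    return {
        "enc": _prf(master_key, master_salt + b"\x00", 16),
        "auth": _prf(master_key, master_salt + b"\x01", 20),
        "salt": _prf(master_key, master_salt + b"\x02", 14),
    }


def _keystream(keys: dict, ssrc: int, index: int, length: int) -> bytes:
    # SRTP IV = (salt << 16) XOR (SSRC << 64) XOR (packet index << 16), 128 bits.
    # Binding the IV to SSRC and index keeps keystream unique per packet and stream.
    iv = (int.from_bytes(keys["salt"], "big") << 16) ^ (ssrc << 64) ^ (index << 16)
    return _prf(keys["enc"], iv.to_bytes(16, "big"), length)


def rtp_header(seq: int, timestamp: int, ssrc: int, payload_type: int = 0) -> bytes:
    return struct.pack(">BBHII", 0x80, payload_type, seq, timestamp, ssrc)


def parse_header(packet: bytes) -> dict:
    _, m_pt, seq, ts, ssrc = struct.unpack(">BBHII", packet[:RTP_HEADER_LEN])
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc, "payload_type": m_pt & 0x7F}


def _tag(keys: dict, header: bytes, body: bytes, roc: int) -> bytes:
    # The tag covers the cleartext header, the ciphertext and the rollover counter.
    return hmac.new(keys["auth"], header + body + struct.pack(">I", roc), hashlib.sha1).digest()[:AUTH_TAG_LEN]


def protect(keys: dict, header: bytes, payload: bytes, roc: int = 0) -> bytes:
    """Turn an RTP packet into an SRTP packet: header | encrypted payload | tag."""
    h = parse_header(header)
    index = (roc << 16) | h["seq"]
    ks = _keystream(keys, h["ssrc"], index, len(payload))
    ciphertext = bytes(a ^ b for a, b in zip(payload, ks))
    return header + ciphertext + _tag(keys, header, ciphertext, roc)


def unprotect(keys: dict, packet: bytes, roc: int = 0):
    """Verify the tag first (constant time), then decrypt. Returns None when the
    key is wrong or the packet was altered, so nothing is ever decrypted blindly."""
    header, body, tag = packet[:RTP_HEADER_LEN], packet[RTP_HEADER_LEN:-AUTH_TAG_LEN], packet[-AUTH_TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(keys, header, body, roc)):
        return None
    h = parse_header(header)
    ks = _keystream(keys, h["ssrc"], (roc << 16) | h["seq"], len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def what_a_capture_shows(packet: bytes) -> dict:
    """What a packet trace reveals without the key: header metadata in the clear,
    payload only as ciphertext."""
    info = parse_header(packet)
    info["payload_ciphertext_hex"] = packet[RTP_HEADER_LEN:-AUTH_TAG_LEN].hex()
    return info


# Constructed sample values (not real keys or a real call).
MASTER_KEY = bytes(range(16))
MASTER_SALT = bytes(range(14))
SAMPLE_PAYLOAD = b"hello from the call"
SESSION = derive_session_keys(MASTER_KEY, MASTER_SALT)
SAMPLE_PACKET = protect(SESSION, rtp_header(seq=1, timestamp=160, ssrc=0xDEADBEEF), SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("trace sees:", what_a_capture_shows(SAMPLE_PACKET))
    print("with key:", unprotect(SESSION, SAMPLE_PACKET))
    print("wrong key:", unprotect(derive_session_keys(b"\x00" * 16, MASTER_SALT), SAMPLE_PACKET))
```

The design point for the thread's question is the order of operations in `unprotect`: integrity is checked before any decryption, so a party that captured the trace and lacks the session key gets `None` both when trying to read the media and when trying to alter it. The metadata returned by `what_a_capture_shows` is the caveat worth stating to the customer: SRTP protects the content of a call, not the fact that a call took place between two SSRCs at a given time.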

Hi Kenneth,

Thank you very much for your response.

Much appreciated!!

Many thanks again.