Tag Archive for: Computerworld

Feds say Microsoft security ‘requires an overhaul’ — but will it listen? – Computerworld

/in


What Microsoft did wrong

The DHS Cyber Safety Review Board’s report lays out the Chinese hack and Microsoft’s response in exquisite detail, revealing what the Washington Post calls Microsoft’s “shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency.”

The attack was engineered by the Storm-0558 hacking group — doing the bidding of China’s most powerful spy service, the Ministry of State Security. Storm-0558 has a history of carrying out espionage-related hacks of government agencies and private companies dating back to 2000. Until now, the best-known one was Operation Aurora, brought to light by Google in 2010. The Council on Foreign Relations called that attack “a milestone in the recent history of cyber operations because it raised the profile of cyber operations as a tool for industrial espionage.”

According to the DHS report, the most recent hack took place after Storm-0558 got its hands on a “Microsoft Services Account (MSA)17 cryptographic key that Microsoft had issued in 2016.” Using the key, Storm-0558 forged user credentials and used them to log into government accounts and steal emails of Raimondo, Burns, Bacon, and others. 

There are other unsolved mysteries. The key should only have been able to create credentials for the consumer version of Outlook Web Access (OWA), yet Storm-0558 used it to create credentials for Enterprise Exchange Online, which the government uses. Microsoft can’t explain how that can be done.

There’s worse. That 2016 key should have been retired in 2021, but Microsoft never did so because the company had problems with making its consumer keys more secure. So the key, and presumably many others like it, remained as powerful as ever. And Storm-0558 did its dirty work with it.

This series of events — a key that should have been retired was allowed to stay active, the theft of the key by Storm-0558 stole the key, and then Storm-0558’s ability to use it to forge credentials to get access to enterprise email accounts used by top government officials, even though the key shouldn’t have allowed them to do so — represents the “cascade of errors” the DHS said…

Source…

Mozilla patches Firefox zero-day as attackers exploit flaw – Computerworld

/in
  1. Mozilla patches Firefox zero-day as attackers exploit flaw  Computerworld
  2. Firefox zero-day exploit used in targeted attacks, urgent update issued  Android Authority
  3. Firefox gets patch for critical 0-day that’s being actively exploited  Ars Technica
  4. Firefox Critical Zero-Day Being Exploited: Patch NOW  Security Boulevard
  5. Mozilla Firefox 72.0.1 Patches Actively Exploited Zero-Day  BleepingComputer
  6. View full coverage on read more

“zero day exploit” – read more