Tag Archive for: overhaul

Feds say Microsoft security ‘requires an overhaul’ — but will it listen? – Computerworld


What Microsoft did wrong

The DHS Cyber Safety Review Board’s report lays out the Chinese hack and Microsoft’s response in exquisite detail, revealing what the Washington Post calls Microsoft’s “shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency.”

The attack was engineered by the Storm-0558 hacking group — doing the bidding of China’s most powerful spy service, the Ministry of State Security. Storm-0558 has a history of carrying out espionage-related hacks of government agencies and private companies dating back to 2000. Until now, the best-known one was Operation Aurora, brought to light by Google in 2010. The Council on Foreign Relations called that attack “a milestone in the recent history of cyber operations because it raised the profile of cyber operations as a tool for industrial espionage.”

According to the DHS report, the most recent hack took place after Storm-0558 got its hands on a “Microsoft Services Account (MSA) cryptographic key that Microsoft had issued in 2016.” Using the key, Storm-0558 forged user credentials and used them to log into government accounts and steal emails of Raimondo, Burns, Bacon, and others.

There are other unsolved mysteries. The key should only have been able to create credentials for the consumer version of Outlook Web Access (OWA), yet Storm-0558 used it to create credentials for Enterprise Exchange Online, which the government uses. Microsoft can’t explain how that can be done.

There’s worse. That 2016 key should have been retired in 2021, but Microsoft never did so because the company had problems with making its consumer keys more secure. So the key, and presumably many others like it, remained as powerful as ever. And Storm-0558 did its dirty work with it.

This series of events — a key that should have been retired was allowed to stay active, the theft of that key by Storm-0558, and then Storm-0558’s ability to use it to forge credentials and gain access to enterprise email accounts used by top government officials, even though the key shouldn’t have allowed it to do so — represents the “cascade of errors” the DHS said…


Discord.io Temporarily Shuts Down After Hack, Promises Security Overhaul


A third-party service that let thousands of users create custom invites for Discord is temporarily shutting down following a hack.

Discord.io on Tuesday confirmed it suffered a “major data breach,” which resulted in a hacker downloading its entire database. “We were made aware of the breach later on in the day, and after confirming the content of the breach, we decided to shut down all services and operations,” Discord.io said in an announcement. 

The hacker, who goes by the name “Akhirah,” claims to have stolen data on 760,000 Discord.io users. Akhirah says the hack was motivated in part by the fact that Discord.io allegedly links to child sexual abuse material. The hacker tells Bleeping Computer they would be open to keeping the stolen information private if Discord.io deletes those links, but the stolen data is also currently available for sale on a hacking forum.

Discord.io says it’s “still investigating the breach, but we believe that the breach was caused by a vulnerability in our website’s code, which allowed an attacker to gain access to our database.”

The good news is that affected users don’t need to change their passwords on Discord itself because Discord.io was only storing Discord user IDs, not any Discord authentication tokens. 

Still, the hacker stole email addresses associated with Discord.io users, along with the billing addresses of those who made purchases on the service before it started using the Stripe and PayPal payments platform. 

In addition, a small number of users who signed up with Discord.io prior to 2018 had their password information stolen. However, the stolen password data was salted and hashed. “While your password was encrypted to industry standards, if it was not unique, we urge you to update any other site that might have used this password,” Discord.io adds.  

Although Discord.io has temporarily shut down, the service plans on returning with stronger security in place. “This will include a complete rewrite of our website’s code, as well as a complete overhaul of our security practices,” it says. 


Israeli protesters block highways, train stations as Netanyahu moves ahead with judicial overhaul


JERUSALEM — Tens of thousands of protesters on Tuesday blocked highways and train stations and massed in central Tel Aviv during a day of countrywide demonstrations against Prime Minister Benjamin Netanyahu’s contentious judicial overhaul plan.

The protests, now in their seventh month, have taken on a sense of urgency in recent days as Netanyahu and his allies in parliament march ahead with the program. The first bill in the package – a measure that seeks to limit the Supreme Court’s oversight powers – could become law as soon as next week.

The unrest also cast a shadow over a visit to the White House by Israel’s figurehead president, Isaac Herzog, who was invited to Washington to celebrate Israel’s 75th anniversary.

In a meeting with Biden in the Oval Office, Herzog acknowledged that Israel was “going through a heated debate as a society.” But he said that debate shows that Israeli society is “strong and resilient.” He added that the country should seek an “amicable consensus.”

Biden, who has criticized the overhaul plan, said that the U.S. commitment to Israel was strong and the bond between the two countries was “unbreakable.”

Netanyahu and his allies say the overhaul is needed to rein in the powers of an unelected judiciary – particularly the Supreme Court – that they believe is overly interventionist in government decisions.

Their opponents, representing a wide cross section of Israeli society, say the plan is a power grab by Netanyahu and his ultranationalist and ultra-Orthodox allies that will destroy the country’s fragile system of checks and balances. They also say the prime minister, who is on trial for corruption charges, and his allies are motivated by various grievances against the justice system.

Late Tuesday, protesters thronged outside the U.S. diplomatic offices, packed the central square of Tel Aviv and crippled the city’s main highway. Police on horseback galloped among the crowds, trying to clear them away.

Earlier, protesters gathered…


Real-life nonviolent ‘RoboCops’ hitting the streets of NYC in city safety overhaul 


It’s not just science fiction anymore.

Several nonviolent, real-life “RoboCops” are hitting the streets of New York City, as Mayor Eric Adams and the NYPD unveiled the latest technological upgrade for New York’s Finest.

The new devices — resembling, in many ways, the bots typically seen in sci-fi classics such as the 1987 action movie — are replete with new GPS gadgets, and include the return of a robot dog that the mayor said is “out of the pound” after being retired in 2021 due to outrage from advocates. 

Police Commissioner Keechant Sewell announced the three new additions on April 11 in what she called a pilot program that includes large security robots that somewhat resemble Daleks from the popular British television series Doctor Who; a robot dog that officials say will be instrumental in dealing with explosives; and a GPS gun that, like a James Bond gadget, is used to shoot a tracking device onto the back of a fleeing vehicle.

“To safeguard our modern city and a forward-looking world it is essential that our officers are equipped with the tools, training and technology necessary to do that job safely and effectively,” Sewell said. “The NYPD has always stepped forward. In every era, we have maximized public and officer safety through emerging technology. And that approach continues today.”

The large, wheeled robot is dubbed the K-5 autonomous security robot and is equipped with a camera. The technology is being leased by the NYPD and will be used in indoor areas, such as transit facilities, as well as outdoors.

K-five autonomous security robot resembles a Dalek from the TV Show Dr. Who. Photo by Dean Moses

According to Chief of Department Jeffrey Maddrey, these machines are equipped with artificial intelligence to provide real time incident notifications to first responders. These robots are also being used on college campuses and shopping malls throughout the country, he added.

The second and perhaps most controversial piece of kit is the “Digidog,” a four-legged android that police say will be invaluable when dealing with hostage situations, bomb threats, or…
