The Verge: https://www.theverge.com/2023/9/6/23861890/microsoft-azure-data-breach-investigation-failures-outlook
Tech

China-BackedHackers Steal Microsoft’s Signing Key because of the Comedy of Errors

admin

How did a Chinese hacker get a password from a sign-up system? Microsoft admits it’s hardened, but it does not admit it

Microsoft says it has corrected all of the issues above, including the error that sent the signing key to the crash dump in the first place. In its post, the company adds that it’s continuously hardening systems. Microsoft has increasingly come under fire for its security practices, which both Senator Ron Wyden (D-OR) and Tenable CEO Amit Yoran have called “negligent,” with Yoran accusing Microsoft of being too slow to react to its security flaws.

A group from China stole a password from the company’s systems in June. Multiple US government agencies as well as 25 organizations were able to access cloud-based Outlook email systems with this key. At the time of the disclosure, however, Microsoft did not explain how the hackers were able to compromise such a sensitive and highly guarded key, or how they were able to use the key to move between consumer- and enterprise-tier systems. A new postmortem published by the company shows that a series of slipups and oversights allowed the attack.

Another unanswered question about the incident had been how the attackers used a cryptographic key from the crash log of a consumer signing system to infiltrate the enterprise email accounts of organizations like government agencies. Microsoft said on Wednesday that this was possible because of a flaw related to an application programming interface that the company had provided to help customer systems cryptographically validate signatures. Many systems can be tricked into accepting either consumer keys or enterprise keys, since the api wasn’t updated to include libraries that would verify whether a system should accept consumer or enterprise keys.

The company added that support, but it failed to make the proper updates to the systems used to authenticate keys — that is, determine whether they’re consumer or enterprise keys. Mail system engineers, assuming the updates had been made, built in no additional authentication, leaving the mail system blind to what sort of key was used.

In short, had those libraries been updated properly, even given all the other failure points, Storm-0558 hackers might not have been able to access the enterprise email accounts used by the corporations they targeted.

The key ended up in the possession of Storm-0558 after a Rube Goldberg machine-style series of events put it in the wrong place. The company writes that when the system made a debugging snapshot of a process that had crashed, it didn’t strip, as it should have, the so-called “crash dump” of all sensitive information, leaving the key in.

The Microsoft investigation summary shows that Storm was able to gain access to corporate and government emails with the help of a Microsoft consumer account key.

What the best hacks could have in common: Hackers vs. Network administrators: How many paper cuts did they need to make?

Jake Williams, a former US National Security Agency hacker who is on the Faculty of the Institute for Applied Network Security, says that all the best hacks are deaths by 1,000 paper cuts.

In, ,
Previous post A new theropod from the dinosaur family
Next post As abortion laws go up, maternity care goes down

More Stories

I would love to berativeai, it’s crazy

admin

Talking about AI-aligned robotics, a man said, “When there is a big tech thing that has the entire brain melting, I keep repeating to myself, ‘It’s just software’.” He further said, “Wordprocessing was supposed to…make it so easy to write a novel that there was no need for it, whilePhotoshop looked like it would help erase history.”

With OpenAI’s release of GPT-4o, is it still worth it?

admin

Gurugram-based artificial intelligence startup OpenAI on Monday launched a new model for its online chat platform ‘ChatGPT’. The ‘GPT-4o’ model will be free and not require a subscription. It will be available for free for non-paying users and will feature features that were previously gated off to paying subscribers, like memory and web browsing.

The Apple iPad Pro (2023) is the best kind of overkill

admin

Apple on Wednesday unveiled its new 12.9-inch iPad Pro, its thinnest and lightest laptop to date. The iPad Pro is powered by an all-new M4 quad-core processor, up to 16GB of RAM and a starting price of $9,999. The iPad Pro is also Apple’s first laptop to come with a full-time facial recognition camera, which will be available in September.

The iPad Air is good, but not the iPad to buy

admin

Apple’s iPad Pro is an iPad, and until Apple fixes things or opens up the operating system, you just aren’t going to get enough out of it to become a must-have, as per TechCrunch. The iPad Pro is also a very expensive iPad, which is great, but it’s still an iPad. Outside of a couple of specific cases, I wouldn’t tell you to buy this year’s iPad Air.