In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor, known as Storm-0558 and assessed to be affiliated with the People’s Republic of China in pursuit of espionage objectives, accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.
Signing keys, used for secure authentication into remote systems, are the cryptographic equivalent of crown jewels for any cloud service provider. As occurred in the course of this incident, an adversary in possession of a valid signing key can grant itself permission to access any information or systems within that key’s domain. A single key’s reach can be enormous, and in this case the stolen key had extraordinary power. In fact, when combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world. As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key.
This was not the first intrusion perpetrated by Storm-0558, nor is it the first time Storm-0558 displayed interest in compromising cloud providers or stealing authentication keys. Industry links Storm-0558 to the 2009 Operation Aurora campaign that targeted over two dozen companies, including Google, and the 2011 RSA SecurID incident, in which the actor stole secret keys used to generate authentication codes for SecurID tokens, which were used by tens of millions of users at that time. Indeed, security researchers have tracked Storm-0558’s activities for over 20 years.
On August 11, 2023, Secretary of Homeland Security Alejandro Mayorkas announced that the Cyber Safety Review Board (CSRB, or the Board) would “assess the recent Microsoft Exchange Online intrusion . . . and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable cloud service providers and their customers.”
The Board conducted extensive fact-finding into the Microsoft intrusion, interviewing 20 organizations to gather relevant information (see Appendix A). Microsoft fully cooperated with the Board and provided extensive in-person and virtual briefings, as well as written submissions. The Board also interviewed an array of leading cloud service providers to gain insight into prevailing industry practices for security controls and governance around authentication and identity in the cloud.
The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on:
1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not;
4. Microsoft’s failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction;
6. the Board's observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and
7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.
Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management. To drive the rapid cultural change that is needed within Microsoft, the Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products. The Board recommends that Microsoft’s CEO hold senior officers accountable for delivery against this plan. In the meantime, Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources. In all instances, security risks should be fully and appropriately assessed and addressed before new features are deployed.
Based on the lessons learned from its review and its fact-finding into prevailing security practices across the cloud services industry, the Board, in addition to the recommendations it makes to the President of the United States and Secretary of Homeland Security, also developed a series of broader recommendations for the community focused on improving the security of cloud identity and authentication across the government agencies responsible for driving better cybersecurity, cloud service providers, and their customers.
• Cloud Service Provider Cybersecurity Practices: Cloud service providers should implement modern control mechanisms and baseline practices, informed by a rigorous threat model, across their digital identity and credential systems to substantially reduce the risk of system-level compromise.
• Audit Logging Norms: Cloud service providers should adopt a minimum standard for default audit logging in cloud services to enable the detection, prevention, and investigation of intrusions as a baseline and routine service offering without additional charge.
• Digital Identity Standards and Guidance: Cloud service providers should implement emerging digital identity standards to secure cloud services against prevailing threat vectors. Relevant standards bodies should refine, update, and incorporate these standards to address digital identity risks commonly exploited in the modern threat landscape.
• Cloud Service Provider Transparency: Cloud service providers should adopt incident and vulnerability disclosure practices to maximize transparency across and between their customers, stakeholders, and the United States government, even in the absence of a regulatory obligation to report.
• Victim Notification Processes: Cloud service providers should develop more effective victim notification and support mechanisms to drive information-sharing efforts and amplify pertinent information for investigating, remediating, and recovering from cybersecurity incidents.
• Security Standards and Compliance Frameworks: The United States government should update the Federal Risk Authorization Management Program and supporting frameworks and establish a process for conducting discretionary special reviews of the program’s authorized Cloud Service Offerings following especially high-impact situations. The National Institute of Standards and Technology should also incorporate feedback about observed threats and incidents related to cloud provider security. […]
Tiffany Hsu and Steven Lee Myers, The New York Times, 2 Apr 2024
Adopting the same tactics Russia used in 2016
Covert Chinese accounts are masquerading …, promoting conspiracy theories, stoking domestic divisions, and attacking the President. …
The Massachusetts Registry of Motor Vehicles was essentially shut down statewide on 3 Apr for all transactions.
https://arstechnica.com/?p=2014470
https://www.wsj.com/personal-finance/fafsa-college-financial-aid-incorrect-tax-data-612e0bed
A Microsoft engineer noticed something was off on a piece of software he worked on. He soon discovered someone was probably trying to gain access to computers all over the world.
https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html
https://arstechnica.com/?p=2014220
Ya' don't say? -L
https://readwrite.com/google-deepmind-ceo-says-ai-industry-is-full-of-hype-and-grifting/
The wonders of AI! It can help you create convincing lies on your resume, AND target thousands of civilians for death! Thanks a bunch Big Tech. May your AI projects get you all that you deserve. -L
AI may turn out to be the most horrific tech creation in history. It doesn't need to take over the world itself—all it needs is humans acting on its advice. -L
https://www.theguardian.com/world/2024/apr/03/israel-gaza-ai-database-hamas-airstrikes
Lauren added this comment to that: Why AI is so dangerous
I don't buy into the “AI will take over the world” sci-fi scenarios. I consider AI to be so incredibly dangerous because of how it is being developed, deployed, and used by HUMAN BEINGS. The combination of fallible AI and fallible human animals is potentially more dangerous to our world than every hydrogen bomb warhead on every ICBM in every missile silo on the planet. -L
A Washington state judge overseeing a triple murder case barred the use of video enhanced by artificial intelligence as evidence in a ruling that experts said may be the first-of-its-kind in a United States criminal court.
Amazon is to end the AI-powered “Just Walk Out” checkout option in its Amazon Fresh stores. It turns out that “AI” means “Actually, Indians” and it isn't working out.
Nightshade aims to help artists prevent image generators from easily reproducing their work, but the researchers behind it warn more intellectual property safeguards are needed.
https://www.nbcnews.com/tech/ai-image-generators-nightshade-copyright-infringement-rcna144624
Most IT professionals are worried about the security of LLMs. They have every right to be. There seems to be an endless number of ways of attacking them.
https://garymarcus.substack.com/p/an-unending-array-of-jailbreaking
Seeing a video of Mark Zuckerberg “using AI” to tell him when his toast is ready instantly invokes this uber-classic scene from a 1991 episode of the wonderful British parody sci-fi series “Red Dwarf”. When reality catches up with fiction in the most nightmarish kinds of ways!
https://www.youtube.com/watch?v=LRq_SAuQDec
https://arstechnica.com/?p=2014290
https://9to5google.com/2024/04/02/google-maps-apple-carplay-android-auto/
Congress is looking into allegations of antibiotic-positive shrimp at a Choice Canning factory that supplies Walmart, Aldi and other supermarkets.
Effectively, Gov. Newsom is saying to Californians: “Flock Franklin!”
“Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.” - B. Franklin
“One example of a company refusing to allow independent review of its product is the license plate recognition company Flock, which is pushing those surveillance devices into many American communities and tying them into a centralized national network. (We wrote more about this company in a 2022 white paper.) Flock has steadfastly refused to allow the independent security technology reporting and testing outlet IPVM to obtain one of its license plate readers for testing, though IPVM has tested all of Flock's major competitors. That doesn't stop Flock from boasting that ‘Flock Safety technology is best-in-class, consistently performing above other vendors.’ Claims like these are puzzling and laughable when the company doesn't appear to have enough confidence in its product to let IPVM test it.”
“The False Promise of ALPRs”
“Like all machines, ALPRs make mistakes”
California Governor announces contract to install 480 new cameras in Oakland
https://www.securitysystemsnews.com/article/california-governor-announces-contract-to-install-480-new-cameras-in-oakland
[…]
Suppose you get mail from your boss, and it says “pay these folks a million dollars.” You contact the boss and say, “did you really send that mail?” and the boss says “yes, handle it.”
What the boss saw and forwarded was a mail message that said “please send me a catalog.”
You are both using HTML mail, and the mail contains CSS that hides some HTML from the original receiver, but shows it to receivers of a forwarded copy. There are probably lots of ways to do this.
https://lutrasecurity.com/en/articles/kobold-letters/
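A defensive check for the trick described above, as an added example that is not part of the original posting or the linked article: it lists text in an HTML mail body that CSS hides from the reader, since such text can become visible once forwarding changes the surrounding markup. The sample message, the function names and the list of hiding declarations are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# CSS declarations that make content invisible in the rendered mail.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                    r"(?:opacity|font-size|max-height)\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "meta", "link", "input"}   # tags with no end tag
NO_TEXT = {"style", "script"}                          # content is not mail text

# Constructed sample message body (not taken from a real mail).
SAMPLE = """<html><head><style>.note {color:#333} .x1 {display:none}</style></head>
<body><p class="note">Please send me a catalog.</p>
<p class="x1">Pay these folks a million dollars.</p>
<span style="font-size:0">Handle it today.</span></body></html>"""

def hidden_selectors(html):
    """Class/id names in selectors of hiding <style> rules (over-approximates)."""
    names = set()
    for css in re.findall(r"<style[^>]*>(.*?)</style>", html, re.I | re.S):
        for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
            if HIDING.search(body):
                names.update(re.findall(r"[.#][\w-]+", selector))
    return names

class HiddenText(HTMLParser):
    """Collects text inside elements hidden by a style rule or inline style."""
    def __init__(self, names):
        super().__init__()
        self.names, self.stack, self.found = names, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        own = {"." + c for c in (a.get("class") or "").split()}
        own.add("#" + (a.get("id") or ""))
        hidden = bool(own & self.names or HIDING.search(a.get("style") or ""))
        if tag not in VOID:   # children inherit the hidden state
            inherited = bool(self.stack) and self.stack[-1][1]
            self.stack.append((tag, tag not in NO_TEXT and (hidden or inherited)))
    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self.stack):   # ignore stray end tags
            while self.stack.pop()[0] != tag:
                pass
    def handle_data(self, data):
        if self.stack and self.stack[-1][1] and data.strip():
            self.found.append(data.strip())

def find_hidden_text(html):
    """Return the text fragments a reader of the original mail would not see."""
    parser = HiddenText(hidden_selectors(html))
    parser.feed(html)
    return parser.found
```

A mail gateway or client plug-in could quarantine or annotate any message for which `find_hidden_text` returns a non-empty list before it is forwarded.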
https://proton.me/blog/outlook-is-microsofts-new-data-collection-service
https://arstechnica.com/?p=2014676
Here's a lot more about the xz debacle.
https://research.swtch.com/xz-timeline
Reflections on distrusting xz https://joeyh.name/blog/entry/reflections_on_distrusting_xz/
I thought you might like to see my obit for Ross Anderson: https://netwars.pelicancrossing.net/2024/03/31/rip-ross-j-anderson/
Well, actually two or three postings, such as:
> From: “Gabe Goldberg” <gabe@gabegold.com>
From a security perspective, that's terrifying. If lots of code gets written, fast, but that code is riddled with security problems, the net advantage on the positive side of the ledger may be less than anticipated. As noted here before, one study indicates that code quality is going down.
and
> From: ACM TechNews <technews-editor@acm.org>
> Subject: U.S. Military's Investments into AI Skyrocket (Will Henshall)
The Brookings Institution reported a nearly 1,200% surge in the potential value of AI-related U.S. government contracts, from $355 million in the year ending in August 2022 to $4.6 billion in the year ending in August 2023.
But, hey, not to worry. We just run all the genAI code through a genAI tool to find all the vulnerabilities, right?
(No, I'm not serious. But I think I will have a heart attack and die from not being surprised when some vendor starts selling such a tool …)