
Software

According to Microsoft, hackers stole its email signing key. Kind of


China-backed hackers stole a digital skeleton key to access US government emails.

A China-backed hacking group stole one of Microsoft’s email keys, allowing near-unfettered access to U.S. government inboxes, due to a series of unfortunate and cascading mistakes. Microsoft revealed how the hackers pulled off the heist in a long-awaited blog post this week. Although one mystery was solved, several crucial details remain unknown.

In July, Microsoft disclosed that Storm-0558 hackers, which it believes are backed by China, “acquired” an email signing key used to secure Outlook.com accounts. The hackers broke into government officials’ Microsoft-hosted personal and enterprise email accounts using that digital skeleton key. The hack targeted unclassified emails of U.S. government officials and diplomats, including Commerce Secretary Gina Raimondo and Ambassador to China Nicholas Burns.

The hackers’ source of that consumer email signing key was unknown until this week, when Microsoft revealed the five issues that led to its leak.

Microsoft reported in its blog that a consumer key signing system crashed in April 2021. The crash produced a system snapshot (a crash dump) for analysis. That signing system is kept “highly isolated and restricted” from the internet to prevent cyberattacks. Microsoft was unaware that the crash dump contained the consumer signing key (issue #1), and its systems failed to detect the key’s presence in the snapshot (issue #2).

The snapshot image was “subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network” to investigate the cause of the crash. Microsoft said this was consistent with its standard debugging process, but its credential scanning did not detect the key in the snapshot image (issue #3).
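The third issue above is a credential-scanning miss: a crash dump crossed a trust boundary (isolated signing network to internet-connected corporate network) without anything noticing that key material was inside it. The following is an added example, not Microsoft’s scanner or any code from the article, of the kind of check a defender would put in front of that move. It scans a constructed snapshot for PEM-wrapped private keys and for high-entropy base64-like blobs (raw key material that is not PEM-wrapped), and refuses to release the dump if anything is found. The sample snapshot, the key body (random-looking filler, not a real key) and the entropy threshold are all constructed assumptions.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str      # "pem_private_key" or "high_entropy_blob"
    offset: int    # byte offset of the match inside the snapshot
    length: int    # length of the match in bytes


# Constructed sample "crash snapshot": benign padding plus a service banner,
# with an embedded PEM private key standing in for the signing key the
# production scanner missed. The key body is filler, not real key material.
SAMPLE_SNAPSHOT = (
    b"\x00" * 64
    + b"service=tokensigner build=2021.04 state=crashed\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIEogIBAAKCAQEA7v8xQ2kL9pZcR4tUwYxB1nMfGhJ3sKdV6aE0oPqWyT5rNzXe\n"
    + b"Hc8LjFmAbD2vGqR7sK4pY1zN0tW9xE3uVbMkCfJ6aQdLhS5oPiT8nXyZ2eRgB4wU\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 64
)

# A second constructed snapshot where the key is present only as a raw
# base64 blob in a config-style line, so the PEM rule alone would miss it.
SAMPLE_RAW_BLOB = (
    b"\x00" * 32
    + b"keyblob=MIIEogIBAAKCAQEA7v8xQ2kL9pZcR4tUwYxB1nMfGhJ3sKdV6aE0oPqWyT5rNzXe\n"
    + b"\x00" * 32
)

PEM_RE = re.compile(
    rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----",
    re.DOTALL,
)
BLOB_RE = re.compile(rb"[A-Za-z0-9+/=]{40,}")
ENTROPY_THRESHOLD = 4.5  # bits per byte; assumed cut-off, English text sits near 4.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given data."""
    if not data:
        return 0.0
    counts: dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_snapshot(blob: bytes) -> list[Finding]:
    """Return every suspected secret in the snapshot, PEM blocks first."""
    findings: list[Finding] = []
    covered: list[tuple[int, int]] = []
    for m in PEM_RE.finditer(blob):
        findings.append(Finding("pem_private_key", m.start(), m.end() - m.start()))
        covered.append((m.start(), m.end()))
    for m in BLOB_RE.finditer(blob):
        if any(s <= m.start() < e for s, e in covered):
            continue  # already reported as part of a PEM block
        if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
            findings.append(Finding("high_entropy_blob", m.start(), m.end() - m.start()))
    return findings


def safe_to_move(blob: bytes) -> bool:
    """Gate for moving a dump off the isolated network: only if nothing was found."""
    return not scan_snapshot(blob)


if __name__ == "__main__":
    for name, snap in (("pem", SAMPLE_SNAPSHOT), ("raw", SAMPLE_RAW_BLOB)):
        print(name, "safe_to_move:", safe_to_move(snap))
        for f in scan_snapshot(snap):
            print("  ", f.kind, "at offset", f.offset, "len", f.length)
```

The entropy rule is deliberately crude and will produce false positives on compressed or encoded data; in practice it is the gate that matters, not the precision of the detector: a dump that trips any rule stays on the isolated side until a human has looked at it.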

After the snapshot image was moved to Microsoft’s corporate network in April 2021, Microsoft said the Storm-0558 hackers were able to “successfully compromise” a Microsoft engineer’s corporate account that had access to the debugging environment holding the snapshot image, and with it the consumer signing key. Microsoft said “we don’t have logs with specific evidence of this exfiltration,” but this was the “most probable mechanism by which the actor acquired the key.”

Microsoft stated that its email systems were not properly validating the consumer signing key (issue #4), which allowed access to the enterprise and corporate email accounts of various organizations and government departments. The company said its email system would accept a request for enterprise email using a security token signed with the consumer key (issue #5).
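Issues #4 and #5 are a single validation flaw: a token whose signature checked out under some key in the trusted set was accepted, without confirming that the key was the right kind of key for the realm being accessed. The following is an added example, not Microsoft’s token format or validation code, showing the weak check beside the corrected one. It uses HMAC secrets and a JWT-like three-part token purely so it runs with the standard library; the key store, key names, realm labels and claims are all constructed assumptions. The point carried over from the incident is that each key records the realm it was issued for, and the strict validator requires that realm to match the service being accessed, so a token signed by a consumer-realm key can never be honoured for enterprise mail.

```python
import base64
import hashlib
import hmac
import json

# Constructed key store. In a real system these would be asymmetric signing
# keys published per realm; HMAC secrets stand in here. The "realm" field is
# the metadata the strict validator relies on.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret-(constructed)", "realm": "consumer"},
    "enterprise-key-1": {"secret": b"enterprise-secret-(constructed)", "realm": "enterprise"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Issue a header.claims.signature token under the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def _verify_signature(token: str):
    """Return (key_record, claims) if the signature is valid under a known kid, else (None, None)."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(head_b64))
    except (ValueError, UnicodeDecodeError):
        return None, None
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None, None
    expected = hmac.new(key["secret"], f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None, None
    return key, json.loads(_unb64(claims_b64))


def validate_weak(token: str, expected_realm: str) -> bool:
    """Flawed check: any key in the store that verifies the signature is accepted,
    regardless of which realm that key was issued for. Only the claim is checked."""
    key, claims = _verify_signature(token)
    return key is not None and claims.get("realm") == expected_realm


def validate_strict(token: str, expected_realm: str) -> bool:
    """Corrected check: the signing key's own realm must also match the realm
    being accessed, so a consumer-realm key cannot vouch for enterprise mail."""
    key, claims = _verify_signature(token)
    if key is None:
        return False
    return claims.get("realm") == expected_realm and key["realm"] == expected_realm


if __name__ == "__main__":
    # A token minted with the consumer key but claiming the enterprise realm.
    cross_realm = sign_token("consumer-key-1", {"sub": "user@example.test", "realm": "enterprise"})
    print("weak validator accepts cross-realm token:", validate_weak(cross_realm, "enterprise"))
    print("strict validator accepts cross-realm token:", validate_strict(cross_realm, "enterprise"))
```

In practice the realm binding would be carried by the key-distribution mechanism (separate key sets per issuer, or a scope attribute on each published key) rather than by a dictionary, but the validator logic is the same: verify the signature, then verify that the key was entitled to sign for this audience.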

Mystery solved? Not quite

Microsoft’s admission that the consumer signing key was likely stolen from its systems ends the speculation that it was obtained elsewhere.

How the intruders first got into Microsoft’s network is unknown. Jeff Jones, a senior director at Microsoft, said that “token-stealing malware” compromised the engineer’s account but declined to comment further.

Token-stealing malware, which harvests session tokens, is typically delivered by phishing and malicious links. Session tokens are small files that keep users logged in without having to re-enter a password or two-factor code, so a stolen session token can give an attacker full access without either.
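Because a session token stands in for the password and the second factor together, the defensive question is how a service notices that a valid token is now being presented by someone other than the client it was issued to. The following is an added example, not code from the article or from any of the companies it names, of a server-side session store that binds each token to a coarse client fingerprint captured at login, expires tokens after a fixed lifetime, and revokes a token the moment it is replayed from a different client context (flagging it for the SOC and forcing re-authentication). The fingerprint inputs, lifetimes and sample values are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    fingerprint: str              # hash of the client context seen at login
    issued_at: float
    max_age_s: float
    events: list = field(default_factory=list)  # audit trail for detection


class SessionStore:
    """In-memory session store with token lifetime and client-context binding."""

    def __init__(self, max_age_s: float = 3600.0):
        self.max_age_s = max_age_s
        self._sessions: dict[str, Session] = {}
        self.alerts: list[tuple[str, str, float]] = []  # (user, reason, when)

    @staticmethod
    def fingerprint(user_agent: str, network: str) -> str:
        # "network" is a coarse identifier (a /24 or an ASN, assumed here), not
        # the exact address, so ordinary address churn does not trip the check.
        return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()

    def login(self, user: str, user_agent: str, network: str, now: float | None = None) -> str:
        """Issue a fresh random token bound to the client context seen at login."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self.fingerprint(user_agent, network), now, self.max_age_s)
        return token

    def check(self, token: str, user_agent: str, network: str, now: float | None = None) -> str:
        """Return 'ok', 'unknown', 'expired', or 'suspect'.

        'suspect' means the token is valid but arrived from a different client
        context than the one it was issued to: the token is revoked on the spot
        and an alert is recorded, because this is the signature of token theft.
        """
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if now - s.issued_at > s.max_age_s:
            del self._sessions[token]            # short lifetimes limit a stolen token's value
            return "expired"
        if self.fingerprint(user_agent, network) != s.fingerprint:
            s.events.append(("fingerprint_mismatch", now))
            self.alerts.append((s.user, "session token replayed from new client context", now))
            del self._sessions[token]            # revoke; holder must re-authenticate with MFA
            return "suspect"
        return "ok"


if __name__ == "__main__":
    store = SessionStore(max_age_s=600)
    tok = store.login("engineer", "Mozilla/5.0 (constructed)", "203.0.113.0/24", now=1000.0)
    print(store.check(tok, "Mozilla/5.0 (constructed)", "203.0.113.0/24", now=1100.0))   # ok
    print(store.check(tok, "Mozilla/5.0 (constructed)", "198.51.100.0/24", now=1200.0))  # suspect
    print(store.alerts)
```

Binding to a coarse fingerprint is a trade-off: too exact (full IP, every header) and mobile users get logged out constantly; too loose and the check catches nothing. Short token lifetimes and the revoke-on-mismatch rule are what limit the damage when the binding is evaded.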

Last year, a teenage hacking team called Lapsus$ used malware to steal Uber employee passwords and session tokens. CircleCI was compromised in January after its antivirus software missed token-stealing malware on an engineer’s laptop. After hackers broke into LastPass’s cloud storage via a compromised developer’s computer, customers’ password vaults were breached.

Knowing how the Microsoft engineer’s account was compromised could help network defenders prevent future incidents. The engineer’s work computer, or a personal device Microsoft allowed on its network, may have been compromised. The real culprits for the compromise are the network security policies that failed to block the (albeit highly skilled) intruder, so focusing on one engineer seems unfair.

Cybersecurity is difficult even for corporate mega-giants with nearly unlimited cash and resources. Even if they ultimately failed, Microsoft’s engineers considered a wide range of complex threats and cyberattacks when designing the protections and defenses for the company’s most sensitive and critical systems. Whether Storm-0558 hacked into Microsoft’s network by chance or knowing it would find the keys to its email kingdom, it’s a reminder that attackers only need to succeed once.

No analogy fits this unique breach or circumstances. It’s possible to admire a bank’s vault security while acknowledging the robbers who stole the loot inside.

It will be some time before the full extent of the espionage campaign is known, and the remaining victims whose emails were accessed are unknown. The Cyber Security Review Board, a group of security experts that analyzes major cybersecurity incidents, will investigate the Microsoft email breach and other issues “relating to cloud-based identity and authentication infrastructure.”


As Editor here at GeekReply, I'm a big fan of all things Geeky. Most of my contributions to the site are technology related, but I'm also a big fan of video games. My genres of choice include RPGs, MMOs, Grand Strategy, and Simulation. If I'm not chasing after the latest gear on my MMO of choice, I'm here at GeekReply reporting on the latest in Geek culture.

Apps

Threads finally starts its own program to check facts


Meta’s latest social network, Threads, is launching its own fact-checking initiative after leveraging Instagram and Facebook’s networks for a brief period.

Adam Mosseri, the CEO of Instagram, stated that the company has recently implemented a feature that allows fact-checkers to assess and label false content on threads. Nevertheless, Mosseri refrained from providing specific information regarding the exact timing of the program’s implementation and whether it was restricted to certain geographical regions.

Which of Meta’s affiliated fact-checking organizations are partnering on Threads is not clearly specified. We have requested additional information from the company and will revise the story accordingly upon receiving a response.

The upcoming U.S. elections appear to be the main driving force behind the decision. India is currently in the midst of its general elections. However, it is improbable that a social network would implement a fact-checking program specifically during an election cycle rather than initiating the project prior to the elections.

In December, Meta announced its intention to implement the fact-checking program on Threads.

“At present, we align the fact-check ratings from Facebook or Instagram with Threads. However, our objective is to empower fact-checking partners to evaluate and assign ratings to misinformation on the application,” Mosseri stated in a post during that period.


Software

Google developed several pioneering social applications for Android, including Twitter’s


Here is a piece of startup history that may not be widely known outside of the technology companies themselves: Google itself developed the initial iterations of well-known Android applications, such as Twitter. The revelation was made during a recent podcast featuring Sara Beykpour, the former senior director of product management at Twitter and current co-founder of the AI news startup Particle.

Beykpour discusses her involvement in Twitter’s past in a podcast with Lightspeed partner Michael Mignano. She details her employment at Twitter in 2009, where she started as a tools engineer, during a time when the company had a workforce of approximately 75 individuals. Subsequently, Beykpour transitioned to working on mobile applications at Twitter during a period when third-party applications were gaining traction on different platforms, such as BlackBerry and iOS. Twitter bought one of those applications, Loren Brichter’s Tweetie, and used it as the basis for its initial official iOS app.

Beykpour stated that Twitter’s Android app originated from Google.

The Twitter for Android client was a prototype app that Google created and handed over, she said on the podcast. “During that period, Google developed all the popular social apps such as Foursquare and Twitter, resulting in a similar appearance among them.”

Mignano interrupted, requesting clarification on the matter. Did Google develop applications in order to encourage companies to adopt Android?

“Yes, precisely,” Beykpour replied.

Following that, Twitter took over control of the Google-developed Android app and started to improve its features. Beykpour says she was the company’s second Android engineer.

Google documented its efforts on the Android Twitter client in a blog post in 2010. However, the media coverage at the time failed to acknowledge Google’s contribution, and this aspect of internet history was overlooked. Google’s post details the integration of early Android best practices into the Twitter app. Beykpour informed TechCrunch that Virgil Dobjanschi, the post’s author, was the primary software engineer on it.

“We were expected to direct any inquiries to him,” she recalls.

Beykpour also recounted additional anecdotes regarding Twitter’s early stages. As an example, she was involved in the development of Vine, Twitter’s video app, after returning to Twitter from working at Secret. She faced pressure to release Vine on Android before Instagram launched its own video product. According to her, she managed to meet the deadline by introducing Vine approximately two weeks prior to the release of Instagram Video.

The latter had a significant impact on Vine’s metrics, and according to Beykpour, it was the main factor that caused the downfall of the popular app.

She claimed that, even though it took several years for Vine to finally shut down, “that was the day when the signs of its demise became evident.”

At Twitter, Beykpour spearheaded the discontinuation of Vine, an application that remains highly popular, to the extent that even Elon Musk, the new owner of Twitter/X, continues to playfully hint at its potential revival. However, Beykpour believes that Twitter made a sound decision regarding Vine, as she acknowledges that the app was not experiencing growth and was costly to maintain. She concedes that others may have a different perspective, possibly contending that Vine lacked sufficient resources or support from leadership. However, the ultimate reason for the closure was Vine’s effect on Twitter’s financial performance.

Beykpour also recounted a captivating anecdote regarding her experience working on Periscope. She left Secret and joined the startup just as Twitter purchased it. She recalls the necessity of rejoining Twitter using an alias in order to maintain secrecy about the acquisition for a period of time.

In the podcast’s discussion of Twitter, she also described the difficulty of securing the resources needed to build and improve products and features designed for power users, such as journalists.

“Twitter faced difficulties in defining its user,” she stated, as it “relied heavily on conventional OKRs and metrics.” However, it was a reality that only a small proportion of individuals engage in tweeting, and within this subset, only a portion of them are responsible for creating the content that is truly desired by everyone. Beykpour acknowledges that quantifying this subset was a challenging task.

Currently at Particle, her expertise in developing Twitter is influencing the approach for the AI news application, which aims to facilitate the connection between individuals and the news that is relevant to their interests and happening in their vicinity.

“Particle represents a new approach to consuming your daily news,” Beykpour states in the podcast. The objective of the app is to offer a comprehensive and diverse outlook on news while also granting users access to journalism of exceptional quality. The startup is seeking alternative methods to generate revenue from reporting, in addition to advertisements, subscriptions, or micropayments. Nevertheless, the precise details of Particle’s approach are still under deliberation. The startup is presently engaging in discussions with potential publisher partners regarding the remuneration for their contributions.


Apps

Mark Zuckerberg reports that Threads has a total of 150 million users who engage with the app on a monthly basis


Threads, Meta’s alternative to Twitter and X, is experiencing consistent and steady growth. During the Q1 2024 earnings call, Mark Zuckerberg stated that the social network currently has over 150 million monthly active users, an increase from 130 million in February.

Since the last quarterly earnings call, Threads has made significant progress in integrating with ActivityPub, the decentralized protocol that powers networks such as Mastodon. In March, the company granted U.S.-based users who are 18 years of age or older the ability to link their accounts to the Fediverse, enabling their posts to be seen on other servers.

By June, the company intends to make its API available to a broad range of developers, enabling them to create experiences centered on the social network. Nevertheless, it remains uncertain whether Threads will allow developers to create comprehensive third-party clients.

Meta just introduced its AI chatbot on various platforms, including Facebook, Messenger, WhatsApp, and Instagram. Threads was conspicuously omitted from this list, perhaps because of its lack of built-in direct messaging capabilities.

Threads introduced a new test feature on Wednesday that allows users to automatically archive their posts after a certain length of time. Additionally, users can archive or remove specific posts from the archive and make them public again.

Threads is around nine months old, and Meta has consistently expanded its user base. Nevertheless, Threads cannot be considered a viable substitute for X, as Instagram’s head, Adam Mosseri, explicitly stated in October that Threads will not “amplify news on the platform.” Even so, Meta’s social network continues to grow in popularity. According to app analytics company Apptopia, Threads now has more daily active users in the U.S. than X, as Business Insider reported earlier this week.
