

According to Microsoft, hackers stole its email signing key. Kind of





China-backed hackers stole a digital skeleton key to access US government emails.

A China-backed hacking group stole one of Microsoft’s email keys, allowing near-unfettered access to U.S. government inboxes, due to a series of unfortunate and cascading mistakes. Microsoft revealed how the hackers pulled off the heist in a long-awaited blog post this week. Although one mystery was solved, several crucial details remain unknown.

In July, Microsoft disclosed that Storm-0558 hackers, which it believes are backed by China, “acquired” an email signing key used to secure accounts. The hackers broke into government officials’ Microsoft-hosted personal and enterprise email accounts using that digital skeleton key. The hack targeted unclassified emails of U.S. government officials and diplomats, including Commerce Secretary Gina Raimondo and Ambassador to China Nicholas Burns.

The hackers’ source of that consumer email signing key was unknown until this week, when Microsoft revealed the five issues that led to its leak.

Microsoft reported in its blog that a consumer key signing system crashed in April 2021. The crash created a system snapshot for analysis. This consumer key signing system is “highly isolated and restricted” from the internet to prevent cyberattacks. Microsoft was unaware that the system crash resulted in a snapshot image containing the consumer signing key (issue #1), which its systems then failed to detect in the snapshot (issue #2).

The snapshot image was “subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network” to determine why the system crashed. Microsoft confirmed this followed its standard debugging process, but its credential scanning did not detect the key in the snapshot image (issue #3).

After the snapshot image was moved to Microsoft’s corporate network in April 2021, Microsoft said the Storm-0558 hackers were able to “successfully compromise” a Microsoft engineer’s corporate account, which had access to the snapshot image’s debugging environment, which contained the consumer signing key. Microsoft said “we don’t have logs with specific evidence of this exfiltration,” but this was the “most probable mechanism by which the actor acquired the key.”

Microsoft stated that its email systems were not properly validating the consumer signing key (issue #4), allowing access to enterprise and corporate email accounts of various organizations and government departments. The company stated that its email system would accept a request for enterprise email using a security token signed with the consumer key (issue #5).
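The validation gap in issues #4 and #5, sketched as an added example that is not Microsoft's code: a validator that checks only the signature accepts an enterprise request signed with a consumer key, while one that also checks what the signing key is authorized for rejects it. The key store, key ids, claim names and function names are all hypothetical, and HMAC-SHA256 stands in for the real asymmetric signature so the example runs on the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed key store: key id -> (secret, scope the key is allowed to sign for).
# HMAC-SHA256 stands in for the real asymmetric signature so this runs on the
# standard library alone; the key-scope check is the point, not the algorithm.
KEYS = {
    "consumer-key": (b"constructed-consumer-secret", "consumer"),
    "enterprise-key": (b"constructed-enterprise-secret", "enterprise"),
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(kid, signing_input):
    return hmac.new(KEYS[kid][0], signing_input.encode(), hashlib.sha256).digest()

def issue_token(kid, claims):
    signing_input = _b64(json.dumps({"kid": kid}).encode()) + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _b64(_sign(kid, signing_input))

def _verified(token):
    """Return (kid, claims) if the signature checks out, else raise ValueError."""
    header, body, sig = token.split(".")
    kid = json.loads(_unb64(header))["kid"]
    if kid not in KEYS:
        raise ValueError("unknown signing key")
    if not hmac.compare_digest(_sign(kid, header + "." + body), _unb64(sig)):
        raise ValueError("bad signature")
    return kid, json.loads(_unb64(body))

def validate_signature_only(token, requested_scope):
    # Gap: any trusted key is accepted for any scope the token claims.
    _, claims = _verified(token)
    return claims.get("scope") == requested_scope

def validate_with_key_scope(token, requested_scope):
    # Hardened: the signing key itself must be authorized for the requested scope.
    kid, claims = _verified(token)
    return KEYS[kid][1] == requested_scope and claims.get("scope") == requested_scope

if __name__ == "__main__":
    # Constructed token: signed by the consumer key but claiming enterprise scope.
    mismatched = issue_token("consumer-key", {"sub": "user@agency.example", "scope": "enterprise"})
    print(validate_signature_only(mismatched, "enterprise"))   # True
    print(validate_with_key_scope(mismatched, "enterprise"))   # False
```

The same binding applies whatever the signature scheme: the validator has to decide which keys are trusted for which audience, rather than trusting every key it can verify.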

Mystery solved? Not quite

Microsoft’s admission that the consumer signing key was likely stolen from its systems ends the speculation that it was obtained elsewhere.

How the intruders hacked Microsoft is unknown. Jeff Jones, senior director at Microsoft, said that “token-stealing malware” compromised the engineer’s account but declined to comment further.

Phishing and malicious links can spread token-stealing malware that steals session tokens. Session tokens are small files that keep users logged in without having to re-enter a password or two-factor authentication. Thus, stolen session tokens can give an attacker full access without the user’s password or two-factor code.

Last year, a teenage hacking team called Lapsus$ used malware to steal Uber employee passwords and session tokens. CircleCI was compromised in January after its antivirus software missed token-stealing malware on an engineer’s laptop. After hackers broke into LastPass’s cloud storage via a compromised developer’s computer, customers’ password vaults were breached.

How the Microsoft engineer’s account was compromised could help network defenders prevent future incidents. The engineer’s work computer or a personal device Microsoft allowed on its network may have been compromised. The real culprits for the compromise are the network security policies that failed to block the (albeit highly skilled) intruder, so focusing on an engineer seems unfair.

Cybersecurity is difficult even for corporate mega-giants with nearly unlimited cash and resources. Even if they failed, Microsoft engineers considered a wide range of complex threats and cyberattacks when designing protections and defenses for the company’s most sensitive and critical systems. Storm-0558 hacked into Microsoft’s network either by chance or knowing it would find the keys to its email kingdom. It’s a reminder that cybercriminals only need to succeed once.

No analogy fits this unique breach or circumstances. It’s possible to admire a bank’s vault security while acknowledging the robbers who stole the loot inside.

It will be some time before the full extent of the espionage campaign is known, and the remaining victims whose emails were accessed are unknown. The Cyber Security Review Board, a group of security experts that analyzes major cybersecurity incidents, will investigate the Microsoft email breach and other issues “relating to cloud-based identity and authentication infrastructure.”


As Editor here at GeekReply, I'm a big fan of all things Geeky. Most of my contributions to the site are technology related, but I'm also a big fan of video games. My genres of choice include RPGs, MMOs, Grand Strategy, and Simulation. If I'm not chasing after the latest gear on my MMO of choice, I'm here at GeekReply reporting on the latest in Geek culture.


Mobile apps from Threads make profile switching easy





Twitter rival, Threads, owned by Meta, now allows account switching without logging out.

This Thursday, the social networking app announced that users can swap accounts on its mobile apps by long pressing the bottom right profile icon. Tap “Add profile” after the long press to add a profile.

Users can easily switch between work and personal profiles. Instagram CEO Adam Mosseri did not say whether the profile-switching feature limits the number of accounts you can add.



On the same day as Facebook allowed multiple personal profiles on Blue, the text-based social networking app announced its profile feature.

Threads keeps adding features three months after its launch. It began testing full-text search in New Zealand and Australia late last month. The company launched global search this month.

Threads added 24-hour post notifications and web quote functionality in September.

Threads’ competitors are also shipping features in a competitive social media landscape. Mastodon released version 4.2 this week with improved profile and post search, automatic quick action suggestions in the search box, a new web interface with thread indicators and article previews, and a Privacy and Reach settings tab.



Elon Musk said X will collect ‘a tiny monthly payment’ for its service




X owner Elon Musk suggested today that Twitter may no longer be free. Musk said the business was “moving to a small monthly payment” for the X system in a live-streamed meeting with Netanyahu on Monday. He suggested such a tweak to address platform bots.

Musk said, “It’s the only way I can think of to combat vast armies of bots.” According to him, bots are cheap to create today (a tenth of a penny), but having to pay even a few dollars would make their effective cost very high. Each bot creator would also need a new payment method to make another bot.

Musk said the new subscription price would be a “small amount of money.”

Musk also announced that X now has 550 million monthly users and 100 to 200 million daily postings. Musk’s stats may include automated accounts, either good bots like news feeds or malicious bots like spammers.

This figure couldn’t be compared to Twitter’s pre-Musk user base, which was computed using mDAU, Twitter’s own metric. This earlier statistic identified Twitter users who may be monetized by adverts. Twitter reported 229 million mDAUs in Q1 2022.

Musk did not specify when he would charge for X. Since Musk took over the network last year, it has been pushing users to subscribe to X Premium (formerly Twitter Blue). This $8 per month or $84 per year subscription service lets you modify posts, reduce the ad load, prioritize search and conversation rankings, make lengthier posts, and more.

X doesn’t divulge its paying subscribers, but independent research shows X Premium doesn’t attract most customers. X Premium has 827,615 subscribers, according to one estimate.

Musk has considered charging everyone for X. In fact, Platformer claimed last year that Musk was considering a Twitter paywall.

Musk and Netanyahu discussed AI technologies and regulation today, though hate speech on X also came up. Musk called himself “against antisemitism” and “anything that promotes hate and conflict.” In his latest fight, Musk threatened to sue the Anti-Defamation League, which has accused Musk and X of antisemitism.



X launches government ID account verification





For paid users, X, formerly Twitter, has implemented government ID-based account verification to prevent impersonation and provide “prioritized support.”

The social network’s partner, Au10tix, provides identity verification solutions and is based in Israel. The ID verification pop-up says Au10tix can store this data for 30 days.


X’s verification support page says ID verification is available in “numerous countries,” but not in the EU, EEA, or UK. The region’s strict data protection laws likely explain this.

ID-based verification seems unnecessary and rarely beneficial. The company may age-gate content based on ID age.

“X currently focuses on account authentication to prevent impersonation and may explore additional measures, such as ensuring users have access to age-appropriate content and protecting against spam and malicious accounts, to maintain platform integrity and healthy conversations,” it said.

Users who pass verification will receive a government ID verification note on their badge. It is shown only when clicking the blue checkmark on the profile page. The company said ID-verified users will get “prioritized support from X Services,” but what this means is unclear.

The company allowed paid users to hide checkmarks from their profiles last month.

X plans to speed up checkmark reviews if users verify their IDs. Plus, they can frequently change their names, usernames, and profile photos without losing the checkmark.

Only paid users can use ID-based verification. Ironically, X promotes impersonation and spam reduction but doesn’t offer verification tools to all users.

Twitter discontinued legacy verification and removed account checkmarks in April. However, the company reinstated the top account checkmark after much chaos.

The social network added biometric data, education, and job history to its privacy policy last month.

“This will additionally help us tie, for those that choose, an account to a real person by processing their government-issued ID,” X told Bloomberg. “This will also help X fight impersonation attempts and secure the platform.”


