Microsoft Responded Quietly After Detecting Secret Database Hack in 2013 (reuters.com) 48
Citing five former employees, Reuters reported on Tuesday that Microsoft's secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago. From the report: The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident. The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins. The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks. "Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.
Still lots of old computers out there (Score:1, Interesting)
Re: (Score:1)
Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.
Nope, just a version Struts not considered ready for "production" use had the issue... Linux and Apache are just fine, not to mention the current stable version of struts.
This was some idiot deciding to go bleeding edge in a production environment when it wasn't recommended or fully vetted.
Re: Equifax ran Linux (Score:2)
methinks you dont really understand any of them, which, afaics, amount to bugs of local users of the system. none of them are critical vulnerabilities. let alone anywhere close to a database chock full of unfixed severe vulnerabilities because not enough developers have access to the windows source code to fix them in a reasonable time.
Re: (Score:2)
Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.
Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"
Re: (Score:2)
Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.
Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"
Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.
Re: (Score:2)
Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.
Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"
Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.
SSA could care less about the SSN in that respect. It'd more likely be the FBI, CIA, NSA, DIA, and a number of other agencies that have more of an interest with collecting all that information...
Re: (Score:2)
Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.
Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"
Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.
You are going to have to expand on that hypothesis for me. I'm not seeing a link to SSA's desire to not use SSN for financial credentials and a hack of an internal Microsoft bug database.
Re: (Score:2)
Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.
Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"
Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.
You are going to have to expand on that hypothesis for me. I'm not seeing a link to SSA's desire to not use SSN for financial credentials and a hack of an internal Microsoft bug database.
That's why it's a hypothesis - so I don't have to prove it. The feds did ask NIST (I think NIST) to start working on a crypto based replacement for SSNs a couple of weeks ago. The SSA thing came from the post that is one level up in the hierarchy up, which brought up the topic.
Re: (Score:2)
Re: (Score:2)
> It's nonsensical.
That's because it was a joke. Although with the current government I wouldn't be surprised if it was true.
Re: (Score:2)
Re: (Score:2)
I don't think you understand how jokes work....
Slashdot is the place where jokes go to whoosh.
Closed OS FTW. (Score:2)
Closed OS FTW. On second thought, TFA says "including Windows", so was Microsoft hanging onto zero-days for other companies?
Re: (Score:2)
>so was Microsoft hanging onto zero-days for other companies?
Microsoft sells more than just an OS.
Re: Closed OS FTW. (Score:1)
You'd be surprised how ignorant some people, including IT professionals, can be. I was recently talking to one Linux sysadmin who absolutely hated Windows. Yet the last time he'd used Windows was NT 4! He couldn't even name any Windows Server releases past 2000! He also had no idea what SQL Server is, and although he had heard of C# he knew pretty much nothing about .NET. He was a pretty stereotypical neckbeard, so I can understand him not using Windows often, but it was absurd to see him hate Windows so mu
Re: (Score:2)
You'd be surprised how ignorant some people, including IT professionals, can be. I was recently talking to one Linux sysadmin who absolutely hated Windows. Yet the last time he'd used Windows was NT 4! He couldn't even name any Windows Server releases past 2000! He also had no idea what SQL Server is, and although he had heard of C# he knew pretty much nothing about .NET. He was a pretty stereotypical neckbeard, so I can understand him not using Windows often, but it was absurd to see him hate Windows so much despite not having used it in over 15 years! I think this blind, ignorant hatred is far more prevalent within the Linux community than we might expect. I find it kind of ironic, as Linux has been becoming far more Windows-like with things like systemd and binary logging. These Linux supporters are advocating for what they claim to hate, without even realizing it!
1. systemd is an abomination that should be removed entirely. Glad there's distros like Devuan focused on keeping options open; and Gentoo driving OpenRC development (which started at Gentoo!).
2. I stopped using Windows regularly in 2009 once I was able to switch my work devices over to Linux, save a VM to do deliverable compilations on occasion for a couple years. However, I still get introduced to the changes going on - via co-workers, friends, and family. That said, the basics of Windows haven't chang
Re: (Score:2)
Apparently this was part of their to-do list. The moment the # of vulnerabilities exceeded 1,000,000 the list lost meaning and got abandoned.
Re: (Score:2)
WTF?? (Score:2)
They really kept this database on an internet-facing PC?
Re: (Score:2)
I doubt it. From TFA: "exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then move to company networks"
So...they probably established a CnC beachhead inside the network, let that dial out to their proxied CnC server, and then went into the company's internal network over that connection. In other words, they could have pulled this off without any Internet-facing resources. In fact, they only needed o
Re: (Score:2)
They really kept this database on an internet-facing PC?
Not necessary to be internet facing.. Just internet connected... However, still, why on earth allow that? Air gapped security would be recommended in cases like this I think.
Re: WTF?? (Score:1)
with the âoeeverything is a fileâ philosophy of the *nixs, all your security problems simplify down to file permission problems.
With windows, all security problems simplify down to active directory, which you need a specialised, long winded education to even install.
Re: (Score:2)
What were they supposed to do? (Score:5, Insightful)
What exactly were they supposed to do? Disclosing this publicly wouldn't have gotten the 0-days closed any faster but would have started malicious actors scrambling to get their hands on that database. Some already had it -- publicly admit it exists and has been exfiltrated, and anyone with even a passing interest is going to want it.
Now if it had been a database of someone else's 0-days, then they could be expected to at least tell the vendors of the products in question. But when they are the vendor? It's an internal problem.
So they left the database vunlerable to the hacker (Score:2)
Pedant alert (Score:2)
Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world.
They literally would not.