Microsoft responded quietly after detecting secret database hack in 2013

cybersecurity woes  

42 members have voted

  1. Do you think we can call 2017 as the year of cybersecurity woes?

    • Yes: 31
    • No: 11


Source: Reuters

 

HOT OFF THE PRESS

Quote

(Reuters) - Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.

 

The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident.

 

The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins. The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks. (Emphasis is mine)

I therefore conclude that 2017 is the year of cybersecurity woes. Whether you're an owner of an SME or a big enterprise or just a home user, I get why many people got concerned, and why is this just being discussed now in 2017 when the sophisticated hacking happened in 2013?

Quote

In an email responding to questions from Reuters, Microsoft said: “Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected.”

 

Sometime after learning of the attack, Microsoft went back and looked at breaches of other organizations around then, the five ex-employees said. It found no evidence that the stolen information had been used in those breaches.

I doubt it. To execute a potential sponsored attack on Microsoft and not use it to breach other Windows PCs immediately? I call BS. Anyone remember the Eternal Blue and Eternal Romance exploits used by WannaCry and Petya ransomware, which were part of the NSA's playbook that was later dumped on GitHub?

 

After WannaCry, Microsoft President Brad Smith compared the NSA’s loss to “the U.S. military having some of its Tomahawk missiles stolen,” and cited “the damage to civilians that comes from hoarding these vulnerabilities.” (Reuters)

 

Now, Microsoft was not the only one hacked. Back in 2015, Mozilla Corporation was also hacked.

Quote

Only one breach of a big database from a software company has been disclosed. In 2015, the nonprofit Mozilla Foundation - which develops the Firefox web browser - said an attacker had gotten access to a database that included 10 severe and unpatched flaws. One of those flaws was then leveraged in an attack on Firefox users, Mozilla disclosed at the time.

 

In contrast to Microsoft’s approach, Mozilla provided extensive details of the breach and urged its customers to take action.

 

Mozilla Chief Business and Legal Officer Denelle Dixon said the foundation told the public about what it knew in 2015 “not only inform and help protect our users, but also to help ourselves and other companies learn, and finally because openness and transparency are core to our mission.”

I've got to commend Mozilla for informing the public that they got compromised and telling their users how to protect themselves. Microsoft, on the other hand, waited for years even though they patched their own system months after the 2013 hack. Also in the Reuters article, both Facebook and Apple got their systems compromised.

Quote

Microsoft discovered the database breach in early 2013 after a highly skilled hacking group broke into computers at a number of major tech companies, including Apple Inc, Facebook Inc and Twitter Inc.

 

The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then move to company networks.

 

The group remains active as one of the most proficient and mysterious hacking groups known to be in operation, according to security researchers. Experts can’t agree about whether it is backed by a national government, let alone which one.

I think this is potentially a state-sponsored, APT-based hack. But it definitely refutes the notion that Macs are immune to malware. I think there's more to the story than meets the eye and it will continue to unfold as the days go by. People interested are very much invited to read the Reuters exclusive report.

There is more that meets the eye
I see the soul that is inside

 

 


Quote

That’s partly because Microsoft relied on automated reports from software crashes to tell when attacks started showing up. The problem with this approach, some security experts say, is that most sophisticated attacks do not cause crashes, and the most targeted machines - such as those with sensitive government information - are the least likely to allow automated reporting.

If you want access for more than a couple seconds, you don't make it noticeable. It could very likely be a nation state actor due to the complex nature of such an attack; however, at the same time, yes Microsoft should have mentioned this after the patch. But on the other hand, not publicly announcing an attack does prevent PR for whatever group was responsible. In the internet age of 15 minutes of fame, that could be detrimental. Unless consumer information was released, I don't think they should have to announce anything.

As for the patch... That's why you take the updates. I'm sure Microsoft had to relay this information to its business clients, and I'm sure they wouldn't want to start a fire by necessarily freaking out either.

 

But considering the contents of the database, I also wouldn't be surprised if they were shushed by the government to prevent the details of this from leaking out. Which apparently worked (if that is the case) since this is only now coming out. I would guess Microsoft has an NDA with the US government concerning flaws in software security for obvious reasons.

 

I wouldn't call 2017 the year of cybersecurity woes. It's been going on for a long while. Consumers still don't get it. They still don't care. Yes, we care on this forum... But we are the 1%. The Sheeople will not notice.


15 minutes ago, Dan Castellaneta said:

Woes? I bet there's a big intentional reason for this shit.

Because in a capitalistic society, it's easier to make money without it? There are ZERO repercussions. No liability. No responsibility. Instead of the information holder being held accountable to make sure their stuff is legit, it becomes the end user's (us) responsibility to prevent our information from getting into their hands to begin with... Which is the opposite of how everything is set up. Don't create a FB page, Myspace profile, LinkedIn, Microsoft Account, iTunes account, Gmail, Yahoo, Hotmail, PSN, etc...


The internet economy thrives on the sale and exchange of personal information. It's always readily available, so there isn't much need to make things secure. And if a breach occurs, it is very quickly buried beneath the continuously growing pile of garbage news. There is no sense of requirement or urgency because everything is quickly forgotten...

 

Oh, also living by laws that were designed to rule a society before the existence of modern internet communication probably has something to do with not being able to hold accountability.


1 minute ago, Ryujin2003 said:

Because in a capitalistic society, it's easier to make money without it? There are ZERO repercussions. No liability. No responsibility. Instead of the information holder being held accountable to make sure their stuff is legit, it becomes the end user's (us) responsibility to prevent our information from getting into their hands to begin with... Which is the opposite of how everything is set up. Don't create a FB page, Myspace profile, LinkedIn, Microsoft Account, iTunes account, Gmail, Yahoo, Hotmail, PSN, etc...


The internet economy thrives on the sale and exchange of personal information. It's always readily available, so there isn't much need to make things secure. And if a breach occurs, it is very quickly buried beneath the continuously growing pile of garbage news. There is no sense of requirement or urgency because everything is quickly forgotten...

 

Oh, also living by laws that were designed to rule a society before the existence of modern internet communication probably has something to do with not being able to hold accountability.

Or, or, ORRRRRRRRRRRRR, the government probably has a reason for it.

The corruption hole goes really far.

Check out my guide on how to scan cover art here!

Local asshole and 6th generation console enthusiast.


9 hours ago, Ryujin2003 said:

If you want access for more than a couple seconds, you don't make it noticeable. It could very likely be a nation state actor due to the complex nature of such an attack; however, at the same time, yes Microsoft should have mentioned this after the patch. But on the other hand, not publicly announcing an attack does prevent PR for whatever group was responsible. In the internet age of 15 minutes of fame, that could be detrimental. Unless consumer information was released, I don't think they should have to announce anything.

Announcing to everyone that they've got their internal databases compromised is still the most responsible thing to do, and it's actually a form of cybercrime; they could've cooperated with authorities.

There is more that meets the eye
I see the soul that is inside

 

 

