Microsoft Azure Cloud Computing Grows 50 Percent, Xbox Sales Sees Boost During Pandemic

Microsoft Failed to Fix Problems That Could Limit SolarWinds Hack: US Senator


Microsoft’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden.

A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.

Wyden, who has faulted tech companies on security and privacy issues as a member of the Senate Intelligence Committee, blasted Microsoft for not doing more to prevent forged identities or warn customers about it.

“The federal government spends billions on Microsoft software,” Wyden told Reuters ahead of a SolarWinds hearing on Friday in the House of Representatives.

“It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017,” he said.

Microsoft President Brad Smith will testify on Friday before the House committee investigating the SolarWinds hacks.

US officials have blamed Russia for the massive intelligence operation that penetrated SolarWinds, which makes software to manage networks, as well as Microsoft and others, to steal data from multiple governments and about 100 companies. Russia denies responsibility.

Microsoft disputed Wyden’s conclusions, telling Reuters that the design of its identity services was not at fault.

In a response to Wyden’s written questions on February 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritised by the intelligence community as a risk, nor was it flagged by civilian agencies.”

But in a public advisory after the SolarWinds hack, on December 17, the National Security Agency called for closer monitoring of identity services, noting, “This SAML forgery technique has been known and used by cyber actors since at least 2017.”

In response to additional questions from Wyden this week, Microsoft acknowledged its programmes were not set up to detect the theft of identity tools for granting cloud access.

Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the failure showed cloud security risks should be a higher priority.

The hackers’ sophisticated abuse of identities “exposes a concerning weakness in how cloud computing giants invest in security, perhaps failing to adequately mitigate the risk of high impact, low probability failures in systems at the root of their security model,” Herr said.

In congressional testimony on Tuesday, Microsoft’s Smith said that only about 15 percent of the victims in the SolarWinds campaign were hurt via Golden SAML. Even in those cases the hackers had to have already gained access to systems before deploying the method.

But Wyden’s staff said one of those victims was the US Treasury, which lost emails from dozens of officials.

© Thomson Reuters 2021


Is Samsung Galaxy S21+ the perfect flagship for most Indians? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

Releated

ISRO Gears Up for Maiden 2021 Launch With Brazil’s Amazonia-1 Satellite

Countdown for the launch of PSLV-C51/Amazonia-1 mission commenced on Saturday from Satish Dhawan Space Centre at Sriharikota in Andhra Pradesh. “Countdown for the launch of #PSLVC51/Amazonia-1 mission commenced today at 08:54 am from Satish Dhawan Space Centre (SDSC) SHAR, Sriharikota. The launch is scheduled tomorrow at 10:24 am,” Indian Space Research Organisation (ISRO) said. Primary […]

iQoo Neo 5 Set to Launch on March 16

iQoo Neo 5 is set to launch on March 16, Vivo sub-brand iQoo has revealed through a teaser posted on Weibo. The new smartphone will be the successor to the iQoo Neo 3 5G that was unveiled in China in April last year. The iQoo Neo 5 is speculated to come with the Qualcomm Snapdragon […]

%d bloggers like this: