US Government Says Recent Microsoft Breach Exposed Federal Agencies to Hacking (msn.com) 15
From the Washington Post:
The U.S. government said Thursday that Russian government hackers who recently stole Microsoft corporate emails had obtained passwords and other secret material that might allow them to breach multiple U.S. agencies.
The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, on Tuesday issued a rare binding directive to an undisclosed number of agencies requiring them to change any log-ins that were taken and investigate what else might be at risk. The directive was made public Thursday, after recipients had begun shoring up their defenses. The "successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies," CISA wrote. "This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure."
"CISA officials told reporters it is so far unclear whether the hackers, associated with Russian military intelligence agency SVR, had obtained anything from the exposed agencies," according to the article. And the article adds that CISA "did not spell out the extent of any risks to national interests."
But the agency's executive assistant director for cybersecurity did tell the newspaper that "the potential for exposure of federal authentication credentials...does pose an exigent risk to the federal enterprise, hence the need for this directive and the actions therein." Microsoft's Windows operating system, Outlook email and other software are used throughout the U.S. government, giving the Redmond, Washington-based company enormous responsibility for the cybersecurity of federal employees and their work. But the longtime relationship is showing increasing signs of strain.... [T]he breach is one of a few severe intrusions at the company that have exposed many others elsewhere to potential hacking. Another of those incidents — in which Chinese government hackers cracked security in Microsoft's cloud software offerings to steal email from State Department and Commerce Department officials — triggered a major federal review that last week called on the company to overhaul its culture, which the Cyber Safety Review Board cited as allowing a "cascade of avoidable errors."
The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, on Tuesday issued a rare binding directive to an undisclosed number of agencies requiring them to change any log-ins that were taken and investigate what else might be at risk. The directive was made public Thursday, after recipients had begun shoring up their defenses. The "successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies," CISA wrote. "This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure."
"CISA officials told reporters it is so far unclear whether the hackers, associated with Russian military intelligence agency SVR, had obtained anything from the exposed agencies," according to the article. And the article adds that CISA "did not spell out the extent of any risks to national interests."
But the agency's executive assistant director for cybersecurity did tell the newspaper that "the potential for exposure of federal authentication credentials...does pose an exigent risk to the federal enterprise, hence the need for this directive and the actions therein." Microsoft's Windows operating system, Outlook email and other software are used throughout the U.S. government, giving the Redmond, Washington-based company enormous responsibility for the cybersecurity of federal employees and their work. But the longtime relationship is showing increasing signs of strain.... [T]he breach is one of a few severe intrusions at the company that have exposed many others elsewhere to potential hacking. Another of those incidents — in which Chinese government hackers cracked security in Microsoft's cloud software offerings to steal email from State Department and Commerce Department officials — triggered a major federal review that last week called on the company to overhaul its culture, which the Cyber Safety Review Board cited as allowing a "cascade of avoidable errors."
How many times do we have to tell you? (Score:2)
Re: (Score:2)
Re: (Score:2)
military certified versions of Windows.
Hopefully not the same version they used on the USS Yorktown [wired.com]. Prior to that, we hadn't lost any military assets to a zero [suwalls.com] for decades.
How many times do they have to prove it? (Score:2)
The gov really should only use the military certified versions of Windows.
The government is reliant on Microsoft solutions that are locked down, which is more certifying a specialists ability to do that properly and monitor it extensively.
"Military certified" reminds me of that time three-letter agency specialists came walked into the classroom to show us how to properly lock down a server. Two hours of regedits on an otherwise-generic NT 4.0 Server OS resulted in a perpetual BSOD. "Certified" would imply those in government know what the fuck they're doing.
Re: (Score:2)
What makes you think "military certified" means anything? This is Microsoft, the best the U.S. Gov. could do is use SE Linux, but then how would those brain-destroying Pooperpoints get made?
Re: How many times do we have to tell you? (Score:2)
Those are oxy-morons.
Perhaps ... (Score:2)
WTF? (Score:3)
I have the feeling I must be missing something obvious here, but I can't figure out what it is:
How and why would Microsoft emails contain passwords that give access to US agencies' computer systems?
Re: (Score:2)
How and why would Microsoft emails contain passwords that give access to US agencies' computer systems?
I had read it as, "...had obtained passwords and other secret material [through other insecure/Microsoft software] that might allow them to breach multiple U.S. agencies."
Re:WTF? (Score:4, Interesting)
Thanks - that makes sense. I had a closer look at TFA and found this:
"Another of those incidents — in which Chinese government hackers cracked security in Microsoft’s cloud software offerings to steal email from State Department and Commerce Department officials".
So both State and Commerce use cloud infrastructure rather than having their own servers. That, right there, explains the problem.
It also prompts me to ask - again - "WTF?".
Re: (Score:3)
The cost of per-file encryption is too high but we use expensive AI to give us dessert recipes. Also, the police and US NSA/CIA/FBI/ATFE want email data to remain plain-text.
Sending digital security such as passwords requires building meat-space security first: eg. snail mail or Numbers Stations or code-word voice/text messages. The government, once-again, didn't ask for the fundamentals, such as meat-space security, and a business selling digital security, didn't want the expense and honesty that digi
Re: (Score:2)
Thanks - that's an informative and insightful response.
Wot? (Score:2)
Are Federal agencies still using Microsoft stuff?
Re: (Score:2)
Microsoft is tired of all that winning (Score:2)
The problem with Microsoft is they have absolutely no taste. And what that means is... I don't mean that in a small way I mean that in a big way... in a sense that they don't think of original ideas and they don't bring much culture into their product. ... I have a problem with the fact they really just make third-rate products. - Steve Jobs
But Steve, you forgot that they also make really insecure, shitty products that create national security incidents by being so reckless and sloppy.