Conversation

Notices

Viss (viss@mastodon.social), Sunday, 28-Jan-2024 00:40:14 JST, in reply to Dan Goodin and Harold Godwinson:

    @haroldgodwinson @dangoodin a system is only as good as its sysadmin.

    you can harden windows boxes, even unpatchable ones.

    you can make macs and linux woefully insecure. I have seen it all.

    being a sysadmin is a lot of fun and it's really rewarding to build cool shit and watch it hum along under pressure.

    but it's when they get lazy and assume 'the cloud will do stuff for me' - that's where demons and plagues and evil lives.

Jake Hildreth (acorn) (horse@infosec.exchange), Sunday, 28-Jan-2024 00:40:14 JST, in reply to Dan Goodin and Harold Godwinson:

      @Viss @haroldgodwinson @dangoodin “Any sufficiently advanced security operation is indistinguishable from operational excellence.”

Harold Godwinson (haroldgodwinson@infosec.exchange), Sunday, 28-Jan-2024 00:40:16 JST, in reply to Dan Goodin:

      @Viss @dangoodin Or there was some kind of cursed setup where this dev test tenant shared logins with the corp AAD

Viss (viss@mastodon.social), Sunday, 28-Jan-2024 00:40:16 JST, in reply to Dan Goodin and Harold Godwinson:

      @haroldgodwinson @dangoodin that's the second scenario, where it was indeed some kind of corp vm or something they set up and used legit corp creds on it, then .. just fucked off? and left it to fester?

Harold Godwinson (haroldgodwinson@infosec.exchange), Sunday, 28-Jan-2024 00:40:16 JST, in reply to Dan Goodin:

      @Viss @dangoodin all of a sudden feeling glad I ran the other way when I could have gone the sysadmin path

Viss (viss@mastodon.social), Sunday, 28-Jan-2024 00:40:18 JST, in reply to Dan Goodin:

      @dangoodin the first possibility is a massive can of worms with regards to implications.

      if it is indeed 'customer equipment', then why did someone with corporate creds log into it? does ms routinely log into customer stuff with corp creds and not consider cached creds or logs or anything like that?

      or is it the other - where they leave corp creds stashed on some vm they abandoned months or years ago and left to rot?

      neither are great. but one is definitely worse.

Viss (viss@mastodon.social), Sunday, 28-Jan-2024 00:40:19 JST, in reply to Dan Goodin:

      @dangoodin one thing their writeup doesn't make clear, is that they were corporate credentials.

      that's the only way that you can draw a dotted line from "some test vm somewhere with some kind of creds" to "execs and security team emails".

      they refer to it as 'tenant', but there are only two possible explanations for what happened:

      1) it was indeed 'customer gear', but staff logged into it for some reason

      2) it was corp gear, and they're just calling it 'tenant'.

Dan Goodin (dangoodin@infosec.exchange), Sunday, 28-Jan-2024 00:40:20 JST:

      The hackers who recently broke into Microsoft’s network and monitored top executives’ email for two months did so by gaining access to an aging test account with administrative privileges, a major gaffe on the company's part, a researcher said.

      The new detail was provided in vaguely worded language included in a post Microsoft published on Thursday. It expanded on a disclosure Microsoft published late last Friday. Russia-state hackers, Microsoft said, used a technique known as password spraying to exploit a weak credential for logging into a “legacy non-production test tenant account” that wasn’t protected by multifactor authentication. From there, they somehow acquired the ability to access email accounts that belonged to senior executives and employees working in security and legal teams.

      In Thursday’s post updating customers on findings from its ongoing investigation, Microsoft provided more details on how the hackers achieved this monumental escalation of access. The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protocol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft’s Office 365 email service.

      In Thursday’s update, Microsoft officials said as much, although in language that largely obscured the extent of the major blunder.

      https://arstechnica.com/security/2024/01/in-major-gaffe-hacked-microsoft-test-account-was-assigned-admin-privileges/

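The post above describes two steps a defender can look for in logs: a password spray that lands on an account without MFA, and an OAuth app that is then granted permission over every mailbox. The following is an added example, not code from the thread or from the Ars Technica article, showing both checks run over constructed log records. The record layout (JSON lines, the `ts`/`ip`/`user`/`ok`/`mfa` and `operation`/`actor`/`app`/`roles` field names) and the thresholds are assumptions modelled loosely on Entra ID sign-in and audit exports, not an exact schema; the permission names in `MAILBOX_WIDE_PERMISSIONS` are real Graph / Exchange Online names but the set is only a starting point.

```python
"""Added example, not code from the thread or the Ars Technica article.
Two defender-side checks over constructed log records: a password spray
against an MFA-less account, then an OAuth app granted mailbox-wide access.
The log layout and thresholds are assumptions, not an exact Entra schema."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

SPRAY_WINDOW = timedelta(minutes=30)   # assumed analysis window
MIN_DISTINCT_USERS = 5                 # assumed: a spray touches many accounts
MAX_FAILS_PER_USER = 2.0               # assumed: sprays try few passwords per account

# Application permissions that let an app read mail in every mailbox of the
# tenant. Real Graph / Exchange Online permission names; the set is a starting
# point for a detection rule, not an exhaustive list.
MAILBOX_WIDE_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Constructed sign-in records. 203.0.113.7 tries six accounts once each and
# finally logs into an MFA-less test account; 198.51.100.9 is one user who
# mistypes a password a couple of times and then succeeds with MFA.
SIGNIN_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2024-01-10T02:00:00Z", "ip": "203.0.113.7", "user": "test01@example.test", "ok": False, "mfa": False},
    {"ts": "2024-01-10T02:00:05Z", "ip": "203.0.113.7", "user": "test02@example.test", "ok": False, "mfa": False},
    {"ts": "2024-01-10T02:00:10Z", "ip": "203.0.113.7", "user": "test03@example.test", "ok": False, "mfa": False},
    {"ts": "2024-01-10T02:00:15Z", "ip": "203.0.113.7", "user": "test04@example.test", "ok": False, "mfa": False},
    {"ts": "2024-01-10T02:00:20Z", "ip": "203.0.113.7", "user": "test05@example.test", "ok": False, "mfa": False},
    {"ts": "2024-01-10T02:00:25Z", "ip": "203.0.113.7", "user": "legacy-test@example.test", "ok": False, "mfa": False},
    {"ts": "2024-01-10T02:05:00Z", "ip": "203.0.113.7", "user": "legacy-test@example.test", "ok": True, "mfa": False},
    {"ts": "2024-01-10T09:00:00Z", "ip": "198.51.100.9", "user": "alice@example.test", "ok": False, "mfa": False},
    {"ts": "2024-01-10T09:00:30Z", "ip": "198.51.100.9", "user": "alice@example.test", "ok": False, "mfa": False},
    {"ts": "2024-01-10T09:01:00Z", "ip": "198.51.100.9", "user": "alice@example.test", "ok": True, "mfa": True},
])

# Constructed audit records: a routine consent, and one that hands an app
# mailbox-wide read access from the freshly compromised test account.
AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"operation": "Add app role assignment to service principal", "actor": "bob@example.test",
     "app": "hr-portal", "roles": ["User.Read"]},
    {"operation": "Add app role assignment to service principal", "actor": "legacy-test@example.test",
     "app": "mailsync-helper", "roles": ["Mail.Read", "full_access_as_app"]},
])


def parse_jsonl(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))


def detect_password_spray(signins):
    """Map each suspicious source IP to a summary dict. An IP is suspicious when,
    inside one window, its failures cover many distinct accounts with only a
    couple of tries each (the opposite of one user mistyping a password).
    Any MFA-less success from that IP in the same window is listed too."""
    by_ip = defaultdict(list)
    for rec in signins:
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=_ts)
        start = _ts(recs[0])
        window = [r for r in recs if _ts(r) - start <= SPRAY_WINDOW]
        failed = [r for r in window if not r["ok"]]
        users = {r["user"] for r in failed}
        if len(users) < MIN_DISTINCT_USERS or len(failed) / len(users) > MAX_FAILS_PER_USER:
            continue
        findings[ip] = {
            "users": len(users),
            "attempts": len(failed),
            "mfa_less_success": sorted({r["user"] for r in window if r["ok"] and not r["mfa"]}),
        }
    return findings


def flag_mailbox_wide_grants(audits):
    """Return (app, actor, [risky permissions]) for every app role assignment
    that grants a permission covering all mailboxes in the tenant."""
    flagged = []
    for rec in audits:
        if rec.get("operation") != "Add app role assignment to service principal":
            continue
        risky = sorted(set(rec.get("roles", [])) & MAILBOX_WIDE_PERMISSIONS)
        if risky:
            flagged.append((rec["app"], rec["actor"], risky))
    return flagged


if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_jsonl(SIGNIN_LOG)).items():
        print(f"spray from {ip}: {info}")
    for app, actor, perms in flag_mailbox_wide_grants(parse_jsonl(AUDIT_LOG)):
        print(f"mailbox-wide grant to {app} by {actor}: {perms}")
```

The spray check keys on the shape of the failures (many accounts, few tries each) rather than on volume alone, which is what separates a spray from a single user's typos; joining the flagged IP's MFA-less success to a later mailbox-wide app grant by the same account is the correlation that turns the two findings into the chain the post describes.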

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.