Tag Archive for: Listen

Feds say Microsoft security ‘requires an overhaul’ — but will it listen? – Computerworld


What Microsoft did wrong

The DHS Cyber Safety Review Board’s report lays out the Chinese hack and Microsoft’s response in exquisite detail, revealing what the Washington Post calls Microsoft’s “shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency.”

The attack was engineered by the Storm-0558 hacking group — doing the bidding of China’s most powerful spy service, the Ministry of State Security. Storm-0558 has a history of carrying out espionage-related hacks of government agencies and private companies dating back to 2000. Until now, the best-known one was Operation Aurora, brought to light by Google in 2010. The Council on Foreign Relations called that attack “a milestone in the recent history of cyber operations because it raised the profile of cyber operations as a tool for industrial espionage.”

According to the DHS report, the most recent hack took place after Storm-0558 got its hands on a “Microsoft Services Account (MSA) cryptographic key that Microsoft had issued in 2016.” Using the key, Storm-0558 forged user credentials and used them to log into government accounts and steal emails of Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, Rep. Don Bacon, and others.

There are other unsolved mysteries. The 2016 key was a consumer key: it should only have been able to sign credentials for the consumer version of Outlook Web Access (OWA), yet Storm-0558 used it to mint credentials that Enterprise Exchange Online, which the government uses, accepted. Microsoft has attributed that to a validation error in its token-checking code, which failed to reject a consumer-key signature on an enterprise token; what Microsoft still cannot explain is how the key left its control in the first place.

There’s worse. That 2016 key should have been retired in 2021, but Microsoft never did so, because its effort to replace manual rotation of its consumer signing keys with a more secure, automated process had stalled. So the key, and presumably many others like it, remained as powerful as ever, and Storm-0558 did its dirty work with it.

This series of events — a key that should have been retired was allowed to stay active, Storm-0558 stole that key, and Storm-0558 was then able to use it to forge credentials for the enterprise email accounts of top government officials, even though the key should never have been accepted there — represents the “cascade of errors” the DHS said…
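The two missing controls described above (a signing key trusted outside the account realm it was issued for, and a key trusted past its planned retirement date) can be seen side by side in a toy token verifier. This is an added example, not Microsoft's code and not taken from the CSRB report: the keyring, secrets, dates, realm names and claims are all constructed, it uses HMAC where a real identity service would use asymmetric keys, and the token layout is a simplified JWT-style header.payload.signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed keyring for the example (secrets and dates are made up). Each
# signing key records the account realm it is allowed to sign tokens for and
# the time after which it must no longer be trusted, whatever the signature says.
KEYRING = {
    "msa-2016": {
        "secret": b"consumer-signing-secret-2016",
        "realm": "consumer",
        "retire_at": 1609459200,  # 2021-01-01T00:00:00Z: the planned retirement
    },
    "ent-2023": {
        "secret": b"enterprise-signing-secret-2023",
        "realm": "enterprise",
        "retire_at": 1924992000,  # 2031-01-01T00:00:00Z
    },
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint header.payload.signature with the named key (issuer or attacker alike)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYRING[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(p)), _unb64url(s), f"{h}.{p}"


def _signature_ok(key: dict, sig: bytes, signing_input: str) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_naive(token: str):
    """Signature-only check: any key in the ring is trusted for any realm, at any time."""
    header, claims, sig, signing_input = _parse(token)
    key = KEYRING.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not _signature_ok(key, sig, signing_input):
        return False, "bad signature"
    return True, "ok"


def verify_strict(token: str, service_realm: str, now: int):
    """Signature check plus the two controls the article says were missing."""
    header, claims, sig, signing_input = _parse(token)
    key = KEYRING.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not _signature_ok(key, sig, signing_input):
        return False, "bad signature"
    # Control 1: the key must be scoped to the realm this service serves, and the
    # token must claim that same realm. A consumer key never signs enterprise tokens.
    if key["realm"] != service_realm or claims.get("realm") != service_realm:
        return False, f"key '{header['kid']}' is scoped to realm '{key['realm']}', not '{service_realm}'"
    # Control 2: a key past its retirement date is not trusted, however valid the signature.
    if now >= key["retire_at"]:
        return False, f"key '{header['kid']}' retired at {key['retire_at']}"
    return True, "ok"


def demo():
    """Forge an enterprise-mailbox token with the stale consumer key, as in the article."""
    now = 1689000000  # mid-2023 (constructed)
    forged = sign_token("msa-2016", {"sub": "official@agency.example", "realm": "enterprise", "iat": now})
    return verify_naive(forged)[0], verify_strict(forged, "enterprise", now)


if __name__ == "__main__":
    naive_accepts, (strict_accepts, reason) = demo()
    print("naive verifier accepts forged enterprise token:", naive_accepts)
    print("strict verifier accepts it:", strict_accepts, "-", reason)
```

verify_naive reproduces the failure mode: any key in the ring that yields a valid signature is accepted, so a token for an enterprise mailbox signed with the consumer key passes. verify_strict refuses the same token because the key is scoped to the consumer realm, and it would also refuse a legitimately scoped consumer token once the key's retirement date has passed, which is the check that would have stopped a 2016 key from being useful in 2023.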


How to Talk About Ransomware So Leadership Will Listen


Chief information security officers are working to better engage the rest of government in cybersecurity resiliency and response planning, and several shared their tips during an RSA Conference panel last week.

CISOs need to talk with elected officials and different agencies to help them understand how a ransomware incident could affect them and their priorities, and to prepare them to talk with the public should an incident happen.


“You don’t want it to be that the only time you engage with elected officials — or the only time they think about their role in the cybersecurity program — is during an incident,” said San Francisco CISO and Coalition of City CISOs co-chair Mike Makstman.

GETTING ELECTEDS ON BOARD

Boston CISO and Coalition of City CISOs co-chair Greg McCarthy said he watches budget hearings and elected officials’ speeches to see which parts of city operations have these officials’ attention. If he then explains how cybersecurity impacts those areas, the message is more likely to hit home.

“If we’re talking all technical, most of your elected officials’ … eyes are going to glaze over,” McCarthy said. “But if you say, for example, ‘All of our school systems went online over the pandemic, and they’re doing teaching on Zoom or Teams or Hangouts … if this is disrupted, we can’t teach our students anymore, and that’s a huge impact to our constituents that we serve, it’s a huge impact to their political views or political stances …,’ that was one thing that I found really, really effective,” McCarthy said.

There’s another reason for non-IT officials to listen up: a city’s cybersecurity posture can have a significant impact on government finances.

Municipalities’ cyber defenses can determine whether cyber insurers will offer them affordable plans and even impact their bond ratings. In Boston, for example, rating agencies have asked the city to explain its cybersecurity plan, incident history and security controls, McCarthy said.

“Cyber has been…


Warning for Android users over flaw which can let hackers listen in on calls


ANDROID users are being warned of a flaw in their devices that could let hackers listen in on calls, and it is present from the first time the phone is turned on.

Threat actors could target Android devices running on Qualcomm and MediaTek chipsets, two of the largest chip providers in the world.

[Image: Hackers could listen in on your phone calls due to a flaw in Android devices. Credit: Getty]

Security experts at Check Point Research said two thirds of all smartphones sold in 2021 were vulnerable to the flaw.

This is because the audio decoders in both chipsets include an outdated, vulnerable version of Apple Lossless Audio Codec (ALAC) code.

ALAC is an audio coding format for audio compression that was originally open-sourced by Apple in 2011.

Apple has continued to release updates and security fixes for its own proprietary ALAC decoder, but the open-sourced version had reportedly not been updated since 2011, so vendors that embedded it carried its bugs forward.

A vulnerability of this sort allows remote code execution (RCE): an attacker can run code on the device without ever having physical access to it.

RCE attacks are considered very serious because their impact can range from malware execution to a hacker gaining total control over a device.

This means that threat actors can access personal files, messages, photos, and even a phone camera’s streaming functionality.

Speaking about the threat, Check Point said: “The ALAC issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file. RCE attacks allow an attacker to remotely execute malicious code on a computer.

“The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.

“In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.”

Bleeping Computer reports that threat actors can exploit the vulnerability by sending a maliciously crafted audio file that the victim is tricked into opening.

For this reason, experts are recommending users update their Android devices immediately.

To update your Android device,…
