Tag Archives: Microsoft

Friday News

Intel will NOT be patching all of its flawed chips

After saying for months that it would release firmware updates for all chipsets produced in the last five years, Intel is now backtracking, saying that it will not produce patches for the Bloomfield line, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, the Wolfdale line, and the Yorkfield line.  There were several reasons, number one being that it was too hard (read: impossible) given the architecture of those chips.  If you still run one of these, the only mitigations left are the operating system and browser-level ones; no microcode fix is coming.  (Source: The Verge).

Microsoft Patch Tuesday Patches at Least 65 Vulnerabilities

From one perspective, given the breadth of Microsoft's product line, releasing 65 SECURITY patches in a month is not unreasonable.  On the other hand, given that they have been doing this for years, that adds up to thousands of security flaws, which is a bit mind blowing.  This month's patches affect Internet Explorer and Edge, Office (yet again), the Microsoft Malware Protection Engine, Visual Studio and Microsoft Azure.

A patch for the Malware Protection Engine (MPE) bug was released out-of-band last week because the engine is shared by all of Microsoft's anti-malware products, including Windows Defender and Security Essentials.  This is at least the third emergency patch to the MPE in recent months.  Note that engine updates ship through the regular definition (signature) update channel rather than through Patch Tuesday, so a machine whose definitions are current already has the fix, and a machine where definition updates are blocked or stale does not, even if it is otherwise fully patched.

Corporate IT usually has patching handled, but for home users things are spottier, so make sure that you install these patches (Source: Krebs On Security).

Identity thieves going after CPAs

If the IRS is warning tax preparers to "step up" their cybersecurity game, it must be bad.  Brian Krebs details the story of a tax preparer who allowed his system to be compromised by a not very sophisticated keystroke logger.  The result was that his clients' data was stolen and false returns were filed in their names.  When the clients' real returns were rejected by the IRS, the CPA provided form letters for his clients to file with the IRS saying that they were the victims of identity theft, without mentioning that it was the accountant who was responsible.  No doubt the clients were left with the bill to clean up their CPA's mess on top of it all.

If you use a tax preparer, you should be asking questions about their cybersecurity practices, and if he or she says not to worry, you should start worrying.  Or looking for a more astute CPA (Source: Brian Krebs).

Atlanta and Colorado spending millions after ransomware attacks

Atlanta has spent over $2 million mitigating the ransomware attack that began on March 12.  The attackers asked for $50,000, which likely would have been covered by insurance.  The money went to Secureworks, Ernst & Young and others.  To the extent these costs are for upgrading infrastructure rather than incident response, insurance would not cover them.

The Colorado Department of Transportation (CDOT) has spent $1.5 million since its ransomware attack in February.  CDOT is still not fully operational.

Stories are that Atlanta's IT was on life support due to lack of funding prior to the attack.  Assuming some of those millions are being spent on upgrading the infrastructure, maybe the attack has a silver lining.  (Source: SC Magazine).


Microsoft Loses Terabytes of Windows 10 Source Code

Both the NSA and CIA have been in the news way too many times recently when organizations like WikiLeaks and others released stolen software that the organizations would rather remain private.  In the case of the spy agencies, that software is their internally developed hacking tools.

Now it is someone else’s turn.

Microsoft has acknowledged that some of its Windows 10 source code has been released into the wild.  Not all of it, but a lot.

32 terabytes of installation images, documentation and source code, including hardware driver code, USB and WiFi code and some kernel code, was leaked and is available for download to anyone with access to the appropriate hacker sites.

Microsoft calls it the Shared Source Kit.  It is distributed privately under contracts that restrict how it is handled.  Typically it is provided to hardware manufacturers, selected customers and some researchers.  Now hackers have it too.

Some of the images contain information that is never released publicly and would definitely help attackers.

It also allows attackers to look for bugs they can exploit, which is much easier with the source code in hand than with only the compiled binaries.

While this is not the end of the world and it does not involve a breach of Microsoft’s network, it is still embarrassing and a security problem for Microsoft.

On the other hand, given the number of businesses that likely have access to the Shared Source Kit, this leak is not completely surprising.

After all, it only takes one of these partners to be hacked for the code to be out in the wild.  No one is suggesting that a partner who legally has this code released it into the wild.

What is your level of confidence that your company’s family jewels are really still secret?

Information for this post came from The Register.


Why Hoarding Zero Days Is Bad Public Policy

This week Microsoft patched a zero day bug affecting Microsoft Word users.  Microsoft was alerted to the bug by the security firm FireEye several months ago.

What we did not know until today is that the bug had been exploited in the wild for at least several months.  WHO was exploiting it is less clear, because hackers don't sign their work, but it appears that both criminal hackers and governments may have been using it.

FireEye suggests that the hacker who discovered the flaw may have sold it to both other hackers and government actors.  Exclusivity agreements are rare in that market, so if that is what happened, it is not really surprising.

It is also possible that two different people independently discovered the bug at around the same time.  That doesn't seem as likely to me.

The attackers used several different Word documents to entice people to open the email attachment.  One was a military manual written in Russian, another was a document referencing the Russian Ministry of Defense, and the third was a document that promised to reveal the "top 7 hacker chicks".  Seriously.

Anyone who fell for it and opened the document was infected with FinSpy, spyware made by FinFisher.  It is certainly possible that FinFisher, which makes surveillance tools and sells them to governments (and likely to "others" for the right price), also bought the zero day.

As a testament to the international flavor of hacking, some of the servers hosting this delicious treat were in Italy while others were in Romania.

What is less clear is when our government became aware of this zero day.  If it learned of the bug, say, a year ago and decided to keep it secret, that is within the operating parameters of the government's rules for handling such vulnerabilities.

IF – and we don’t know if this is true – the government – our government – was keeping this zero day secret and hackers were, at the same time, using this hack against our businesses, that seems like a problem.

But that is a challenge the intelligence community and law enforcement face every day.

Do we tell?  Do we keep it secret?  Do we even know what is happening?  Do we want to watch the bad guys because we do know what is happening?  Do we not want to let the bad guys know we are watching them?  Life is not simple.  It would be nice if it were a little more simple, but it is not.

What does seem clear is that we can't COUNT on the government to spill the beans, even when American businesses are being compromised by hackers.  Just warning you.

Information for this post came from Motherboard.


Google To Appeal Court’s Order To Disclose Emails Stored Abroad

Google has been ordered by a magistrate judge in Philadelphia to turn over emails stored abroad.  While we don’t have all the details of the case, it appears to be related to a domestic fraud case.

The emails in question are stored in a foreign country.  The case is a domestic case.

Last summer, the Second Circuit Court of Appeals agreed that Microsoft did not have to turn over emails stored in Ireland.  The court's logic was that the warrant provisions of U.S. law do not reach outside the United States.

In this case, a magistrate judge (a much lower level of court than an appeals court) said that Google did have to turn over emails stored in a foreign country.  The magistrate's logic is, in my opinion, somewhat convoluted.  The judge said that since Google could copy the emails stored abroad to the United States electronically and then hand them to U.S. authorities in California, the search would occur in the United States and, somehow, would not violate foreign law.

By this logic, U.S. authorities could at any time order a U.S. based corporation to violate foreign law by directing it to bring data stored in a foreign country back to the U.S. and hand it over here.

Google has said that it will appeal this order.  If this order stands, U.S. based tech businesses run the risk of being charged with crimes in foreign countries and also run the risk of losing the business of international customers.  This is the rock and a hard place that Google (and Microsoft) are stuck between.

Absent an order from a court of competent jurisdiction in that foreign country to turn over the data, Google could be in violation of local law, such as (once it takes effect in 2018) the EU's General Data Protection Regulation.

From a user’s standpoint, in many cases the owner of the email would not even be informed of the court order, since the order is often sealed, sometimes forever,  sometimes for years.

The only way a user retains any control over the situation is if the data is encrypted end to end AND the provider does not hold the encryption keys.  Then the most the provider can produce under any order is ciphertext, and the order has to go to the user instead.  Absio Dispatch is an example of an email solution that allows for this; Threema is an example of a messaging application that works this way.

None of the big commercial email services such as GMail, Yahoo Mail, and Microsoft Office 365 meet these requirements.
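As an added illustration of that design (this is example code, not code from the original post or from any of the products named above), here is the shape of it in Go: each user holds a key pair that never leaves their device, the sender encrypts to the recipient's public key, and the provider stores only ciphertext, so what it can hand over under an order is exactly what it stores and nothing more. The Endpoint, Provider and StoredMessage names, the use of ECDH over P-256 with AES-GCM, the key derivation (a plain SHA-256 of the shared secret, an assumption made for brevity rather than a recommended KDF) and the sample message are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Endpoint is one user's device. Its private key is generated locally and never
// leaves it; the provider only ever sees public keys and ciphertext.
type Endpoint struct{ priv *ecdh.PrivateKey }

func NewEndpoint() (*Endpoint, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endpoint{priv: priv}, nil
}

func (e *Endpoint) Public() *ecdh.PublicKey { return e.priv.PublicKey() }

// sessionKey turns the ECDH shared secret with peer into an AES-256-GCM cipher.
// Hashing the raw secret stands in for a proper KDF (an assumption of this example).
func (e *Endpoint) sessionKey(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := e.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoredMessage is everything the provider holds for one message, and so the
// most it can hand over under an order. Nothing in it decrypts the body.
type StoredMessage struct{ SenderPub, Nonce, Ciphertext []byte }

// Seal encrypts plaintext for recipient, binding the sender's public key as
// associated data so the recipient can authenticate which key it came from.
func (e *Endpoint) Seal(recipient *ecdh.PublicKey, plaintext []byte) (StoredMessage, error) {
	gcm, err := e.sessionKey(recipient)
	if err != nil {
		return StoredMessage{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredMessage{}, err
	}
	senderPub := e.Public().Bytes()
	return StoredMessage{senderPub, nonce, gcm.Seal(nil, nonce, plaintext, senderPub)}, nil
}

// Open decrypts a stored message. It succeeds only with the recipient's private
// key; any other key (or any tampering) fails GCM's authentication check.
func (e *Endpoint) Open(m StoredMessage) ([]byte, error) {
	senderPub, err := ecdh.P256().NewPublicKey(m.SenderPub)
	if err != nil {
		return nil, err
	}
	gcm, err := e.sessionKey(senderPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, m.SenderPub)
}

// Provider models the email or messaging service: it stores and forwards
// messages but holds no private keys.
type Provider struct{ mailbox []StoredMessage }

func (p *Provider) Store(m StoredMessage)     { p.mailbox = append(p.mailbox, m) }
func (p *Provider) Disclose() []StoredMessage { return p.mailbox } // all an order can get

// TryDecrypt is the provider (or anyone holding the disclosed records) trying to
// read a message without the recipient's key: it has to use some other key, and fails.
func (p *Provider) TryDecrypt(m StoredMessage) ([]byte, error) {
	notTheRecipient, err := NewEndpoint()
	if err != nil {
		return nil, err
	}
	return notTheRecipient.Open(m)
}

func main() {
	alice, _ := NewEndpoint()
	bob, _ := NewEndpoint()
	msg, _ := alice.Seal(bob.Public(), []byte("constructed sample: Q3 numbers attached"))
	var svc Provider
	svc.Store(msg)
	_, err := svc.TryDecrypt(svc.Disclose()[0]) // what an order to the provider yields
	fmt.Println("provider decrypt:", err)
	pt, _ := bob.Open(svc.Disclose()[0])
	fmt.Println("recipient decrypt:", string(pt))
}
```

The point of the split is in Disclose versus Open: a subpoena to the provider can compel the former, and the former contains nothing that makes the latter possible. This is also why the change is disruptive for users, as the post goes on to say: the recipient's device must hold a key, and both correspondents must run software that does the sealing and opening.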

For most users, this is a matter of convenience,  and they don’t worry about the government reading their mail.

For other users, this is a matter privacy and they don’t want the government poking their nose in their private matters.

The good news is that there are options and if it matters to you you can choose whether you want to do something about it or not.  However, if you do want to do something, you need to understand that it will require change for you and your communication buddies.

Information for this post came from the Telegraph.


In Ongoing Battle over Email, Microsoft Wins This Round

Microsoft has been fighting with the U.S. Department of Justice since 2013, when the DoJ tried to get Microsoft to hand over data belonging to a user that was stored exclusively in Ireland.  This case has gone back and forth in the courts since then.

The bottom line issue is whether a U.S. Court can force a U.S. based company to break foreign law because the U.S. Court says so.

In this case, the emails in question are stored in Ireland and Irish privacy law is pretty strict.  Microsoft says that they are absolutely willing to hand over the emails if the DoJ convinces an Irish court to issue a subpoena to the Microsoft Ireland subsidiary.  The DoJ, for whatever reason, doesn’t want to do that.  I suspect that they would like to create a precedent that U.S. law trumps Irish law in U.S. Courts.

Microsoft, pretending to be a friend of privacy when it suits them, is saying that they want to protect their user.  They may be more concerned about breaking Irish law and the penalties that come from that.

The EU General Data Protection Regulation, which takes full effect in 2018, allows regulators to fine a business up to 4% of its global annual revenue for privacy violations.  That doesn't mean that they have to or will, but they can.  For Microsoft, based on 2015 revenue of $93 billion, that means a POTENTIAL MAXIMUM fine of almost $4 billion.

A short summary of the 180+ page GDPR is available on Deloitte's web site.  Note that it appears to be a Dutch version of the site, so the notices about privacy and cookies are in Dutch, but the summary text is all in English.

Since 2013, this case has bounced around the courts.  Most recently, this month, the DoJ told the Second Circuit Court of Appeals that the Justice Department has the right to demand the emails of anyone, anywhere in the world from an email provider headquartered in the United States.

By logical extension, that means that China could demand emails of U.S. citizens from Google because their court said so.  I don’t think that U.S. courts would be thrilled about that quid pro quo.

The DoJ says that YOUR email is a business record OWNED by Microsoft, not you, hence they should be able to demand that Microsoft give them copies of their business records.  That is a pretty scary concept.  Two lower courts have ruled in favor of the DoJ.

What if those emails were paper letters stored in an office in Ireland?  Would the U.S. DoJ be able to send a Marshal to Ireland, hand over the U.S. search warrant and expect to get those letters?

What if North Korea presented a search warrant to a U.S. company demanding information on one of its customers?

As you can see, this gets messy quickly.

Microsoft wanted to make a 'federal case' out of this, so it asked the lower court to hold it in contempt for failing to turn over the emails, which gave it an order it could appeal.

It is important to understand that this is different from, say, the WhatsApp case in Brazil, where a Brazilian court froze $6 million of Facebook's money because WhatsApp does not have the decryption keys and therefore cannot hand over the messages in readable form.  Since WhatsApp has no offices or presence in Brazil, the court went after Facebook instead (Facebook owns WhatsApp).  In the Microsoft case, Microsoft could, technically, turn over those emails in readable form.

But, if Microsoft chose to comply with this warrant, their business model would shrivel up and die.

What foreign company would do business with an American company if they knew that the U.S. government could demand that that U.S. business turn over the foreign company’s records, stored in that foreign country, totally bypassing the legal system in that country.

Currently, companies like Google and Microsoft deal with that by setting up subsidiaries in different countries and have users be customers of that local country subsidiary.

While I don’t even pretend to be a lawyer, even on the Internet, the concept here is called extraterritoriality, meaning that a government declares that their law applies in another country.  While a country can do that, absent the other country agreeing to that statement, the likelihood of the other country enforcing that law is very low.

Microsoft says that if the U.S. wants to go after data stored in foreign countries, that is fine.  What they need to do is pass a law that says that they claim that right and then negotiate treaties with each other country that they want to enforce it.  There are many examples of this today, but it is a complicated process.

For one thing, each other country will likely demand reciprocal rights and those countries will likely demand that those laws can only be enforced if they provide similar rights that the citizen in question has in their country.

In the Microsoft case, that means that, if there was a treaty in place, and if U.S. provided the same protections as Irish law, then Ireland would honor the U.S. law.

Great Britain is trying this same gig with the proposed Snooper’s Charter bill currently in their parliament and while Britain might pass such a law, the likelihood of it being enforced in at least some other countries is basically zero.

For those of you who read this tome hoping I would tell you how it turned out – the appeals court ruled in Microsoft’s favor.

Whether the DoJ chooses to appeal this to the Supreme Court or wait until after the November elections and hope that Trump gets elected and stacks the court the way they would like, is unclear.  If Clinton gets elected it is unlikely that the DoJ would get the judge that they want.  In fact, whoever gets elected will likely control the slant of the court for decades to come and that is probably the most important issue related to the U.S. Presidential elections, bar none.


Microsoft Sues The Department Of Justice

In the turnabout-is-fair-play department, Microsoft is now suing the Department of Justice.  It turns out that over the last 18 months, Microsoft has received about 5 orders a day for customer information that forbid Microsoft from telling the customer that the government took their data.  For the majority of them, that gag order is permanent.

Microsoft thinks that is highly overplayed; in many cases there is no reasonable need for long-term secrecy.

And, of course, it hurts Microsoft's business.  If people think that the government can grab data they store in Microsoft's cloud, in many cases without even needing a warrant, they may be reluctant to use Microsoft's services.

Some of you amateur cyber law geeks may remember ECPA, the Electronic Communications (non-)Privacy Act.  Back in the 1980s when it was written, no one left their mail on a server.  After all, that would have been really stupid.  So, by some logic that is only clear to Congress, ECPA treats an email stored with a provider for more than 180 days as unimportant or abandoned: if law enforcement wants to see it, a subpoena or court order is enough.  No search warrant, and therefore no judge being convinced of probable cause.

Congress has toyed with fixing this bit of stupidity, but has never actually gotten around to it.  They are talking about fixing it again this year.  One likely reason Congress has not changed the law is that the prosecutors like the status quo and have no interest in seeing the law changed.

If that same email is stored, instead, on your own server or on your PC, – same age, same content – then a prosecutor has to go before a judge and convince the judge to issue a warrant.  Then they have to present that warrant to you and you can choose to fight it.

If that email is stored in Google's cloud or Microsoft's cloud instead, then all that same prosecutor needs is a subpoena to Microsoft or Google for a copy of it.

Needless to say, Microsoft thinks that this could have a negative impact on selling its services, hence the lawsuit.

This is especially a problem for non-U.S. customers who might not be thrilled with American law enforcement rifling through their stuff.

The suit was just filed in the Western District of Washington.  Unless the government blinks, this could make it up to the Supreme Court, currently minus one justice.  Stay tuned for details.

Information for this post came from Microsoft’s Blog.
