Tag Archives: Microsoft

News Bites for the Week Ending November 30, 2018

Microsoft Azure and Office 365 Multi-Factor Authentication Outage

Microsoft's cloud environment had a worldwide outage this week that lasted the better part of a day.  The failure stopped users who had turned on multi-factor authentication from logging in to Azure and Office 365 at all; for them, the MFA service was a single point of failure sitting in front of everything else.

This is not a "gee, Microsoft is bad" or "gee, multi-factor authentication is bad" problem.  All systems have failures, especially the ones that businesses run internally.  Unfortunately, cloud systems fail occasionally too.

The bigger question is whether you are prepared for that failure, which is guaranteed to come at some point in the future.

It is a really bad idea to assume cloud systems will not fail, whether they are an industry-specific application or a generic platform like Microsoft's or Google's.

What is your acceptable length for an outage (your recovery time objective)?  How much data are you willing to lose (your recovery point objective)?

More importantly, do you have a plan for what to do when you pass those points of no return, and have you recently tested that plan?  For an authentication outage in particular, that means knowing in advance which accounts can still get in (for example, emergency-access accounts that are excluded from the MFA requirement and watched separately) and who is allowed to use them.

Failures usually happen when it is inconvenient, and planning is critical to dealing with them.  Dealing with an outage absent a well-thought-out and tested plan is likely to be a disaster. Source: ZDNet.


Moody’s is Going to Start Including Cyber Risk in Credit Ratings

We have said for a long time that cyber risk is a business problem.  Business credit ratings represent the overall risk a business represents.

What has been missing is connecting the two.

Now Moody’s is going to do that.

While details are scarce, Moody's says that it will soon evaluate organizations' risk from a cyber attack.

Moody’s has even created a new cyber risk group.

While they haven’t said so yet, likely candidates for initial scrutiny of cyber risk are defense contractors, financial, health care and critical infrastructure.

For companies that care about their risk ratings, make sure that your cybersecurity is in order along with your finances.  Source: CNBC.


British Lawmakers Seize Facebook Files

In what has got to be an interesting game, full of innuendo and intrigue, British lawmakers seized documents sealed by a U.S. court when the CEO of a company that had access to them visited England.

The short version of the back story is that the Brits are not real happy with Facebook and were looking for copies of documents that had been part of discovery in a lawsuit between app maker Six4Three and Facebook that has been going on for years.

So, when Ted Kramer, the founder of Six4Three, visited England on business, Parliament's Serjeant at Arms hauled him into Parliament and threatened to jail him if he did not produce the documents sealed by the U.S. court.

That put Kramer between a rock and a hard place: the Brits had physical custody of him, while the U.S. courts could hold him in contempt (I suspect they will huff and puff a lot but not actually do anything).  So he turned over the documents.

Facebook has been trying to keep these documents out of public view for years, and I suspect Six4Three would be happy if they became public.  Facebook said, after the fact, that the Brits should return the documents.  The Brits said go stick it.  You get the idea.

Did Six4Three play a part in this drama in hopes of getting these emails released?  Don’t know but I would not rule that out.  Source: CNBC.


Two More Hospitals Hit By Ransomware

East Ohio Regional Hospital (EORH) and Ohio Valley Medical Center (OVMC) were both hit by a ransomware attack.  The hospitals reverted to paper patient charts and are diverting ambulances to other hospitals.  Of course they say that patient care isn't affected, but when you have no information available about the patients currently in the hospital, their diagnoses, tests or prior treatment, that seems a bit optimistic.

While most of us do not deal with life and death situations, it can take a while – weeks or longer – to recover from ransomware attacks if the organization is not prepared.

Are you prepared?  In this case, likely one doctor or nurse clicked on the wrong link;  that is all it takes.  Source: EHR Intelligence.


Atrium Health Data Breach – Over 2 Million Customers Impacted

Atrium Health announced a breach of the personal information of over 2 million customers, including Social Security numbers for about 700,000 of them.

However, while Atrium is the one that will pay the fines, the failure was actually at one of its vendors, Accudoc, which does billing for Atrium's 44 hospitals.

Atrium says the data was accessed but not downloaded, and did not include credit card data.  Of course, if the bad guys "accessed" the data and then screen-scraped it, it would not show up as downloaded; "accessed but not downloaded" is only as strong as the logging behind the claim.

One more time: VENDOR CYBER RISK MANAGEMENT.  It has to be a priority, unless you don't mind taking the rap and the fines for your vendor's errors.   Source: Charlotte Observer.


Friday News

Intel will NOT be patching all of its flawed chips

After saying for months that it would release microcode (firmware) updates for all processors produced in the last five years, Intel is now backtracking and says it will not produce patches for the Bloomfield line, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, the Wolfdale line and the Yorkfield line.  Several reasons were given, number one being that it was too hard (read: impossible) given the architecture of those chips.  (Source: The Verge).
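If you run hardware from one of those families, the practical question is what the kernel thinks of it. As an added check (mine, not something from the article or from Intel), the Go program below reads the Linux kernel's per-issue status files under /sys/devices/system/cpu/vulnerabilities/ and the microcode revision from /proc/cpuinfo, and lists anything the kernel still reports as vulnerable. The function names are my own; the value format (Not affected / Mitigation: ... / Vulnerable[: detail]) is the kernel's. Without a microcode update, software-only mitigation is all a Bloomfield-era box will ever have, and this is where that shows up.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// State summarises one entry from /sys/devices/system/cpu/vulnerabilities/.
// The kernel writes one of three prefixes: "Not affected", "Mitigation: ..."
// or "Vulnerable" (optionally followed by ": <detail>").
type State struct {
	Status string // "not_affected", "mitigated", "vulnerable" or "unknown"
	Detail string // text after the prefix, e.g. the mitigation in use
}

// Classify parses a single sysfs value into a State.
func Classify(value string) State {
	v := strings.TrimSpace(value)
	switch {
	case v == "Not affected":
		return State{Status: "not_affected"}
	case strings.HasPrefix(v, "Mitigation:"):
		return State{Status: "mitigated", Detail: strings.TrimSpace(strings.TrimPrefix(v, "Mitigation:"))}
	case strings.HasPrefix(v, "Vulnerable"):
		rest := strings.TrimPrefix(strings.TrimPrefix(v, "Vulnerable"), ":")
		return State{Status: "vulnerable", Detail: strings.TrimSpace(rest)}
	default:
		return State{Status: "unknown", Detail: v}
	}
}

// Unmitigated returns, sorted, the names of entries the kernel still reports
// as vulnerable, given a map of file name -> file contents.
func Unmitigated(entries map[string]string) []string {
	var out []string
	for name, value := range entries {
		if Classify(value).Status == "vulnerable" {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// MicrocodeRevision pulls the "microcode" field for the first CPU out of
// /proc/cpuinfo text; this is the value to compare against vendor guidance.
func MicrocodeRevision(cpuinfo string) string {
	for _, line := range strings.Split(cpuinfo, "\n") {
		if strings.HasPrefix(line, "microcode") {
			if i := strings.Index(line, ":"); i >= 0 {
				return strings.TrimSpace(line[i+1:])
			}
		}
	}
	return ""
}

// readSysfs loads the live vulnerability directory (Linux only).
func readSysfs(dir string) (map[string]string, error) {
	matches, err := filepath.Glob(filepath.Join(dir, "*"))
	if err != nil {
		return nil, err
	}
	entries := make(map[string]string)
	for _, p := range matches {
		b, err := os.ReadFile(p)
		if err != nil {
			continue
		}
		entries[filepath.Base(p)] = string(b)
	}
	return entries, nil
}

func main() {
	entries, err := readSysfs("/sys/devices/system/cpu/vulnerabilities")
	if err != nil || len(entries) == 0 {
		fmt.Println("no kernel vulnerability reporting available on this host")
		return
	}
	cpuinfo, _ := os.ReadFile("/proc/cpuinfo")
	fmt.Println("microcode revision:", MicrocodeRevision(string(cpuinfo)))
	for name, value := range entries {
		s := Classify(value)
		fmt.Printf("%-20s %-12s %s\n", name, s.Status, s.Detail)
	}
	if u := Unmitigated(entries); len(u) > 0 {
		fmt.Println("STILL VULNERABLE:", strings.Join(u, ", "))
	}
}
```

Run it as root or not; the files are world-readable. A "Vulnerable" line for spectre_v2 on an Intel part with an old microcode revision is exactly the situation the announcement describes.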

Microsoft Patch Tuesday Patches at Least 65 Vulnerabilities

From one perspective, given the breadth of Microsoft's empire, releasing 65 SECURITY patches a month is not unreasonable.  On the other hand, given that they have been doing this for years, that adds up to thousands of security flaws, which is a bit mind-blowing.  This month's patches affect Internet Explorer and Edge, Office (one more time), the Microsoft Malware Protection Engine, Visual Studio and Microsoft Azure.

A patch for the Malware Protection Engine (MPE) bug was released out of band last week because the engine sits underneath all of Microsoft's anti-malware products, such as Windows Defender and Security Essentials.  This is at least the third emergency MPE patch in recent months.  One caveat: engine updates ship through the same channel as malware definition updates rather than through the monthly Windows Update cycle, so a machine that is receiving definition updates gets the fix automatically; what to check is that those updates are actually arriving and are not stale.

Corporate IT usually has patching handled, but when it comes to home users things are a bit more spotty, so make sure that you install these patches (Source: Krebs On Security).

Identity thieves going after CPAs

If the IRS is warning tax preparers to "step up" their cybersecurity game, it must be bad. Brian Krebs details the story of a tax preparer who allowed his system to become compromised by a not very sophisticated keystroke logger.  The result was that his clients' data was stolen and false returns were filed in their names.  When the clients' real returns were rejected by the IRS, the CPA provided form letters for his clients to file with the IRS saying that they were victims of identity theft, without saying that it was the accountant who was responsible.  No doubt the clients were left with the bill to clean up their CPA's mess on top of it all.

If you use a tax preparer, you should be asking questions about their cybersecurity practices and if he or she says not to worry, you should start worrying.  Or looking for a more astute CPA (Source: Brian Krebs).

Atlanta, Colorado spending millions after ransomware attack

Atlanta has spent over $2 million mitigating the ransomware attack that started on March 12.  The attackers asked for about $50,000, which likely would have been covered by insurance.  The costs are for Secureworks, Ernst & Young and others.  If those costs are for upgrading infrastructure, insurance would not cover them.

The Colorado Department of Transportation (CDOT) has spent $1.5 million since its ransomware attack in February, and CDOT is still not fully operational.

Stories are that Atlanta’s IT was on life support due to lack of funding prior to the attack.  Assuming some of those millions are being spent on upgrading the infrastructure, maybe the attack has a silver lining.  (Source: SC Magazine).


Microsoft Loses Terabytes of Windows 10 Source Code

Both the NSA and CIA have been in the news way too many times recently when organizations like WikiLeaks and others released stolen software that the organizations would rather remain private.  In the case of the spy agencies, that software is their internally developed hacking tools.

Now it is someone else’s turn.

Microsoft has acknowledged that some of their Windows 10 source code has been released into the wild.  Not all of it, but a lot.

32 terabytes of installation images, documentation and source code, including hardware driver, USB and WiFi code, some kernel code and other source, were leaked and made available for download by anyone with access to the appropriate hacker sites.

Microsoft calls this material the Shared Source Kit.  It is distributed privately under contracts that restrict how it is handled, typically to hardware manufacturers, selected customers and some researchers.  Now it is available to hackers as well.

Some of the images contain information that is never released publicly that would definitely help hackers.

It also would allow hackers to look for bugs that they can exploit.  That is much easier if you have the source code.

While this is not the end of the world and it does not involve a breach of Microsoft’s network, it is still embarrassing and a security problem for Microsoft.

On the other hand, given the number of businesses that likely have access to the Shared Source Kit, this leak is not completely surprising.

After all, it only takes one of these partners to be hacked for the code to be out in the wild.  No one is suggesting that a partner who legally has this code released it into the wild.

What is your level of confidence that your company’s family jewels are really still secret?

Information for this post came from The Register.


Why Hoarding Zero Days Is Bad Public Policy

This week Microsoft patched a zero-day bug affecting Microsoft Word users.  Microsoft was alerted to the bug by the security firm FireEye several months ago.

What we did not know until today is that this bug was being exploited for at least several months.  WHO was exploiting it is less clear because hackers don’t always sign their names to the work, but it appears that both hackers and governments may have been exploiting the bug.

FireEye is saying that perhaps the hacker who discovered the flaw sold it to both other hackers and government actors.  Rarely is there any agreement from hackers to only sell a hack to one party, so if they did that, it is not really surprising.

It is also possible that two different people independently discovered the bug at around the same time.  That doesn’t seem as likely to me.

Hackers used different Word documents to entice folks to open the email attachments.  One was a military manual written in Russian, another was a document referencing the Russian Ministry of Defense and the third was a document that promised to reveal “top 7 hacker chicks”.  Seriously.

If people fell for it and opened the document, they were infected with FinSpy, the spyware made by FinFisher.  It is certainly possible that FinFisher, which makes spy tools and sells them to governments (and likely to "others" for the right price), also bought the zero-day.

As a testament to the international flavor of hacking, some of the servers hosting this delicious treat were in Italy while others were in Romania.

What is less clear is when our government became aware of this zero day.  Assuming they became aware of it, say, a year ago and decided to keep it secret, that is within the operating parameters of DoJ rules.

IF – and we don’t know if this is true – the government – our government – was keeping this zero day secret and hackers were, at the same time, using this hack against our businesses, that seems like a problem.

But that is a challenge the intelligence community and law enforcement face every day.

Do we tell?  Do we keep it secret?  Do we even know what is happening?  Do we want to watch the bad guys because we do know what is happening?  Do we not want to let the bad guys know we are watching them?  Life is not simple.  It would be nice if it were a little more simple, but it is not.

What does seem clear is that we can’t COUNT on the government to spill the beans, even if American businesses are being compromised by hackers.   Just warning you.

Information for this post came from Motherboard.


Google To Appeal Court’s Order To Disclose Emails Stored Abroad

Google has been ordered by a magistrate judge in Philadelphia to turn over emails stored abroad.  While we don’t have all the details of the case, it appears to be related to a domestic fraud case.

The emails in question are stored in a foreign country.  The case is a domestic case.

Last summer, the Second Circuit Court of Appeals agreed that Microsoft did not have to turn over emails stored in Ireland.  The court's reasoning was that the warrant provisions of the U.S. Stored Communications Act do not reach data stored in foreign countries.

In this case, a magistrate judge (a much lower-level court proceeding than an appeals court) said that Google did have to turn over emails stored in a foreign country.  The magistrate's logic is, in my opinion, somewhat convoluted.  The judge said that since Google could electronically copy the emails stored abroad to the United States and then hand them over to U.S. authorities in California, the search would occur in the United States and, somehow, would not violate foreign law.

By this logic, U.S. authorities could demand a U.S. based corporation to violate international law at any time by telling the U.S. company to bring data stored in a foreign country back to the U.S. and give it to U.S. authorities, here.

Google has said that it will appeal this order.  If this order stands, U.S. based tech businesses run the risk of being charged with crimes in foreign countries and also run the risk of losing the business of international customers.  This is the rock and a hard place that Google (and Microsoft) are stuck between.

Absent an order from a court of competent jurisdiction in a foreign country to turn over data, Google would potentially be in violation of laws such as the EU’s General Data Protection Regulation.

From a user’s standpoint, in many cases the owner of the email would not even be informed of the court order, since the order is often sealed, sometimes forever,  sometimes for years.

The only way a user has any control over the situation is if the data is encrypted from end to end AND the provider does not control the encryption keys.  Absio Dispatch is an example of an email solution that allows for this; Threema is an example of a messaging application that works this way.

None of the big commercial email applications such as GMail, Yahoo Mail, and Microsoft  Office 365 meet these requirements.
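To make the distinction concrete, here is an added example of the property the paragraphs above describe. It is my code, not something from the post and not the protocol of Absio Dispatch or Threema (neither is described here). The recipient generates a keypair on her own device and publishes only the public half; the sender encrypts each message under a fresh content key and wraps that key to the recipient's public key; the provider stores the opaque record and nothing else. A warrant served on the provider gets the record, and the provider's own key, or anyone else's, cannot open it. Names such as NewIdentity, Seal and Open and the sample message are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// StoredMessage is the whole record the provider keeps, and therefore the
// whole of what a warrant served on the provider can produce.
type StoredMessage struct {
	WrappedKey []byte // per-message AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext plus authentication tag
}

// NewIdentity generates a keypair on the user's own device. The private half
// is never uploaded; only PublicKey is published for senders to use.
func NewIdentity() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs on the sender's device: a fresh content key per message, the body
// encrypted under it, and the key wrapped to the recipient's public key.
// A fresh key per message also means the random GCM nonce is never reused.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*StoredMessage, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &StoredMessage{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open runs on the recipient's device. Any other private key, the provider's
// included, fails at the unwrap step and never sees the body; a modified
// ciphertext fails GCM authentication.
func Open(me *rsa.PrivateKey, m *StoredMessage) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me, m.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func main() {
	alice, _ := NewIdentity()    // the recipient; private key stays on her device
	provider, _ := NewIdentity() // the mail service's own key, which is not Alice's
	msg := []byte("constructed sample message: the quarterly numbers are attached")

	stored, err := Seal(&alice.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	// What a subpoena to the provider yields: opaque bytes only.
	fmt.Printf("provider holds %d ciphertext bytes and a %d-byte wrapped key\n",
		len(stored.Ciphertext), len(stored.WrappedKey))

	if _, err := Open(provider, stored); err != nil {
		fmt.Println("provider key cannot open the message:", err)
	}
	body, err := Open(alice, stored)
	if err != nil {
		panic(err)
	}
	fmt.Println("recipient reads:", string(body))
}
```

The design point is where the keys live, not the algorithms: the same AES and RSA calls run on a provider-side "encryption at rest" system, but there the provider holds the private key and can comply with the order in plaintext. That is the difference between the services named above and GMail, Yahoo Mail or Office 365.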

For most users, this is a matter of convenience,  and they don’t worry about the government reading their mail.

For other users, this is a matter of privacy, and they don't want the government poking its nose into their private matters.

The good news is that there are options: if it matters to you, you can choose whether to do something about it or not.  If you do, understand that it will require change for you and for the people you communicate with, since end-to-end encryption only works when both ends use it.

Information for this post came from the Telegraph.


In Ongoing Battle over Email, Microsoft Wins This Round

Microsoft has been fighting with the U.S. Department of Justice since 2013, when the DoJ tried to get Microsoft to hand over data belonging to a user that was stored exclusively in Ireland.  The case has gone back and forth in the courts since then.

The bottom line issue is whether a U.S. Court can force a U.S. based company to break foreign law because the U.S. Court says so.

In this case, the emails in question are stored in Ireland and Irish privacy law is pretty strict.  Microsoft says that they are absolutely willing to hand over the emails if the DoJ convinces an Irish court to issue a subpoena to the Microsoft Ireland subsidiary.  The DoJ, for whatever reason, doesn’t want to do that.  I suspect that they would like to create a precedent that U.S. law trumps Irish law in U.S. Courts.

Microsoft, pretending to be a friend of privacy when it suits them, is saying that they want to protect their user.  They may be more concerned about breaking Irish law and the penalties that come from that.

The EU General Data Protection Regulation, which goes into full effect in May 2018, allows a regulator to fine a business up to 4% of its worldwide annual revenue for privacy violations.  That doesn't mean they have to or will, but they can.  For Microsoft, based on 2015 revenue of $93 billion, that means a POTENTIAL MAXIMUM fine of almost $4 billion.

A short summary of the 180+ page GDPR text is available at Deloitte's web site, here.  Note that this appears to be a Dutch version of the site, so the notices about privacy and cookies are in Dutch, but the summary text is all in English.

Since 2013, this case has bounced around the courts.  Most recently, this month, the DoJ told the Second Circuit Court of Appeals that the Justice Department has the right to demand the emails of anyone, anywhere in the world from an email provider headquartered in the United States.

By logical extension, that means that China could demand emails of U.S. citizens from Google because their court said so.  I don’t think that U.S. courts would be thrilled about that quid pro quo.

The DoJ says that YOUR email is a business record OWNED by Microsoft, not you, hence they should be able to demand that Microsoft give them copies of their business records.  That is a pretty scary concept.  Two lower courts have ruled in favor of the DoJ.

What if those emails were letters, and those letters were stored in an office in Ireland?  Would the U.S. DoJ be able to send a Marshal to Ireland, hand over the U.S. search warrant and expect to get those letters?

What if North Korea presented a search warrant to a U.S. company asking for information on a customer?

As you can see, this gets messy quickly.

Microsoft wanted to make a 'federal case' of this, and so it asked the lower court to hold it in contempt for failing to turn over the emails, which gave it an order it could appeal.

It is important to understand here is that this is different than say the WhatsApp case in Brazil where a Brazilian court put a freeze on $6 million of Facebook’s money because WhatsApp doesn’t have the decryption keys and therefore can’t give them the messages unencrypted.  Since WhatsApp doesn’t have any offices or presence in Brazil, they went after Facebook instead (Facebook owns WhatsApp).  In this case, Microsoft could, technically, turn over those emails in readable format.

But, if Microsoft chose to comply with this warrant, their business model would shrivel up and die.

What foreign company would do business with an American company if they knew that the U.S. government could demand that that U.S. business turn over the foreign company’s records, stored in that foreign country, totally bypassing the legal system in that country.

Currently, companies like Google and Microsoft deal with that by setting up subsidiaries in different countries and have users be customers of that local country subsidiary.

While I don’t even pretend to be a lawyer, even on the Internet, the concept here is called extraterritoriality, meaning that a government declares that their law applies in another country.  While a country can do that, absent the other country agreeing to that statement, the likelihood of the other country enforcing that law is very low.

Microsoft says that if the U.S. wants to go after data stored in foreign countries, that is fine.  What they need to do is pass a law that says that they claim that right and then negotiate treaties with each other country that they want to enforce it.  There are many examples of this today, but it is a complicated process.

For one thing, each other country will likely demand reciprocal rights and those countries will likely demand that those laws can only be enforced if they provide similar rights that the citizen in question has in their country.

In the Microsoft case, that means that, if there was a treaty in place, and if U.S. provided the same protections as Irish law, then Ireland would honor the U.S. law.

Great Britain is trying the same gig with the proposed Investigatory Powers Bill (the so-called Snooper's Charter) currently in its parliament, and while Britain might pass such a law, the likelihood of it being enforced in at least some other countries is basically zero.

For those of you who read this tome hoping I would tell you how it turned out: the appeals court ruled in Microsoft's favor.

Whether the DoJ chooses to appeal this to the Supreme Court or wait until after the November elections and hope that Trump gets elected and stacks the court the way they would like, is unclear.  If Clinton gets elected it is unlikely that the DoJ would get the judge that they want.  In fact, whoever gets elected will likely control the slant of the court for decades to come and that is probably the most important issue related to the U.S. Presidential elections, bar none.