Microsoft mum on 2013 database breach of bug tracking system
News roundup: Former employees reveal a 2013 database breach exposed Microsoft's bug tracking system, DHS sets new rules for federal agencies on web, email security, and more.
Microsoft's internal bug tracking system was hacked in 2013, and no one outside the company knew about the database breach until now, according to a Reuters report.
The breached database was accessible with just a password, according to five former employees. But after the database breach Microsoft added two-factor authentication, as well as other security measures to better protect the bug tracking system containing detailed descriptions of unpatched vulnerabilities in Microsoft software.
Shortly after reports surfaced in 2013 of a security incident at Microsoft, the software giant had stated only that a "small number" of computers had been infected with malicious software. However, it turns out that the database breach exposed details of critical -- and unpatched -- bugs in Windows and other Microsoft software.
The bugs documented in the breached database could have been used by threat actors to create exploits against the unpatched software, although the ex-employees told Reuters that a Microsoft investigation after the database breach failed to uncover any evidence that the vulnerability data had been used in any attacks on other organizations.
"The compromise of Microsoft's database highlights that everyone is vulnerable to sophisticated intrusions," Dmitri Alperovitch, co-founder and CTO at CrowdStrike, told SearchSecurity by email. "From the adversary perspective, having access to critical and unfixed vulnerabilities is the 'holy grail.' We may be seeing the ripple effects of this hack for some time and many businesses may end up suffering stealthy compromises."
According to Reuters, the group behind the database breach was identified as Wild Neutron, also known as Morpho and Butterfly. The breach was discovered after the same group accessed systems at Apple, Facebook and Twitter. The Wild Neutron group, considered to be well-resourced and focused on financial gains, is not thought to be a state-sponsored threat actor.
This isn't the first time a bug tracking system breach of major software provider has been made public. In 2015, Mozilla announced that its Bugzilla bug tracking system had been accessed by an unknown attacker, who used at least one of the vulnerabilities breached to carry out attacks on Firefox users.
In other news
- The U.S. Department of Homeland Security has given federal agencies just 30 days to develop plans to enhance email and web security under a new binding operational directive (BOD). Under the directive, BOD 18-01, agencies have 90 days to deploy STARTTLS on all internet-facing mail servers and to begin deploying Domain-based Message Authentication, Reporting and Conformance, to validate email and combat spam and phishing attacks. STARTTLS is a protocol option added to email and other application protocols in order to specify that transmissions of that protocol use Transport Layer Security (TLS) protocol encryption. Under the new BOD, agencies have 120 days to transition all web content to HTTPS, instead of HTTP, to drop support for deprecated Secure Sockets Layer (SSL) versions 2 and 3, and to disable 3DES and RC4 ciphers on all web and mail servers.
- The U.S. Supreme Court will decide whether authorities can access data stored anywhere in the world. The case in question involves a warrant for emails believed to be connected to a narcotics investigation that were stored on a Microsoft server in Ireland. A warrant was issued for the emails in 2013, which Microsoft challenged in court. Brad Smith, president and chief legal officer at Microsoft, wrote in a blog post this week that Microsoft is contesting the warrant "because we believed U.S. search warrants shouldn't reach over borders to seize the emails of people who live outside the United States and whose emails are stored outside the United States." The Justice Department argues that because the data being demanded can be retrieved from Microsoft's U.S. headquarters, the data must be turned over no matter where it is being stored.
- Google added limited antivirus capability to Chrome for Windows this week. Citing the importance of preventing unwanted software from running on browsers, the ad giant announced three changes to Chrome for Windows that would help prevent unwanted software from taking over the browser. Philippe Rivard, product manager for Chrome Cleanup at Google, wrote that Google "upgraded the technology we use in Chrome Cleanup to detect and remove unwanted software," working with antivirus and internet security vendor ESET to integrate its detection engine with Chrome's sandbox technology. Chrome is now able to detect when an extension attempts to change user settings, a tactic that malicious software sometimes uses to take control of the browser by manipulating search engine results to steer users to malicious sites. The other major change was a simplified method for removing unwanted software using Chrome Cleanup.