Slashdot Mirror


Microsoft Responded Quietly After Detecting Secret Database Hack in 2013 (reuters.com)

Citing five former employees, Reuters reported on Tuesday that Microsoft's secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago. From the report: The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident. The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins. The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks. "Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.

48 comments

  1. Still lots of old computers out there by Anonymous Coward · · Score: 1, Interesting

    Regardless of whether Microsoft fixed the flaws or not, there are still millions of old computers out there with important information that do important things that have not been / will not ever be patched.

  2. Equifax ran Linux by Anonymous Coward · · Score: 0, Troll

    Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

    1. Re:Equifax ran Linux by bobbied · · Score: 0

      Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

      Nope, just a version of Struts not considered ready for "production" use had the issue... Linux and Apache are just fine, not to mention the current stable version of Struts.

      This was some idiot deciding to go bleeding edge in a production environment when it wasn't recommended or fully vetted.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Equifax ran Linux by EvilSS · · Score: 1

      Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

      Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

      --
      I browse on +1 so AC's need not respond, I won't see it.
    3. Re:Equifax ran Linux by TechyImmigrant · · Score: 1

      Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

      Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

      Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re:Equifax ran Linux by TemporalBeing · · Score: 1

      Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

      Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

      Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.

      SSA could care less about the SSN in that respect. It'd more likely be the FBI, CIA, NSA, DIA, and a number of other agencies that have more of an interest with collecting all that information...

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    5. Re: Equifax ran Linux by mSparks43 · · Score: 2

      methinks you don't really understand any of them, which, afaics, amount to bugs of local users of the system. none of them are critical vulnerabilities. let alone anywhere close to a database chock full of unfixed severe vulnerabilities because not enough developers have access to the windows source code to fix them in a reasonable time.

    6. Re:Equifax ran Linux by EvilSS · · Score: 1

      Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

      Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

      Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.

      You are going to have to expand on that hypothesis for me. I'm not seeing a link to SSA's desire to not use SSN for financial credentials and a hack of an internal Microsoft bug database.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    7. Re:Equifax ran Linux by TechyImmigrant · · Score: 1

      Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

      Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

      Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.

      You are going to have to expand on that hypothesis for me. I'm not seeing a link to SSA's desire to not use SSN for financial credentials and a hack of an internal Microsoft bug database.

      That's why it's a hypothesis - so I don't have to prove it. The feds did ask NIST (I think NIST) to start working on a crypto based replacement for SSNs a couple of weeks ago. The SSA thing came from the post that is one level up in the hierarchy, which brought up the topic.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    8. Re:Equifax ran Linux by EvilSS · · Score: 1

      I didn't ask you to prove it, I asked you to explain it. It's nonsensical.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    9. Re:Equifax ran Linux by TechyImmigrant · · Score: 1

      > It's nonsensical.

      That's because it was a joke. Although with the current government I wouldn't be surprised if it was true.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    10. Re:Equifax ran Linux by EvilSS · · Score: 1

      I don't think you understand how jokes work....

      --
      I browse on +1 so AC's need not respond, I won't see it.
    11. Re:Equifax ran Linux by TechyImmigrant · · Score: 1

      I don't think you understand how jokes work....

      Slashdot is the place where jokes go to whoosh.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Closed OS FTW. by xxxJonBoyxxx · · Score: 1

    >> database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system

    Closed OS FTW. On second thought, TFA says "including Windows", so was Microsoft hanging onto zero-days for other companies?

    1. Re:Closed OS FTW. by Baron_Yam · · Score: 1

      >so was Microsoft hanging onto zero-days for other companies?

      Microsoft sells more than just an OS.

    2. Re:Closed OS FTW. by UBfusion · · Score: 1

      Apparently this was part of their to-do list. The moment the # of vulnerabilities exceeded 1,000,000 the list lost meaning and got abandoned.

    3. Re:Closed OS FTW. by messymerry · · Score: 1

      I'm guessing that they are talking about other MS software such as Office and other MS produced software other than Windows OS...

      --
      Dear Microlimp: I give you 2 valid product keys for win7 and you reject both of them. Piss off you wankers!!!
    4. Re: Closed OS FTW. by Anonymous Coward · · Score: 1

      You'd be surprised how ignorant some people, including IT professionals, can be. I was recently talking to one Linux sysadmin who absolutely hated Windows. Yet the last time he'd used Windows was NT 4! He couldn't even name any Windows Server releases past 2000! He also had no idea what SQL Server is, and although he had heard of C# he knew pretty much nothing about .NET. He was a pretty stereotypical neckbeard, so I can understand him not using Windows often, but it was absurd to see him hate Windows so much despite not having used it in over 15 years! I think this blind, ignorant hatred is far more prevalent within the Linux community than we might expect. I find it kind of ironic, as Linux has been becoming far more Windows-like with things like systemd and binary logging. These Linux supporters are advocating for what they claim to hate, without even realizing it!

    5. Re: Closed OS FTW. by Anonymous Coward · · Score: 0

      FWIW, not every linux user agrees with the systemd push.

    6. Re: Closed OS FTW. by TemporalBeing · · Score: 1

      You'd be surprised how ignorant some people, including IT professionals, can be. I was recently talking to one Linux sysadmin who absolutely hated Windows. Yet the last time he'd used Windows was NT 4! He couldn't even name any Windows Server releases past 2000! He also had no idea what SQL Server is, and although he had heard of C# he knew pretty much nothing about .NET. He was a pretty stereotypical neckbeard, so I can understand him not using Windows often, but it was absurd to see him hate Windows so much despite not having used it in over 15 years! I think this blind, ignorant hatred is far more prevalent within the Linux community than we might expect. I find it kind of ironic, as Linux has been becoming far more Windows-like with things like systemd and binary logging. These Linux supporters are advocating for what they claim to hate, without even realizing it!

      1. systemd is an abomination that should be removed entirely. Glad there's distros like Devuan focused on keeping options open; and Gentoo driving OpenRC development (which started at Gentoo!).

      2. I stopped using Windows regularly in 2009 once I was able to switch my work devices over to Linux, save a VM to do deliverable compilations on occasion for a couple years. However, I still get introduced to the changes going on - via co-workers, friends, and family. That said, the basics of Windows haven't changed since the NT4 days. Win32 is just as abysmally insecure as ever. I've done some .NET (VB.NET + ASP.NET; C# + managed C++ for a service), and touched quite a few Windows technologies over the years and done enough in-depth Windows stuff to know why I avoid Windows - all of which applies equally to NT4 and WIn10.

      So yeah - a dev might not be able to explain how to use the interface on Win10, or name off all the releases...but their concerns about Windows are still probably just as valid.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    7. Re:Closed OS FTW. by Anonymous Coward · · Score: 0

      Yes, they partnered with Adobe to track and fix all the Flash exploits.

  4. And THIS is why Linux is the obvious choice by Anonymous Coward · · Score: 0

    Because bad guys always have access to the bugs, in writing!

    1. Re:And THIS is why Linux is the obvious choice by Anonymous Coward · · Score: 0

      I prefer them in semaphore, myself.

  5. WTF?? by UBfusion · · Score: 1

    They really kept this database on an internet-facing PC?

    1. Re:WTF?? by Anonymous Coward · · Score: 0

      No, in TFA, several laptops were compromised and (inferral) used to access the database.

    2. Re:WTF?? by xxxJonBoyxxx · · Score: 1

      >> database on an internet-facing PC

      I doubt it. From TFA: "exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then move to company networks"

      So...they probably established a CnC beachhead inside the network, let that dial out to their proxied CnC server, and then went into the company's internal network over that connection. In other words, they could have pulled this off without any Internet-facing resources. In fact, they only needed one of the Macbooks to be able to connect out to the Internet; the DB itself may well have been on a machine without any Internet access since the Macbook was the conduit.

    3. Re: WTF?? by Anonymous Coward · · Score: 0

      Are you saying that all open source projects should keep their bug trackers private?

      How can a million public eyeballs find all bugs if they can't publicly track which bugs have already been found?

    4. Re:WTF?? by bobbied · · Score: 1

      They really kept this database on an internet-facing PC?

      Not necessary to be internet facing.. Just internet connected... However, still, why on earth allow that? Air gapped security would be recommended in cases like this I think.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    5. Re:WTF?? by Anonymous Coward · · Score: 0

      So that no one can enter new bugs, or query or update the status of old bugs without walking over to the machine? Yea, that's gonna make people productive.

    6. Re:WTF?? by Anonymous Coward · · Score: 0

      WTF??? They have so many known unfixed bugs that they need a database to track it?

    7. Re:WTF?? by Anonymous Coward · · Score: 0

      Every Linux/BSD related project also has an open Bugzilla database like this:

      https://fedoraproject.org/wiki/Bugzilla

      or

      https://bugs.freebsd.org/bugzilla/

      The only difference is that FOSS projects actually fix their bugs.

    8. Re:WTF?? by Anonymous Coward · · Score: 0

      Christ, you are lazy. Do you wash yourself with a rag on a stick?

    9. Re:WTF?? by xxxJonBoyxxx · · Score: 1

      Found the third-year CS student.

    10. Re:WTF?? by Anonymous Coward · · Score: 0

      Christ, you are lazy. Do you wash yourself with a rag on a stick?

      It's not lazy if you have a big belly and small arms.

    11. Re: WTF?? by mSparks43 · · Score: 1

      With the "everything is a file" philosophy of the *nixes, all your security problems simplify down to file permission problems.
      With Windows, all security problems simplify down to Active Directory, which you need a specialised, long-winded education to even install.

  6. What were they supposed to do? by Mal-2 · · Score: 4, Insightful

    What exactly were they supposed to do? Disclosing this publicly wouldn't have gotten the 0-days closed any faster but would have started malicious actors scrambling to get their hands on that database. Some already had it -- publicly admit it exists and has been exfiltrated, and anyone with even a passing interest is going to want it.

    Now if it had been a database of someone else's 0-days, then they could be expected to at least tell the vendors of the products in question. But when they are the vendor? It's an internal problem.

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    1. Re:What were they supposed to do? by Anonymous Coward · · Score: 0

      From TFA:

      Only one breach of a big database from a software company has been disclosed. In 2015, the nonprofit Mozilla Foundation [...] said an attacker had gotten access to a database that included 10 severe and unpatched flaws [...]

      In contrast to Microsoft's approach, Mozilla provided extensive details of the breach and urged its customers to take action.

      Now what do you prefer?

      Of course the first step is damage control. But once you got the fixes pushed out (which you better do presto), disclosure is king.

      It's *four years* now, FFS!

      No, to me it ain't a surprise. But I don't trust Microsoft at all.

    2. Re:What were they supposed to do? by Anonymous Coward · · Score: 0

      Right. It's four years now, and Microsoft is still not commenting, these are former employers who are talking about it. From the summary, "The Microsoft flaws were fixed likely within months of the hack, according to the former employees." Real comforting, eh? They were probably fixed in a few months. Who knows?

    3. Re:What were they supposed to do? by Anonymous Coward · · Score: 0

      Fix the bugs? I mean seriously. If this code was available publicly and the bugs were advertised publicly from the get go entities would have a more pressing matter to deal with and things would get fixed sooner. In fact those who release code publicly overall write better code because they're under pressure to do so. I'll give you an example. The LibreCMC project has pushed out bug fixes numerous times within the past six months within hours of vulnerabilities being publicly announced. A release of 1.4.1 was JUST made this past week, and yet an updated fix for another vulnerability that was announced yesterday is fixed and coming out today.

    4. Re:What were they supposed to do? by Anonymous Coward · · Score: 0

      They should have disclosed the attack and published information on ALL currently unpatched vulnerabilities.

      Perhaps not enough to build a new attack too from scratch, but at least mitigation strategies. The assumption should be that 100% of Bad Guys have all their dirty laundry, now, and so they should air that laundry so that the Good Guys have a chance at stopping the Bad Guys.

      Yes, get the patches out, but also inform everyone at the time that there are a whole bunch of 0-days now likely available online and they need to protect themselves.
      It will also motivate people to apply those updates instead of saying "hmm... miscellaneous 'update' with vague description? I'll skip it because my system runs just fine". Instead, they can say "this is probably one of those vulns that was fixed, and they don't want to disclose too much". Of course, the latter stance is the one anyone who cares about security should have already.

  7. On a GOOD note on MS DB (SQLServer) by Anonymous Coward · · Score: 0

    See subject & DataCore tech cranks wheezing SQL Servers to ridiculous speeds https://www.theregister.co.uk/2017/09/26/datacore_drives_sql_server_to_silly_speeds/

    * Pretty impressive imo...

    (They raised the amount of users that can concurrently hit the DB, especially on writes, massively...)

    APK

    P.S.=> Great job by DataCore... apk

  8. NSA and CIA by Anonymous Coward · · Score: 0

    How else do you think they have so many zero-days and other exploits no one else ever heard of? They are literally cyber terrorists, and it's criminal that they are allowed to do this to the world, and even their own companies.

  9. So they left the database vulnerable to the hacker by evolutionary · · Score: 1

    Okay, one can argue that telling means people will hack, but in my experience, the hacking community finds out anyway, and then the public isn't even given a chance to defend themselves. Perhaps MS thought it was cute to leave a backdoor, say, for the NSA, but as long as the customers are paying their salaries they have an ethical obligation to inform the customers so they can take actions to protect themselves. This is why closed source software cannot be trusted and is in fact less secure: people can leave known issues and nobody who truly knows is going to tell, so they can use it for their own purposes. No accountability means no responsibility, means irresponsible actions. When the world knows as a whole, the world is stronger as a whole.

    --
    "Imagination is more important than knowledge" - Einstein
  10. Classification by Anonymous Coward · · Score: 0

    'Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks.'

    Perhaps Microsoft was told to keep the hack quiet after advising a security agency (likely DHS or possibly NSA I would imagine).
    Notice in the above quote 'informed of the breach by Reuters'.
    Would these employees have even known about contact between Microsoft and a security agency?
    Not enough information to condemn Microsoft's response.

  11. KB by Anonymous Coward · · Score: 0

    Nobody mentioned MS KB with bugs mentioned was app accessing network share with guest read, share containing 100s of thousands .txt files with bug descriptions, also connected with Clarify "ticketing system" total joke without any security. Nobody hacked it, anybody could just download it...

  12. Pedant alert by drew_kime · · Score: 1

    Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world.

    They literally would not.

    --
    Nope, no sig