Microsoft Responded Quietly After Detecting Secret Database Hack in 2013

Citing five former employees, Reuters reported on Tuesday that Microsoft's secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago. From the report: The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident. The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins. The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks. "Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.

Still lots of old computers out there

Regardless of whether Microsoft fixed the flaws or not, there are still millions of old computers out there with important information that do important things that have not been / will not ever be patched.

Closed OS FTW.

[xxxJonBoyxxx]

>> database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system

Closed OS FTW. On second thought, TFA says "including Windows", so was Microsoft hanging onto zero-days for other companies?

Re:Closed OS FTW.

[Baron_Yam]

>so was Microsoft hanging onto zero-days for other companies?

Microsoft sells more than just an OS.

Re:Closed OS FTW.

[UBfusion]

Apparently this was part of their to-do list. The moment the # of vulnerabilities exceeded 1,000,000 the list lost meaning and got abandoned.

Re:Closed OS FTW.

[messymerry]

I'm guessing that they are talking about other MS software such as Office and other MS produced software other than Windows OS...

Re: Closed OS FTW.

You'd be surprised how ignorant some people, including IT professionals, can be. I was recently talking to one Linux sysadmin who absolutely hated Windows. Yet the last time he'd used Windows was NT 4! He couldn't even name any Windows Server releases past 2000! He also had no idea what SQL Server is, and although he had heard of C# he knew pretty much nothing about .NET. He was a pretty stereotypical neckbeard, so I can understand him not using Windows often, but it was absurd to see him hate Windows so much despite not having used it in over 15 years! I think this blind, ignorant hatred is far more prevalent within the Linux community than we might expect. I find it kind of ironic, as Linux has been becoming far more Windows-like with things like systemd and binary logging. These Linux supporters are advocating for what they claim to hate, without even realizing it!

Re: Closed OS FTW.

[TemporalBeing]

You'd be surprised how ignorant some people, including IT professionals, can be. I was recently talking to one Linux sysadmin who absolutely hated Windows. Yet the last time he'd used Windows was NT 4! He couldn't even name any Windows Server releases past 2000! He also had no idea what SQL Server is, and although he had heard of C# he knew pretty much nothing about .NET. He was a pretty stereotypical neckbeard, so I can understand him not using Windows often, but it was absurd to see him hate Windows so much despite not having used it in over 15 years! I think this blind, ignorant hatred is far more prevalent within the Linux community than we might expect. I find it kind of ironic, as Linux has been becoming far more Windows-like with things like systemd and binary logging. These Linux supporters are advocating for what they claim to hate, without even realizing it!

1. systemd is an abomination that should be removed entirely. Glad there's distros like Devuan focused on keeping options open; and Gentoo driving OpenRC development (which started at Gentoo!).

2. I stopped using Windows regularly in 2009 once I was able to switch my work devices over to Linux, save a VM to do deliverable compilations on occasion for a couple years. However, I still get introduced to the changes going on - via co-workers, friends, and family. That said, the basics of Windows haven't changed since the NT4 days. Win32 is just as abysmally insecure as ever. I've done some .NET (VB.NET + ASP.NET; C# + managed C++ for a service), and touched quite a few Windows technologies over the years and done enough in-depth Windows stuff to know why I avoid Windows - all of which applies equally to NT4 and WIn10.

So yeah - a dev might not be able to explain how to use the interface on Win10, or name off all the releases...but their concerns about Windows are still probably just as valid.

WTF??

[UBfusion]

They really kept this database on an internet-facing PC?

Re:WTF??

[xxxJonBoyxxx]

>> database on an internet-facing PC

I doubt it. From TFA: "exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then move to company networks"

So...they probably established a CnC beachhead inside the network, let that dial out to their proxied CnC server, and then went into the company's internal network over that connection. In other words, they could have pulled this off without any Internet-facing resources. In fact, they only needed one of the Macbooks to be able to connect out to the Internet; the DB itself may well have been on a machine without any Internet access since the Macbook was the conduit.

Re:WTF??

[bobbied]

They really kept this database on an internet-facing PC?

Not necessary to be internet facing.. Just internet connected... However, still, why on earth allow that? Air gapped security would be recommended in cases like this I think.

Re:WTF??

[xxxJonBoyxxx]

Found the third-year CS student.

Re: WTF??

[mSparks43]

with the âoeeverything is a fileâ philosophy of the *nixs, all your security problems simplify down to file permission problems.
With windows, all security problems simplify down to active directory, which you need a specialised, long winded education to even install.

What were they supposed to do?

[Mal-2]

What exactly were they supposed to do? Disclosing this publicly wouldn't have gotten the 0-days closed any faster but would have started malicious actors scrambling to get their hands on that database. Some already had it -- publicly admit it exists and has been exfiltrated, and anyone with even a passing interest is going to want it.

Now if it had been a database of someone else's 0-days, then they could be expected to at least tell the vendors of the products in question. But when they are the vendor? It's an internal problem.

So they left the database vunlerable to the hacker

[evolutionary]

Okay, one can can argue that telling means people will hack. but in my experience, the hacking community finds out anyway, and then the public isn't even given a chance to defend themselves. Perhaps MS thought it was cute to leave a backdoor, say, for the NSA, but as long as the customers are paying their salaries they have an ethical obligation to inform the customers so they can take actions to protect themselves. This is why closed source software cannot be trusted and is in fact less secure: people can leave known issues and nobody who truly knows is going to tell, so they can use it for their own purposes. No accountability, means no responsibility, means irresponsible actions. When the world knows as a whole, the world is stronger as a whole.

Re:Equifax ran Linux

[EvilSS]

Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

Re:Equifax ran Linux

[TechyImmigrant]

Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.

Re:Equifax ran Linux

[TemporalBeing]

Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.

SSA could care less about the SSN in that respect. It'd more likely be the FBI, CIA, NSA, DIA, and a number of other agencies that have more of an interest with collecting all that information...

Re: Equifax ran Linux

[mSparks43]

methinks you dont really understand any of them, which, afaics, amount to bugs of local users of the system. none of them are critical vulnerabilities. let alone anywhere close to a database chock full of unfixed severe vulnerabilities because not enough developers have access to the windows source code to fix them in a reasonable time.

Pedant alert

[drew_kime]

Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world.

They literally would not.

Re:Equifax ran Linux

[EvilSS]

Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.

You are going to have to expand on that hypothesis for me. I'm not seeing a link to SSA's desire to not use SSN for financial credentials and a hack of an internal Microsoft bug database.

Re:Equifax ran Linux

[TechyImmigrant]

Before you rush to post about how insecure Microsoft is, don't forget that your social security number and financial history were released in a hack of Linux / Apache / Struts.

Funny thing this wasn't a windows hack. FTA: "The group, variously called Morpho, Butterfly and Wild Neutron by security researchers elsewhere, exploited a flaw in the Java programming language to penetrate employees' Apple Macintosh computers and then move to company networks"

Hypothesis: The hack was ordered by the SSA trying to discredit the use of social security numbers as financial credentials, so they could push the government to adopt cryptographically secure credentials for individuals.

You are going to have to expand on that hypothesis for me. I'm not seeing a link to SSA's desire to not use SSN for financial credentials and a hack of an internal Microsoft bug database.

That's why it's a hypothesis - so I don't have to prove it. The feds did ask NIST (I think NIST) to start working on a crypto based replacement for SSNs a couple of weeks ago. The SSA thing came from the post that is one level up in the hierarchy up, which brought up the topic.

Re:Equifax ran Linux

[EvilSS]

I didn't ask you to prove it, I asked you to explain it. It's nonsensical.

Re:Equifax ran Linux

[TechyImmigrant]

> It's nonsensical.

That's because it was a joke. Although with the current government I wouldn't be surprised if it was true.
 

Re:Equifax ran Linux

[EvilSS]

I don't think you understand how jokes work....

Re:Equifax ran Linux

[TechyImmigrant]

I don't think you understand how jokes work....

Slashdot is the place where jokes go to whoosh.