this post was submitted on 07 Sep 2023
162 points (100.0% liked)

Technology

59323 readers
4891 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Microsoft finally explains cause of Azure breach: An engineer’s account was hacked::Other failures along the way included a signing key improperly appearing in a crash dump.

you are viewing a single comment's thread
view the rest of the comments
[–] autotldr@lemmings.world 9 points 1 year ago

This is the best summary I could come up with:


Such keys, Microsoft said, are entrusted only to employees who have undergone a background check and then only when they are using dedicated workstations protected by multi-factor authentication using hardware token devices.

To safeguard this dedicated environment, email, conferencing, web research, and other collaboration tools aren’t allowed because they provide the most common vectors for successful malware and phishing attacks.

The hack of a Microsoft engineer’s corporate account allowed Storm-0558 to access the crash dump and, with it, the expired Exchange signing key.

Addressing the second mystery, the post explained how an expired signing key for a consumer account was used to forge tokens for sensitive enterprise offerings.

Human errors prevented a programming interface designed to cryptographically validate which environment a key from working properly.

Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key (this issue has been corrected using the updated libraries).


The original article contains 734 words, the summary contains 154 words. Saved 79%. I'm a bot and I'm open source!