ReportWire

Tag: microsoft cloud

  • An App Used to Dox Charlie Kirk Critics Doxed Its Own Users Instead

    [ad_1]

    New research released this week shows that over the past few years the US Department of Homeland Security has collected DNA data of nearly 2,000 US citizens. The activity raises questions about legality and oversight given that DHS has been putting the information into an FBI crime database. Some of the genetic data is from US citizens as young as 14.

    The US Secret Service said on Tuesday that it had discovered facilities across the “New York tristate area” running so-called SIM servers—devices that manage and coordinate 100,000 SIM cards at a time for illicit operations. The Secret Service warned, though, that in addition to being used by cybercriminals for scamming, the apparatuses could also be used to launch critical infrastructure attacks that could disrupt mobile networks.

    A cyberattack on the UK-based automaker Jaguar Land Rover has been causing a supply chain meltdown, halting vehicle production, costing JLR tens of millions of dollars, and forcing its parts suppliers to lay off workers. The beleaguered company will have to shoulder the full cost of the attack because of inadequate insurance coverage, prompting talks of possible UK government assistance.

    If you’re worried about phone searches while traveling or doing specific activities, the password manager known as 1Password has a Travel Mode feature that can help you manage sensitive data and temporarily remove it from your device. We’ve got advice on how to use the tool most effectively.

    And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    An app used to out those who spoke ill of the murdered right-wing activist Charlie Kirk was found to be leaking its users’ personal information, doxing the very people it had invited to dox its targets.

    The app Cancel the Hate, founded in the wake of Kirk’s September 10 assassination, suspended its services this week after it was revealed that security flaws in the website where the app was hosted exposed users’ email addresses and phone numbers. That site had asked its users to collect and share employment and other personal information of critics of Kirk and others “supporting political violence.” But a security researcher who identified themselves only as BobDaHacker demonstrated to news outlet Straight Arrow News that privacy settings on the site didn’t work as advertised, publicly leaking users’ information even when it was set to private. The hacker also reportedly had the ability to delete users’ accounts at will.

    Cancel the Hate, which displayed a photo of Kirk on its homepage and was founded by a Kirk supporter who cited his death as the motivation for creating the site, has since taken down its reporting features. It now displays a message on its homepage that it’s moving to a “new service provider.” The page that allows visitors to buy a $23 T-shirt remains online.

    Ransomware groups continued to plumb the depths of abject immorality this week with a new tactic: extorting preschools by stealing toddlers’ personal information and threatening their parents. The BBC reports that a hacker group says it has stolen the names, addresses, and photos of around 8,000 children from the preschool chain Kido, which has sites largely around London but also in the US and India. The hackers are threatening to leak the data if a ransom isn’t paid, going so far as to contact some of the children’s parents to reinforce their threat. The group has also posted sample information and photos of 10 children on their dark-web site.

    In August, The Guardian, Israeli-Palestinian publication +972 Magazine, and Hebrew-language publication Local Call revealed how Israeli signals intelligence agency Unit 8200 had built a comprehensive surveillance system to intercept and store Palestinian phone calls. More than “a million calls an hour” could be collected by the system, which reportedly amassed around 8,000 terabytes of call data and stored it in Microsoft’s Azure cloud service in the Netherlands, the publications reported.

    This week, following an external investigation commissioned by Microsoft, the company pulled some of the Israeli military’s access to its technology. In a statement, Microsoft president Brad Smith said the firm has taken the decision to “cease and disable” some “specific cloud storage and AI services and technologies” that it was providing to Israeli forces. Microsoft’s action—its investigation is still ongoing—follows a wave of staff protests at its ties to Israel and its ongoing war in Gaza. “We do not provide technology to facilitate mass surveillance of civilians. We have applied this principle in every country around the world, and we have insisted on it repeatedly for more than two decades,” Smith wrote in a statement.

    [ad_2]

    Andy Greenberg, Matt Burgess, Lily Hay Newman

    Source link

  • This Microsoft Entra ID Vulnerability Could Have Been Catastrophic

    [ad_1]

    As businesses around the world have shifted their digital infrastructure over the last decade from self-hosted servers to the cloud, they’ve benefitted from the standardized, built-in security features of major cloud providers like Microsoft. But with so much riding on these systems, there can be potentially disastrous consequences at a massive scale if something goes wrong. Case in point: Security researcher Dirk-jan Mollema recently stumbled upon a pair of vulnerabilities in Microsoft Azure’s identity and access management platform that could have been exploited for a potentially cataclysmic takeover of all Azure customer accounts.

    Known as Entra ID, the system stores each Azure cloud customer’s user identities, sign-in access controls, applications, and subscription management tools. Mollema has studied Entra ID security in depth and published multiple studies about weaknesses in the system, which was formerly known as Azure Active Directory. But while preparing to present at the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges—essentially god mode—and compromise every Entra ID directory, or what is known as a “tenant.” Mollema says that this would have exposed nearly every Entra ID tenant in the world other than, perhaps, government cloud infrastructure.

    “I was just staring at my screen. I was like, ‘No, this shouldn’’t really happen,’” says Mollema, who runs the Dutch cybersecurity company Outsider Security and specializes in cloud security. “It was quite bad. As bad as it gets, I would say.”

    “From my own tenants—my test tenant or even a trial tenant—you could request these tokens and you could impersonate basically anybody else in anybody else’s tenant,” Mollema adds. “That means you could modify other people’s configuration, create new and admin users in that tenant, and do anything you would like.”

    Given the seriousness of the vulnerability, Mollema disclosed his findings to the Microsoft Security Response Center on July 14, the same day that he discovered the flaws. Microsoft started investigating the findings that day and issued a fix globally on July 17. The company confirmed to Mollema that the issue was fixed by July 23 and implemented extra measures in August. Microsoft issued a CVE for the vulnerability on September 4.

    “We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative,” Tom Gallagher, Microsoft’s Security Response Center vice president of engineering, told WIRED in a statement. “We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem.”

    Gallagher says that Microsoft found “no evidence of abuse” of the vulnerability during its investigation.

    Both vulnerabilities relate to legacy systems still functioning within Entra ID. The first involves a type of Azure authentication token Mollema discovered known as Actor Tokens that are issued by an obscure Azure mechanism called the “Access Control Service.” Actor Tokens have some special system properties that Mollema realized could be useful to an attacker when combined with another vulnerability. The other bug was a major flaw in a historic Azure Active Directory application programming interface known as “Graph” that was used to facilitate access to data stored in Microsoft 365. Microsoft is in the process of retiring Azure Active Directory Graph and transitioning users to its successor, Microsoft Graph, which is designed for Entra ID. The flaw was related to a failure by Azure AD Graph to properly validate which Azure tenant was making an access request, which could be manipulated so the API would accept an Actor Token from a different tenant that should have been rejected.

    [ad_2]

    Matt Burgess, Lily Hay Newman

    Source link