Microsoft Email Hack shows the hidden danger of customer support



On Friday night, Microsoft sent email notifications to an unknown number of individual email users, across Outlook, MSN, and Hotmail, to warn them of a data breach. Between January 1 and March 28 of this year, hackers used a set of stolen credentials for a Microsoft support platform to access account data, such as email addresses in messages, message subject lines, and folder names in accounts. On Sunday, the company acknowledged that the problem was much worse.

After the tech news site Motherboard showed Microsoft evidence from a source indicating that the scope of the incident was more extensive, the company revised its initial statement, saying instead that for about 6% of notified users, the hackers could also access the text of their messages and attachments. Microsoft had previously denied to TechCrunch that full email messages were affected.

It may seem strange that a single set of customer support credentials can be the key to such a gigantic realm. However, within the security community, customer and internal support mechanisms are increasingly seen as a potential source of exposure. On the one hand, support agents need sufficient access to an account or device to actually help users. But, as Microsoft's incident shows, too much access in the wrong hands can result in a dangerous situation.

"We solved this problem, which affected a limited subset of consumer accounts, by disabling compromised credentials and blocking authors' access," a Microsoft spokesman told WIRED. The company said that "for the sake of prudence," it has increased threat monitoring for the accounts affected by the breach. Microsoft would not comment to WIRED about the scale of the attack and would not provide the total number of accounts impacted.

Without more information from Microsoft, it is difficult to characterize the purpose of the attack. Email accounts can be extremely valuable to criminals; people often use them to set up other accounts, which means that attackers can use the email account itself to reset passwords and compromise multiple services. Motherboard reported that the attackers had actually used their access to get into iCloud accounts in order to disable iPhone activation locks. But with nearly three months of access available to them, it is still unclear whether the attackers were focused on small-scale targeted intrusions or widespread fraud.

"We found that Microsoft's technical support agent identification information was compromised, allowing people outside of Microsoft to access information from your Microsoft email account," Microsoft said in a statement, adding that the attack did not result from an insider threat. But that raises even more questions.

"Sometimes it's very difficult to diagnose a problem over the phone just by explaining. So you want a privileged user to access the account," said Jeremiah Grossman, who was head of information security at Yahoo for two years in the early 2000s and is now CEO of the enterprise security company Bit Discovery. "But this customer support representative system should not be accessible remotely via the Internet; it should be an exclusively internal system. How exactly does the adversary stand? Is he even connected to [the Microsoft portal], let alone connect?"

Grossman also notes that Microsoft should have required customer support accounts with broad access to use two-factor or multifactor authentication, which could have helped to avoid this problem. Unfortunately, Microsoft does not seem to be the exception.

"We organize many consulting assignments where we call a machine from a company, call tech support, and then grab the technical engineers' identification information when they log on to the machine and use them to access other servers, such as the Director's server," said Dave Aitel, director of security technologies at the secure infrastructure provider Cyxtera. "In general, the 'support' is a serious security breach on hold."

According to Grossman, the key to maintaining a customer support system is to control the number of people who have privileged access to an account and to carefully log every instance in which a user account is accessed, so that the access can be audited. Engineering teams already use systems like this for situations in which credentials need to be closely monitored, such as debugging or satisfying data requests from law enforcement.
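
The controls Grossman describes (multifactor authentication on support accounts, internal-only access, and logged, auditable use of privileged access) can be checked against a support-access log. The following is an added example, not code from the article or from Microsoft; the record layout, the internal network range, the per-day threshold, and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this sketch (none of these values come from the article).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_CUSTOMERS_PER_AGENT_DAY = 3

# Constructed sample: one record per support-agent access to a customer mailbox.
FIELDS = ("ts", "agent", "customer", "ticket", "mfa", "src_ip")
SAMPLE_LOG = [dict(zip(FIELDS, row)) for row in [
    ("2024-02-01T09:12:00", "agent-a", "c1", "T-100", True, "10.1.2.3"),
    ("2024-02-01T10:40:00", "agent-b", "c2", "T-101", False, "10.1.2.9"),
    ("2024-02-02T23:05:00", "agent-c", "c3", "", True, "203.0.113.7"),
    ("2024-02-02T23:06:00", "agent-c", "c4", "", True, "203.0.113.7"),
    ("2024-02-02T23:07:00", "agent-c", "c5", "", True, "203.0.113.7"),
    ("2024-02-02T23:08:00", "agent-c", "c6", "", True, "203.0.113.7"),
]]


def is_internal(ip):
    """True if the source address falls inside an internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit(records):
    """Return (per-record findings, per-agent daily volume findings)."""
    flagged = {}
    seen = defaultdict(set)  # (agent, day) -> customer accounts touched
    for i, r in enumerate(records):
        reasons = []
        if not r["mfa"]:
            reasons.append("no-mfa")           # support login without a second factor
        if not is_internal(r["src_ip"]):
            reasons.append("external-source")  # portal reached from outside the internal net
        if not r["ticket"]:
            reasons.append("no-ticket")        # access with no support case to justify it
        if reasons:
            flagged[i] = reasons
        seen[(r["agent"], r["ts"][:10])].add(r["customer"])
    volume = sorted((agent, day, len(custs)) for (agent, day), custs in seen.items()
                    if len(custs) > MAX_CUSTOMERS_PER_AGENT_DAY)
    return flagged, volume


if __name__ == "__main__":
    flagged, volume = audit(SAMPLE_LOG)
    for i, reasons in flagged.items():
        print(SAMPLE_LOG[i]["ts"], SAMPLE_LOG[i]["agent"], ", ".join(reasons))
    for agent, day, n in volume:
        print(f"{agent} touched {n} customer accounts on {day}")
```
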

If you have received a notification email from Microsoft, you should change the password for your email account and enable two-factor authentication if it is not already enabled. But it is difficult for users to protect themselves when they are at the mercy of customer support security that they cannot control. The least that Microsoft can do is offer a clear picture of what happened – and why.

