Microsoft Kept Secret That Its Bug-Tracking Database Was Hacked In 2013


hacker7

Tuesday, October 17, 2017

It was not just Yahoo among the "Fortune 500" companies that tried to keep a major data breach incident secret.

Reportedly, Microsoft had also suffered a data breach four and a half years ago (in 2013), when a "highly sophisticated hacking group" breached its bug-reporting and patch-tracking database, but the hack was never made public until today.

Five former employees of the company, interviewed separately by Reuters, revealed that the breached database had been "poorly protected with access possible via little more than a password."

This incident is believed to be the second known breach of such a corporate database after a critical zero-day vulnerability was discovered in Mozilla's Bugzilla bug-tracking software in 2014.

As its name suggests, the bug-reporting and patch-tracking database for Windows contained information on critical and unpatched vulnerabilities in some of the most widely used software in the world, including Microsoft's own Windows operating system.

 

The hack was believed to be carried out by a highly-skilled corporate espionage hacking group known by various names, including Morpho, Butterfly and Wild Neutron, which exploited a Java zero-day vulnerability to hack into the Apple Mac computers of Microsoft employees, "and then move to company networks."

With such a database in hand, the so-called highly sophisticated hacking group could have developed zero-day exploits and other hacking tools to target systems worldwide.

There's no better example than the WannaCry ransomware attack to explain what a single zero-day vulnerability can do.


"Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world," said Eric Rosenbach, who was American deputy assistant secretary of defence for cyber at the time of the breach.

When Microsoft discovered the compromised database in early 2013, an alarm spread inside the company.

Following the concerns that hackers were using stolen vulnerabilities to conduct new attacks, the tech giant conducted a study to compare the timing of breaches with when the bugs had entered the database and when they were patched.

Although the study found that the flaws in the stolen database were used in cyber attacks, Microsoft argued the hackers could have obtained the information elsewhere, and that there's "no evidence that the stolen information had been used in those breaches."

Former employees also confirmed that the tech giant tightened up its security after the 2013 hacking incident and added multiple authentication layers to protect its bug-reporting system.

However, three of the employees believe the study conducted by Microsoft did not rule out stolen vulnerabilities being used in future cyber attacks, and that the tech giant did not conduct a thorough investigation into the incident either.

On being contacted, Microsoft declined to speak about the incident, beyond saying: "Our security teams actively monitor cyber threats to help us prioritise and take appropriate action to keep customers protected."
Source: https://thehackernews.com/2017/10/microsoft-bug-tracking-breach.html
Quote

Although the study found that the flaws in the stolen database were used in cyber attacks

Somebody should sue their A.s.s for this :rant:

9 hours ago, steven36 said:

The joys of closed source :dance2:

Yet Another Linux Kernel Privilege-Escalation Bug Discovered <_<

Monday, October 16, 2017


10 minutes ago, hacker7 said:

Somebody should sue their A.s.s for this :rant:

Yet Another Linux Kernel Privilege-Escalation Bug Discovered <_<

Monday, October 16, 2017

The difference is that when they find bugs in the Linux kernel, by the time the news gets posted it's being patched; they push out security patches almost every day, so if you don't do updates it's on you. You almost always never get security patches until 30 days later on Windows, and they have up to 90 days to patch before it's made public, and they have been busted many times for not patching before 90 days.



@steven36 I get you!

But what I meant is there is nowhere safe to go :dunno:

MS is using those flaws, if they are not creating them themselves, to spy on us,

and other highly-skilled corporate espionage groups take advantage of that.

So it's win/win for them either way!



9 hours ago, 0bin said:

@steven36 is right.



9 minutes ago, hacker7 said:

@steven36 I get you!

But what I meant is there is nowhere safe to go :dunno:

I use Windows a lot, but I don't try to take up for their shit security by pointing out bugs in another OS where the patch is already most likely on live updates. Using both Linux and Windows, I know this: most of the time when a vulnerability in Linux comes up in the news, many times I booted into Linux and the update was there already. That's the difference in open source, where it's all public knowledge.



@steven36 @0bin I'm not criticizing Linux at all :lol:

I know that they're much better than MS at updating and patching too,

and most likely they don't spy on users like MS does :rolleyes:



There is no such thing as an OS without unknown bugs; if there was, there would be no need for security patches. I don't really see anything wrong with keeping them hidden from the public for a short time if Microsoft patched like Linux does, but the fact is they don't. Keep in mind no 0day in recent years has infected as many people as viruses used to. The worst one in recent years was CCleaner, and really that was not a problem if you kept the thing blocked from the internet, and it only infected x86 systems in a world where most everyone in the last 10 years owns an x64 PC. Many Linux distros have stopped making x86 OSes and there are very few x86 apps on x64 Linux. I've not used x86 since 2010, but there are so many old Windows laptops out there that do, which is the reason M$ still even bothers to make that version.



9 hours ago, 0bin said:

What is your favoured Linux distro, hacker7?

1- Ubuntu :wub:



9 hours ago, steven36 said:

The worst one in recent years was CCleaner, and really that was not a problem if you kept the thing blocked from the internet, and it only infected x86 systems in a world where most everyone in the last 10 years owns an x64 PC. Many Linux distros have stopped making x86 OSes and there are very few x86 apps on x64 Linux. I've not used x86 since 2010, but there are so many old Windows laptops out there that do, which is the reason M$ still even bothers to make that version.

And this is bad news now:

Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices

Monday, October 16, 2017


6 minutes ago, hacker7 said:

1- Ubuntu :wub:

I like Ubuntu-based ones the most because they have the most software. Linus Torvalds even once said people don't use an OS, they use the software on an OS; when they start talking about an OS itself, that means the OS has problems. My 2nd favorite one is Manjaro; just because of certain software Arch doesn't have, it's not my favorite.



9 hours ago, steven36 said:

I like Ubuntu-based ones the most because they have the most software. Linus Torvalds even once said people don't use an OS, they use the software on an OS; when they start talking about an OS itself, that means the OS has problems. My 2nd favorite one is Manjaro; just because of certain software Arch doesn't have, it's not my favorite.

1++≧◠‿◠≦✌



19 minutes ago, hacker7 said:

This is Microsoft: they patched it, and it only took them 5 years to do something about it. Instead of patching the bug 5 years ago, they waited until researchers showed it could be used to exploit certain model computers that have the Infineon Technologies semiconductor.



9 hours ago, steven36 said:

This is Microsoft: they patched it, and it only took them 5 years to do something about it. Instead of patching the bug 5 years ago, they waited until researchers showed it could be used to exploit certain model computers that have the Infineon Technologies semiconductor.

Do you know which certain computers they are talking about?



19 minutes ago, hacker7 said:

Do you know which certain computers they are talking about?

Microsoft, Google, HP, Lenovo, and Fujitsu brands, but it has already been mitigated by Microsoft this past Patch Tuesday. They can't post info like this to the public until 90 days after the researchers proved it, or until it has been patched, whichever comes 1st.

 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

Vendors also released firmware updates; do them too if you have any.



I don't even think it affected Windows 7 or older; they're not listed, so Windows 7 didn't need an update.

 

The affected keys are RSA 1024 and 2048.

 

I always use an RSA-4096 key when I use my VPN for the handshake. B)
