Microsoft engages in damage limitation at congressional hearing (13.6.2024): Safety takes priority over AI

Posted on 2024-06-16 by guenni

Sicherheit (Pexels, allgemeine Nutzung)[German]Microsoft has had little to laugh about when it comes to security in recent months. The security disasters and the lack of a security culture have fallen on Redmond's shoulders in the form of veritable security incidents. In a hearing held by a US Congressional Homeland Security Committee on June 13, 2024, it became clear that Microsoft was responsible for a cascade of cybersecurity breaches that degenerated into cyber incidents. Microsoft's President, Brad Smith, tried to limit the damage. The statement to Congress: Microsoft's CEO, Satya Nadella, has taken personal responsibility for cyber security at the company. And security would take priority over AI in future – a remarkable statement, given that just a short time ago it was "the end of the world if a customer wasn't fully up and running with Microsoft's AI by three".".

Advertising

Cyber security disasters non-stop

Regarding the above statement "Microsoft has had little to laugh about in terms of security in recent months", perhaps a brief review. A few hours ago, in the article Whistleblower: Microsoft ignored warnings about AD bug; was exploited in 2020 SolarWinds hack, I revealed that Microsoft can be accused of failing to act in the context of the SolarWinds supply chain attack. A vulnerability (Golden XAML) in the single sign-on of the Microsoft Cloud pointed out by an employee was not closed in order "not to unsettle customers". But there is more.

Desaster Storm-0558 Hack

In May 2023, Exchange Online and Outlook accounts were hacked by the suspected Chinese hacker group Storm-0558. The attackers were able to access any account in Exchange Online or Outlook. The hack was discovered by a customer (US State Department) after they noticed unusual access to accounts.

I reported on this in the blog post China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud, Outlook Online accounts and in other posts linked at the end of the article. The hack was announced by Microsoft on July 11, 2023 in the article Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email. The hack was made possible by an incredible chain of errors via a stolen AAD key (see my article Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services).

The US Cyber Safety Review Board found in its final report (see Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack) that the intrusion by Storm-0558, a hacking group believed to be linked to the People's Republic of China, could have been avoided. The Board identified a number of operational and strategic decisions by Microsoft that indicate a corporate culture that neglects investment in corporate security and rigorous risk management.

Midnight Blizzard hack

Since 2023, hackers from the Russian group Midnight Blizzard have been roaming Microsoft's networks and extracting source code and internal information. In January 2024, it became known that suspected Russian hackers from the Midnight Blizzard group had managed to penetrate Microsoft's email system via a test tenant and access the email accounts of certain Microsoft executives. I reported on this in the blog post Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023. This case was also played down by Microsoft (we noticed it and stopped everything immediately).

Advertising

But the case has taken on another dimension, as on the one hand it became known that Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023 – whether there is a connection with the Microsoft case is unknown to me. And Microsoft had to admit a few days ago that Midnight Blizzard was still able to launch attacks on the company after January 2024. I had confirmed some information in the post Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems.

Damage limitation remains

Now, on June 13, 2024, the US Congressional Homeland Security Committee held a hearing entitled A Cascade of Security Failures: Assessing Microsoft Corporation's Cybersecurity Shortfalls and the Implications for Homeland Security. Microsoft Vice Chairman and President, Brad Smith, had to appear. The recording of the hearing can be viewed as a video on YouTube.

Homeland Security House Committee testify on MS Security
AHomeland Security Committee hearing on Microsoft cybersecurity, Source: YouTube

The transcript of this hearing can be downloaded as a 9-page PDF document. The colleagues from Arstechnica have extracted the key statements from Brad Smith in this article.

  • Microsoft promised to change its corporate culture to make security a top priority.
  • Security is even more important than the company's work on artificial intelligence.
  • Satya Nadella, the CEO of Microsoft, has taken personal responsibility for the security of Microsoft products

Smith is quoted as saying "We recognize that we can and must do better" at the congressional hearing. Then comes some more platitudes (in my eyes) from Smith: " As a company, we must strive for perfection in protecting this nation's cybersecurity. Every day we fail is a bad day for cybersecurity and a terrible moment for Microsoft."

Mention is also made of Nadella's email to all employees (see also my blog post Microsoft declared security as a top priority), in which the Microsoft boss says:

"If you are faced with a choice between security and another priority, your answer is clear: go for security. In some cases, this means prioritizing security over other things, such as releasing new features or ongoing support for existing systems."

To make sure everyone is on board, Microsoft has also begun tying executive pay to meeting security goals, according to Microsoft. I hear the words, I just don't believe them and the message hasn't gotten through yet, those are the two thoughts that crossed my mind in light of the above.

Meme: Microsoft's customer relation ship

A few weeks later, Microsoft presented its Copilot+PC approach with the AI function Recall, which was actually due to be rolled out next week. The Recall function was described by security experts as a "setback for cyber security for 10 years" because it records everything the user does and makes it searchable. I had a few posts on the blog about this (see links at the end of the article Copilot+AI: Recall, a security disaster – AI-assisted theft).

The meme in the picture above sums it up: Users only want to do a few things with Windows, but Microsoft puts a fat instrument called AI on top of them. Just let it melt in your mouth: Nadella makes his announcement on security in early May 2024 (I had it on the blog on May 4, 2024). On May 20, 2024, Microsoft presents its "Copilot+PC" approach (hardware with AI support and Copilot), and Nadella defends the criticized Recall function in an interview. It is secure and everything runs locally.

In the blog post Copilot+AI: Recall, a security disaster – AI-assisted theft, I touched on the experts' verdict and in articles in the English media I came across the question of whether there was no one at Microsoft who told the management "Stop, that's not how it works". It seems to be a club of lickspittles where dissent is not tolerated (this is also evident from documents according to which employees are hired and evaluated, see my German blog post Vertraulicher Leitfaden: Wie Microsofts Management eigene Mitarbeiter bewertet). Only those who are committed to the "goals of the company get good ratings.

Nadella doesn't seem to have read his own email, otherwise he would have had to prevent the introduction of Recall in Copilot+PC. After all, it has now become known that Microsoft wants to deliver the Copilot+PC models without Recall (see Windows 11 Copilot+PC will be released without recall).

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)
Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack– Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2

Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems

Whistleblower: Microsoft ignored warnings about AD bug; was exploited in 2020 SolarWinds hack
Microsoft declared security as a top priority

Microsoft's AI PC with Copilot – some thoughts – Part 1
Microsofts Copilot+PC, a privacy and security nightmare – Part 2
Copilot+AI: Recall, a security disaster – AI-assisted theft
Microsoft improves AI feature Recall and adds "security measures" – is that enough?

 

Advertising
This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).