At the last SRE meetup there was a talk about post mortems and their importance.

Best comment from the audience on the topic of post mortems and public transparency: Is anyone from Microsoft here?

#microsoft #signingkey

The Comedy of Errors That Let China-Backed Hackers Steal Microsoft’s #SigningKey

After leaving many questions unanswered, #Microsoft explains in a new postmortem the series of slipups that allowed attackers to steal and abuse a valuable #cryptographic key.
#privacy #security #encryption #china

https://www.wired.com/story/china-backed-hackers-steal-microsofts-signing-key-post-mortem/

Every single news source and comment I read accepts #Microsoft's blogpost about the "stolen" signing key as truth.

How can you believe anything they say months later? This blogpost was written by lawyers and no one else.

#signingkey #microsoft #storm0558 #ms #m365 #infosec

Wow, I can't imagine how much overtime the Microsoft legal department had to work for this blog post on the signing key. They are the real heroes here!

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

#ms #microsoft #Storm0558 #signingkey

Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center

Good to know:
1️⃣ Without the US government, we probably wouldn't know about the #Microsoft #SigningKey #Leak at all.
2️⃣ The report ⬆️ seems to be accurate
3️⃣ Apparently, the only piece missing from the report is that the Signing Key had expired in 2021 and that the expiration time wasn't (still isn't?) checked.
https://cyberplace.social/@GossiTheDog/111019616937055010
Kevin Beaumont (@GossiTheDog@cyberplace.social)

The Microsoft write up on how Microsoft 365 got owned to steal customer emails is out. It’s really good and honest from a technical level I think, if you’ve been following the details closely. Top points to the US Gov for forcing public disclosure originally btw. https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

Cyberplace

Have you heard about the stolen #SigningKey from #Microsoft? We have summarized it in a (reasonably ;-) understandable way. You do need a bit of IT knowledge though...

The decisive sentence from my point of view:
"The stolen signing key is valid for all #Azure #ActiveDirectory applications that use both personal Microsoft accounts and so-called mixed accounts (i.e. personal accounts and accounts in organizational directories)."
1/2

https://agilimo.de/microsoft-signing-key/

Microsoft's stolen OpenID signing key and its consequences

The Microsoft signing key theft and its consequences for users. A commentary by agilimo CTO Thomas Edelmann.

agilimo Consulting GmbH

#Microsoft Signing Key Stolen by #Chinese - #Schneier on #Security

Actually, two things went badly wrong here. The first is that #Azure accepted an expired signing key, implying a #vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the system’s #HardwareSecurityModule —and not be in software
#privacy #China #signingkey

https://www.schneier.com/blog/archives/2023/08/microsoft-signing-key-stolen-by-chinese.html

Microsoft Signing Key Stolen by Chinese - Schneier on Security
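The two checks the comment above points at, as an added example that is not from Schneier's post or any other linked article: a minimal JWT verifier that rejects a token when the signing key is past its validity window or is scoped to a different issuer, even though the signature itself verifies. The key set, its not_after/issuer fields, the HS256 secrets and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set for the demo (not Microsoft's): besides the secret, each key records
# the end of its validity window and the issuer it may sign for (both fields are assumptions).
KEYS = {
    "key-2021": {"secret": b"old-secret", "not_after": 1640995200, "issuer": "consumer"},
    "key-2023": {"secret": b"new-secret", "not_after": 1735689600, "issuer": "consumer"},
    "ent-2023": {"secret": b"ent-secret", "not_after": 1735689600, "issuer": "enterprise"},
}
DEMO_NOW = 1693526400  # 2023-09-01 UTC, the "current time" used by the demo

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256 JWT under the named key (only here so the demo runs offline)."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_token(token: str, expected_issuer: str, now: int) -> tuple:
    """Return (ok, reason). A valid signature alone is not enough: the key must
    still be inside its validity window and be scoped to the expected issuer."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm, never trust the header
        return False, "unexpected alg"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    if now > key["not_after"]:                 # key validity window: the check the posts say was missing
        return False, "signing key expired"
    if key["issuer"] != expected_issuer:       # key scope: a consumer key must not validate enterprise tokens
        return False, "key not valid for this issuer"
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("exp", 0) < now:
        return False, "token expired"
    return True, "ok"
```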

Bruce #Schneier considers the stolen #Microsoft #signingkey to be an aftereffect of the #SolarWinds hack: "I think we are grossly underestimating the long-term results of the SolarWinds attacks. That backdoored update was downloaded by over 14,000 networks worldwide."

https://www.schneier.com/blog/archives/2023/08/microsoft-signing-key-stolen-by-chinese.html

Microsoft Signing Key Stolen by Chinese - Schneier on Security

@syui {
"handle": "syui.bsky.social",
"did": "did:plc:uqzpqmrjnptsxezjx4xuh2mn",
"didDoc": {
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/secp256k1-2019/v1"
],
"id": "did:plc:uqzpqmrjnptsxezjx4xuh2mn",
"alsoKnownAs": [
"https://syui.bsky.social"
],
"verificationMethod": [
{
"id": "#signingKey",
"type": "EcdsaSecp256k1VerificationKey2019",

Facebook loses control of key used to sign Android app - What should be a private key used to vouch for the 'Free Basics by Facebook' app was used to sign ... more: https://nakedsecurity.sophos.com/2019/09/04/facebook-loses-control-of-key-used-to-sign-android-app/ #androidpackagekit #securitythreats #apkrepository #internet.org #walledgarden #freebasics #privatekey #signingkey #dataloss #facebook #android #google #mobile #apk
Facebook loses control of key used to sign Android app

Naked Security