Aad100

@aad100@ioc.exchange
1 Followers
52 Following
657 Posts
Thank you to the Daily Show, we need this right now
I'm a bit sad that last.fm isn't more popular. To preempt, yes, it's still a centralized commercial company, but at least it's agnostic about where you listen to music. Instead, most people have their listening habits locked within specific streaming platforms like Spotify or YouTube Music, and rely on them to make that information available to them once a year...
#sunset was spectacular on the #Chesapeakebay tonight!
#photography #waves

No matter what you think about TikTok, a state outlawing an app based on vague concerns and no evidence was always an alarming precedent for the First Amendment.

Montana's ban was also "technically incompetent," as one expert told me, and would have required the app stores to track whenever anyone crosses state lines. Addressing a privacy issue by mandating more surveillance by government decree

https://www.washingtonpost.com/technology/2023/05/19/montana-tik-tok-ban-challenges/

Montana can ban TikTok, but it probably can’t enforce it

The law is supposed to protect users' private data, but enforcing it, experts say, would require more data collection, not less.

The Washington Post

Yes @emptywheel. Thank you. Now let’s ask why & what the consequences are of the media & expert analysts on cable TV constantly whitewashing Trump’s targeting of Black voters. Below are my tweets from the KKK Act suit the NAACP LDF filed right after the election. It was there in plain sight.
https://www.emptywheel.net/2023/07/20/trumps-attack-on-black-votes-was-there-the-whole-time-we-just-didnt-call-it-a-crime/

https://twitter.com/sifill_/status/1341420795520831488?s=46&t=zr8OwjRATtdNOqo_RsX0eQ

Trump's Attack on Black Votes Was There the Whole Time, We Just Didn't Call It a Crime - emptywheel

Trump deployed threats of violence to make it harder to count the votes of Black and Latino voters but no one treated it as a crime.

emptywheel

🎶 regulation 🎶

I agree with CISA here (and have publicly for years) - security access logs for customers' own services shouldn't be locked behind E5 per user licensing.

Yes, it will cost Microsoft money in upsell. They're more profitable than a large portion of the UK economy; they can afford it.

I should also point out the reason Microsoft was able to tell orgs specifically that they'd be targeted even when they didn't have E5 is MS already store the logs anyway.

https://archive.ph/MFnxP

Staring down 2 full pages of starred emails (i.e., "respond to this person") from just the last 5 days. Was just thinking how badly I need some time off. This is not helping.

John Oliver did a crypto episode on Last Week Tonight! 😁

(I'm not in it, I just helped a little with the content and fact-checking)

https://www.youtube.com/watch?v=o7zazuy_UfI

Cryptocurrencies II: Last Week Tonight with John Oliver (HBO)

John Oliver discusses cryptocurrency, three of the biggest crypto companies to collapse over the past year, and what to do when your office is giving off “cr...

YouTube

Elon Musk’s Twitter Widens Its Censorship of Modi’s Critics

Two months ago, Musk said he had been too busy to look into his company’s role in mass censorship in India. It’s only gotten worse.

The Intercept

Transforming the Battlefield: Hypersonic Weapons in a Potential China-US Conflict Over Taiwan

This analysis delves into the impact of #hypersonic weapons on warfare, using a potential #China-US conflict over #Taiwan as a case study. Key aspects discussed include speed, stealth, and lethality, along with challenges in decision-making, stability, and diplomacy.

https://blogsofwar.com/transforming-the-battlefield-hypersonic-weapons-in-a-potential-china-us-taiwan-conflict/

Transforming the Battlefield: Hypersonic Weapons in a Potential China-US Conflict Over Taiwan

This analysis delves into the impact of hypersonic weapons on warfare, using a potential China-US conflict over Taiwan as a case study. Key aspects discussed include speed, stealth, and lethality, along with challenges in decision-making, stability, and diplomacy.

Blogs of War

On how the USG, European govs and Microsoft have been threat hunting the MS 365 breach, per Microsoft documentation on the logs... "If a mailbox is throttled, you can probably assume there was MailItemsAccessed activity that wasn't recorded in the audit logs."
Really good new MS blog on the MS compromise - contains IOCs etc. I'll put MSPaint.exe down. https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog

Analysis of the techniques used by the threat actor tracked as Storm-0558 for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics. 

Microsoft Security Blog

“We don’t have any evidence that the actor exploited a 0day,” say Microsoft. Their first blog on this says “exploit” - so are MS saying they don’t patch vulnerabilities in their cloud? 🤔

Their latest blog also says “This was made possible by a validation error in Microsoft code” - which is a vulnerability. Which is a 0day as it was under exploitation before Microsoft knew of it existing.

Microsoft lying to media and customers is not a good look.

https://arstechnica.com/security/2023/07/microsoft-takes-pains-to-obscure-role-in-0-days-that-caused-email-breach/

Microsoft takes pains to obscure role in 0-days that caused email breach

Critics also decry Microsoft's "pay-to-play" monitoring that detected intrusions.

Ars Technica

All it took was Exchange Online in GCC and GCC High getting breached

Non-E5 users to get some security log availability finally.

https://www.wsj.com/articles/microsoft-to-offer-some-cybersecurity-tools-free-after-suspected-china-hack-6db94221

WSJ News Exclusive | Microsoft to Offer Some Cybersecurity Tools Free After Suspected China Hack

Company says it will make security logs available to customers with lower-cost cloud services

WSJ

More details about the Microsoft 365 Exchange Online breach in this article.

Although not stated, orgs are struggling to understand the scope of the breach due to audit log limits on MailItemsAccessed - it stops recording after 1k items. https://www.wsj.com/articles/u-s-ambassador-to-china-hacked-in-china-linked-spying-operation-f03de3e4

U.S. Ambassador to China Hacked in China-Linked Spying Operation

Spying campaign also compromised State Department official who oversees East Asia

The Wall Street Journal
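A check a defender can run over exported unified audit log records to find mailboxes whose MailItemsAccessed trail is incomplete because of the throttling the two posts above describe. This is added example code, not from the posts or from Microsoft; it assumes the record shape from Microsoft's MailItemsAccessed documentation (an OperationProperties list that carries IsThrottled on a throttled mailbox), and every sample record is constructed.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of unified audit log AuditData
# (Operation, MailboxOwnerUPN, OperationProperties). Per Microsoft's
# MailItemsAccessed documentation a throttled mailbox carries an
# OperationProperties entry IsThrottled = True. Nothing here is real data.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-06-15T02:11:09", "Operation": "MailItemsAccessed",
     "MailboxOwnerUPN": "alice@example.com",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}]},
    # Exported rows are often the raw AuditData JSON string; handled too.
    json.dumps({"CreationTime": "2023-06-15T02:12:40",
                "Operation": "MailItemsAccessed",
                "MailboxOwnerUPN": "Bob@example.com",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                        {"Name": "IsThrottled", "Value": "True"}]}),
    {"CreationTime": "2023-06-15T02:20:00", "Operation": "Send",
     "MailboxOwnerUPN": "carol@example.com", "OperationProperties": []},
]

def operation_property(record, name):
    """Return the value of the named OperationProperties entry, or None."""
    for prop in record.get("OperationProperties") or []:
        if prop.get("Name") == name:
            return prop.get("Value")
    return None

def mailbox_coverage(records):
    """Per-mailbox MailItemsAccessed record count plus whether it is complete.

    Once a mailbox is throttled, Exchange Online stops recording further
    MailItemsAccessed activity, so the count is only a lower bound and the
    mailbox is flagged complete=False.
    """
    counts = defaultdict(int)
    throttled = set()
    for rec in records:
        if isinstance(rec, str):
            rec = json.loads(rec)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        upn = rec.get("MailboxOwnerUPN", "").lower()
        counts[upn] += 1
        if str(operation_property(rec, "IsThrottled")).lower() == "true":
            throttled.add(upn)
    return {upn: {"records": n, "complete": upn not in throttled}
            for upn, n in counts.items()}

def incomplete_mailboxes(records):
    """Mailboxes whose audit trail must be treated as incomplete."""
    return sorted(u for u, v in mailbox_coverage(records).items()
                  if not v["complete"])
```

For a throttled mailbox the absence of further MailItemsAccessed records says nothing about what was read; scope that mailbox from other sources (sign-in logs, transport logs) rather than from its audit count.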

Just to loop this thread into this thread - I took a look at the attack path used in the M365 customer data breach.

A key part of the attack chain was documented by Microsoft at BlackHat in 2019.

https://cyberplace.social/@GossiTheDog/110736594147931759

Kevin Beaumont (@GossiTheDog@cyberplace.social)

Attached: 2 images Been looking at Microsoft 365 email breach some more - it looks like Microsoft were aware of issues in same token validation space in Exchange Online 4 years ago. MS did a talk at BlackHat about it, after somebody external pointed out an invalid token allowed any email box to be accessed via consumer Outlook.com. They fixed that issue - but still allowed any valid MS token to access any email, so the threat actor stole one of the MSA certs. Talk: https://www.youtube.com/watch?v=KN6e1mqcB9s

Cyberplace

Wiz have an in-depth look at what they think happened at Microsoft over the Microsoft 365 breach.

They nail a new detail - one of the 'acquired' signing keys expired in 2021, but apparently it was still valid in Microsoft's cloud services. https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

Compromised Microsoft Key: More Impactful Than We Thought | Wiz Blog

Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally assumed. Organizations using Microsoft and Azure services should take steps to assess potential impact.

wiz.io

YOU MUST ONLY READ THE OFFICIAL BLOGS

there is no breach
there is no vulnerability
there are no zero days
*jedi wave*

https://therecord.media/microsoft-disputes-report-on-chinese-hacking

Microsoft disputes report that Chinese hackers could have accessed suite of programs

Microsoft is disputing a new report that claims hackers may have had access to more parts of victims’ systems than previously known in a campaign that targeted dozens of organizations, including government agencies.

The Microsoft write up on how Microsoft 365 got owned to steal customer emails is out. It’s really good and honest from a technical level I think, if you’ve been following the details closely. Top points to the US Gov for forcing public disclosure originally btw.

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center

Results of Major Technical Investigations for Storm-0558 Key Acquisition

@GossiTheDog Kevin, do you think Microsoft should disclose how the corporate account of its engineer got hacked? This seems like an important detail assuming Microsoft's goal is transparency.

Also, what do you think of the repeated use of the word "issue" in the post? Isn't "vulnerability" the correct term here?

@dangoodin @GossiTheDog yes, I want to know how they just happened to have access when this crashdump just happened to come across the fence. Smells like persistent access to me. For how long? What else did they do or see? What other systems inside MS are at risk as a result?
@daedalus @dangoodin @GossiTheDog if the crash dump had been exposed for years, they wouldn't need to lie in wait
@GossiTheDog Since this was detected by an enterprise customer, I wonder if the key leak would have been detected by Microsoft if the attacker had only used it to access consumer accounts (as intended). That would have been quite bad by itself.

@GossiTheDog

So the attackers discovered key material in Microsoft's super secure corporate environment that Microsoft itself didn't know had left the production environment, were able to exfiltrate the key material, and Microsoft doesn't want to have noticed any of this?

That sounds very unbelievable to me.

@doessec @GossiTheDog
My mind was like "Riiiiight 🤫" APT just so happen to compromise an account and miraculously happen to find the proverbial needle in the haystack. And of course the log retention deleted all traces of this.

If I were to write the movie script, I would make it more believable, and put an insider threat in place that, when this person found that key just thought 💰💰💰 jackpot, retirement secured 😎

But, these guys would most likely have had that account compromised a long time and sifted through dumps on a regular basis looking for exactly something like this.

I would... 🤗

@GossiTheDog soooo... they're using 2 keys for everything and they don't rotate them? Eh?
@GossiTheDog @briankrebs what I still find strange is the TA managed to find the key. Seems like they would have had access to a lot of things. So what’s the likelihood they just so happen to find the key in the crash dumps.
@GossiTheDog It's a masterwork in incident reporting.
@GossiTheDog “Do not look at the man behind the curtain!"
@GossiTheDog
Smilyanets and Cimpanu both always provide intriguing content
iTWire - Azure breach: Microsoft okays Wiz post on continued danger, then denies it

Microsoft is continuing to obfuscate about a recent attack on its Azure cloud infrastructure, saying a post, that claims danger from the attack still exists, is speculative and not evidence-based. The company is mentioned in that same post as having checked the content for technical accuracy. Shir T...

@GossiTheDog
I wonder if they only checked that it was signed by the right ca?
@GossiTheDog
Or I could read the article which describes what happens.

@GossiTheDog Not Surprised <Surprised-Pikachu-Face>

The Emperor's New Certs

Certificate lifecycle management is tedious and hard at scale; shortcuts will be found in lots of places across the industry regardless of banner waving best practices :|

@GossiTheDog

https://archive.ph/eAlWa

Same article but just in case they edit or you're a scrub like me

@GossiTheDog I love when things like this make it really obvious moving Exchange to the cloud was an absolutely massive mistake.
@GossiTheDog : I noticed that powershell tends to return up to 1'000 events but I hadn't heard about this limitation. Do you have more information about this? If this is true, the "audit log" should never be called as such.
@GossiTheDog This sounded very serious indeed.
@GossiTheDog oh, how gracious of them. 🙄
@GossiTheDog with all the layoffs and worsening economy Microsoft probably couldn't afford E5
@GossiTheDog They should be generating new private keys every 24 hours. And have the previous keys be valid for 72-96 hours.
Nils Goroll (@slink@fosstodon.org)

In the context of the latest #microsoft #breach https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/: We run a daily job checking azure jwks from https://login.microsoftonline.com/<AUD>/discovery/v2.0/keys into git. Here's the history of key ids added and removed since 2022-12-05 (- removed, + added):
2023-06-01: -"nOo3ZDrODXEK1jKWhXslHR_KXEg"
2023-06-02: +"nOo3ZDrODXEK1jKWhXslHR_KXEg"
2023-06-03: -"nOo3ZDrODXEK1jKWhXslHR_KXEg"
2023-06-22: -"l3sQ-50cCH4xBVZLHTGwnSR7680"
2023-07-13: -"Mr5-AUibfBii7Nd1jBebaxboXW0"
more in 🧵 #infosec

Fosstodon
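The monitoring job described in the boosted post, as added example code written for this page (not Nils Goroll's script): it diffs saved JWKS snapshots by key id and also flags a kid that reappears after being removed, since a key put back is a key that was not rotated. Snapshot contents and dates are constructed; the kids are the ones quoted in the post.

```python
import json

# Constructed JWKS snapshots keyed by the date they were fetched, trimmed to
# the fields the diff needs. A real job would store the full response of
# https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys once a day.
def _jwks(*kids):
    return json.dumps({"keys": [{"kty": "RSA", "use": "sig", "kid": k} for k in kids]})

K1, K2, K3 = ("nOo3ZDrODXEK1jKWhXslHR_KXEg", "l3sQ-50cCH4xBVZLHTGwnSR7680",
              "Mr5-AUibfBii7Nd1jBebaxboXW0")
SNAPSHOTS = {
    "2022-12-05": _jwks(K1, K2, K3),   # baseline
    "2023-06-01": _jwks(K2, K3),       # K1 removed
    "2023-06-02": _jwks(K1, K2, K3),   # K1 put back
    "2023-06-03": _jwks(K2, K3),       # K1 removed again
    "2023-06-22": _jwks(K3),           # K2 removed
    "2023-07-13": _jwks(),             # K3 removed
}

def signing_kids(jwks_json):
    """Key ids of the signing keys in one JWKS document."""
    return {k["kid"] for k in json.loads(jwks_json)["keys"]
            if k.get("use", "sig") == "sig"}

def kid_history(snapshots):
    """(date, '+'|'-', kid) for every key id added or removed between
    consecutive snapshots, oldest first."""
    changes = []
    dates = sorted(snapshots)
    for prev, cur in zip(dates, dates[1:]):
        before, after = signing_kids(snapshots[prev]), signing_kids(snapshots[cur])
        changes += [(cur, "-", k) for k in sorted(before - after)]
        changes += [(cur, "+", k) for k in sorted(after - before)]
    return changes

def reintroduced_kids(changes):
    """Key ids added back after an earlier removal. A signing key that
    returns was not rotated; treat it as a finding to investigate."""
    removed, flapped = set(), []
    for _, change, kid in changes:
        if change == "-":
            removed.add(kid)
        elif kid in removed and kid not in flapped:
            flapped.append(kid)
    return flapped

def format_history(changes):
    """Render in the '- removed, + added' style of the post."""
    return "\n".join(f'{date}: {change}"{kid}"' for date, change, kid in changes)

if __name__ == "__main__":
    print(format_history(kid_history(SNAPSHOTS)))
    print("reintroduced:", reintroduced_kids(kid_history(SNAPSHOTS)))
```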
@slink @GossiTheDog Hmm so they aren't actually rotating just removing abused ones as if the attacker didn't grab them all.
@GossiTheDog They have been doing it since 1975. What's new? Only the language used and Gates' whiny voice isn't there anymore.
@GossiTheDog
Maybe E5 was too expensive and they just don't have logs.
@GossiTheDog What does this tell us that we didn't already know? Is it just the IoCs, or are there other new and helpful details?
@dangoodin from a reporting point of view I don't think anything new, but good from customer point of view as it gives new things to look at

@GossiTheDog @dangoodin did we know this little tidbit before?

"Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected."
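
A simplified illustration of the class of validation bug the quoted sentence describes, added here as example code that is neither Microsoft's nor anyone on the thread's: a verifier that resolves a token's kid from a key pool shared across issuers accepts a token signed with the consumer (MSA-style) key even though its iss claim names an enterprise tenant, while a verifier that only looks up keys in the expected issuer's own key set rejects it. Issuer URLs and keys are constructed, and HMAC secrets stand in for the RSA keys real tokens use so it runs with the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-issuer signing keys. Real tokens are RSA-signed and the keys
# come from each issuer's JWKS; HMAC secrets stand in so the example is
# self-contained. Issuer URLs are placeholders, not real endpoints.
MSA_ISSUER = "https://consumer.example/"           # consumer (MSA-style) issuer
AAD_ISSUER = "https://enterprise.example/tenant1/"  # Azure AD-style tenant issuer
ISSUER_KEYS = {
    MSA_ISSUER: {"msa-key-1": b"consumer-signing-secret"},
    AAD_ISSUER: {"aad-key-1": b"enterprise-signing-secret"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def mint_token(issuer, kid, claims):
    """Sign a JWT-shaped token with the given issuer's key (test helper)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    return f"{signing_input}.{_b64(_mac(ISSUER_KEYS[issuer][kid], signing_input))}"

def _split(token):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}"

def verify_shared_pool(token, expected_issuer):
    """Flawed: kid is resolved from every issuer's keys, so any trusted key,
    consumer or enterprise, can sign a token for any issuer."""
    header, claims, sig, signing_input = _split(token)
    pool = {kid: key for keys in ISSUER_KEYS.values() for kid, key in keys.items()}
    key = pool.get(header.get("kid"))
    if key is None or not hmac.compare_digest(_mac(key, signing_input), sig):
        return None
    return claims if claims.get("iss") == expected_issuer else None

def verify_issuer_scoped(token, expected_issuer):
    """Hardened: the key must come from the expected issuer's own key set,
    and the iss claim must name that issuer; no cross-issuer key reuse."""
    header, claims, sig, signing_input = _split(token)
    if claims.get("iss") != expected_issuer:
        return None
    key = ISSUER_KEYS.get(expected_issuer, {}).get(header.get("kid"))
    if key is None or not hmac.compare_digest(_mac(key, signing_input), sig):
        return None
    return claims
```

The difference is only where the kid lookup happens: before or after deciding which issuer's key set is allowed to vouch for the token.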

@GossiTheDog I have been on the sidelines when it comes to this event, but my impression has been that Microsoft is dancing around the precise role of its own cloud service in this breach. It's a vulnerability in their own cloud service. That is the root cause, yes? If so, shouldn't Microsoft say that?
@GossiTheDog As Will notes, they say the "issue" has been corrected, when, in fact, the thing that has been corrected is a zeroday. They also reference consumer accounts in the "public cloud," when they should say OWA accounts. Do you agree with my read of today's post?

@dangoodin I don't think Microsoft ever acknowledges vulnerabilities in their cloud services (also there's no CVEs for cloud), and you don't say breach at Microsoft.

So if you Ctrl+F I doubt you will find vulnerability or breach in relation to Microsoft.

They did say "exploit" in the original MSRC blog in relation to Microsoft's cloud services, and you exploit a vulnerability. So I think it's fair to say that, yes, they had vuln(s).

@GossiTheDog Yeah, but the earlier post says only that the threat actor "exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail." Microsoft never says whose "issue" it was.
@dangoodin @GossiTheDog surely Azure AD isn't letting anyone else perform token validation on their behalf?
@dangoodin it is Microsoft’s issue. They are the only party that validate Azure AD tokens.
@GossiTheDog and they mention a "validation error in Microsoft code" which has since been fixed.

@dangoodin
@dangoodin @GossiTheDog Honestly the IoCs are a substantial addition to this case. I'm pleasantly surprised, I thought they would never publish them.
@GossiTheDog uhhhhhhmmmmm…why would they do this?
@deepthoughts10 @GossiTheDog Maybe you can buy additional logs per entry as an add-on just like with Teams Chat scanning?
@GossiTheDog Could we also not charge extra for BitLocker? All editions of Windows must include FDE
@GossiTheDog I think this is a very important issue. #microsoft365 should include security logs in every license for free. Because otherwise they knowingly sell an insecurable system.
#gdpr basic rights for customers.

@GossiTheDog given how much Azure fraud is a result of credential stuffing, I’ve long argued that MSFT might very well save money by taking the account protection features currently gated by E3/E5/AAD P1/P2 and making them free for everyone.

Even if they didn’t save money on that, like you said: they could afford it.

@GossiTheDog I *hate* using security features as an upsell opportunity instead of a baseline requirement. Years ago Auth0 quoted us more for 2FA for identity users - I pushed back hard (and made it clear that they would be named in any breach comms), and they capitulated.
@cfg @GossiTheDog thank you for your service