hacker7 Posted October 17, 2017

Microsoft Kept Secret That Its Bug-Tracking Database Was Hacked In 2013
Tuesday, October 17, 2017

It was not just Yahoo among "Fortune 500" companies who tried to keep a major data breach incident secret.

Reportedly, Microsoft had also suffered a data breach four and a half years ago (in 2013), when a "highly sophisticated hacking group" breached its bug-reporting and patch-tracking database, but the hack was never made public until today.

Five former employees of the company, interviewed separately by Reuters, revealed that the breached database had been "poorly protected with access possible via little more than a password."

This incident is believed to be the second known breach of such a corporate database after a critical zero-day vulnerability was discovered in Mozilla's Bugzilla bug-tracking software in 2014.

As its name suggests, the bug-reporting and patch-tracking database for Windows contained information on critical and unpatched vulnerabilities in some of the most widely used software in the world, including Microsoft's own Windows operating system.

The hack was believed to be carried out by a highly-skilled corporate espionage hacking group known by various names, including Morpho, Butterfly and Wild Neutron, who exploited a Java zero-day vulnerability to hack into Apple Mac computers of the Microsoft employees, "and then move to company networks."

With such a database in hand, the so-called highly sophisticated hacking group could have developed zero-day exploits and other hacking tools to target systems worldwide. There's no better example than the WannaCry ransomware attack to explain what a single zero-day vulnerability can do.

"Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," said Eric Rosenbach, who was American deputy assistant secretary of defence for cyber at the time of the breach.

When Microsoft discovered the compromised database in early 2013, an alarm spread inside the company.

Following the concerns that hackers were using stolen vulnerabilities to conduct new attacks, the tech giant conducted a study to compare the timing of breaches with when the bugs had entered the database and when they were patched.

Although the study found that the flaws in the stolen database were used in cyber attacks, Microsoft argued the hackers could have obtained the information elsewhere, and that there's "no evidence that the stolen information had been used in those breaches."

Former employees also confirmed that the tech giant tightened up its security after the 2013 hacking incident and added multiple authentication layers to protect its bug-reporting system.

However, three of the employees believe the study conducted by Microsoft did not rule out stolen vulnerabilities being used in future cyber attacks, nor did the tech giant conduct a thorough investigation into the incident.

On being contacted, Microsoft declined to speak about the incident, beyond saying: "Our security teams actively monitor cyber threats to help us prioritise and take appropriate action to keep customers protected."

Source: https://thehackernews.com/2017/10/microsoft-bug-tracking-breach.html

steven36 Posted October 17, 2017

The joys of closed source

hacker7 (Author) Posted October 17, 2017

> Although the study found that the flaws in the stolen database were used in cyber attacks

Somebody should sue their A.s.s for this

> 9 hours ago, steven36 said:
> The joys of closed source

Yet Another Linux Kernel Privilege-Escalation Bug Discovered
Monday, October 16, 2017

steven36 Posted October 17, 2017

> 10 minutes ago, hacker7 said:
> Somebody should sue their A.s.s for this
> Yet Another Linux Kernel Privilege-Escalation Bug Discovered
> Monday, October 16, 2017

The difference is, when they find bugs in the Linux kernel, by the time the news gets posted it's being patched; they push out security patches almost every day, so if you don't do updates it's on you. You most always never get no security patches until 30 days later on Windows, and they have up to 90 days to patch before it's made public, and have been busted many times for not patching before 90 days.

hacker7 (Author) Posted October 17, 2017

@steven36 I get you! But what I meant is there is nowhere safe to go. MS is using those flaws, that is if they are not creating them themselves, to spy on us, and other highly-skilled corporate espionage take advantage of that. So it's win/win for them either way!

hacker7 (Author) Posted October 17, 2017

> 9 hours ago, 0bin said:
> @steven36 is right.

steven36 Posted October 17, 2017

> 9 minutes ago, hacker7 said:
> @steven36 I get you! But what I meant is there is nowhere safe to go

I use Windows a lot, but I don't try to take up for their shit security by pointing out bugs in another OS where the patch is most likely already on live updates. Me using Linux and Windows both, I know this: most of the time when a vulnerability in Linux comes up on the news, many times I booted into Linux and the update was there already. That's the difference in open source, where it's all public knowledge.

hacker7 (Author) Posted October 17, 2017

@steven36 @0bin I'm not criticizing Linux at all. I know that they're much better than MS at updating and patching too, and most likely they don't spy on users like MS does.

steven36 Posted October 17, 2017

There is no such thing as an OS without unknown bugs; if there was, there would be no need for security patches. I don't really see anything wrong with keeping them hidden from the public for a short time if Microsoft patched like Linux did, but the fact is they don't. Keep in mind no 0day in recent years has infected as many people as viruses used to. The worst one in recent years was CCleaner, and really that was not a problem if you kept the thing blocked from the internet, and it only infected x86 systems in a world where most everyone in the last 10 years owns an x64 PC. Many Linux distros have stopped making x86 OSes and there are very few x86 apps on x64 Linux. I've not used x86 since 2010, but there are so many old Windows laptops out there that do; that is the reason M$ still even bothers to make that version.

hacker7 (Author) Posted October 17, 2017

> 9 hours ago, 0bin said:
> What is your favoured linux distro hacker7?

1- Ubuntu

hacker7 (Author) Posted October 17, 2017

> 9 hours ago, steven36 said:
> The worst one in recent years was CCleaner, and really that was not a problem if you kept the thing blocked from the internet, and it only infected x86 systems in a world where most everyone in the last 10 years owns an x64 PC. Many Linux distros have stopped making x86 OSes and there are very few x86 apps on x64 Linux. I've not used x86 since 2010, but there are so many old Windows laptops out there that do; that is the reason M$ still even bothers to make that version.

And this is bad news now

Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices
Monday, October 16, 2017

steven36 Posted October 17, 2017

> 6 minutes ago, hacker7 said:
> 1- Ubuntu

I like Ubuntu-based ones the most because they have the most software. Linus Torvalds even once said people don't use an OS, they use the software on an OS; when they start talking about an OS itself, that means the OS has problems. My 2nd favorite one is Manjaro, just because of certain software Arch doesn't have; it's not my favorite.

hacker7 (Author) Posted October 17, 2017

> 9 hours ago, steven36 said:
> I like Ubuntu-based ones the most because they have the most software. Linus Torvalds even once said people don't use an OS, they use the software on an OS; when they start talking about an OS itself, that means the OS has problems. My 2nd favorite one is Manjaro, just because of certain software Arch doesn't have; it's not my favorite.

1++≧◠‿◠≦✌

steven36 Posted October 17, 2017

> 19 minutes ago, hacker7 said:
> And this is bad news now
> Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices
> Monday, October 16, 2017

This one Microsoft patched; it only took them 5 years to do something about it. Instead of patching the bug 5 years ago, they waited until researchers showed it could be used to exploit certain model computers that have the Infineon Technologies semiconductor.

hacker7 (Author) Posted October 17, 2017

> 9 hours ago, steven36 said:
> This one Microsoft patched; it only took them 5 years to do something about it. Instead of patching the bug 5 years ago, they waited until researchers showed it could be used to exploit certain model computers that have the Infineon Technologies semiconductor.

Do you know which certain computers they are talking about?

steven36 Posted October 17, 2017

> 19 minutes ago, hacker7 said:
> Do you know which certain computers they are talking about?

Microsoft, Google, HP, Lenovo, and Fujitsu brands, but it has already been mitigated by Microsoft this past Patch Tuesday. They can't post info like this to the public until 90 days after the researchers proved it, or it has been patched, whichever comes 1st.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

Vendors also released firmware updates; you do them too if you have any.

steven36 Posted October 17, 2017

I don't even think it affected Windows 7 or older; they're not listed. Windows 7 didn't need an update. The affected keys are RSA 1024 and 2048. I always use an RSA-4096 key when I use my VPN for handshake.

hacker7 (Author) Posted October 19, 2017

@steven36 @0bin can anyone verify this https://www.krackattacks.com/ ?

Archived
This topic is now archived and is closed to further replies.