Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!panix!.POSTED.panix1.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 34.13
Date: 4 Apr 2024 20:08:43 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 637
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1712260783.risko@chiron.csl.sri.com11652>
Injection-Info: reader1.panix.com; posting-host="panix1.panix.com:166.84.1.1";
logging-data="237"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Thursday 4 April 2024 Volume 34 : Issue 13

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.13>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Review of the Summer 2023 Microsoft Exchange Online Intrusion (CISA)
China's Advancing Efforts to Influence U.S. Election (NYTimes)
RMV warning customers of scams amid statewide outage (The Boston Globe)
Missouri county declares state of emergency amid suspected ransomware attack
(ArsTechnica)
Tech Glitch Upends Financial Aid for About a Million Students (WSJ)
Did One Guy Just Stop a Huge Cyberattack? (NYTimes)
Carmakers give up on software that avoids kangaroos (ArsTechnica)
Browsing in Google Chrome's incognito mode doesn't protect you as much as
you might think (The Boston Globe)
Google Deepmind CEO says AI industry is full of 'hype' and 'grifting'
(ReadWrite)
The wonders of AI! (Lauren Weinstein)
AI that targets civilians: 'The machine did it coldly': Israel used
AI to identify 37,000 Hamas targets (The Guardian via Lauren Weinstein)
Washington state judge blocks use of AI-enhanced video as evidence
in possible first-of-its-kind ruling (NBC News)
Amazon's AI-powered "Just Walk Out" checkout option turns out to be 1000
workers watching you shop (BoingBoing)
This tool makes AI models hallucinate cats to fight copyright infringement
(NBC News)
An unending array of jailbreaking attacks could be the death of LLMs
(Gary Marcus)
When AI Meets Toast (Lauren Weinstein)
Medicare forced to expand forms to fit 10-digit bill a penny shy of $100M
(ArsTechnica)
The FTC is trying to help victims of impersonation scams get their money
back (The Verge)
Google Maps for CarPlay is a disaster compared to the Android Auto app
(9-to-5 Google)
Indian company sold contaminated shrimp to U.S. grocery stores,
'whistleblower' says (NBC News)
CA Governor to install 480 new Flock LPR cameras (ACLU via Henry Baker)
Your boss could forward a mail message to you that shows you text
he won't see, but you will (Lutrasecurity)
Should we be rethinking using Outlook at work? (Victor Miller)
Man pleads guilty to stealing former coworker's identity for 30 years?
(ArsTechnica)
Re: xz (Victor Miller et al.)
Re: Ross Anderson (Wendy M. Grossman)
Re: The race between positive and negative applications of GenAI
(Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 3 Apr 2024 09:43:54 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Review of the Summer 2023 Microsoft Exchange Online Intrusion
(CISA)

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

[This is a remarkably well-constructed multilateral analysis,
and well worthy of running extensively in RISKS. PGN]

In May and June 2023, a threat actor compromised the Microsoft Exchange
Online mailboxes of 22 organizations and over 500 individuals around the
world. The actor—known as Storm-0558 and assessed to be affiliated with the
People’s Republic of China in pursuit of espionage objectives—accessed the
accounts using authentication tokens that were signed by a key Microsoft had
created in 2016. This intrusion compromised senior United States government
representatives working on national security matters, including the email
accounts of Commerce Secretary Gina Raimondo, United States Ambassador to
the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.

Signing keys, used for secure authentication into remote systems, are the
cryptographic equivalent of crown jewels for any cloud service provider. As
occurred in the course of this incident, an adversary in possession of a
valid signing key can grant itself permission to access any information or
systems within that key’s domain. A single key’s reach can be enormous, and
in this case the stolen key had extraordinary power. In fact, when combined
with another flaw in Microsoft’s authentication system, the key permitted
Storm-0558 to gain full access to essentially any Exchange Online account
anywhere in the world. As of the date of this report, Microsoft does not
know how or when Storm-0558 obtained the signing key.
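As an added illustration (not part of the digest or of the CSRB report) of why a single signing key's reach can be so large: the excerpt does not say what the "other flaw" in the validation path was, so this constructed Python example assumes it was a missing check that the signing key is scoped to the token's audience and still within its validity period. Key names, secrets, scopes and dates are invented; the flawed and hardened validators are shown side by side.

```python
import base64, hashlib, hmac, json, time

# Constructed key set: each key records which token audience it may sign
# and when it expires. The stale key stands in for the "key created in
# 2016" from the excerpt; names, secrets, scopes and dates are invented.
KEYS = {
    "key-2016": {"secret": b"old-consumer-key", "scope": "consumer",
                 "expires": 1514764800},   # 1 Jan 2018: long expired
    "key-2023": {"secret": b"current-enterprise-key", "scope": "enterprise",
                 "expires": 1800000000},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _mac(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, kid: str) -> str:
    """Issue a compact JWT-style token (HS256) under key `kid`."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{_b64(_mac(KEYS[kid]['secret'], signing_input))}"

def verify_naive(token: str, audience: str) -> bool:
    """Flawed validator: any key in the key set is trusted for any audience,
    so a stolen key of the wrong scope (or long past expiry) still works."""
    header, body, sig = token.split(".")
    kid = json.loads(_unb64(header))["kid"]
    if not hmac.compare_digest(_mac(KEYS[kid]["secret"], f"{header}.{body}"), _unb64(sig)):
        return False
    return json.loads(_unb64(body)).get("aud") == audience

def verify_strict(token: str, audience: str, now=None) -> bool:
    """Hardened validator: the key must be scoped to this audience and still
    valid before the signature is even checked, bounding a stolen key's reach."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    key = KEYS.get(json.loads(_unb64(header))["kid"])
    if key is None or key["scope"] != audience or now >= key["expires"]:
        return False   # unknown, wrong-scope or expired key: reject outright
    if not hmac.compare_digest(_mac(key["secret"], f"{header}.{body}"), _unb64(sig)):
        return False
    claims = json.loads(_unb64(body))
    return claims.get("aud") == audience and claims.get("exp", 0) > now
```

A token minted with the stale consumer-scoped key for an enterprise audience passes `verify_naive` but is rejected by `verify_strict` before its signature is even considered.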

This was not the first intrusion perpetrated by Storm-0558, nor is it the
first time Storm-0558 displayed interest in compromising cloud providers or
stealing authentication keys. Industry links Storm-0558 to the 2009
Operation Aurora campaign that targeted over two dozen companies, including
Google, and the 2011 RSA SecurID incident, in which the actor stole secret
keys used to generate authentication codes for SecurID tokens, which were
used by tens of millions of users at that time. Indeed, security researchers
have tracked Storm-0558’s activities for over 20 years.

On August 11, 2023, Secretary of Homeland Security Alejandro Mayorkas
announced that the Cyber Safety Review Board (CSRB, or the Board) would
“assess the recent Microsoft Exchange Online intrusion . . . and conduct a
broader review of issues relating to cloud-based identity and authentication
infrastructure affecting applicable cloud service providers and their
customers.”

The Board conducted extensive fact-finding into the Microsoft intrusion,
interviewing 20 organizations to gather relevant information (see Appendix
A). Microsoft fully cooperated with the Board and provided extensive
in-person and virtual briefings, as well as written submissions. The Board
also interviewed an array of leading cloud service providers to gain insight
into prevailing industry practices for security controls and governance
around authentication and identity in the cloud.

The Board finds that this intrusion was preventable and should never have
occurred. The Board also concludes that Microsoft’s security culture was
inadequate and requires an overhaul, particularly in light of the company’s
centrality in the technology ecosystem and the level of trust customers
place in the company to protect their data and operations. The Board
reaches this conclusion based on:

1. the cascade of Microsoft’s avoidable errors that allowed this intrusion
to succeed;

2. Microsoft’s failure to detect the compromise of its cryptographic crown
jewels on its own, relying instead on a customer to reach out to identify
anomalies the customer had observed;

3. the Board’s assessment of security practices at other cloud service
providers, which maintained security controls that Microsoft did not;

4. Microsoft’s failure to detect a compromise of an employee's laptop from a
recently acquired company prior to allowing it to connect to Microsoft’s
corporate network in 2021;

5. Microsoft’s decision not to correct, in a timely manner, its inaccurate
public statements about this incident, including a corporate statement that
Microsoft believed it had determined the likely root cause of the intrusion
when in fact, it still has not; even though Microsoft acknowledged to the
Board in November 2023 that its September 6, 2023 blog post about the root
cause was inaccurate, it did not update that post until March 12, 2024, as
the Board was concluding its review and only after the Board’s repeated
questioning about Microsoft’s plans to issue a correction;

6. the Board's observation of a separate incident, disclosed by Microsoft in
January 2024, the investigation of which was not in the purview of the
Board’s review, which enabled a nation-state actor to access highly-sensitive
Microsoft corporate email accounts, source code repositories, and internal
systems; and

7. how Microsoft’s ubiquitous and critical products, which underpin essential
services that support national security, the foundations of our economy, and
public health and safety, require the company to demonstrate the highest
standards of security, accountability, and transparency.

Throughout this review, the Board identified a series of Microsoft
operational and strategic decisions that collectively point to a corporate
culture that deprioritized both enterprise security investments and rigorous
risk management. To drive the rapid cultural change that is needed within
Microsoft, the Board believes that Microsoft’s customers would benefit from
its CEO and Board of Directors directly focusing on the company’s security
culture and developing and sharing publicly a plan with specific timelines
to make fundamental, security-focused reforms across the company and its
full suite of products. The Board recommends that Microsoft’s CEO hold
senior officers accountable for delivery against this plan. In the meantime,
Microsoft leadership should consider directing internal Microsoft teams to
deprioritize feature developments across the company’s cloud infrastructure
and product suite until substantial security improvements have been made in
order to preclude competition for resources. In all instances, security
risks should be fully and appropriately assessed and addressed before new
features are deployed.

