Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Nine Takeaways From Our Investigation Into Microsoft’s Cybersecurity Failures

ProPublica: “After Russian hackers exploited a flaw in a widely used Microsoft product during one of the largest cyberattacks in U.S. history, the software giant downplayed its culpability. However, a recent ProPublica investigation revealed that a whistleblower within Microsoft’s ranks had repeatedly attempted to convince the company to address the weakness years before the hack — and that the company rebuffed his concerns at every step. Here are the key things you need to know about that whistleblower’s efforts and Microsoft’s inaction. Years before the SolarWinds hack was discovered in 2020, a Microsoft engineer found a security flaw these hackers would eventually exploit. In 2016, while researching an attack on a major tech company, Microsoft engineer Andrew Harris said he discovered a flaw in the company’s Active Directory Federation Services, a product that allowed users to sign on a single time for nearly everything they needed. As a result of the weakness, millions of users — including federal employees — were left exposed to hackers. Harris said the Microsoft team responsible for handling reports of security weaknesses dismissed his concerns. The Microsoft Security Response Center determines which reported security flaws need to be addressed. Harris said he told the MSRC about the flaw, but it decided to take no action. The MSRC argued that, because hackers would already need access to an organization’s on-premises servers before they could take advantage of the flaw, it didn’t cross a so-called “security boundary.” Former MSRC members told ProPublica that the center routinely rejected reports of weaknesses using this term, even though it had no formal definition at the time…”
