DearWallstreet.com
DWS Daily on Feb 25, 2021
Microsoft failed to shore up defenses that could have limited SolarWinds hack: U.S. senator
By Joseph Menn
SAN FRANCISCO (Reuters) - Microsoft Corp's failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of U.S. Senator Ron Wyden.
A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers' cloud services. The technique was one of many used in the SolarWinds hack.
Wyden, who has faulted tech companies on security and privacy issues as a member of the Senate Intelligence Committee, blasted Microsoft for not doing more to prevent forged identities or warn customers about it.
"The federal government spends billions on Microsoft software," Wyden told Reuters ahead of a SolarWinds hearing on Friday in the House of Representatives.
"It should be cautious about spending any more before we find out why the company didn't warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017," he said.
Microsoft President Brad Smith will testify on Friday before the House committee investigating the SolarWinds hacks.
U.S. officials have blamed Russia for the massive intelligence operation that penetrated SolarWinds, which makes software to manage networks, as well as Microsoft and others, to steal data from multiple governments and about 100 companies. Russia denies responsibility.
Microsoft disputed Wyden's conclusions, telling Reuters that the design of its identity services was not at fault.
In a response to Wyden's written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, "had never been used in an actual attack" and "was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies."
But in a public advisory after the SolarWinds hack, on Dec. 17, the National Security Agency called for closer monitoring of identity services, noting, "This SAML forgery technique has been known and used by cyber actors since at least 2017."
In response to additional questions from Wyden this week, Microsoft acknowledged its programs were not set up to detect the theft of identity tools for granting cloud access.
Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the failure showed cloud security risks should be a higher priority.
The hackers' sophisticated abuse of identities "exposes a concerning weakness in how cloud computing giants invest in security, perhaps failing to adequately mitigate the risk of high impact, low probability failures in systems at the root of their security model," Herr said.
In congressional testimony on Tuesday, Microsoft's Smith said that only about 15% of the victims in the SolarWinds campaign were hurt via Golden SAML. Even in those cases the hackers had to have already gained access to systems before deploying the method.
But Wyden's staff said one of those victims was the U.S. Treasury, which lost emails from dozens of officials. (Reporting by Joseph Menn; editing by Jonathan Weber and Howard Goller)