179
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 07 Sep 2023
179 points (100.0% liked)
Technology
58108 readers
3705 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
This is the best summary I could come up with:
Such keys, Microsoft said, are entrusted only to employees who have undergone a background check and then only when they are using dedicated workstations protected by multi-factor authentication using hardware token devices.
To safeguard this dedicated environment, email, conferencing, web research, and other collaboration tools aren’t allowed because they provide the most common vectors for successful malware and phishing attacks.
The hack of a Microsoft engineer’s corporate account allowed Storm-0558 to access the crash dump and, with it, the expired Exchange signing key.
Addressing the second mystery, the post explained how an expired signing key for a consumer account was used to forge tokens for sensitive enterprise offerings.
Human errors prevented a programming interface designed to cryptographically validate which environment a key from working properly.
Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key (this issue has been corrected using the updated libraries).
The original article contains 734 words, the summary contains 154 words. Saved 79%. I'm a bot and I'm open source!