Tag: Microsoft

1
Cyber-attackers could exploit security flaw found in the embedded video function of Microsoft Word
2
Aqua-man goes hi-tech – Microsoft’s Plunge into Deep Sea Data Storage
3
US Government reaches for data stored on foreign soil
4
Tech giants scramble as gigantic vulnerability revealed
5
Update everything: Discovery of Wi-Fi flaw in connected devices
6
Have I been pwned?
7
Microsoft welcomes big win against government information requests
8
Hacked accounts anyone?
9
Microsoft cuts support for Internet Explorer 8, 9 and 10

Cyber-attackers could exploit security flaw found in the embedded video function of Microsoft Word

By Cameron Abbott and Colette Légeret

Cymulate, a leading provider of Breach and Attack Simulation solutions and a Gartner 2018 Cool Vendor, announced last week that its Security Research Team had uncovered a security flaw in the Microsoft Office Suite (Office) that may affect Microsoft Word (Word) users.

The Office security flaw identified is a JavaScript code execution within the embedded video component of Word. This has the potential to impact all users of Office 2016 and users of older Office versions. Cymulate noted that no configuration was required to reproduce the issue and no security warning is presented while opening the document with Word.

Read More

Aqua-man goes hi-tech – Microsoft’s Plunge into Deep Sea Data Storage

By Cameron Abbott and Georgia Mills

In addition to all things cyber security related, we here at CyberWatch love to see new technologies being developed and Microsoft’s latest data storage project has us all excited.

Microsoft has leveraged the technologies of submarines and renewable energy to plunge an experimental 12 metre long datacentre into the sea near Scotland’s Orkney Islands.  The project, known as Project Natick, seeks to understand the benefits and difficulties in deploying subsea datacentres powered by offshore renewable energy.

Read More

US Government reaches for data stored on foreign soil

By Cameron Abbott and Harry Crawford

A significant case for digital privacy is currently before the US Supreme Court, with the US Justice Department fighting it out against Microsoft in a bid to gain access to emails held on Microsoft’s servers in Dublin. The US Justice Department is seeking to use a search warrant to access the emails in Ireland in a drug trafficking case. If a precedent is set which allows the US government to access data stored on foreign soil, that could have a significant impact on privacy rights on a global scale.

Read More

Tech giants scramble as gigantic vulnerability revealed

By Cameron Abbott and Harry Crawford

In one of the largest cybersecurity scares in history, researchers revealed two CPU vulnerabilities for practically all computers manufactured in the last two decades which could allow hackers to gain access to stored data.

Read More

Update everything: Discovery of Wi-Fi flaw in connected devices

By Cameron Abbott, Rob Pulham and Olivia Coburn

A Belgian researcher has discovered a weakness in WPA-2, the security protocol used in the majority of routers and devices including computers, mobile phones and connected household appliances, to secure internet and wireless network connections.

The researcher, Mathy Vanhoef, has named the flaw KRACK, for Key Reinstallation Attack.

Any device that supports Wi-Fi is likely to be affected by KRACK, albeit devices will have different levels of vulnerability depending on their operating systems. Linux and Android are believed to be more susceptible than Windows and iOS, and devices running Android 6.0 are reportedly particularly vulnerable.

Read More

Have I been pwned?

By Cameron Abbott and Rebecca Murray

Information security blog {ride the lightning} has featured Troy Hunt’s “Have I been pwned” website which identifies whether your online account has ever been compromised in a data breach when you enter your account’s login ID.

Troy Hunt describes himself on his website as a Microsoft Regional Director, a Microsoft Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight. While we don’t know much about his site, it is reported to be safe and provides a very handy tool to determine if you have been unknowingly hacked. Of course, even if the site is legitimate, who is to say it won’t be breached? It’s just that it’s so useful.

See if you have been pwned here…and yes…we both have been.

 

Microsoft welcomes big win against government information requests

By Cameron Abbott and Simon Ly

Last week, the US Court of Appeals for the Second Circuit reversed a previous lower court decision and found in favour of Microsoft in a long running dispute over a government information request.

In 2014, the US government successfully received a warrant for email records sought in connection with a drug case. Microsoft refused to comply with the orders and was subsequently found to be in contempt of court. However, the Court of Appeal has now ruled that the US government could not force Microsoft to hand over customer emails stored in an offshore server in Ireland because, amongst other things, the Stored Communications Act did not intend to legislate to allow for such warrant provisions. This decision comes hot off the heels of the EU-approved Privacy Shield, and it will be interesting to see how a similar decision will be dealt with moving forward in light of this regime.

This represents a big win for Microsoft and the tech sector more broadly as service providers now have a basis for maintaining the position of protecting its users’ privacy. This decision also highlights that legal regimes are territorial notwithstanding the global nature of new technology offerings.

To read Microsoft’s news release following the decision, please see here.

Hacked accounts anyone?

By Cameron Abbott and Giles Whittaker

Have you been hacked? If you are the user of a Google, Yahoo or Microsoft e-mail account then it is a possibility. Alex Holden, the founder and Chief Information Officer of Hold Security who discovered the hack has identified 272.3 million account credentials have been stolen. The majority of these accounts are users of Mail.ru which is Russia’s most popular e-mail service.

57 million Mail.ru account credentials had been hacked and Mail.ru “are now checking any combinations of usernames/passwords match users’ e-mails and are still active”, from initial checks there were no live combinations.

Google and Yahoo are yet to provide any response.

This recent hack, which was performed by a young Russian hacker who is more determined to become famous than rich from his recent efforts after only asking for 50 roubles (less than $1) for the entire dataset, is one of the biggest collection of stolen credentials since the attacks on major US banks and retailers two years ago. The information which was stolen, as suggest by Holden in an interview with Reuters is “potent [and] it is floating around in the underground…which can be abused multiple times.”

Some of the stolen credentials include those for employees of large US banking, manufacturing and retail companies. When considering that 22 percent of big data breaches come from stolen online credentials (according to a recent survey of 325 computer professional) and hacks of this nature typically allow for further break-ins or phishing attacks by accessing the contacts of each hacked account, the domino effect of a hack such as this is substantial. Furthermore, individuals that like to re-use their preferred passwords across multiple accounts have exposed themselves to additional hacks.

So what is the take away message? According to Will Harwood, founder and Chief Technology Officer of Silicon SAFE, the solution as he told Infosecurity is to put the “password data in a dedicated hardware supported database that only allows data to be stored and compared, never revealed.”

For more of Will Harwood’s security suggestions and the Infosecurity article click here.

To read more about Alex Holden’s discovery of the Russian hacker click here.

Microsoft cuts support for Internet Explorer 8, 9 and 10

By Cameron Abbott and Meg Aitken

Today, Microsoft will initiate the ‘end-of-life’ phase for the company’s older Web browsers, Internet Explorer 8, 9, and 10. Customers using the outdated browsers will be sent an ‘end-of-life upgrade notification’ as technical support and security updates have now ceased.

Microsoft has encouraged the several hundred million users who currently operate the outdated browsers to upgrade to Internet Explorer 11 or Microsoft Edge, which they suggest offers better-quality security and improved performance.

While users currently running Internet Explorer 8, 9 and 10 will still be able to use their browsers, Microsoft has warned there is a significant security risk of continuing to run the outdated versions. Without the periodic security updates and routine technical support, the outdated browsers will be vulnerable to cyber-attacks, malware and other security threats.

Australian Corporations have an obligation to keep materials secure under the Privacy Act 1988 (Cth) and should therefore consider the risk that using the unsupported browsers may not be sufficient to meet this requirement.

Access the Microsoft release here.

Copyright © 2018, K&L Gates LLP. All Rights Reserved.