US Senator accuses Microsoft of gross cybersecurity negligence

US Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) asking the agency to investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations.

The Senator opened the formal request by saying that Microsoft should be held responsible for its "gross cybersecurity negligence" resulting in ransomware attacks against critical infrastructure, including US health care organizations.

The Senator highlights Microsoft's "prolonged failure to take decisive action to effectively mitigate well-documented security risks in its products," resulting in attacks such as the 2024 Ascension Health ransomware breach, which compromised data of 5.6 million patients.

The incident, which occurred in May 2024, unfolded when a contractor clicked a malicious Bing Search result in Microsoft Edge, allowing hackers to carry out a Kerberoasting attack.

Kerberos is a network authentication protocol that gives users and services access to network resources by verifying their identity without a password exchange.

Kerberoasting is a post-compromise technique that lets attackers steal encrypted service account credentials from Microsoft Active Directory.

It takes advantage of weak or easy-to-guess passwords, sometimes encrypted with the insecure and deprecated RC4 algorithm, that can be cracked offline with readily available brute-force tools.

After recovering the password, the attacker can use it to escalate privileges and move laterally on the compromised network, as in the case of the Ascension Health breach.

The Senator says his team spoke with Microsoft in July 2024, urging the tech giant to warn customers of the dangers of using RC4 instead of more robust options like AES-128/256, and to make the latter the default setting.

Microsoft responded with a blog post published in October, which the Senator said was "highly technical" and failed to clearly convey the warning to decision-makers within companies.

The RC4 encryption algorithm is still an option in Kerberos despite being a weak cipher with vulnerabilities that allow recovering plaintext information.

It is worth noting that although Microsoft pledged to strengthen security in its products, RC4 continues to be present in Kerberos to support older systems that do not accept newer, safer algorithms.

Wyden explicitly frames Microsoft's practices as a serious national security risk, expressing certainty that more high-impact incidents will occur unless the FTC intervenes.

"Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable." - Senator Ron Wyden

BleepingComputer has contacted Microsoft with a request for a comment on this development, and a spokesperson sent us the following statement:

"RC4 is an old standard and we discourage its use both in how we engineer our software and in our documentation to customers, which is why it makes up less than .1% of our traffic. However, disabling its use completely would break many customer systems."

The company is actively working to gradually remove the algorithm without creating any disruption to customers, and is warning against it as well as providing advice for using the algorithm in the safest ways possible.

"We have it on our roadmap to ultimately disable its use. We've engaged with the Senator's office on this issue and will continue to listen and answer questions from them or others in government." - a Microsoft spokesperson told BleepingComputer

The FTC has not publicly responded to Wyden's request yet.
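The Kerberoasting and RC4 passages above describe the attack from the attacker's side. What follows is an added example, not code from the BleepingComputer article, from Microsoft or from Senator Wyden's letter, showing the defender's side: flagging RC4 service-ticket requests in Windows Security event 4769 data (the classic Kerberoasting signal, since the attack must request RC4-encrypted tickets to crack them cheaply) and decoding the msDS-SupportedEncryptionTypes attribute that decides whether an account may still be issued RC4 tickets. The event records are constructed; the field names follow the 4769 event schema, the "5 distinct SPNs within 5 minutes" threshold is an assumption to tune, and the treatment of a zero bitmask as "RC4 allowed" reflects Microsoft's default domain setting, which includes RC4 unless the domain has been reconfigured.

```python
"""Flag RC4 Kerberos service-ticket requests and audit per-account encryption types.

Added example (not from the article, Microsoft or the Senator's letter).
SAMPLE_EVENTS below are constructed; a real pipeline would parse EVTX/XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption type codes as logged in event 4769 (RFC 3961 / MS-KILE).
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}  # DES and RC4 families

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7).
SUPPORTED_ENC_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# Constructed 4769 records: one user pulling six RC4 tickets for six different
# service accounts in a few seconds, plus benign traffic (computer account,
# krbtgt, and an AES-encrypted ticket).
SAMPLE_EVENTS = [
    {"TimeCreated": f"2024-05-08T09:00:0{i}", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": spn, "TicketEncryptionType": 0x17, "IpAddress": "10.0.5.23"}
    for i, spn in enumerate(["svc_sql", "svc_web", "svc_backup",
                             "svc_sharepoint", "svc_exchange", "svc_ftp"], start=1)
] + [
    {"TimeCreated": "2024-05-08T09:10:00", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "legacyapp01$", "TicketEncryptionType": 0x17, "IpAddress": "10.0.7.4"},
    {"TimeCreated": "2024-05-08T09:15:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_print", "TicketEncryptionType": 0x12, "IpAddress": "10.0.7.9"},
    {"TimeCreated": "2024-05-08T09:15:01", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "TicketEncryptionType": 0x17, "IpAddress": "10.0.7.9"},
]


def is_service_account_target(service_name):
    """Computer accounts (name ends in '$') and krbtgt are not the usual
    Kerberoasting targets; keep only user-style service accounts."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def weak_ticket_requests(events):
    """Every TGS request that used a DES or RC4 ticket encryption type."""
    return [(e["TargetUserName"], e["ServiceName"],
             ENC_TYPES.get(e["TicketEncryptionType"], hex(e["TicketEncryptionType"])))
            for e in events if e["TicketEncryptionType"] in WEAK_ETYPES]


def kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=5):
    """Accounts that requested >= min_spns distinct weak-etype service tickets
    inside `window`. Returns {user: sorted list of service names}."""
    per_user = defaultdict(list)
    for e in events:
        if (e["TicketEncryptionType"] in WEAK_ETYPES
                and is_service_account_target(e["ServiceName"])):
            per_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window over sorted requests
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                flagged[user] = sorted(spns)
                break
    return flagged


def decode_supported_etypes(value):
    """Expand an msDS-SupportedEncryptionTypes bitmask into cipher names."""
    return [name for bit, name in SUPPORTED_ENC_BITS.items() if value & bit]


def allows_rc4(value):
    """True if the account can be issued RC4 tickets. A value of 0 (attribute
    unset) falls back to the domain default, which includes RC4 unless the
    domain has been reconfigured (assumption: Microsoft's default policy)."""
    return value == 0 or bool(value & 0x04)


if __name__ == "__main__":
    for user, spns in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
    for value in (0x00, 0x1C, 0x18):
        print(f"{value:#04x}: {decode_supported_etypes(value)} rc4={allows_rc4(value)}")
```

Event 4769 is only written when "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers. The audit half is the remediation the Senator asks for in practice: accounts whose bitmask still includes 0x04 (or is unset) can be moved to AES-only (0x18) once their services are confirmed to support it, which is exactly the compatibility question Microsoft cites for not disabling RC4 globally.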
Comments

Go Ron go! Make 'em pay for known holes they didn't plug.

Totally agree, but let's be honest, you don't get better security without breaking a few things. People already freaked out when MS pushed TPM 2.0 and Secure Boot. If they start ditching stuff that's considered outdated or insecure, it's gonna be a riot.
I'm not ignoring stuff that can be improved without affecting users too much, but neither software companies nor the general public want some changes that would change how they use their system.

They break a few things every month with Windows Update. This would just be a drop in the bucket. The reason everyone freaked out about the Windows 11 requirements is they were completely opaque in reasoning and cut off hardware that many people did not consider to be very old. Even worse, they actively killed workaround solutions. This problem is different because these protocols were deprecated decades ago. I would hope nobody wrote a system requiring RC4 in at least 20 years.
Leaving ancient tech in place to accommodate 5% or less of the market at the expense of the 95% just makes no sense. Obsolete tech should be opt-in only, and modern OSes should reject it by default, like with SMBv1. It should break things that rely on obsolete protocols, and admins should be forced to actually address the issues underneath. This is what will make security actually happen.

I'd rather have things broken because of increased security than that everything breaks because of a hack.

Well, the senator has stock holdings in Apple and NVIDIA. Not to mention 2 major pharma companies. Nice stunt, though.