Dec 30, 2015 - "Microsoft Corp experts concluded several years ago that Chinese authorities had hacked into more than a thousand Hotmail email accounts, targeting international leaders of China’s Tibetan and Uighur minorities in particular – but it decided not to tell the victims, allowing the hackers to -continue- their campaign, according to former employees of the company. On Wednesday, after a series of requests for comment from Reuters, Microsoft said it will change its policy and in the future tell its email customers when it suspects there has been a government hacking attempt. The company also confirmed for the first time that it had not called, emailed or otherwise told the Hotmail users that their electronic correspondence had been collected. The company declined to say what role the exposure of the Hotmail campaign played in its decision to make the policy shift. The first public signal of the attacks came in May 2011, though no direct link was immediately made with the Chinese authorities. That's when security firm Trend Micro Inc announced it had found an email sent to someone in Taiwan that contained a miniature computer program. The program took advantage of a previously undetected flaw in Microsoft’s own web pages to direct Hotmail and other free Microsoft email services to secretly forward copies of all of a recipient’s incoming mail to an account controlled by the attacker.
Trend Micro found more than a thousand victims, and Microsoft patched the vulnerability before the security company announced its findings publicly. Microsoft also launched its own investigation that year, finding that some interception had begun in July 2009 and had compromised the emails of top Uighur and Tibetan leaders in multiple countries, as well as Japanese and African diplomats, human rights lawyers and others in sensitive positions inside China, two former Microsoft employees said. They spoke separately and on the condition that they not be identified. Some of the attacks had come from a Chinese network known as AS4808, which has been associated with major spying campaigns, including a 2011 attack on EMC Corp's security division RSA that U.S. intelligence officials publicly attributed to China. To see the report click here*. Microsoft officials did not dispute that most of the attacks came from China, but said some came from elsewhere. They did not give further detail...
After a vigorous internal debate in 2011 that reached Microsoft’s top security official, Scott Charney, and its then-general counsel and now president, Brad Smith, the company decided -not- to alert the users clearly that anything was amiss, the former employees said. Instead, it simply forced users to pick new passwords without disclosing the reason. The employees said it was likely the hackers by then had footholds in some of the victims' machines and therefore saw those new passwords being entered. One of the reasons Microsoft executives gave internally in 2011 for not issuing explicit warnings was their fear of angering the Chinese government, two people familiar with the discussions said. Microsoft’s statement did -not- address the specific positions advocated by Smith and Charney. A person familiar with the executives’ thinking said that fear of Chinese reprisals did play a role given the company's concerns about the potential impact on customers. Microsoft said the company had believed the password resets would be the fastest way to restore security to the accounts..."
Dec 31, 2015 - "Microsoft Corp said on Wednesday it will begin warning users of its consumer services including Outlook.com email when the company suspects that a government has been trying to hack into their accounts. The policy change comes nine days after Reuters asked the company why it had decided not to tell victims of a hacking campaign, discovered in 2011, that had targeted international leaders of China's Tibetan and Uighur minorities in particular. According to two former employees of Microsoft, the company's own experts had concluded several years ago that Chinese authorities had been behind the campaign but the company did not pass on that information to users of its Hotmail service, which is now called Outlook.com. In its statement, Microsoft said neither it nor the U.S. government could pinpoint the sources of the hacking attacks and that they didn't come from a single country. The policy shift at the world's largest software company follows similar moves since October by Internet giants Facebook Inc, Twitter Inc and most recently Yahoo Inc. Google Inc pioneered the practice in 2012 and said it now alerts tens of thousands of users every few months. For two years, Microsoft has offered alerts about potential security breaches -without- specifying the likely suspect... Microsoft had told the targets to reset their passwords but did -not- tell them that they had been hacked. Five victims interviewed by Reuters said they had not taken the password reset as an indication of hacking..."
Edited by AplusWebMaster, 31 December 2015 - 12:47 PM.