{"id":753,"date":"2024-05-21T09:28:20","date_gmt":"2024-05-21T09:28:20","guid":{"rendered":"https:\/\/isog.xyz\/?p=753"},"modified":"2024-05-21T09:28:20","modified_gmt":"2024-05-21T09:28:20","slug":"google-says-microsoft-cant-be-trusted-after-email-security-blunders","status":"publish","type":"post","link":"https:\/\/isog.xyz\/?p=753","title":{"rendered":"Google says Microsoft cannot be trusted after email security blunders"},"content":{"rendered":"<div id=\"article-body\">\n<p>Google has published a paper directly challenging Microsoft over a series of security flaws in recent months, showing that businesses and public sector organizations need a more secure alternative. <\/p>\n<p>The tech giant looks to take advantage of what has been a tough year for Microsoft from a security perspective, after the company suffered a litany of high-profile security flaws affecting its enterprise solutions.<\/p>\n<p>The article criticizes Microsoft for the &#8220;inadequate security culture&#8221; identified in a study by the US Cyber Security Review Board (CSRB), aiming to present itself as the enterprise option with a culture that prioritizes security.<\/p>\n<p>The CSRB report focused specifically on the Microsoft Exchange Online Breach in summer 2023, in which China-affiliated threat actors known as Storm-0558 were able to gain access to the email accounts of top US government officials.<\/p>\n<p>The attack was carried out using a stolen signature key that allowed \u201cStorm-0558 to gain full access to virtually any Exchange Online account anywhere in the world.\u201d<\/p>\n<p>US lawmakers described a \u201ccascade of security failures\u201d that led to the incident, which taken together \u201cpoint to a failure of Microsoft&#8217;s organizational controls and governance, and of its corporate culture around security.\u201d<\/p>\n<p>Google also pointed to 
another cyber incident that occurred just a few months later, in which a Russia-linked threat group \u2013 Midnight Blizzard \u2013 compromised a range of Microsoft corporate email accounts, including those of senior leaders, as well as their security and legal teams.<\/p>\n<p>It highlighted the fact that Microsoft stated that the attack was still ongoing five months after the initial breach, citing the tech company&#8217;s own security update that gave no timeline for resolving the incident. 
<\/p>\n<h2 id=\"google-smells-blood-in-the-water-3\">Google smells blood in the water<\/h2>\n<p>In terms of specific criticism of Microsoft&#8217;s actions, the CSRB report was particularly scathing about the company&#8217;s inability to provide details on how exactly the group was able to infiltrate its systems and gain access to this &#8220;master key.&#8221;<\/p>\n<p>Google showed that it had no qualms about attacking Microsoft in a similar manner, questioning whether Microsoft could ensure that these types of incidents don&#8217;t happen again if it still doesn&#8217;t know how Storm-0558 obtained the affected MSA key from 2016.<\/p>\n<p>It also raised the report&#8217;s other two major criticisms: Microsoft&#8217;s failure to prioritize security and risk management, with the report describing the company&#8217;s security culture as &#8216;inadequate&#8217;, and its inability to correct inaccurate public statements.<\/p>\n<p>Microsoft appeared to have made a \u201cdecision not to timely correct its inaccurate public statements about this incident,\u201d only noting after repeated questions from the Board of Directors that it planned to make a correction.<\/p>\n<p>Google contrasted this with its own response to a major cyber attack, Operation Aurora, carried out in 2009 by a state-affiliated threat actor, where it was the only company to confirm that it had been the victim of a cyber attack and disclose to the public that certain Gmail accounts had been hacked.<\/p>\n<p>\u201cWhile no organization is immune from being targeted by highly sophisticated adversaries, there is a clear pattern of evidence indicating that Microsoft is failing to keep their systems, and therefore their customers&#8217; data, secure,\u201d Google said. 
<\/p>\n<h2 id=\"google-says-it-should-be-the-trusted-security-partner-3\">Google says it should be the trusted security partner<\/h2>\n<p>Google argued that it has already learned lessons from this event, such as being more transparent around security incidents, as well as some basic do&#8217;s and don&#8217;ts regarding its security architecture.<\/p>\n<p>The primary purpose of the article is to make a case for Google&#8217;s own business productivity suite, Workspace, which the company claims offers a fundamentally different and more secure approach than Microsoft&#8217;s.<\/p>\n<p>\u201cWe believe Google Workspace is a more secure alternative, with a proven track record of technical excellence, deep investments in advanced defenses, and a transparent culture that views providing security for our customers as a profound responsibility,\u201d the company said.<\/p>\n<p>The tech giant launched its Secure Alternative Program on May 20, 2024 alongside this document, which will offer organizations that make the switch discounted rates on its Google Workspace Enterprise Plus package and on its Mandiant incident response service.<\/p>\n<p>This appears to be a direct challenge to Microsoft&#8217;s Secure Future Initiative, which Microsoft initially unveiled in November 2023.<\/p>\n<p>Microsoft outlined plans to overhaul its security practices in the wake of the email security breach.<\/p>\n<p><em>ITPro<\/em> has reached out to Microsoft for comment.<\/p>\n<\/div>\n","protected":false},
"excerpt":{"rendered":"<p>Google has published a paper directly challenging Microsoft over a series of security flaws in recent months, showing that businesses [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":754,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[409,407,338,335,408,406],"class_list":["post-753","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-blunders","tag-email","tag-google","tag-microsoft","tag-security","tag-trusted"],"_links":{"self":[{"href":"https:\/\/isog.xyz\/index.php?rest_route=\/wp\/v2\/posts\/753","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/isog.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/isog.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/isog.xyz\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/isog.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=753"}],"version-history":[{"count":0,"href":"https:\/\/isog.xyz\/index.php?rest_route=\/wp\/v2\/posts\/753\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/isog.xyz\/index.php?rest_route=\/wp\/v2\/media\/754"}],"wp:attachment":[{"href":"https:\/\/isog.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=753"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/isog.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=753"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/isog.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}