Microsoft and Windows TCO
-
Aptos, Microsoft’s New Default Font for Office Documents
The kerning is rather awful in all of these PDF specimens, at times jarringly so. I suspect, or at least hope, the problem is with the web version of Word (which I presume has its own text rendering engine), not the fonts themselves. Look, for example, at the words milliner and Uncle (which looks like “Unde” in some of them) in the sample text. If these fonts were available for download, I’d have typeset the specimens using better software, but they’re not, so I can’t. I suppose I could fish out the web fonts used by Microsoft 365, but this whole endeavor has consumed enough of my time as it is.
-
OpenAI Trust and Security Lead resigns
OpenAI has suffered severe staff losses. Dave Willner, an industry veteran who has led the AI Trust and Security team for the past year and a half, has announced that he is leaving the company and moving into a consulting role. He plans to spend more time with his family. His departure comes at a critical time for AI as questions arise around the world about how to regulate AI and how to minimize its potentially harmful impact.
-
Microsoft Cloud [Breach] Exposed More Than Exchange, Outlook Emails
Researchers at cloud security startup Wiz have an urgent warning for organizations running Microsoft’s M365 platform: That stolen Microsoft Azure AD enterprise signing key gave Chinese [attackers] access to data beyond Exchange Online and Outlook.com.
“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive,” Wiz researcher Shir Tamari said in a document posted online.
-
Stolen Microsoft key may have opened up a lot more than US govt email inboxes
Incredible as it sounds, and it really does deserve wider coverage, someone somehow obtained one of Microsoft's internal private cryptographic keys used to digitally sign access tokens for its online services. With that key, the snoops were able to craft tokens to grant them access to Microsoft customers' email systems and, crucially, sign those access tokens as the Windows giant to make it look as though they were legitimately issued.
With those golden tokens in hand, the snoops – believed to be based in China – were able to log into Microsoft cloud email accounts used by US government officials, including US Commerce Secretary Gina Raimondo. The cyber-trespassing was picked up by a federal government agency, which raised the alarm.
-
That Chinese attack on Microsoft’s Azure cloud? It’s worse than it first looked
Well, almost. The original reports of the breach centered on a set of compromised encryption keys for Microsoft’s Exchange online email services. But Microsoft’s latest blog post still doesn’t completely connect all the dots of what happened. That has led some reporters, such as Andy Greenberg of Wired magazine, to speculate on several scenarios on how the keys were stolen or mishandled.
“The threat actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw,” the new report from Wiz says, though it has since been fixed. These tokens were used to access emails from Outlook Web Access and Outlook.com services.
However, the report from Wiz goes further. “The compromised signing key was more powerful than it may have seemed and was not limited to just those two services,” Wiz reports. It found this key could be used to obtain access to a variety of services that use Azure Active Directory or AAD for authentication using the “login with Microsoft” sequence.
-
The FBI’s Cynthia Kaiser on how the bureau fights ransomware
Ransomware is obviously a significant threat, and it has been for the last several years. Now, we know that ransomware actors don’t care who they target. In fact, they’re looking to target entities that have little tolerance for downtime. So that includes hospitals or just critical infrastructure entities. If they think you can’t live without your networks or you can’t operate without your networks, they’re going to go after you. And I think that’s what makes it so insidious and difficult: they’re just constantly targeting. There are new variants all the time. There are new actors, affiliates going between the different variants, which makes it a really difficult ecosystem. As we get into talking about what the FBI is doing about it, it’s that ecosystem concept that we really need to think about. It’s not just a person developing something and then deploying it. It’s a lot of different people working across variants, working across services, cryptocurrency exchanges, marketplaces. And I think that’s that broader effort among all of the criminals that’s really putting a lot of U.S. networks at risk.