Microsoft’s ‘Gross Cybersecurity Negligence Threatens National Security’
U.S. Senator Ron Wyden accuses Microsoft of enabling frequent ransomware attacks by continuing to support the outdated RC4 encryption technology and shipping insecure default configurations, as in the Kerberoasting technique used in the Ascension hospital incident. Microsoft says it is gradually phasing out RC4 and providing guidance. 2025-9-11 15:58:9 Author: securityboulevard.com

U.S. Senator Ronald L. Wyden (D-Ore.)

“Like an arsonist selling firefighting services,” quips this 76-year-old.

U.S. senator Ron Wyden (pictured) is demanding the FTC do something about Microsoft already. He says Satya’s crew are to blame for some awful ransomware attacks exploiting a vulnerability that’s more than 10 years old.

Known as Kerberoasting, the exploit affects Active Directory installs that aren’t configured to modern specs. In today’s SB Blogwatch, we wonder where to point fingers.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mainstream Failure.

Roasting Redmond for Kerberoasting

What’s the craic? A.J. Vicens reports: Senator Wyden pushes FTC to investigate Microsoft

Trying to provide warnings and guidance
Wyden … requested the Federal Trade Commission … “hold Microsoft responsible” for its role in a string of high-profile cybersecurity incidents in recent years. … Wyden wrote in a September 10 letter to FTC Chairman Andrew Ferguson that [it] resulted in ransomware attacks against critical infrastructure … in part due to default configurations in … Windows.

Wyden said a prime example was the May 2024 ransomware attack on hospital operator Ascension: … A malicious link served up by Microsoft’s Bing search engine … allowed the hackers to gain access to … the organization’s Microsoft Active Directory server. … Microsoft’s support for outdated encryption technology and default configuration settings … allowed for the attack approach, … according to Wyden, and Microsoft has not done enough to educate companies about how to mitigate the threat.

A Microsoft spokesperson said … RC4, the encryption standard referenced by Wyden, is old … and that the company discourages customers from using it: … “Disabling its use completely would break many customer systems,” … and the company is gradually reducing the extent to which customers can use it while trying to provide warnings and guidance on the safest way to use it.

Gradually? Trying? This seems like a weaksauce PR response. Jeffrey Burt keeps a straight face: Wyden Asks FTC to Investigate

Hold Microsoft accountable for the hack
The hackers used the Kerberoasting technique to access privileged accounts on the AD server, [where] bad actors exploit the Kerberos authentication protocol to access service account credentials, giving them wider access into a target’s networks. Wyden blamed Microsoft’s default support of an older and insecure encryption technology, RC4, rather than the more secure AES256 as the key reason the attackers were able to launch their attack.

This isn’t Wyden’s first run-in with Microsoft. The senator in 2023 sent a letter to CISA, the FTC, and the U.S. Attorney General’s Office urging them to hold Microsoft accountable for the hack by a Chinese threat group, Storm-0558, which stole a Microsoft signing key and hacked its way into Microsoft 365 and Exchange Online, … stealing email from government and corporate accounts.
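The RC4-versus-AES point in the quote above is also what gives defenders their signal: a service ticket issued with RC4 (Kerberos encryption type 0x17) is encrypted under the service account's NT hash and so can be brute-forced offline, while AES tickets use slow password-derived keys. Domain controllers log every TGS request as Security event 4769 with the encryption type, so the classic detection is one user pulling RC4 tickets for many different service accounts. The following is an added example, not code from the article or any of the sources it quotes; the function name, the threshold of three services, and the sample events are all my own constructions.

```powershell
# Added example (not from the article): flag Kerberos TGS requests (event 4769)
# that were served with RC4 (etype 0x17). Each RC4-encrypted ticket for a
# human-managed service account can be cracked offline, so one account
# requesting RC4 tickets for several services is the Kerberoasting signature.

function Get-Rc4ServiceTicketRequests {
    param(
        # Objects carrying the 4769 EventData fields used below (see the usage
        # note for building them from the real Security log).
        [Parameter(Mandatory)] [object[]] $Events,
        # Distinct services one account may request with RC4 before it is
        # reported. Assumed threshold; tune it for your environment.
        [int] $Threshold = 3
    )

    $suspect = $Events | Where-Object {
        $_.TicketEncryptionType -eq '0x17' -and   # RC4-HMAC
        $_.Status -eq '0x0' -and                  # ticket was actually issued
        $_.ServiceName -ne 'krbtgt' -and          # TGT renewals are routine
        $_.ServiceName -notlike '*$'              # computer accounts have random 120-char passwords
    }

    $suspect |
        Group-Object TargetUserName |
        ForEach-Object {
            $services = @($_.Group.ServiceName | Sort-Object -Unique)
            if ($services.Count -ge $Threshold) {
                [pscustomobject]@{
                    Requester    = $_.Name
                    SourceIp     = (@($_.Group.IpAddress | Sort-Object -Unique)) -join ','
                    ServiceCount = $services.Count
                    Services     = $services -join ','
                }
            }
        }
}

# Constructed sample events (not real log data). 'jdoe' pulls RC4 tickets for
# four different service accounts; 'asmith' makes one AES request and one
# request for a computer account, and is not reported.
$sampleEvents = @(
    [pscustomobject]@{ TargetUserName='jdoe';   ServiceName='svc-sql01';  TicketEncryptionType='0x17'; Status='0x0'; IpAddress='10.0.0.25' },
    [pscustomobject]@{ TargetUserName='jdoe';   ServiceName='svc-web';    TicketEncryptionType='0x17'; Status='0x0'; IpAddress='10.0.0.25' },
    [pscustomobject]@{ TargetUserName='jdoe';   ServiceName='svc-backup'; TicketEncryptionType='0x17'; Status='0x0'; IpAddress='10.0.0.25' },
    [pscustomobject]@{ TargetUserName='jdoe';   ServiceName='svc-sccm';   TicketEncryptionType='0x17'; Status='0x0'; IpAddress='10.0.0.25' },
    [pscustomobject]@{ TargetUserName='jdoe';   ServiceName='krbtgt';     TicketEncryptionType='0x17'; Status='0x0'; IpAddress='10.0.0.25' },
    [pscustomobject]@{ TargetUserName='asmith'; ServiceName='svc-sql01';  TicketEncryptionType='0x12'; Status='0x0'; IpAddress='10.0.0.31' },
    [pscustomobject]@{ TargetUserName='asmith'; ServiceName='FS01$';      TicketEncryptionType='0x17'; Status='0x0'; IpAddress='10.0.0.31' }
)

# Expected: one row, Requester=jdoe, ServiceCount=4 (krbtgt excluded).
Get-Rc4ServiceTicketRequests -Events $sampleEvents | Format-Table -AutoSize
```

To run this against real data on a domain controller, collect events with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}`, convert each one with its `ToXml()` method and map the `EventData` entries named TargetUserName, ServiceName, TicketEncryptionType, Status and IpAddress onto object properties. The better fix is to stop issuing RC4 tickets at all by setting AES-only encryption types on service accounts, at which point this rule becomes an alert for anything that still requests RC4.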

Horse’s mouth? Sen. Ronald L. Wyden (D-Ore.): Letter to FTC

Microsoft … benefiting from this status quo
Microsoft has a de facto monopoly over the operating systems used by most companies and government agencies. Microsoft chooses the default settings, including the security features that are enabled automatically and the required security settings (e.g., minimum password length). While organizations can change these settings, in practice most do not.

Microsoft Windows is incredibly vulnerable to ransomware infections, because of dangerous software engineering decisions by Microsoft [that] the company has largely hidden. … Hackers exploited a technique called Kerberoasting to gain access to … Ascension’s Microsoft Active Directory server. [It] leverages Microsoft’s continued support … for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts … have for more than a decade warned is dangerous. … Microsoft is clearly not treating Kerberoasting as a serious threat: [It] published … a highly technical blog post on an obscure area of the company’s website [and] took no meaningful steps to publicize [it]. Eleven months later, Microsoft has yet to release that promised security update.

There is one company benefiting from this status quo: Microsoft. [It] has become like an arsonist selling firefighting services to their victims.

Utterly garbage PR aside, is there a case for the defense? EvanAnderson is “a little irritated”:

The mitigations are there, but it takes time for Microsoft’s Customers to move to the new versions. I don’t think that’s Microsoft’s problem. That’s just their market.

I guess one could argue that Microsoft should backport the new code to older products and give it to customers who aren’t … paying for maintenance or subscription licensing. [But] they made the business decision not to.

Would you care for a little nominative determinism? Defenestrar has a strange affinity for windows:

I can’t really blame Microsoft given the level of screaming which would come from their customers for “breaking” their systems by fully deprecating RC4. … Frankly the multi-billion-dollar healthcare company responsible for … patients’ most intimate medical details should have a better … system than, “One person misclicked a button.”

But isn’t that victim blaming? ShanghaiBill calls it something else:

This is the Fox News defense: “It’s not our fault. Because if someone’s stupid enough to trust us, they deserve what they get.”

OK, so Windows still permits RC4. Got it. But it’s actually worse than that, as hotsauceror discovered:

Recently in our environment, we configured a bunch of database service SPNs and immediately all Kerberos auth failed. Rolled it back and talked to our support provider. They said that the expected behavior was to default to AES but that for some reason our environment wasn’t honoring that. We ended up having to manually enable AES support on each service account, which is a minor pain. … And since no one in the IAM team was involved in the original domain setup, no one could explain why this happened or whether there was a manual RC4/DES config lurking out there in the shadows.
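The per-account setting hotsauceror ended up flipping by hand is the `msDS-SupportedEncryptionTypes` attribute: when it is unset, the domain default decides which Kerberos key types the account gets, which is how RC4 keeps turning up on freshly created service accounts. Below is an added example, not the commenter's code and not Microsoft guidance, that reports every user account carrying an SPN together with its encryption-type state and, only when explicitly told to, moves the chosen accounts to AES-only. It assumes the ActiveDirectory RSAT module and rights to read and modify the accounts; the function names, the `-Remediate` switch and the report layout are my own, while the attribute name and bit values are Microsoft's documented ones. One caveat a practitioner needs: an account only has AES keys if its password was set after the domain reached the 2008 functional level, so reset the password of any very old service account before making it AES-only, or authentication to that service will fail.

```powershell
# Added example (not from the thread): audit user accounts that carry an SPN
# (the accounts Kerberoasting targets) for their Kerberos encryption types and
# optionally set them to AES-only. Requires the ActiveDirectory RSAT module.
# Report-only by default; nothing is changed unless -Remediate is passed.

Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (documented by Microsoft).
$EncType = @{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}
$AesOnly = $EncType.AES128 -bor $EncType.AES256   # 0x18 = 24

function Get-SpnAccountEncryptionReport {
    # Assumed optional OU scope; omit to search the whole domain.
    param([string] $SearchBase)

    $query = @{
        Filter     = 'ServicePrincipalName -like "*"'
        Properties = 'msDS-SupportedEncryptionTypes', 'ServicePrincipalName', 'PasswordLastSet'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        $state = if (-not $etypes) {
            'Unset (domain default applies)'
        } elseif ($etypes -band ($EncType.DES_CBC_CRC -bor $EncType.DES_CBC_MD5)) {
            'DES enabled'
        } elseif ($etypes -band $EncType.RC4_HMAC) {
            'RC4 enabled'
        } elseif ($etypes -band $AesOnly) {
            'AES only'
        } else {
            'Unrecognised value'
        }
        [pscustomobject]@{
            Account         = $_.SamAccountName
            EncryptionTypes = $etypes
            State           = $state
            PasswordLastSet = $_.PasswordLastSet   # must post-date AES support in the domain
            SpnCount        = @($_.ServicePrincipalName).Count
        }
    }
}

function Set-SpnAccountAesOnly {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [switch] $Remediate   # my own dry-run guard; without it nothing is written
    )
    foreach ($name in $SamAccountName) {
        if ($Remediate) {
            Set-ADUser -Identity $name -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }
            Write-Output "$name -> AES-only ($AesOnly)"
        } else {
            Write-Output "Would set $name to AES-only ($AesOnly); re-run with -Remediate to apply"
        }
    }
}

# Report every SPN account that still accepts RC4/DES or has no value set.
$report = Get-SpnAccountEncryptionReport
$weak   = @($report | Where-Object State -ne 'AES only')
$weak | Format-Table -AutoSize

# Dry run: lists what would change. Add -Remediate once passwords have been
# checked against the AES-key caveat described above.
if ($weak.Count -gt 0) {
    Set-SpnAccountAesOnly -SamAccountName @($weak.Account)
}
```

Running the report first, and flipping accounts one at a time, is exactly the kind of staged rollout that avoids the "all Kerberos auth failed" moment described above: an account that has only RC4 keys, or a client that cannot do AES, shows up as a failure on one service rather than across the domain.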

What a mess. But a slightly sarcastic Fred Duck quacks thuswise:

No, no. In 2024, they said, “We are making security our top priority at Microsoft, above all else—over all other features.” So that can’t be.

Do you enjoy an opportunity to bash Microsoft? Murdoch5 does:

I like to Microsoft bash as much as the next Unix / Linux loving nerd, but, is this really their fault? It’s possible to deploy containerization security standards on Windows, to make it high security, so, … in this case it appears to be more of a security blunder by the contractor.

The same issue could have happened on Linux, or Unix. It doesn’t really depend on the OS, it’s down to bad practices.

Are you feeling some déjà vu? Give us a Martin Blank look: [You’re fired—Ed.]

Kerberoasting is not new: It’s been around for ten years. I don’t have a whole lot of sympathy for companies that fall prey to it at this point.

Meanwhile, naranha cuts to the chase:

[Active Directory] is a relic of the 90s that should be retired.

And Finally:

Uncanny but fun

Hat tip: bonnie_prince_bob

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Mobilus In Mobili (cc:by-sa; leveled and cropped)

Article source: https://securityboulevard.com/2025/09/ron-wyden-microsoft-kerberoasting-richixbw/?utm_source=rss&utm_medium=rss&utm_campaign=ron-wyden-microsoft-kerberoasting-richixbw