Russian hackers accessed Microsoft's corporate network for a month

A true brute-force attack uses automated tools to guess all possible passwords until the correct input is identified.

A dictionary attack systematically enters every word in a dictionary / word file as a password until the correct input is identified.

A lot of web sites will group these together as the same type but they are completely different methods. The major difference is one generates password attempts on the fly and the other uses a file of predetermined words to try.
I know what the difference is. Hence it's "a type of brute force attack".

It's still brute forcing combinations, but with a more narrow set of parameters. Nobody implied it was a dumb/true version of it. And it would be disingenuous to imply otherwise.
 
I am not sure why you think it is not hard work to steal and why your hard work is worth more than mine. If my only way to get fruit is to steal it from you by working harder than you then Darwin Law of Nature says I am right and will survive and you are wrong and will die - I am fitter than you. The laws of Nature are well above the laws of man.
... as I said, 'civilized'.
That surely does not apply to orcs, and, clearly, is not limited to them either.
 
That is your opinion, not factual statement.
It's not "opinion", it's basic logic.
Part of that is right. The first point isn't very important and would not have stopped the breach nor very much of the access.
Please explain how the TEST account NOT having access to PRODUCTION data (like in any sane environment) would have NOT prevented the breach.
The last point is very much more annoyance than it is an actual security measure. It's also easily hacked/defeated.
Now THAT is an opinion (that has nothing to do with reality). It's just plain wrong. How is a TOTP, ON TOP OF a password NOT more secure than just the password?
The fact that 2FA prompts seem to annoy you doesn't mean they're not preventing attacks.
I hate to seem like I'm defending Microsoft, but you have no idea how those hackers got in. Those hackers are some of the best in the world and "standard" or even "enhanced" security practices likely wouldn't have held them back.
Dude. Password spraying is not a sophisticated attack as you'd like to paint, it's literally the dumbest of the dumbest methods that's out there.

It's not that the hackers were so smart, it's that MS was so extremely, unbelievably ignorant.

And I've already explained that if MS did ANY of those 4 points, these dumb hackers wouldn't have gotten in. MS failed to adhere to the ABSOLUTE BASIC measures that anyone should adhere to. Yet here you are, trying to be the smart contrarian, while you clearly don't have the slightest idea what you're talking about.

Disclaimer: professional information security officer at a self-driving car company.
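
Added example, not part of any post in this thread: the guessing attacks argued about above leave different shapes in sign-in logs. Brute-force and dictionary guessing pile failures onto one account, while password spraying puts a few guesses on each of many accounts and so stays under per-account lockout. The events, addresses, account names and thresholds below are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

def make_events():
    """Constructed sample sign-in events: (time, source IP, account, succeeded)."""
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "test-tenant", "heidi"]
    events = []
    # One guess per account from a single source; the test account accepts it.
    for i, user in enumerate(users):
        events.append((t0 + timedelta(minutes=2 * i), "198.51.100.7", user, user == "test-tenant"))
    # Twelve guesses against one account from another source.
    for i in range(12):
        events.append((t0 + timedelta(seconds=20 * i), "203.0.113.9", "alice", False))
    # A user mistyping a password twice, then signing in.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(minutes=i), "192.0.2.44", "bob", ok))
    return events

def classify(events, window=timedelta(minutes=30),
             spray_accounts=5, spray_max_tries=3, guess_tries=10):
    """Label sources by the shape of their failed sign-ins per time window.

    Fixed windows are a simplification: activity straddling a window
    boundary is split, and a slow or multi-source spray needs longer
    windows and grouping on more than the source address.
    """
    failures = defaultdict(Counter)   # (source, window index) -> failures per account
    successes = defaultdict(set)      # source -> accounts it signed in to
    for ts, src, account, ok in events:
        if ok:
            successes[src].add(account)
        else:
            index = int(ts.timestamp() // window.total_seconds())
            failures[(src, index)][account] += 1
    findings = {}
    for (src, _), per_account in failures.items():
        worst = max(per_account.values())
        if len(per_account) >= spray_accounts and worst <= spray_max_tries:
            pattern = "spray"                    # wide and shallow
        elif worst >= guess_tries:
            pattern = "single-account guessing"  # narrow and deep
        else:
            continue                             # ordinary typos
        # A success from a flagged source is the event to investigate first.
        findings[src] = {"pattern": pattern, "signed_in_as": sorted(successes[src])}
    return findings

if __name__ == "__main__":
    for src, finding in classify(make_events()).items():
        print(src, finding)
```

A per-account failure counter alone flags only the second source here, since the spraying source never exceeds one failure on any account.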
 
"The company also reiterates that the attack wasn't the result of a vulnerability in its products or services,"

This sounds far worse than if it were. If you don't even need a vulnerability to break in, just how secure can the system be?
 
The culprits will all be in somewhere like Russia, Belarus, North Korea, Iran, China etc. So if you find them, what are you going to do about it?
"Western digital security. A concept barely alive. Oscar Goldman: We can rebuild it. We have the technology. We can make it better than it was. Better, stronger, faster."
 
Microsoft is not really a tech company. It is a sales company that sells tech stuff.
That's why the tech from M$ is at best second rate.
Sooo, you gonna use MicroSlop's anti virus??
 
It's not "opinion", it's basic logic.
Logic limited to one person does not qualify as anything other than an opinion.
Please explain how the TEST account NOT having access to PRODUCTION data (like in any sane environment) would have NOT prevented the breach.
Because ANY basic access can be converted into full access using the correct attack methods.
Now THAT is an opinion (that has nothing to do with reality). It's just plain wrong. How is a TOTP, ON TOP OF a password NOT more secure than just the password?
The fact that 2FA prompts seem to annoy you doesn't mean they're not preventing attacks.
No, it's a proven fact. 2FA is a good security measure, it is NOT fool-proof or invulnerable to somewhat easy attacks.
Disclaimer: professional information security officer at a self-driving car company.
My disclaimer: IT admin/security professional with 21 years of experience in PREVENTING breaches. ZERO failures.

You see, you claim to understand this profession. I actually KNOW it.
 