Microsoft security failings, NIST NVD backlog, Chrome DBSC beta
Report criticizes Microsoft’s Chinese hack response
The Washington Post obtained early access to a report from the Cyber Safety Review Board on the breach of Microsoft Exchange Online by Chinese threat actors. We’ve covered the specifics of the attack previously, so I’ll skip them here. The report concluded the attack “should never have occurred” and found Microsoft’s “security culture was inadequate and requires an overhaul.” The board chided Microsoft’s inconsistent public messaging, which lagged for months with inaccurate statements attributing the attack to a “crash dump,” with public statements only updated on March 12th. The report found Microsoft still remains unsure what led to the breach. It also found failures in Microsoft’s key rotation system, in maintaining signing keys that operated across both business and consumer networks, and in employee offboarding.
(WaPo)
NIST needs help with vulnerability backlog
Back in February, the National Institute of Standards and Technology, NIST, admitted to delays in updating the National Vulnerability Database (NVD). Now the agency says it needs additional resources to clear the backlog. For now, NIST will prioritize analysis of the most significant vulnerabilities and work with agency partners to bring on more support. As part of a longer-term solution, NIST will investigate forming “a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.”
(Dark Reading, NIST)
Chrome tests feature to prevent session hijacking
Google began a test of a new Chrome feature called Device Bound Session Credentials, or DBSC, on some Beta versions of the browser. The idea is that this feature cryptographically binds an authentication session to a device. This would defeat session hijacking techniques where threat actors use infostealers and other malware to steal cookies and bypass MFA. DBSC requires storing a key pair on a Trusted Platform Module, with the browser given access to that hardware. Google plans to expand trials of DBSC and potentially make it an open standard.
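As an added illustration of the binding idea (example code written for this page, not Chrome’s or Google’s code and not the DBSC protocol itself): a toy Go session store that only refreshes a session when the holder proves possession of the key registered at login, so a copied cookie on its own is useless. The ed25519 key stands in for the TPM-resident key pair the item mentions; the session IDs, nonce handling and function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// BoundSession is the server's record of a session tied to one device key; the
// private half never leaves the device (DBSC keeps it in the TPM).
type BoundSession struct {
	Device ed25519.PublicKey
	Nonce  []byte // outstanding challenge, replaced after every successful refresh
}

// Server is a toy session store (hypothetical, not Chrome's or Google's code).
type Server struct{ sessions map[string]*BoundSession }

func NewServer() *Server { return &Server{sessions: map[string]*BoundSession{}} }

// Register binds a session ID to the device public key and issues the first
// challenge the device must sign before the session may be refreshed.
func (s *Server) Register(id string, pub ed25519.PublicKey) []byte {
	sess := &BoundSession{Device: pub, Nonce: newNonce()}
	s.sessions[id] = sess
	return sess.Nonce
}

// Refresh is the proof-of-possession step: a signature over the current nonce
// by the bound private key. A copied cookie alone (the infostealer case) cannot
// produce it, and the nonce is single-use, so a captured signature cannot be replayed.
func (s *Server) Refresh(id string, sig []byte) ([]byte, error) {
	sess, ok := s.sessions[id]
	if !ok {
		return nil, errors.New("unknown session")
	}
	if !ed25519.Verify(sess.Device, sess.Nonce, sig) {
		return nil, errors.New("device proof failed: session not refreshed")
	}
	sess.Nonce = newNonce()
	return sess.Nonce, nil
}

func newNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}
```

A real deployment would also expire the session when refreshes stop arriving, which is what turns a stolen cookie into a short-lived one.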
Microsoft announces quantum error correction breakthrough
The current state of quantum computing is typically described as Noisy Intermediate-Scale Quantum (NISQ) machines: machines limited to a few thousand qubits that lose accuracy due to small environmental changes. Researchers at Microsoft and Quantinuum claim an advance that moves the industry beyond that state, using ion-trap hardware and a qubit-virtualization system to run over 14,000 tests without errors. The technique combined 30 physical qubits into four reliable logical qubits. Logical qubits aren’t new, but this result still marks a big leap in qubit accuracy. Microsoft said machines with 100 logical qubits could be relevant to some applications, while 1,000-qubit machines would “unlock commercial advantage.”
(TechCrunch)
Huge thanks to our sponsor, Vanta
FCC set to vote on net neutrality
Back in July 2021, President Biden signed an executive order encouraging the Federal Communications Commission to reinstate net neutrality rules initially adopted under President Obama but repealed in 2017. Now the FCC has confirmed it will vote on April 25th to reclassify broadband providers from information services to common carriers. The delay in the vote largely came from the delay in confirming a fifth FCC commissioner, with the commission locked in a 2-2 partisan stalemate. The Senate confirmed FCC commissioner Anna Gomez on September 7th.
(Reuters)
Researchers jailbreak AI ethics
Researchers from the AI startup Anthropic published a paper on an approach to getting around AI safeguards called “many-shot jailbreaking.” The researchers found that the larger context window of LLMs, essentially the amount of data they can hold in a prompt, results in models performing better at answering questions. Essentially, the more context provided, the better they did. However, this also applied to answering inappropriate questions. As an example, asking a model to build a bomb will always get a hard no, but asking it 99 other innocuous questions first and then asking it to make a bomb has a higher chance of success. Anthropic shared its research with competitors, although at this point the only mitigation seems to be reducing the context window.
(TechCrunch)
Opera adds local LLM support
The makers of the Opera browser announced support for running LLMs locally, initially coming to Opera One users opting into developer updates. Users can select from over 150 models, including Meta’s Llama and Gemma from Google. All models will initially run on the Ollama open source framework, although Opera hopes to expand sources over time. Each model takes at least 2 gigabytes of storage, and the company isn’t optimizing downloads to save space.
(TechCrunch)
Microsoft announces Windows 10 security update pricing
Windows Extended Security Updates, or ESU, are nothing new in the enterprise. But for the first time Microsoft will offer ESU to consumers on Windows 10. That OS goes out of support on October 14, 2025. The first year of updates costs $61, doubling annually for the next two years. Buying in after the first year will also require retroactively paying the year one fee. Businesses using Intune or Windows Autopatch can purchase ESU at a 25% discount. Microsoft characterized the ESU program as a bridge to switching to Windows 11, rather than a long-term solution.
(The Verge)