Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account (threatpost.com)
Reader msm1267 writes: A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to have access to any account and data, including emails and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. "The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote -- depending on what the company has paid for in terms of licensing)," Kakavas and Bratec told Threatpost via email. "And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents etc.)." Office 365 users who had configured domains as federated were affected. The list includes British Airways, Microsoft, Vodafone, Verizon and many others, as mentioned in a report published late Wednesday.
Why the fuck is it so complicated?! (Score:2, Insightful)
Why the fuck are these authentication/authorization systems so goddamn complex?! Anyone who has worked with PAM or Kerberos or OAuth will know what I'm talking about. This is the kind of stuff that needs to be extremely simple so that it's easily understood, easily implemented, and easily verified. But what we end up with are terribly complex systems that end up being difficult for anyone to get a good grasp of, and this results in all kinds of problems.
Re: (Score:2)
Re: (Score:2)
You kids and your need to give old things new names. We simply called that "Vaporware".
Re:Why the fuck is it so complicated?! (Score:4, Insightful)
Design by committee.
An attempt to cover all cases in one protocol = one bad protocol.
This complexity is part of the problem of not getting more secure systems. Because the business makers ask if this or that has the feature that the other has. And if you say "No, it doesn't," it gets nixed. Even if you never ever use such a feature.
Re: (Score:2)
Re: (Score:2)
The NSA put a lot of effort into undermining open security standards, having people turn up and propose things that make it more complex, leading to inevitable security holes. I've worked in standards and seen it in action myself, with individuals who never deviate from proposing things that work against simplicity or ease of implementation, or sound algorithm choices "But what about all the legacy devices that only support RC4? Here's take this cipher suite negotiation mechanism that's guaranteed to ensure
Re: (Score:3)
"I can point to events in the last 6 months"
please do
This is only the beginning.. (Score:5, Interesting)
Convenience and security are always opposed. Having all your eggs in one basket sure is convenient but Office365 covers a wide variety of services in complex configurations and this sort of thing is bound to happen. It will happen to all of these big services (iCloud, Google, AWS etc.) if it hasn't already.
A simple configuration mistake can also be amplified into a very big problem.
And I say that as someone who thinks Office365 is helpful for my business.
Humans are the worst :) (Score:4, Insightful)
Convenience and security are always opposed.
No, not really... Because if it's not convenient then people are going to have stupid passwords, and they are going to write the passwords down in a text file and sync it over dropbox :)
:)
Humans are the worst security risk... If you can't eliminate the humans, your best bet is to make it as convenient as possible for them.
We all know how to send emails safely with GPG, but unless it's very very secret we never do this, because it's inconvenient.
The best thing we can do for security is making it convenient to do the right thing.
In the end, it's not the zero-day software issues that are going to get you... Most of the time, it's those pesky humans that will make a mistake.
When talking security of systems I'm building, I always enjoy joking about how I am the biggest security threat, he he... If only I was joking.
Re: (Score:2)
The best method is to write passwords on a post-it note attached to your monitor. Hackers will never be able to read those.
Re: (Score:2)
The best method is to write passwords on a post-it note attached to your monitor. Hackers will never be able to read those.
For best security attach the note to a 120 inch monitor:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Dogfood (Score:1)
The list includes..Microsoft...
That's really strange. Microsoft, of all companies, should know how buggy and insecure Microsoft products are.
SAML and Federation (Score:2, Flamebait)
Oh look, the federated model fails yet again.
Can the "single sign on" zealots be tarred and feathered yet?
"But federation works if you know what you're doing!" Sure, it (mostly) works IF there are people who know what they're doing and IF you pay them to do it and IF this is true at the end of both providers and IF you keep paying them to maintain it.
SAML is sketchy... (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
I disagree. Having one account (with unique credentials) per service is more secure. Any fuckups are limited to the scope of that service.
For a federated model, you have to trust the implementation of the IdP and the SP. Fuckups on the SP end (usually) don't result in major problems, but fuckups on the IdP end are a spectacle for the ages.
Re: (Score:2)
This one is completely on the SP. Since the largest SAML implementations are all single SP with many IDPs like this one, an IDP fuckup is the lesser problem.
Re: (Score:1)
SAML isn't even remotely complicated.
IdP = identity provider (your company)
SP = service provider (microsoft in this case)
you go to microsoft and try to log in, as joe@acme.com they see if you have a cookie because you are already authenticated and you don't, so they say "well, need to auth this guy, ok, acme.com is federated to federation.acme.com/o365/", so they send you a 302 to redirect you to federation.acme.com/o365 (which can be some other url, it is just unique per SP since your idp probably has lots
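The flow in the comment above, as an added example that is not code from the thread or from Microsoft: a small SP-side registry mapping each federated domain to its IdP, used once to build the 302 redirect and again, when the assertion comes back, to check that the issuing IdP is the one federated for that user's domain. Domain names and URLs are constructed placeholders.

```python
# Added example: minimal SP-side federation registry. The same domain -> IdP
# mapping drives the redirect and is consulted again on the way back, so an
# IdP federated for one domain cannot assert a user belonging to another.
from typing import Optional
from urllib.parse import urlencode

# Constructed sample: which IdP endpoint each federated domain trusts.
FEDERATION = {
    "acme.com": "https://federation.acme.com/o365/",
    "example.org": "https://sso.example.org/saml/",
}


def _domain(email: str) -> str:
    """Extract the domain part of an email address, normalised to lower case."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def start_login(email: str, relay_state: str = "/") -> Optional[str]:
    """Return the 302 Location for a federated user, or None if the SP
    should authenticate the user itself (domain not federated)."""
    idp = FEDERATION.get(_domain(email))
    if idp is None:
        return None
    return idp + "?" + urlencode({"RelayState": relay_state})


def validate_assertion(issuer: str, subject_email: str) -> bool:
    """SP-side check run after the assertion's XML signature has been verified.

    The signature proves *which* IdP spoke; this check decides whether that
    IdP is allowed to speak for *this* user. An assertion for a user in a
    domain the issuer is not federated for is rejected, as is an assertion
    from an unknown issuer.
    """
    expected = FEDERATION.get(_domain(subject_email))
    return expected is not None and issuer == expected
```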
Re: (Score:2)
So simple one of the largest IdPs fucked it up royally.
If Microsoft builds a self-driving car (Score:4, Funny)
Re: (Score:1)
We all know how Microsoft doesn't follow industry standards now. The cars won't even follow standard laws; for example, they will drive on the opposite side of the road because Microsoft thinks it knows what's best.
Re: (Score:1)
If Microsoft builds a self-driving car, it will hunt you down until you "upgrade" to one.
Executives (Score:3)
Well, duh (Score:2)
Friends don't let friends use online applications to do offline jobs like text processing. Standalone office applications have no account hacking problems.
Re: (Score:2)
Really?
https://www.google.ca/search?q... [google.ca]
Re: (Score:2)
There's no such thing as an Office 365 install. It's web only. Are you sure you're not confusing it with Microsoft Office 201*?
Re: (Score:2)
But IT'S SO FLUFFY!!!!!
That's what the 'Cloud' is for (Score:2)
To quote from my boss... (Score:1)
"If Microsoft builds a vacuum cleaner it will be the only MS product that wouldn't suck" :)
Keep it off the cloud. (Score:4, Insightful)
Honestly any business using the "cloud" is utterly insane. Quit being cheapskates and buy servers and software, hire an IT person at high 5 figures and take it out of the CEO's pay.
Honestly you have to be insane to trust all your business's secrets to a freaking cloud service.
Re: (Score:1)
Agreed - I've been saying this for years and will continue to say this.
Re: (Score:2)
Honestly any business using the "cloud" is utterly insane. Quit being cheapskates and buy servers and software, hire an IT person at high 5 figures and take it out of the CEO's pay.
Honestly you have to be insane to trust all your business's secrets to a freaking cloud service.
Thus the rise of the 'hybrid cloud'.
In other news... (Score:2)
MS reiterates the private data they're stealing from Win 10 machines is perfectly safe and professionally stored on secure servers.
Typical. (Score:1)