Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Businesses Microsoft

Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account (threatpost.com) 59

Reader msm1267 writes: A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to have access to any account and data, including emails and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. "The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote -- depending on what the company has paid for in terms of licensing)," Kakavas and Bratec told Threatpost via email. "And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents etc. )." Office 365 users who had configured domains as federated were affected. The list includes British Airways, Microsoft, Vodafone, Verizon and many others, as mentioned in a report published late Wednesday.
This discussion has been archived. No new comments can be posted.

Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account

Comments Filter:
  • by Anonymous Coward

    Why the fuck are these authentication/authorization systems so goddamn complex?! Anyone who has worked with PAM or Kerberos or OAuth will know what I'm talking about. This is the kind of stuff that needs to be extremely simple so that it's easily understand, easily implemented, and easily verified. But what we end up with are terribly complex systems that end up being difficult for anyone to get a good grasp of, and this results in all kinds of problems.

    • Because every company wants to have their own internal authentication system integrated with your service. That's assuming they want to use your service, of course.
    • by jellomizer ( 103300 ) on Thursday April 28, 2016 @02:26PM (#52007805)

      Design by committee.
      An attempt to cover all cases in one protocol = one bad protocol.

      This complexity is part of the problem of not getting more secure systems. Because the business makers ask if this or that has the feature that the other has. And you will say No it doesn't it gets nixed. Even if you never ever use such feature.

    • Well anyone who's worked with PAM or Kerberos would understand why Federated Services are pretty much required. Or are you ok with trusting every domain you want your company to interact with?
    • The NSA put a lot of effort into undermining open security standards, having people turn up and propose things that make it more complex, leading to inevitable security holes. I've worked in standards and seen it in action myself, with individuals who never deviate from proposing things that work against simplicity or ease of implementation, or sound algorithm choices "But what about all the legacy devices that only support RC4? Here's take this cipher suite negotiation mechanism that's guaranteed to ensure

  • by bravecanadian ( 638315 ) on Thursday April 28, 2016 @01:27PM (#52007283)

    Convenience and security are always opposed. Having all your eggs in one basket sure is convenient but Office365 covers a wide variety of services in complex configurations and this sort of thing is bound to happen. It will happen to all of these big services (iCloud, Google, AWS etc.) if it hasn't already.

    A simple configuration mistake can also be amplified into a very big problem.

    And I say that as someone who thinks Office365 is helpful for my business.

    • by jopsen ( 885607 ) <jopsen@gmail.com> on Thursday April 28, 2016 @02:08PM (#52007667) Homepage

      Convenience and security are always opposed.

      No, not really... Because if it's not convenient then people are going to have stupid passwords, and they are going to write the passwords down in a text file and sync it over dropbox :)

      Humans are the worst security risk... If you can't eliminate the humans, your best bet is to make it as convenient as possible for them.

      We all know how to send emails safely with GPG, but unless it's very very secret we never do this, because it's inconvenient.
      The best thing we can do for security is making it convenient and to do the right thing..

      In the end, it's not the zero day software issues that's going to get you... Most of the time, it's those pesky humans that will make a mistake :)
      When talking security of systems I'm building, I always enjoy joking about how I am the biggest security threat, he he... If only I was joking.

      • If it's not convenient then people are going to have stupid passwords, and they are going to write the passwords down in a text file and sync it over dropbox.

        The best method is to write passwords on a post-it note attached to your monitor. Hackers will never be able to read those.

        • by dbIII ( 701233 )

          If it's not convenient then people are going to have stupid passwords, and they are going to write the passwords down in a text file and sync it over dropbox.

          The best method is to write passwords on a post-it note attached to your monitor. Hackers will never be able to read those.

          For best security attach the note to a 120 inch monitor:
          https://en.wikipedia.org/wiki/... [wikipedia.org]

    • by Anonymous Coward

      The list includes..Microsoft...

      That's really strange. Microsoft, of all companies, should know how buggy and insecure Microsoft products are.

  • Oh look, the federated model fails yet again.
    Can the "single sign on" zealots be tarred and feathered yet?

    "But federation works if you know what you're doing!" Sure, it (mostly) works IF there are people who know what they're doing and IF you pay them to do it and IF this is true at the end of both providers and IF you keep paying them to maintain it.

    • SAML is so overly complicated it crazy... Of course it's full of security issues like this... Give it a few years and someone might finally do a simple spec...
    • How is that different than any other authentication system? I think you are misunderstanding what happened and the implications. Not everyone leverages office 365. TONS of companies have implemented Federation Services. They are not the same thing.
    • Still beats having separate passwords (and account management) for external services. As we've seen countless times, even simple user/pass logon systems are compromised thanks to sloppy configuration.
      • I disagree. Having one account (with unique credentials) per service is more secure. Any fuckups are limited to the scope of that service.
        For a federated model, you have to trust the implementation of the IdP and the SP. Fuckups on the SP end (usually) don't result in major problems, but fuckups on the IdP end are a spectacle for the ages.

        • by LDAPMAN ( 930041 )

          This one is completely on the SP. Since the largest SAML implementations are all single SP with many IDPs like this one, an IDP fuckup is the lesser problem.

    • by Anonymous Coward

      SAML isn't even remotely complicated.

      IdP = identity provider (your company)
      SP = service provider (microsoft in this case)

      you go to microsoft and try to log in, as joe@acme.comthey see if you have a cookie because you are already authenticated and you don't, so they say "well, need to auth this guy, ok, acme.com is federated to federation.acme.com/o365/", so they send you a 302 to redirect you to federation.acme.com/0365 (which can be some otehr url, it is just unique per SP since your idp probably has lots

  • by phantomfive ( 622387 ) on Thursday April 28, 2016 @01:28PM (#52007301) Journal
    If Microsoft builds a self-driving car, I will leave the road for a few years until they all crash. At a minimum until version 3.11.
    • by Krojack ( 575051 )

      We all know how Microsoft doesn't follow industry standards now. The cars won't even follow the standard laws such as, they will drive on the opposite side of the road because Microsoft thinks it knows whats best.

    • by Anonymous Coward

      If Microsoft builds a self-driving car, it will hunt you down until you "upgrade" to one.

  • by 110010001000 ( 697113 ) on Thursday April 28, 2016 @01:44PM (#52007433) Homepage Journal
    The executives in charge of Office 365 were sacked immediately. No wait, they were given bonuses. Never mind.
  • Friends don't let friends use online applications to do offline jobs like text processing. Standalone office applications have no account hacking problems.

  • To rain on your security.
  • by Anonymous Coward

    "If Microsoft builds a vacuum cleaner it will be the only MS product that wouldn't suck" :)

  • by Lumpy ( 12016 ) on Thursday April 28, 2016 @05:03PM (#52009145) Homepage

    Honestly any business using the "cloud" is utterly insane. Quit being cheapskates and buy servers and software, hire an IT person at high 5 figures and take it out of the CEO's pay.

    Honestly you have to be insane to trust all your businesses secrets to a freaking cloud service.

    • Agreed - I've been saying this for years and will continue to say this.

    • Honestly any business using the "cloud" is utterly insane. Quit being cheapskates and buy servers and software, hire an IT person at high 5 figures and take it out of the CEO's pay.

      Honestly you have to be insane to trust all your businesses secrets to a freaking cloud service.

      Thus the rise of the 'hybrid cloud'.

  • MS reiterates the private data they're stealing from Win 10 machines is perfectly safe and professionally stored on secure servers.

  • I am hearing a lot of snark here about a problem that was fixed about seven hours after it was properly and privately disclosed early in January --- and not much said about it publicly until the last week of April.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...