Microsoft Comes Under Blistering Criticism For 'Grossly Irresponsible' Security (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation." The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.

On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a "critical" issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday's disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.

"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank," Yoran wrote. "They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft." He continued: "Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix -- and only for new applications loaded in the service."
In response, Microsoft officials wrote: "We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption." Microsoft went on to say that the initial fix in June "mitigated the issue for the majority of customers" and "no customer action is required."

In a separate email, Yoran responded: "It now appears that it's either fixed, or we are blocked from testing. We don't know the fix, or mitigation, so hard to say if it's truly fixed, or Microsoft put a control in place like a firewall rule or ACL to block us. When we find vulns in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn't happen, so it's a black box, which is also part of the problem. The 'just trust us' lacks credibility when you have the current track record."
  • by OnceWas ( 187243 ) on Thursday August 03, 2023 @08:19PM (#63738500)

    I think Microsoft is fairly used to 'blistering criticism'.

  • by illogicalpremise ( 1720634 ) on Thursday August 03, 2023 @08:26PM (#63738528)

    ... something, something doomed.

    It's scary how many corporations assume Microsoft is good at security when we have 40 years of evidence to the contrary.

    • by StormReaver ( 59959 ) on Thursday August 03, 2023 @09:14PM (#63738640)

      It's not just Microsoft, either. In this case, it's the nature of centrally-hosted Cloud services to be massively insecure.

      All too many people fell for the lie that Cloud service providers are better at keeping your data secure than you are. They're not. They have no incentive to care about your data more than you do. They will pretend that they do, but only long enough to lock you into paying large sums of money indefinitely. Once you're locked in, the truth will be laid bare.

      • by illogicalpremise ( 1720634 ) on Thursday August 03, 2023 @09:24PM (#63738666)

        In my experience the decision isn't "which is more secure", it's "which reduces my personal liability" more. If Microsoft cloud gets hacked you probably won't lose your job.

        It's the modern equivalent of the old saying "Nobody ever got fired for buying IBM" except replace "fired" with "sued" and IBM with "cloud".

      • "The truth will be laid bare"?!?

        Not at all. I expect that they will start to act as a BOFH, as described in so many stories all over the internet. They know they shouldn't. We know they shouldn't. Yet, they will do it, simply because they can. And, of course, now that we, willingly and trustfully, handed over the reins of our wallets to them, they have an economic incentive as well.

        In Dutch, there is a saying: dat is hetzelfde als een kat op het spek binden. Literal translation: that is the same as tying a

      • by coofercat ( 719737 ) on Friday August 04, 2023 @08:55AM (#63739692) Homepage Journal

        You may be right, but I'm not aware of AWS or GCP having any of their customers data being exfiltrated because of something that can't be called "customer configuration error". Not that either of those companies are upstanding pillars of society, but they do seem pretty competent at running servers for people.

        What we do see in abundance is every man and his dog with a web app getting hacked. There's the difference (IMHO) - the "Microsoft Cloud" isn't just a general purpose cloud service (like AWS/GCP), it's also a series of apps (like Exchange, Office, etc) - SaaS, if you like. Those apps have a long and very checkered history, and there I couldn't see how Microsoft would suddenly be able to secure them, when for decades they seemed unable to do so when they used to ship product.

        Either way, trusting Microsoft is always a dangerous move. This just gives me more justification when I tell my clients that "everything you do with Microsoft incurs a cost penalty over and above any other option".

  • "Grossly Irresponsible" pretty much sums up the company as a whole under Nadella.
    • by sjames ( 1099 ) on Thursday August 03, 2023 @08:51PM (#63738584) Homepage Journal

      MS's entire history from day 1, more like. It wasn't much of an issue when it was MSDOS running on un-networked PCs in the '80's, but when networking and then the Internet became common, MS never adapted.

      Hell, MS is still behind the curve for multi-user.

      • It wasn't much of an issue when it was MSDOS running on un-networked PCs in the '80's

        The 1986 Brain virus would like to have a word with you, as would 1987's Stoned virus.

        It was a huge issue back then.

        • by sjames ( 1099 )

          Brain didn't get around much and Stoned didn't reach most of the world until the '90s. By today's standards, they were almost benign.

        • There is a youtube channel where a guy takes DOS and early windows virii, then executes them on win 10/11 to see what gets stopped.

          The results are simply shocking.

      • For the record, win95 had afterdark 3.0 locking the pc once the screensaver activated. Msdos, I don't remember. I think we just got up and walked away without locking. So there is progress.
  • it's a feature, not a bug...
  • Hey, I wouldn't be surprised if Microsoft was actually negligent here.

    But when a national government is after you and tries to break your security, with enough money and time, they are *going* to get in, I don't care who you are or how well your systems are guarded.

    • by gweihir ( 88907 )

      Nope. They do not. What MS does is they make it _easy_. State actors are not magic and it is not a question of just throwing more money at the problem.

      • You're right, state actors are not magic. What they do have is very deep pockets. It takes money, and lots of it, to breach a secure system. With enough money and persistence, there is no kind of security, physical or digital, that will hold up.

        I challenge you to produce actual evidence of the "easy" with which Microsoft's services can be breached. If it's so easy, YOU try it! Good luck!

        • by gweihir ( 88907 )

          With enough money and persistence, there is no kind of security, physical or digital, that will hold up.

          While true, this is irrelevant. Just set the amount of money needed to "more than available under any circumstances" and the claim becomes true, because "A implies B" is a true claim when A is false. The fundamental problem is that you ignore all other relevant aspects, like time, attacker skill, defender reaction, etc. You know, what experts call "the real world" and what amateurs consistently ignore because it does not support their flawed view of things.

          And your "challenge" just shows you are clueless, n

    • ...with enough money and time, they are *going* to get in....

      For the sake of argument, let's assume that's true. It's still better for us if they have to target millions of disparate systems rather than one centralized system.

      • I would argue that it's not actually a centralized system, but millions of separately-managed systems. The Chinese in this incident did not attack the central system, they attacked individual accounts. This is an indication that it was easier to attack each account, than any "central" system.

  • by gweihir ( 88907 ) on Friday August 04, 2023 @12:09AM (#63739028)

    Their products are just about good enough to sell, but are not really fit for any other purpose. Hence while accurate, the criticism from the story is neither new nor surprising.

    • Well put!

      I sometimes get asked about my appreciation of open source software, usually by the name of Linux (you don't use Windows? You're an Apple user then? What, you use amateur stuff?), and I typically explain that Microsoft Windows is coded to make money, whereas the "amateur stuff" is coded for functionality and made to be used by anyone, and be maintained, enhanced and debugged by any expert users. Smart people tend to get it, even if they're not technically inclined.

  • That is why we (my workplace) do everything on-prem and don't use "the cloud".

    The best defense is to unplug entirely but it will be hard to do that completely.

    At home I also backup my critical stuff to bd-rw. I have a HDD snapshot script that snapshots my home directory to a HDD using rsync and hardlinks. Then I burn the latest snapshot to bd-rw as an airgapped and immutable (well not easily) copy, just in case the ransomware finds its way in.

    I personally do upload parts of my archival data to the cloud,
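The snapshot scheme described in the comment above (a fresh directory per run, with files unchanged since the previous snapshot hard-linked instead of copied, which is what `rsync --link-dest` does) can be shown in a few dozen lines. The block below is an added illustration and is not the commenter's script; it reimplements the hard-link mechanism in Python rather than calling rsync, builds a small constructed home directory in a temporary folder, takes two snapshots, overwrites the live file, and then shows the caveat the commenter hints at with "well not easily": because all snapshots of an unchanged file share one inode, writing through that inode in one snapshot silently changes the others, which is why an offline copy on write-once media still matters. All paths and file contents are constructed for the demo.

```python
import filecmp
import os
import shutil
import tempfile
from typing import Dict, Optional


def snapshot(source: str, snapshots_root: str, name: str,
             previous: Optional[str]) -> Dict[str, int]:
    """Copy `source` into snapshots_root/name.

    A file whose content is byte-identical to the same path in `previous`
    is hard-linked to that copy instead of being written again (the idea
    behind rsync --link-dest).  Returns how many files were linked/copied.
    """
    dest = os.path.join(snapshots_root, name)
    stats = {"linked": 0, "copied": 0}
    for dirpath, _dirnames, filenames in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        out_dir = dest if rel == "." else os.path.join(dest, rel)
        os.makedirs(out_dir, exist_ok=True)
        for fn in filenames:
            src = os.path.join(dirpath, fn)
            out = os.path.join(out_dir, fn)
            prev = os.path.join(previous, rel, fn) if previous else None
            # shallow=False compares contents, not just size/mtime.
            if prev and os.path.isfile(prev) and filecmp.cmp(src, prev, shallow=False):
                os.link(prev, out)          # same inode as the older snapshot
                stats["linked"] += 1
            else:
                shutil.copy2(src, out)      # new or changed: real copy
                stats["copied"] += 1
    return stats


def _write(path: str, text: str, mode: str = "w") -> None:
    with open(path, mode) as f:
        f.write(text)


def _read(path: str) -> str:
    with open(path) as f:
        return f.read()


def demo() -> dict:
    """Constructed end-to-end run; returns the observations worth checking."""
    root = tempfile.mkdtemp(prefix="snapdemo_")
    source = os.path.join(root, "home")
    snaps = os.path.join(root, "snapshots")
    os.makedirs(os.path.join(source, "docs"))
    _write(os.path.join(source, "docs", "notes.txt"), "meeting notes\n")
    _write(os.path.join(source, "todo.txt"), "buy blank discs\n")

    # Day 1: everything is new, so everything is copied.
    first = snapshot(source, snaps, "2023-08-03", None)

    # Day 2: one file changed; the other is linked to yesterday's copy.
    _write(os.path.join(source, "todo.txt"), "burn snapshot\n", mode="a")
    second = snapshot(source, snaps, "2023-08-04", os.path.join(snaps, "2023-08-03"))

    notes_day1 = os.path.join(snaps, "2023-08-03", "docs", "notes.txt")
    notes_day2 = os.path.join(snaps, "2023-08-04", "docs", "notes.txt")
    same_inode = os.stat(notes_day1).st_ino == os.stat(notes_day2).st_ino

    # The live file is clobbered (constructed stand-in for any destructive
    # write); the day-1 snapshot is a separate inode and keeps the original.
    _write(os.path.join(source, "todo.txt"), "GARBAGE\n")
    restored_todo = _read(os.path.join(snaps, "2023-08-03", "todo.txt"))

    # Caveat: appending through a hard link in the day-2 snapshot changes the
    # shared inode, so the day-1 snapshot changes too.  On-disk snapshots are
    # not immutable; the offline BD-RW copy is what gives you that property.
    _write(notes_day2, "tampered\n", mode="a")
    notes_day1_after = _read(notes_day1)

    shutil.rmtree(root)
    return {
        "first": first,
        "second": second,
        "same_inode": same_inode,
        "restored_todo": restored_todo,
        "notes_day1_after": notes_day1_after,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The restore case works because `shutil.copy2` gives the changed file its own inode; the caveat case fails because `os.link` deliberately does not. A snapshot tree is therefore good for disk-space-cheap history, and only the copy that leaves the machine (the commenter's burned disc) is safe against something that can write to the backup volume.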

  • When it comes to security and Microsoft, why should this day be different from any other day?

  • Microsoft DOES NOT CARE about your security, privacy, your products privacy or security, or compliance that stops them making money. Microsoft NEVER wants to put privacy in front of, or in the way of, profit, which is why you never see strong encryption, identity validation, proactive security recommendations, or a privacy first approach to anything.

    Let's take Azure AD as an example, where, or how, do you generate a client side PGP key and tie it back into your identity? Can I generate any kind of fully
