Microsoft Comes Under Blistering Criticism For 'Grossly Irresponsible' Security (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation." The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.
On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a "critical" issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday's disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.
"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank," Yoran wrote. "They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft." He continued: "Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix -- and only for new applications loaded in the service." In response, Microsoft officials wrote: "We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption." Microsoft went on to say that the initial fix in June "mitigated the issue for the majority of customers" and "no customer action is required."
In a separate email, Yoran responded: "It now appears that it's either fixed, or we are blocked from testing. We don't know the fix, or mitigation, so hard to say if it's truly fixed, or Microsoft put a control in place like a firewall rule or ACL to block us. When we find vulns in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn't happen, so it's a black box, which is also part of the problem. The 'just trust us' lacks credibility when you have the current track record."
Blistering criticism (Score:3)
I think Microsoft is fairly used to 'blistering criticism'.
Re: (Score:2)
I think they like it, in fact.
Re: (Score:3)
I think Microsoft is fairly used to 'blistering criticism'.
Ya, but I think they use a lotion or ointment for that now.
Re: Blistering criticism (Score:2)
Re: (Score:2, Insightful)
'blistering criticism' doesn't affect the bottom line, so really it's all for naught, just fodder for the tabloids.
Those that fail to learn from history ... (Score:5, Insightful)
... something, something doomed.
It's scary how many corporations assume Microsoft is good at security when we have 40 years of evidence to the contrary.
Re:Those that fail to learn from history ... (Score:4, Insightful)
It's not just Microsoft, either. In this case, it's the nature of centrally-hosted Cloud services to be massively insecure.
All too many people fell for the lie that Cloud service providers are better at keeping your data secure than you are. They're not. They have no incentive to care about your data more than you do. They will pretend that they do, but only long enough to lock you into paying large sums of money indefinitely. Once you're locked in, the truth will be laid bare.
Re:Those that fail to learn from history ... (Score:5, Insightful)
In my experience the decision isn't "which is more secure", it's "which reduces my personal liability" more. If Microsoft cloud gets hacked you probably won't lose your job.
It's the modern equivalent of the old saying "Nobody ever got fired for buying IBM" except replace "fired" with "sued" and IBM with "cloud".
Re: (Score:2)
"The truth will be laid bare"?!?
Not at all. I expect that they will start to act as a BOFH, as described in so many stories all over the internet. They know they shouldn't. We know they shouldn't. Yet, they will do it, simply because they can. And, of course, now that we willingly and trustfully handed over the reins of our wallets to them, they have an economic incentive as well.
In Dutch, there is a saying: dat is hetzelfde als een kat op het spek binden. Literal translation: that is the same as tying a
Re:Those that fail to learn from history ... (Score:4, Insightful)
You may be right, but I'm not aware of AWS or GCP having any of their customers data being exfiltrated because of something that can't be called "customer configuration error". Not that either of those companies are upstanding pillars of society, but they do seem pretty competent at running servers for people.
What we do see in abundance is every man and his dog with a web app getting hacked. There's the difference (IMHO) - the "Microsoft Cloud" isn't just a general purpose cloud service (like AWS/GCP), it's also a series of apps (like Exchange, Office, etc) - SaaS, if you like. Those apps have a long and very checkered history, and there I couldn't see how Microsoft would suddenly be able to secure them, when for decades they seemed unable to do so when they used to ship product.
Either way, trusting Microsoft is always a dangerous move. This just gives me more justification when I tell my clients that "everything you do with Microsoft incurs a cost penalty over and above any other option".
Grossly Irresponsible (Score:1)
Re:Grossly Irresponsible (Score:5, Insightful)
MS's entire history from day 1, more like. It wasn't much of an issue when it was MSDOS running on un-networked PCs in the '80s, but when networking and then the Internet became common, MS never adapted.
Hell, MS is still behind the curve for multi-user.
Re: (Score:2)
It wasn't much of an issue when it was MSDOS running on un-networked PCs in the '80s
The 1986 Brain virus would like to have a word with you, as would 1987's Stoned virus.
It was a huge issue back then.
Re: (Score:2)
Brain didn't get around much and Stoned didn't reach most of the world until the '90s. By today's standards, they were almost benign.
Re: (Score:1)
There is a YouTube channel where a guy takes DOS and early Windows virii, then executes them on Win 10/11 to see what gets stopped.
The results are simply shocking.
Re: Grossly Irresponsible (Score:1)
Re: (Score:1)
You don't "lock" a DOS machine. You probably walked away or switched off.
special CCP and NSA friends (Score:1)
They will care from now on (Score:2)
Well, as it just so happened, that CEO made some noise about this weakness on the internet, and once the internet knows that there is something to be found, the global hunt for this vulnerability will commence. At least a few bad actors will find the vuln, trust me. Some companies will get their data heisted and a lot of hand waving will ensue.
Not sure whether this will actually lead to actual loss of customers and more responsible behavior on Microsoft's side, but there's a chance. The hunt is open now.
Re: (Score:3)
I see you have no clue about IT security. Hence I cannot prove you wrong because you just do not know enough.
This can be done right. Even notoriously incompetent MS could do a lot better. It is just that they value short-term profits more.
Re: (Score:2)
No dude, you're just wrong, flat out wrong. People tried it your way. It's the naive approach so it took a long time to shake it out.
Maybe you’re thinking of confidentiality which is a different thing.
Re: (Score:2)
Indeed. I think this person tried to use a big word (i.e. "obscurity") without understanding what it means. Classical attempt to simulate insight to impress others. Failed due to the presence of some people with actual insight into the matter.
Re: (Score:2)
Try me. I was looking for a deep philosophical answer, not "you're so wrong I don't even have to give an example of why".
I've been in IT for 15+ years so I ask again. What aspect of computer security is not better defined by the term "obscurity"?
Re: (Score:2)
Over-reliance on the "security through obscurity" principle made Microsoft the security nightmare that it has been during the last 30 years till now. "Security through obscurity" may give you a sense of security for a time, but time and again, it only postpones the inevitable calamity.
It might work well for some businesses though, like gaming, where a breach a year or two after launch isn't a calamity.
Re: (Score:1)
> Over-reliance on the "security through obscurity" principle made Microsoft the security nightmare that it has been during the last 30 years till now
Most Microsoft stuff isn't obscure.
That's because there is not much (that can be networked) that is obscure if it is from Microsoft. Even DOS is not that obscure really.
Any kid with a working knowledge of the Windows Terminal will find their way round DOS still.
Most will have little trouble figuring out how to navigate Program Manager.
Security via obscureit
Re: (Score:2)
Indeed. MS has now even had a (much too) high-powered cloud cert stolen from them. What more do you need to prove utter incompetence in the security space on their part?
Re: (Score:2)
What in the fuck is going on here. I’m a bit of a radical for saying obscurity has a place in security in some situations like reducing discoverability.
This is downright like what the fuck are you guys even doing here? Where did you come from?
Re: (Score:2)
Security by obscurity does have a place. But it must never be more than an additional mechanism on an already reliably secured system. I.e. it must not actually be a security mechanism, but a mechanism to drive attack cost up more, and the system must remain secure if that obscurity fails. As it always does sooner or later.
Re: (Score:2)
I've been in IT for 15+ years so I ask again. What aspect of computer security is not better defined by the term "obscurity"?
I think you’re confusing confidentiality with obscurity and even then it’s considered 1/3.5th of computer security. These terms are all arguable philosophically but for the purposes of reading security texts and having professional computer security discussions “Confidentiality” and “Obscurity” have very specific meanings and they’re fairly fundamental to these discussions so this whole post is for your education and it’s very clear you don’t know enoug
Re: (Score:2)
Indeed. In addition, the Dunning-Kruger effect nicely explains why people that do not even know enough to understand the basics often think themselves experts and consider their invalid opinions (close to) absolute truth. "I cannot think about any way to do it" is not the same as "It is impossible".
Re: (Score:2)
You have not heard of Kerckhoffs's principle, I take it then?
Now, I take your claim as "everything can be attacked successfully", which is an obviously wrong claim. It cannot be proven wrong, because you cannot argue over the "set of all possible attacks" due to incompleteness. Hence while your claim is wrong, there cannot be a proof that it is wrong. And that makes the question basically a lie because it is not a question.
The reason I do not give examples is that for anybody actually competent in this spac
Re: (Score:2)
If you know the private keys or passwords, you aren't hacking it but using it as designed.
Kerckhoffs' principle is that the only thing you should need to keep secret is the key. But "obscurity" has connotations of "allowing only partial visibility", and allowing partial visibility of the key is a vulnerability in itself.
Biometrics aren't obscurity. However, I won't disagree if you say that they're highly problematic.
Re: (Score:1)
Security through obscurity is a valid and widely (or should be) practiced concept. However there is a problem in WHAT is being kept obscure.
The primary thing to obscure is the details of your implementation. Everything from model numbers and IP addresses should be on a need to know basis. Yes, once "they" are in, they can find some of this stuff out as they explore, the point is you WANT them to realise they have to do that work. You want them to decide if you are truly the target, or you are less attrac
Re: (Score:2)
I know a guy who is sitting on 20 year old 0-day and I myself once exploited a known vulnerability in an EOSL product by attacking where they would likely go.
Gotta be careful with that old stuff though; I have some old stuff of my own.
When state actors are involved (Score:2)
Hey, I wouldn't be surprised if Microsoft was actually negligent here.
But when a national government is after you and tries to break your security, with enough money and time, they are *going* to get in, I don't care who you are or how well your systems are guarded.
Re: (Score:3)
Nope. They do not. What MS does is they make it _easy_. State actors are not magic and it is not a question of just throwing more money at the problem.
Re: (Score:2)
You're right, state actors are not magic. What they do have is very deep pockets. It takes money, and lots of it, to breach a secure system. With enough money and persistence, there is no kind of security, physical or digital, that will hold up.
I challenge you to produce actual evidence of the "easy" with which Microsoft's services can be breached. If it's so easy, YOU try it! Good luck!
Re: (Score:2)
With enough money and persistence, there is no kind of security, physical or digital, that will hold up.
While true, this is irrelevant. Just set the amount of money needed to "more than available under any circumstances" and the claim becomes true, because "A implies B" is a true claim when A is false. The fundamental problem is that you ignore all other relevant aspects, like time, attacker skill, defender reaction, etc. You know, what experts call "the real world" and what amateurs consistently ignore because it does not support their flawed view of things.
And your "challenge" just shows you are clueless, n
Re: (Score:2)
It seems your response has degenerated to insults, which is an indication that you are out of logical arguments. I'll respond to the meat of your actual argument.
What specific other (non-Microsoft) system requires more time and attacker skill than Azure or Office 365? Certainly not AWS or Google Cloud.
https://www.bleepingcomputer.c... [bleepingcomputer.com]
https://www.channelfutures.com... [channelfutures.com]
https://www.itpro.com/cloud/cl... [itpro.com]
There are plenty more links where those came from.
Re: (Score:2)
I see you cannot be reached. Well, not unexpected for an amateur with an oversized ego.
Re: (Score:2)
You're right, insults don't "reach" me, just logical arguments.
Re: (Score:2)
...with enough money and time, they are *going* to get in....
For the sake of argument, let's assume that's true. It's still better for us if they have to target millions of disparate systems rather than one centralized system.
Re: (Score:2)
I would argue that it's not actually a centralized system, but millions of separately-managed systems. The Chinese in this incident did not attack the central system, they attacked individual accounts. This is an indication that it was easier to attack each account, than any "central" system.
MS is not an IT company. They do marketing. (Score:4, Insightful)
Their products are just about good enough to sell, but are not really fit for any other purpose. Hence while accurate, the criticism from the story is neither new nor surprising.
Re: (Score:2)
I sometimes get asked about my appreciation of open source software, usually by the name of Linux (you don't use Windows? You're an Apple user then? What, you use amateur stuff?), and I typically explain that Microsoft Windows is coded to make money, whereas the "amateur stuff" is coded for functionality and made to be used by anyone, and be maintained, enhanced and debugged by any expert users. Smart people tend to get it, even if they're not technically inclined.
Aaaaand (Score:1)
That is why we (my workplace) do everything on-prem and don't use "the cloud".
The best defense is to unplug entirely but it will be hard to do that completely.
At home I also backup my critical stuff to BD-RW. I have a HDD snapshot script that snapshots my home directory to a HDD using rsync and hardlinks. Then I burn the latest snapshot to BD-RW as an airgapped and immutable (well not easily) copy, just in case the ransomware finds its way in.
I personally do upload parts of my archival data to the cloud,
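The rsync-and-hardlinks snapshot scheme described in the post above, reimplemented in Python as an added example (not the poster's script) so the mechanism is visible: files unchanged since the previous snapshot are hardlinked into it, as `rsync --link-dest` does, and a sha256 manifest lets you check the burned copy later. The directory names and sample files are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def _unchanged(src: Path, prev: Path) -> bool:
    # rsync's default quick check: same size and same mtime (second granularity).
    if not prev.is_file():
        return False
    a, b = src.stat(), prev.stat()
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)

def snapshot(source: Path, root: Path, name: str) -> Path:
    """Build root/name as a full tree of source; unchanged files are hardlinks into the newest earlier snapshot."""
    root.mkdir(parents=True, exist_ok=True)
    earlier = sorted(p for p in root.iterdir() if p.is_dir() and p.name != name)
    prev = earlier[-1] if earlier else None
    dest = root / name
    for path in source.rglob("*"):
        rel = path.relative_to(source)
        target = dest / rel
        if path.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        if prev is not None and _unchanged(path, prev / rel):
            os.link(prev / rel, target)   # share the inode already on disk
        else:
            shutil.copy2(path, target)    # copy2 keeps mtime for the next quick check
    return dest

def manifest(tree: Path) -> dict[str, str]:
    """sha256 per file keyed by relative path; keep it with the offline copy."""
    return {str(p.relative_to(tree)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(tree.rglob("*")) if p.is_file()}

def verify(tree: Path, expected: dict[str, str]) -> list[str]:
    """Relative paths that are missing, unexpected, or whose content hash changed."""
    actual = manifest(tree)
    return sorted(k for k in set(expected) | set(actual) if expected.get(k) != actual.get(k))

def demo() -> dict:
    """Constructed data: two snapshots of a tiny home dir, then a tampered offline copy."""
    with tempfile.TemporaryDirectory() as tmp:
        home, root = Path(tmp, "home"), Path(tmp, "snaps")
        (home / "docs").mkdir(parents=True)
        (home / "docs" / "notes.txt").write_text("keep me\n")
        (home / "docs" / "budget.csv").write_text("2023,100\n")
        first = snapshot(home, root, "snap-001")
        (home / "docs" / "budget.csv").write_text("2023,100\n2024,250\n")  # changed size
        second = snapshot(home, root, "snap-002")
        offline = Path(tmp, "bdrw")            # stands in for the burned BD-RW copy
        shutil.copytree(second, offline)
        (offline / "docs" / "notes.txt").write_text("encrypted!\n")  # simulated tampering
        ino = lambda snap, rel: (snap / rel).stat().st_ino
        return {"notes_shared_inode": ino(first, "docs/notes.txt") == ino(second, "docs/notes.txt"),
                "budget_shared_inode": ino(first, "docs/budget.csv") == ino(second, "docs/budget.csv"),
                "clean_copy_problems": verify(second, manifest(second)),
                "tampered_copy_problems": verify(offline, manifest(second))}
```

Hardlinks only work within one filesystem, so the snapshot root must live on the same disk as its predecessors; the manifest is what you recompute on the optical copy.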
Friends don't let friends use Microsoft... (Score:2)
When it comes to security and Microsoft, why should this day be different from any other day?
This is news? (Score:2)
Let's take Azure AD as an example, where, or how, do you generate a client side PGP key and tie it back into your identity? Can I generate any kind of fully