Microsoft Employees Exposed Internal Passwords In Security Lapse (techcrunch.com)
Zack Whittaker and Carly Page report via TechCrunch: Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet. Security researchers Can Yoleri, Murat Ozfidan and Egemen Kochisarli with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft's Azure cloud service that was storing internal information relating to Microsoft's Bing search engine. The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems. But the storage server itself was not protected with a password and could be accessed by anyone on the internet.
Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations "could result in more significant data leaks and possibly compromise the services in use," Yoleri said. The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5. It's not known for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside.
History Repeating (Score:2)
Didn't we already go through this on Amazon S3 years ago... people storing credentials in a bucket that has "publicly accessible" enabled?
Funny how we just keep repeating the same mistakes over and over...
Re: (Score:2, Funny)
repeating the same mistakes over and over...
"Why do you keep beating your head against the wall?"
"Because it feels so good when I stop."
Re: (Score:1)
MS could leak everything on 5th Ave. and still be the dominant business platform. Entrenchment runs deep.
MS complexity increasing caused this (Score:1)
Microsoft self-admits that its cloud is too complex, too easy to miss security issues, .....
Azure Aspire is their attempt to rebrand Azure services and cut off the trail of bad news about Azure security and configuration (DLL) hell.
https://learn.microsoft.com/en... [microsoft.com]
The cloud means that any full-stack developer eventually is forced to be, pick your career path, on a project: 1) a developer, 2) A back-end developer, 3) A network admin, 4) A firewall admin, 5) A database administrator, 6) An IT operations guru,
Re: (Score:3)
Yes and for quite some time already it's been VERY difficult to 'accidentally' make your bucket public. You literally have to make about 5 explicit clicks to do so.
So in this case, questions have to be asked about how it is possible? Either Azure doesn't have such default settings, in which case - why not? But if it does, then how the fuck can MS engineers be so moronic as to go and make it public? (yes the last one is a rhetorical question :P )
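The question of whether Azure has the equivalent of S3's explicit "public" switch is answerable from the CLI: `az storage account list` reports each account's `allowBlobPublicAccess` setting, and `az storage container list --account-name <name>` reports each container's `properties.publicAccess` level ("blob", "container", or null). The following is an added example, not code from the thread or from Microsoft, that audits that output offline. The JSON it reads is constructed for the example and only mirrors the field names of the real CLI output; the account and container names are made up.

```python
"""Audit Azure storage accounts and containers for anonymous (public) access.

Added example: reads the JSON shape returned by `az storage account list` and
`az storage container list --account-name <name>` and flags settings that let
an unauthenticated client read blobs. The sample data below is constructed.
"""
from __future__ import annotations

import json

# Constructed sample output: two accounts, one still permitting anonymous access.
ACCOUNTS_JSON = """[
  {"name": "stexample001", "allowBlobPublicAccess": false,
   "minimumTlsVersion": "TLS1_2", "enableHttpsTrafficOnly": true},
  {"name": "stexample002", "allowBlobPublicAccess": true,
   "minimumTlsVersion": "TLS1_0", "enableHttpsTrafficOnly": true}
]"""

# Constructed per-account container listings (same shape as the CLI output).
CONTAINERS_JSON = {
    "stexample001": """[
      {"name": "builds", "properties": {"publicAccess": null}}
    ]""",
    "stexample002": """[
      {"name": "private-data", "properties": {"publicAccess": null}},
      {"name": "scripts", "properties": {"publicAccess": "container"}},
      {"name": "configs", "properties": {"publicAccess": "blob"}}
    ]""",
}


def audit_account(account: dict, containers: list[dict]) -> list[str]:
    """Return human-readable findings for one account and its containers."""
    findings: list[str] = []
    name = account["name"]

    # Account-level switch. Only an explicit False guarantees that no container
    # ACL can grant anonymous reads; True or null (unset) leaves it to the ACLs.
    if account.get("allowBlobPublicAccess") is not False:
        findings.append(f"{name}: allowBlobPublicAccess is not disabled")
    if account.get("minimumTlsVersion") != "TLS1_2":
        findings.append(
            f"{name}: minimum TLS version is {account.get('minimumTlsVersion')}"
        )
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append(f"{name}: HTTPS-only transfer is off")

    # Container-level ACL: "blob" = anonymous read of known blob URLs,
    # "container" = anonymous read plus listing of every blob in the container.
    for container in containers:
        level = (container.get("properties") or {}).get("publicAccess")
        if level:
            findings.append(
                f"{name}/{container['name']}: anonymous access level '{level}'"
            )
    return findings


def audit(accounts_json: str, containers_by_account: dict[str, str]) -> dict[str, list[str]]:
    """Audit every account; return {account_name: [findings]} for accounts with issues."""
    result: dict[str, list[str]] = {}
    for account in json.loads(accounts_json):
        containers = json.loads(containers_by_account.get(account["name"], "[]"))
        findings = audit_account(account, containers)
        if findings:
            result[account["name"]] = findings
    return result


if __name__ == "__main__":
    for acct, findings in audit(ACCOUNTS_JSON, CONTAINERS_JSON).items():
        print(acct)
        for line in findings:
            print("  -", line)
```

To run it against a real subscription, pipe the output of the two `az` commands (the container listing with `--auth-mode login` so it uses the caller's identity rather than an account key) into `audit()` in place of the constructed strings. The account-level check is the one that matters most: with `allowBlobPublicAccess` set to false, a container ACL of "blob" or "container" no longer grants anything to an anonymous client.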
Re: (Score:1)
See the cisa link below for the why.
The answer is a bit similar to why Boeing designs aircraft that fly towards the ground and fall apart mid-flight: safety and security are not the things that get the projects out of the door on time, especially when the original planning did not explicitly account for them because they add cost.
At some point cyber insurance companies will refuse to insure companies relying on Microsoft stack due to the abysmal security culture. For those that refuse to give money to AWS t
Re: (Score:2)
At some point cyber insurance companies will refuse to insure companies relying on Microsoft stack due to the abysmal security culture.
That has already started to happen. At the moment it is quietly done, but I talked to the risk modeller responsible for IT insurance at a major insurance provider a few months back. If your infrastructure is pure MS at least they look very carefully at your capabilities to keep that secure and they likely will give you additional requirements in order to get an offer. They also have quite a few requests for insurance now where they do _not_ make an offer.
Re: (Score:2)
Oh, not everybody does this right. But some have working models and what the people I talked to do is more like an abbreviated audit than a simple exposure test. And, as I said, they do not make offers to an increasing number of potential customers and they are increasing premiums and excluding things from coverage where they do.
Now, for a medical company, it is possible that they have a large insurance package that is profitable enough that the insurer just transfers the cyber-risk cost to the other ins
Re: (Score:2)
However they are not anonymous access by default and you need to explicitly configure them to be so.
*In Azure, storage accounts are SaaS as they don't actually 'run' in the
Re: (Score:2)
Didn't you get the memo? Instead of doing something risky like putting your passwords in a file on your cloud, you're supposed to securely record them on a sticky note stuck to your monitor.
"Microsoft security lapse" = Business as usual (Score:5, Informative)
These days, it is an exception if MS gets something right in the security space. Or any space, really. I recommend reading
https://www.cisa.gov/sites/def... [cisa.gov]
for a chronicle of incompetence, arrogance, incapability, non-understanding and lying to customers. It contains such gems as MS still not knowing how the keys to their kingdom got stolen last year.
Whoops (Score:3)
Pretty sure I've seen scans catch stuff like this, kind of curious. Although.. I've seen a password on a whiteboard that nobody seemed to care about for weeks too. Anybody passing by outside could easily see it looking from the sidewalk. When I asked about it, I got shrugged at. After the boss finally noticed, it quickly disappeared.
Having seen how projects ramp up at MS, perhaps this speaks to a need for mandatory templating of scaffolding, locking in some settings, for stuff like this. Very likely that if it doesn't show profit potential immediately and obviously, it's not on the radar there.
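The "scans catch stuff like this" point above refers to the other half of the problem: the bucket was public, but the real damage was the passwords, keys and connection strings sitting in the scripts and config files inside it. Below is an added example, not code from the thread or from any scanner product, of the kind of pre-commit or CI check that catches such material before it is uploaded anywhere. The sample file it scans is constructed for the example; the connection-string key is filler, and the rule set and entropy threshold are the author's assumptions, not a standard.

```python
"""Scan scripts and config files for embedded credentials before they ship.

Added example. Three pattern rules (an Azure storage connection string, a
password-style assignment, a key-style assignment) plus a Shannon-entropy
filter that drops obvious placeholders and low-entropy values. The sample text
at the bottom is constructed; nothing in it is a real credential.
"""
from __future__ import annotations

import math
import re
from collections import Counter

# Each rule captures the secret-bearing part of the match in the group "value".
RULES = [
    # Azure storage connection strings carry the account key inline.
    ("azure-storage-connection-string",
     re.compile(r"DefaultEndpointsProtocol=https?;AccountName=[^;]+;"
                r"AccountKey=(?P<value>[A-Za-z0-9+/]{80,}={0,2})")),
    # password=..., pwd: "...", client_secret = '...' in env/ini/yaml/script syntax.
    ("password-assignment",
     re.compile(r"(?i)(pass(word)?|pwd|secret)\s*[:=]\s*['\"]?(?P<value>[^'\"\s]{6,})['\"]?")),
    # Anything named like an API/access/secret key assigned a long token.
    ("key-assignment",
     re.compile(r"(?i)([a-z_]*(api|access|secret)[a-z_]*key)\s*[:=]\s*['\"]?"
                r"(?P<value>[A-Za-z0-9+/=_\-]{20,})['\"]?")),
]

# Substrings that mark a value as a template or placeholder rather than a secret.
PLACEHOLDERS = ("changeme", "password", "example", "xxxxxx", "<redacted>", "${", "{{")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    low = value.lower()
    return any(p in low for p in PLACEHOLDERS)


def scan_text(text: str, min_entropy: float = 3.0) -> list[tuple[int, str]]:
    """Return (line_number, rule_name) for every line that appears to hold a secret."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            value = m.group("value")
            # Placeholders and low-entropy strings are far more often config
            # defaults than real secrets; skip them to keep the signal usable.
            if looks_like_placeholder(value) or shannon_entropy(value) < min_entropy:
                continue
            findings.append((lineno, rule))
            break  # one finding per line is enough
    return findings


# Constructed sample "deployment script"; the AccountKey is base64 filler.
SAMPLE = """\
# constructed deployment script for this example; nothing here is a real credential
STORAGE_CONN="DefaultEndpointsProtocol=https;AccountName=stexample;AccountKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk=;EndpointSuffix=core.windows.net"
DB_PASSWORD=changeme            # placeholder, must not be flagged
db_password = "Tr0ub4dor&3xample!"
api_key: "${API_KEY}"           # templated at deploy time, must not be flagged
timeout = 30
client_secret = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
"""

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}")
```

Wired into a pre-commit hook or a CI step that runs over every file in the artifact about to be published, this turns "someone later noticed the bucket was public" into "the upload was refused because it contained a connection string". The entropy filter is deliberately crude; the point is that it rejects `changeme` and `${API_KEY}` while still catching the three lines that would have mattered in the incident described in the story.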
Re: (Score:1)
Re: (Score:2)
It probably violates a number of policies. But security is not about having policies, it is about caring about security and having the understanding and education to do it right. MS does not have that.
Re: (Score:2, Insightful)
MS does not have that.
Always with the FUD. Never with the facts.
There is nothing anyone can do about intentional idiots, except for crippling their access in such a way that they simply cannot do anything. Which is not going to get anything delivered.
But maybe in the magical Utopia you reside in this is sorted using... fairy dust?
Re: (Score:2)
MS has time and again proven that they have no security culture (and no reliability culture either). That is not FUD. That is observable fact. Oh, sure, they _pretend_ to care about security and those weak of mind get fooled by that bunch of lies, but the facts tell a different story.
Re:Whoops (Score:4, Funny)
How can it be so easy? (Score:2)
Domain Renewal (Score:2)
Anyone else remember back when Microsoft used to regularly forget and let their domain registrations lapse and make a joke and even a contest of it when "regular civilians" would renew the registrations for them? Good times. This is the company you're expecting security from. lol.