posted by requerdanos on Saturday August 05 2023, @11:30AM
from the negligent-cybersecurity-practices dept.

https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/

Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation."

The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.

Arthur T Knackerbracket has processed the following story:

Yoran has more to add to the senator’s arguments, writing in his post that Microsoft has demonstrated a “repeated pattern of negligent cybersecurity practices,” enabling Chinese hackers to spy on the US government. He also revealed Tenable’s discovery of an additional cybersecurity flaw in Microsoft Azure and says the company took too long to address it.

Tenable initially discovered the flaw in March and found that it could give bad actors access to a company’s sensitive data, including a bank. Yoran claims Microsoft took “more than 90 days to implement a partial fix” after Tenable notified the company, adding that the fix only applies to “new applications loaded in the service.” According to Yoran, the bank and all the other organizations “that had launched the service prior to the fix” are still affected by the flaw — and are likely unaware of that risk.

Yoran says Microsoft plans to fix the issue by the end of September but calls the delayed response “grossly irresponsible, if not blatantly negligent.” He also points to data from Google’s Project Zero, which indicates that Microsoft products have made up 42.5 percent of all discovered zero-day vulnerabilities since 2014.

“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” Yoran writes. “How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?”



Related Stories

Chinese Malware Removed From SOHO Routers After FBI Issues Covert Commands

https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/

The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.

The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what's known as KV Botnet malware, Justice Department officials said.

[...] "To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9. "This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel."

[...] The takedown disclosed Wednesday isn't the first time the FBI has issued commands to infected devices without the owners' knowledge ahead of time. In 2021, authorities executed a similar action to disinfect Microsoft Exchange servers that had been compromised by a different China-state group tracked as Hafnium.

[...] In 2018, researchers reported that more than 500,000 SOHO routers had been compromised by sophisticated malware dubbed VPNFilter. The mass hack was later revealed to be an operation by a Russian-state group tracked as Sofacy. In that event, the FBI issued an advisory urging people to restart their routers to remove any possible infections. The agency also seized a domain used to control VPNFilter.

[...] This month's takedown comes as the Chinese government has stepped up attacks in recent years to compromise routers, cameras, and other network-connected devices to target critical infrastructure. warned of the trend in May last year. Researchers in the private sector have issued similar warnings.

Previously on SoylentNews:
Backdoored Firmware Lets China State Hackers Control Routers With "Magic Packets" - 20230930
Microsoft Comes Under Blistering Criticism for "Grossly Irresponsible" Security - 20230805
Malware Turns Home Routers Into Proxies for Chinese State-Sponsored Hackers - 20230518
US Warns of Govt Hackers Targeting Industrial Control Systems - 20220415
State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide - 20211111
Microsoft Exchange Server Zero Day Hack Roundup - 20210316
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
Iranian Spies Accidentally Leaked Videos of Themselves Hacking - 20200716
Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App, Researchers Say - 20200215
Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group - 20191231

"state actors" search on SoylentNews for even more: https://soylentnews.org/search.pl?threshold=0&query=state+actors



This discussion was created by requerdanos (5997) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Insightful) by Gaaark on Saturday August 05 2023, @01:45PM (13 children)

    by Gaaark (41) on Saturday August 05 2023, @01:45PM (#1319244) Journal

    You can only blame MS for so much: at some point there is personal responsibility. Everyone knows MS sucks at everything they do, and Windows is, at best, a gaming platform.

    Own up and reverse the trend. What is the TCO now?

    Get off MS products. Cold turkey. It's not hard; it just takes being fed up enough.

    Or, which will happen because people are weak, go as per usual.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 5, Insightful) by Runaway1956 on Saturday August 05 2023, @03:11PM (2 children)

      by Runaway1956 (2926) Subscriber Badge on Saturday August 05 2023, @03:11PM (#1319250) Journal

      You can only blame MS for so much:

      I can't argue your additional points, but I think you can't heap enough blame upon Microsoft. Perhaps I could be more forgiving of their monopolistic history, if they actually offered a superior product. Perhaps. But, the fact is, MS has a long history of putting competitors out of business, some, or even all, of whom offered better products, with better security. A complete view of Microsoft's history condemns them as unfit to do business in this, or any other country. Seriously, how many times have they put a competitor out of business (or bought the competitor out in some cases) only to offer a crippled, less secure version of their own making? Embrace, extend, extinguish. They tried that with Java, unsuccessfully.

      But, the rest of your post is on target. Given MS history, decision makers who decide to invest in MS products are just too damned stupid to be decision makers.

      • (Score: 5, Insightful) by RS3 on Saturday August 05 2023, @03:37PM

        by RS3 (6367) on Saturday August 05 2023, @03:37PM (#1319254)

        decision makers who decide to invest in MS products are just too damned stupid to be decision makers.

        That is the core problem.

        Far too many critical technical decisions are made by business-types. It has haunted me all of my professional life. Being problem-solvers who are pretty much always up for a challenge, we technical-types accept the challenge (sometimes reluctantly) of making things work, staying on top of patches, updates, best security practices, etc. I often comment, cynically, that MS has created a huge number of jobs, that if they ever made a truly secure product, many IT workers would be laid off.

        I'll give them credit for two things: their software development tools, example code, developer network, helps, APIs, etc., are pretty good. I don't happen to like them, but obviously tons of people do. I'll argue it's a bit of a "pile-on" / follow the crowd / they never really tried anything else.

        Also MS is known for "innovation". Whether by their own ideas or stealing / buying others', they have always tried to make computers useful to the average person. But that's part of the problem: pushing (unnecessary) gadgets and "features" out to the market without truly testing them. But that's not MS- most companies I've worked for had that attitude: a race to the market, we'll worry about problems later. Sigh.

      • (Score: 5, Interesting) by Common Joe on Saturday August 05 2023, @04:25PM

        by Common Joe (33) <reversethis-{moc ... 1010.eoj.nommoc}> on Saturday August 05 2023, @04:25PM (#1319257) Journal

        Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce

        Assuming it is backed by the Chinese government, this should surprise no one, as any place the U.S. government resides with data is a prime candidate for being a target.

        I can't argue your additional points, but I think you can't heap enough blame upon Microsoft.

        It would not surprise me if Microsoft has some kind of back door for the U.S. government. I agree we can't ever heap enough blame upon Microsoft, but I think there is also a U.S. government component too.

    • (Score: 2) by mcgrew on Saturday August 05 2023, @06:54PM (1 child)

      by mcgrew (701) <publish@mcgrewbooks.com> on Saturday August 05 2023, @06:54PM (#1319274) Homepage Journal

      That's like demanding personal responsibility from auto drivers without having any drivers' tests or rules of the road.

      You can't damn everyone for their ignorance, nobody knows everything and most people don't know jack shit about computers.

      --
      mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 0) by Anonymous Coward on Saturday August 05 2023, @10:41PM

        by Anonymous Coward on Saturday August 05 2023, @10:41PM (#1319296)

        Fetch. Execute.

        That's all a computer can do.

        It just follows orders. To the letter. Unless it is faulty.

        Just like most of us who obediently follow orders.

        The problem lies in not holding the makers of orders accountable.

    • (Score: 2) by mhajicek on Saturday August 05 2023, @08:00PM (6 children)

      by mhajicek (51) on Saturday August 05 2023, @08:00PM (#1319278)

      Windows is the ONLY option for professional level CADCAM. That ties a few hands.

      --
      The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
      • (Score: 2) by Gaaark on Saturday August 05 2023, @08:19PM (5 children)

        by Gaaark (41) on Saturday August 05 2023, @08:19PM (#1319279) Journal

        Does it HAVE to be connected to the internet? That's where the attack vector usually is.

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 4, Interesting) by RS3 on Saturday August 05 2023, @10:44PM (4 children)

          by RS3 (6367) on Saturday August 05 2023, @10:44PM (#1319298)

          A friend of mine does a lot of work in Solid Works. Years ago you could install it on stand-alone computers. He said now it won't run unless it can "phone home to mommy". I'm not sure if you can unplug the 'net after it's started up.

          All that said, everyone should be behind some kind of firewall. No Windows machine should ever be directly connected to the 'net with no firewall. Most routers/gateways have a built-in firewall, and by default all 'net-side ports are usually closed.

          But that doesn't stop someone from checking email on said machine, and maybe receiving malware in an email that automatically opens the attachment. Or visiting a website that has javascript malware.

          • (Score: 3, Funny) by Gaaark on Saturday August 05 2023, @11:51PM (3 children)

            by Gaaark (41) on Saturday August 05 2023, @11:51PM (#1319306) Journal

            You and your friend and everyone you know should contact the software makers and tell them you want to run their software on linux.

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
            • (Score: 2) by RS3 on Sunday August 06 2023, @01:16AM

              by RS3 (6367) on Sunday August 06 2023, @01:16AM (#1319311)

              And then we'll place bets on how long they'll laugh at us?

              Even if they did produce a Linux version, it'd still phone home.

              Oh, and I don't use Solid Works, and hope I never have to. Not because of the aforementioned problem, but it's very very complex 3D CAD and that's not my jam. Jamb?

            • (Score: 2) by mhajicek on Sunday August 06 2023, @02:47AM

              by mhajicek (51) on Sunday August 06 2023, @02:47AM (#1319321)

              If you pay them less than $100,000/year for license maintenance, you're not even a bug on their windshield.

              --
              The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
            • (Score: 2) by Freeman on Monday August 07 2023, @04:07PM

              by Freeman (732) on Monday August 07 2023, @04:07PM (#1319485) Journal

              Makes me kind of wonder, if you could run it via WINE.

              Ah, so I guess the answer to that question is generally "No", because it is garbage. At least that's the rating it's generally getting on WINEHQ "Garbage."
              https://appdb.winehq.org/objectManager.php?sClass=application&iId=318 [winehq.org]

              It did accidentally get a Silver rating in 2008 and 2010. They fixed that later, though.

              --
              Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 2) by DannyB on Tuesday August 08 2023, @02:41PM

      by DannyB (5839) Subscriber Badge on Tuesday August 08 2023, @02:41PM (#1319558) Journal

      Get off MS products. Cold turkey. It's not hard; it just takes being fed up enough.

      Or, which will happen because people are weak, go as per usual.

      It's like asking people to get off of Oracle.

      Or asking them to get off of crack.

      --
      With modern TVs you don't have to worry about braking the yolk on the back of the picture tube.
  • (Score: 4, Interesting) by RamiK on Saturday August 05 2023, @02:02PM (8 children)

    by RamiK (1813) on Saturday August 05 2023, @02:02PM (#1319245)

    Microsoft's obfuscation is the security theater their customers want, are paying for, and it's clearly what they're getting. If governments want banks, hospitals and infrastructure to use actual security, they should regulate proper software engineering practices and specific guidelines for cloud services, as every other engineering field is held to, instead of letting EULAs and other contract shenanigans remove the most basic liabilities.

    --
    compiling...
    • (Score: 5, Insightful) by Gaaark on Saturday August 05 2023, @02:25PM (4 children)

      by Gaaark (41) on Saturday August 05 2023, @02:25PM (#1319248) Journal

      Yeah; MS says "Don't use Linux... there's no one to turn to if anything goes wrong", but MS will say "It's your fault" if anything goes wrong, so there's no one to turn to there, either.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 2, Disagree) by RamiK on Saturday August 05 2023, @04:54PM (3 children)

        by RamiK (1813) on Saturday August 05 2023, @04:54PM (#1319258)
        --
        compiling...
        • (Score: 4, Insightful) by Gaaark on Saturday August 05 2023, @05:04PM (2 children)

          by Gaaark (41) on Saturday August 05 2023, @05:04PM (#1319261) Journal

          And when something goes wrong, will MS back you up? You lose data worth millions of dollars because MS fucked something up, will you get your data back absolutely or when you sue, will MS just say "We have billions in the bank and the best lawyers who will drag this case through the courts for years.... how much money YOU got?"

          This is the company that sues little companies like Tom-Tom for their linux use that "violates all kinds of our patents that you won't find out about unless it goes to court...how much money YOU got?", but it won't sue Google for linux use because Google HAS money.

          --
          --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
          • (Score: 2) by RamiK on Sunday August 06 2023, @11:13AM (1 child)

            by RamiK (1813) on Sunday August 06 2023, @11:13AM (#1319356)

            Of course they won't. They're a major software vendor and service provider with layers of EULAs to shrug off their responsibilities and armies of lawyers and lobbyists on retainer to keep it that way.

            That's the whole point: It's not a technical problem nor is it specific to Microsoft or any other major vendor, since Red Hat/IBM does the exact same thing with linux and Amazon does the same thing with their cloud services. Fundamentally, it's a market problem where hosting costs only go down at scale but, in the absence of government intervention, getting to those scales means cutting at reliability and security.

            So, we can play the blame game and point fingers at the suppliers for giving the customers what they want or try aiming at their customers saying how they should do more to secure the customers' data... But, practically speaking, just like with seat belts and air bags, the only solution here is for the legislator and regulator to step in.

            --
            compiling...
            • (Score: 2) by Gaaark on Sunday August 06 2023, @12:02PM

              by Gaaark (41) on Sunday August 06 2023, @12:02PM (#1319361) Journal

              Which comes down to personal responsibility: they don't HAVE to use any of the MS/Amazon/Red Hat/IBM/? products. They CAN host/do it yourself, they just CHOOSE not to.

              So, they DO have to take SOME responsibility.

              But YES: legislate the F*CK out of them. PLEASE.

              --
              --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 3, Interesting) by GloomMower on Saturday August 05 2023, @06:43PM (2 children)

      by GloomMower (17961) on Saturday August 05 2023, @06:43PM (#1319269)

      I believe there are software security standards, often listed in the contracts companies bid for. Something that is so interconnected and ever changing like software, the standards don't really mean all that much. It is just something you point at when something goes wrong and to not get in trouble (well we did the best we could as we followed these standards).

      But in the contracts there are often ISO/IEC, NIST, HIPAA standards listed, but also their own that they add. There is stuff like:

      * Must use approved software dependency and code scanning tools and resolve any critical vulnerability in no longer than 1 week.
      * Must install security patches within 1 week
      * Must have 2 form authentication to access all systems.
      * Any interconnected computer system must use peer to peer encryption.
      * All data at rest must be encrypted
      * Any password must be changed every 6 weeks.
      * All employees must go through security training every 6 months

      Microsoft does get sued, but I don't think that matters.

      • (Score: 2) by RamiK on Sunday August 06 2023, @11:22AM (1 child)

        by RamiK (1813) on Sunday August 06 2023, @11:22AM (#1319357)

        Microsoft does get sued, but I don't think that matters.

        Industry standards are only guaranteed contractually where armies of lawyers do away with them. GDPR and the various other EU regs proved that for any of this to work, it has to come from the regulator and involve heavy fines.

        Again, the fundamental issue here isn't the identity of the companies. The problem is that major American corporations can afford to out-litigate everyone else. It's not a novel problem, as we've been there with automakers, so we should already know better than saying nonsense like "Don't be evil".

        The only fix is to get the regulator on board and to make sure that door isn't rotating. There never has been a market solution to this problem and there never will be since it's the unavoidable outcome of scale-of-production and how the legal system works.

        --
        compiling...
        • (Score: 2) by GloomMower on Monday August 07 2023, @04:52AM

          by GloomMower (17961) on Monday August 07 2023, @04:52AM (#1319434)

          By clicking "Accept all security flaws", you agree Microsoft can have a security flaw on your device or remote service in accordance with our Security Policy.

  • (Score: 3, Insightful) by GloomMower on Saturday August 05 2023, @06:00PM (1 child)

    by GloomMower (17961) on Saturday August 05 2023, @06:00PM (#1319262)

    Yeah, the company I've been working for only lets you use "approved" software and web services because of "security", and it is mostly only microsoft products. Perception still isn't reality. What a joke.

    • (Score: 0) by Anonymous Coward on Saturday August 05 2023, @11:02PM

      by Anonymous Coward on Saturday August 05 2023, @11:02PM (#1319301)

      The execs aren't paying for security.

      For the execs, Microsoft just charges a "scapegoat" fee so as to shield execs from the responsibility of ignorance.

  • (Score: 3, Insightful) by psa on Saturday August 05 2023, @09:14PM (2 children)

    by psa (220) on Saturday August 05 2023, @09:14PM (#1319287) Homepage

    They've been dinged pretty hard for having charged (a lot of) money for the logs that would have been needed to even see if you've been hacked this way, but there's been a lot less discussion of the fact that Microsoft should have been paying attention to the logs as well. I think they're finally waking up to the hand-waving that Microsoft does when it comes to every security breach in Azure, but I can't tell yet if it's going to make a difference.

    Having been a cloud engineer in GCP and AWS before, and somehow, through an unlikely series of events, becoming an Azure Enterprise Architect, I'm still amazed at how everything in Azure seems to be inherently less secure, less monitorable, and less enterprise-ready than their counterparts in other clouds. Microsoft has been scrambling to provide "feature-parity" for Azure, but in true Microsoft style, everything is a bolt-on. Private endpoints, forced routing with lots of holes for native services, firewalls for basic routing, automation resources to add missing functionality from services, highly-throttled metrics from every resource that you have to pay to ingest, pay to store, pay to analyse, pay to do anything about, and still don't measure as many things as come automatically in AWS. After a ridiculous amount of extra complexity and cost we still don't get to the basic vpc functionality that's been in AWS for many years, we still don't get the same visibility into traffic, authentication, secondary deployments, etc. And we're constantly running into arbitrary limits because nothing in Azure scales to the large enterprise or natively takes into account regulatory requirements.

    The article here says Azure, but mostly this is about their Office backend and frontend offerings which they've bundled into Azure so they can pull their monopoly customers over to pad "Azure" profits and make it hard for businesses not to use Azure. Azure can be completely unfit for purpose and it's still going to see high adoption because so much of modern IT infrastructure is completely dependent on things you can only get in Azure today.

    I hear all the time that this isn't the old Microsoft, that they long ago started taking security seriously, that they're not the evil monopolist they used to be, etc., but I don't see it. I think this is and has been business as usual for them all along, and they just got better PR people and more public-friendly leadership.

    • (Score: 2) by Freeman on Monday August 07 2023, @04:13PM (1 child)

      by Freeman (732) on Monday August 07 2023, @04:13PM (#1319486) Journal

      I mean, Microsoft isn't the Monopoly they once were. Google yoinked the web browser away from them. Microsoft literally missed the boat on mobile devices. All the while their desktop share is slowly eroding. Partly due to the fact that some people just don't have desktops anymore. They make do with a phone or tablet. Which in all honesty are full fledged computers. The interface just sucks. Still it doesn't necessarily suck so much, if you don't know how to touch type anyway.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 2, Interesting) by psa on Wednesday August 09 2023, @09:01AM

        by psa (220) on Wednesday August 09 2023, @09:01AM (#1319651) Homepage

        The monopoly I referred to is in their business apps. Exchange handles most business email in the world. Sharepoint is the primary intranet platform. Active Directory is the authentication root in most enterprises. Etc. All of these have been or are being moved to "Azure" (in quotes, because, as I said, M365 Azure has little to do with classic cloud deployments, though it is lumped in for reporting and market share advertisements). Large enterprises, especially, end up in Azure whether they've made a choice to operate in that cloud or not. For the few server products from Microsoft that you are allowed to run in selected other clouds, the licensing is higher than if you run it in Azure.
