Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation."
The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.
Arthur T Knackerbracket has processed the following story:
Yoran has more to add to the senator’s arguments, writing in his post that Microsoft has demonstrated a “repeated pattern of negligent cybersecurity practices,” enabling Chinese hackers to spy on the US government. He also revealed Tenable’s discovery of an additional cybersecurity flaw in Microsoft Azure and says the company took too long to address it.
Tenable initially discovered the flaw in March and found that it could give bad actors access to a company’s sensitive data, including a bank. Yoran claims Microsoft took “more than 90 days to implement a partial fix” after Tenable notified the company, adding that the fix only applies to “new applications loaded in the service.” According to Yoran, the bank and all the other organizations “that had launched the service prior to the fix” are still affected by the flaw — and are likely unaware of that risk.
Yoran says Microsoft plans to fix the issue by the end of September but calls the delayed response “grossly irresponsible, if not blatantly negligent.” He also points to data from Google’s Project Zero, which indicates that Microsoft products have made up 42.5 percent of all discovered zero-day vulnerabilities since 2014.
“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” Yoran writes. “How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?”
(Score: 4, Interesting) by RamiK on Saturday August 05 2023, @02:02PM (8 children)
Microsoft's obfuscation is the security theater their customers want, are paying for, and it's clearly what they're getting. If governments want banks, hospitals and infrastructure to use actual security, they should regulate proper software engineering practices and specific guidelines for cloud services, like every other engineering field is held to, instead of letting EULAs and other contract shenanigans remove the most basic liabilities.
(Score: 5, Insightful) by Gaaark on Saturday August 05 2023, @02:25PM (4 children)
Yeah; MS says "Don't use Linux... there's no one to turn to if anything goes wrong", but MS will say "It's your fault" if anything goes wrong, so there's no one to turn to there, either.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Disagree) by RamiK on Saturday August 05 2023, @04:54PM (3 children)
Eh, that's not quite right nowadays: https://azure.microsoft.com/en-us/solutions/linux-on-azure [microsoft.com] https://www.theregister.com/2023/05/26/microsoft_azure_linux_container/ [theregister.com]
(Score: 4, Insightful) by Gaaark on Saturday August 05 2023, @05:04PM (2 children)
And when something goes wrong, will MS back you up? You lose data worth millions of dollars because MS fucked something up, will you get your data back absolutely or when you sue, will MS just say "We have billions in the bank and the best lawyers who will drag this case through the courts for years.... how much money YOU got?"
This is the company that sues little companies like Tom-Tom for their linux use that "violates all kinds of our patents that you won't find out about unless it goes to court...how much money YOU got?", but it won't sue Google for linux use because Google HAS money.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by RamiK on Sunday August 06 2023, @11:13AM (1 child)
Of course they won't. They're a major software vendor and service provider with layers of EULAs to shrug off their responsibilities and armies of lawyers and lobbyists on retainer to keep it that way.
That's the whole point: It's not a technical problem, nor is it specific to Microsoft or any other major vendor, since Red Hat/IBM does the exact same thing with linux and Amazon does the same thing with their cloud services. Fundamentally, it's a market problem where hosting costs only go down at scale but, in the absence of government intervention, getting to those scales means cutting at reliability and security.
So, we can play the blame game and point fingers at the suppliers for giving the customers what they want or try aiming at their customers saying how they should do more to secure the customers' data... But, practically speaking, just like with seat belts and air bags, the only solution here is for the legislator and regulator to step in.
(Score: 2) by Gaaark on Sunday August 06 2023, @12:02PM
Which comes down to personal responsibility: they don't HAVE to use any of the MS/Amazon/Red Hat/IBM/? products. They CAN host/do it yourself, they just CHOOSE not to.
So, they DO have to take SOME responsibility.
But YES: legislate the F*CK out of them. PLEASE.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Interesting) by GloomMower on Saturday August 05 2023, @06:43PM (2 children)
I believe there are software security standards, often listed in the contracts companies bid for. Something that is so interconnected and ever changing like software, the standards don't really mean all that much. It is just something you point at when something goes wrong and to not get in trouble (well we did the best we could as we followed these standards).
But the contracts often list ISO/IEC, NIST and HIPAA standards, and also their own that they add. There is stuff like:
* Must use approved software dependency and code scanning tools and resolve any critical vulnerability in no longer than 1 week.
* Must install security patches within 1 week
* Must have 2 form authentication to access all systems.
* Any interconnected computer system must use peer to peer encryption.
* All data at rest must be encrypted
* Any password must be changed every 6 weeks.
* All employees must go through security training every 6 months
Microsoft does get sued, but I don't think that matters.
(Score: 2) by RamiK on Sunday August 06 2023, @11:22AM (1 child)
Industry standards are only guaranteed contractually where armies of lawyers do away with them. GDPR and the various other EU regs proved that for any of this to work, it has to come from the regulator and involve heavy fines.
Again, the fundamental issue here isn't the identity of the companies. The problem is that major American corporations can afford to out-litigate everyone else. It's not a novel problem, as we've been there with automakers, so we should already know better than saying nonsense like "Don't be evil".
The only fix is to get the regulator on board and to make sure that door isn't rotating. There never has been a market solution to this problem and there never will be since it's the unavoidable outcome of scale-of-production and how the legal system works.
(Score: 2) by GloomMower on Monday August 07 2023, @04:52AM
By clicking "Accept all security flaws", you agree Microsoft can have a security flaw on your device or remote service in accordance with our Security Policy.