Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation."
The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.
Arthur T Knackerbracket has processed the following story:
Yoran has more to add to the senator’s arguments, writing in his post that Microsoft has demonstrated a “repeated pattern of negligent cybersecurity practices,” enabling Chinese hackers to spy on the US government. He also revealed Tenable’s discovery of an additional cybersecurity flaw in Microsoft Azure and says the company took too long to address it.
Tenable initially discovered the flaw in March and found that it could give bad actors access to a company’s sensitive data, including a bank. Yoran claims Microsoft took “more than 90 days to implement a partial fix” after Tenable notified the company, adding that the fix only applies to “new applications loaded in the service.” According to Yoran, the bank and all the other organizations “that had launched the service prior to the fix” are still affected by the flaw — and are likely unaware of that risk.
Yoran says Microsoft plans to fix the issue by the end of September but calls the delayed response “grossly irresponsible, if not blatantly negligent.” He also points to data from Google’s Project Zero, which indicates that Microsoft products have made up 42.5 percent of all discovered zero-day vulnerabilities since 2014.
“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” Yoran writes. “How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?”
(Score: 5, Insightful) by Runaway1956 on Saturday August 05 2023, @03:11PM (2 children)
I can't argue your additional points, but I think you can't heap enough blame upon Microsoft. Perhaps I could be more forgiving of their monopolistic history, if they actually offered a superior product. Perhaps. But, the fact is, MS has a long history of putting competitors out of business, some, or even all, of whom offered better products, with better security. A complete view of Microsoft's history condemns them as unfit to do business in this, or any other country. Seriously, how many times have they put a competitor out of business (or bought the competitor out in some cases) only to offer a crippled, less secure version of their own making? Embrace, extend, extinguish. They tried that with Java, unsuccessfully.
But, the rest of your post is on target. Given MS history, decision makers who decide to invest in MS products are just too damned stupid to be decision makers.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 5, Insightful) by RS3 on Saturday August 05 2023, @03:37PM
That is the core problem.
Far too many critical technical decisions are made by business-types. It has haunted me all of my professional life. Being problem-solvers who are pretty much always up for a challenge, we technical-types accept the challenge (sometimes reluctantly) of making things work, staying on top of patches, updates, best security practices, etc. I often comment, cynically, that MS has created a huge number of jobs, and that if they ever made a truly secure product, many IT workers would be laid off.
I'll give them credit for two things: their software development tools, example code, developer network, helps, APIs, etc., are pretty good. I don't happen to like them, but obviously tons of people do. I'll argue it's a bit of a "pile-on" / follow the crowd / they never really tried anything else.
Also, MS is known for "innovation". Whether by their own ideas or stealing / buying others', they have always tried to make computers useful to the average person. But that's part of the problem: pushing (unnecessary) gadgets and "features" out to the market without truly testing them. But that's not MS; most companies I've worked for had that attitude: a race to the market, we'll worry about problems later. Sigh.
(Score: 5, Interesting) by Common Joe on Saturday August 05 2023, @04:25PM
Assuming it is backed by the Chinese government, this should surprise no one, as any place the U.S. government resides with data is a prime candidate for being a target.
It would not surprise me if Microsoft has some kind of back door for the U.S. government. I agree we can't ever heap enough blame upon Microsoft, but I think there is also a U.S. government component too.