
posted by requerdanos on Saturday August 05 2023, @11:30AM
from the negligent-cybersecurity-practices dept.

https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/

Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation."

The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.

Arthur T Knackerbracket has processed the following story:

Yoran has more to add to the senator’s arguments, writing in his post that Microsoft has demonstrated a “repeated pattern of negligent cybersecurity practices,” enabling Chinese hackers to spy on the US government. He also revealed Tenable’s discovery of an additional cybersecurity flaw in Microsoft Azure and says the company took too long to address it.

Tenable initially discovered the flaw in March and found that it could give bad actors access to the sensitive data of affected organizations, including a bank. Yoran claims Microsoft took “more than 90 days to implement a partial fix” after Tenable notified the company, adding that the fix only applies to “new applications loaded in the service.” According to Yoran, the bank and all the other organizations “that had launched the service prior to the fix” are still affected by the flaw — and are likely unaware of that risk.

Yoran says Microsoft plans to fix the issue by the end of September but calls the delayed response “grossly irresponsible, if not blatantly negligent.” He also points to data from Google’s Project Zero, which indicates that Microsoft products have made up 42.5 percent of all discovered zero-day vulnerabilities since 2014.

“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” Yoran writes. “How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?”


Original Submission #1 | Original Submission #2

This discussion was created by requerdanos (5997) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 2) by mhajicek on Saturday August 05 2023, @08:00PM (6 children)

    by mhajicek (51) on Saturday August 05 2023, @08:00PM (#1319278)

    Windows is the ONLY option for professional level CADCAM. That ties a few hands.

    --
    The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
  • (Score: 2) by Gaaark on Saturday August 05 2023, @08:19PM (5 children)

    by Gaaark (41) on Saturday August 05 2023, @08:19PM (#1319279) Journal

    Does it HAVE to be connected to the internet? That's where the attack vector usually is.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 4, Interesting) by RS3 on Saturday August 05 2023, @10:44PM (4 children)

      by RS3 (6367) on Saturday August 05 2023, @10:44PM (#1319298)

      A friend of mine does a lot of work in Solid Works. Years ago you could install it on stand-alone computers. He said now it won't run unless it can "phone home to mommy". I'm not sure if you can unplug the 'net after it's started up.

      All that said, everyone should be behind some kind of firewall. No Windows machine should ever be directly connected to the 'net with no firewall. Most router/gateways have a built-in firewall, and usually default to having all 'net-side ports closed.

      But that doesn't stop someone from checking email on said machine, and maybe receiving malware in an email that automatically opens the attachment. Or visiting a website that has javascript malware.

      • (Score: 3, Funny) by Gaaark on Saturday August 05 2023, @11:51PM (3 children)

        by Gaaark (41) on Saturday August 05 2023, @11:51PM (#1319306) Journal

        You and your friend and everyone you know should contact the software makers and tell them you want to run their software on linux.

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 2) by RS3 on Sunday August 06 2023, @01:16AM

          by RS3 (6367) on Sunday August 06 2023, @01:16AM (#1319311)

          And then we'll place bets on how long they'll laugh at us?

          Even if they did produce a Linux version, it'd still phone home.

          Oh, and I don't use Solid Works, and hope I never have to. Not because of the aforementioned problem, but it's very very complex 3D CAD and that's not my jam. Jamb?

        • (Score: 2) by mhajicek on Sunday August 06 2023, @02:47AM

          by mhajicek (51) on Sunday August 06 2023, @02:47AM (#1319321)

          If you pay them less than $100,000/year for license maintenance, you're not even a bug on their windshield.

          --
          The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
        • (Score: 2) by Freeman on Monday August 07 2023, @04:07PM

          by Freeman (732) on Monday August 07 2023, @04:07PM (#1319485) Journal

          Makes me kind of wonder if you could run it via WINE.

          Ah, so I guess the answer to that question is generally "No", because it is garbage. At least that's the rating it's generally getting on WINEHQ: "Garbage."
          https://appdb.winehq.org/objectManager.php?sClass=application&iId=318

          It did accidentally get a Silver rating in 2008 and 2010. They fixed that later, though.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"