Stories
Slash Boxes
Comments

SoylentNews is people

posted by requerdanos on Saturday August 05 2023, @11:30AM   Printer-friendly
from the negligent-cybersecurity-practices dept.

https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/

Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation."

The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.

Arthur T Knackerbracket has processed the following story:

Yoran has more to add to the senator’s arguments, writing in his post that Microsoft has demonstrated a “repeated pattern of negligent cybersecurity practices,” enabling Chinese hackers to spy on the US government. He also revealed Tenable’s discovery of an additional cybersecurity flaw in Microsoft Azure and says the company took too long to address it.

Tenable initially discovered the flaw in March and found that it could give bad actors access to a company’s sensitive data, including a bank. Yoran claims Microsoft took “more than 90 days to implement a partial fix” after Tenable notified the company, adding that the fix only applies to “new applications loaded in the service.” According to Yoran, the bank and all the other organizations “that had launched the service prior to the fix” are still affected by the flaw — and are likely unaware of that risk.

Yoran says Microsoft plans to fix the issue by the end of September but calls the delayed response “grossly irresponsible, if not blatantly negligent.” He also points to data from Google’s Project Zero, which indicates that Microsoft products have made up 42.5 percent of all discovered zero-day vulnerabilities since 2014.

“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” Yoran writes. “How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?”


Original Submission #1Original Submission #2

 
This discussion was created by requerdanos (5997) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Insightful) by psa on Saturday August 05 2023, @09:14PM (2 children)

    by psa (220) on Saturday August 05 2023, @09:14PM (#1319287) Homepage

    They've been dinged pretty hard for having charged (a lot of) money for the logs that would have been needed to even see if you've been hacked this way, but there's been a lot less discussion of the fact that Microsoft should have been paying attention to the logs as well. I think they're finally waking up to the hand-waving that Microsoft does when it comes to every security breach in Azure, but I can't tell yet if it's going to make a difference.

    Having been a cloud engineer in GCP and AWS before, and somehow, through an unlikely series of events, becoming an Azure Enterprise Architect, I'm still amazed at how everything in Azure seems to be inherently less secure, less monitorable, and less enterprise-ready than their counterparts in other clouds. Microsoft has been scrambling to provide "feature-parity" for Azure, but in true Microsoft style, everything is a bolt-on. Private endpoints, forced routing with lots of holes for native services, firewalls for basic routing, automation resources to add missing functionality from services, highly-throttled metrics from every resource that you have to pay to ingest, pay to store, pay to analyse, pay to do anything about, and still don't measure as many things as come automatically in AWS. After a ridiculous amount of extra complexity and cost we still don't get to the basic vpc functionality that's been in AWS for many years, we still don't get the same visibility into traffic, authentication, secondary deployments, etc. And we're constantly running into arbitrary limits because nothing in Azure scales to the large enterprise or natively takes into account regulatory requirements.

    The article here says Azure, but mostly this is about their Office backend and frontend offerings which they've bundled into Azure so they can pull their monopoly customers over to pad "Azure" profits and make it hard for businesses not to use Azure. Azure can be completely unfit for purpose and it's still going to see high adoption because so much of modern IT infrastructure is completely dependent on things you can only get in Azure today.

    I hear all the time that this isn't the old Microsoft, that they long ago started taking security seriously, that they're not the evil monopolist they used to be, etc., but I don't see it. I think this is and has been business as usual for them all along, and they just got better PR people and more public-friendly leadership.

    Starting Score:    1  point
    Moderation   +2  
       Insightful=1, Informative=1, Total=2
    Extra 'Insightful' Modifier   0  

    Total Score:   3  
  • (Score: 2) by Freeman on Monday August 07 2023, @04:13PM (1 child)

    by Freeman (732) on Monday August 07 2023, @04:13PM (#1319486) Journal

    I mean, Microsoft isn't the Monopoly they once were. Google yoinked the web browser away from them. Microsoft literally missed the boat on mobile devices. All the while their desktop share is slowly eroding. Partly due to the fact that some people, just don't have desktops anymore. They make due with a phone or tablet. Which in all honesty are full fledged computers. The interface just sucks. Still it doesn't necessarily suck so much, if you don't know how to touch type anyway.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 2, Interesting) by psa on Wednesday August 09 2023, @09:01AM

      by psa (220) on Wednesday August 09 2023, @09:01AM (#1319651) Homepage

      The monopoly I referred to is in their business apps. Exchange handles most business email in the world. Sharepoint is the primary intranet platform. Active Directory is the authentication root in most enterprises. Etc. All of these have been or are being moved to "Azure" (in quotes, because, as I said, M365 Azure has little to do with classic cloud deployments, though it is lumped in for reporting and market share advertisements). Large enterprises, especially, end up in Azure whether they've made a choice to operate in that cloud or not. For the few server products from Microsoft that you are allowed to run in selected other clouds, the licensing is higher than if you run it in Azure.