this post was submitted on 03 Aug 2023
348 points (97.3% liked)

Technology

57933 readers
4197 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
L4s@lemmy.world
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
348
Microsoft called out for “blatantly negligent” cybersecurity practices (www.theverge.com)
submitted 1 year ago by Bishma@discuss.tchncs.de to c/technology@lemmy.world
24 comments fedilink hide all child comments
 

There's been a string of security blunders in Azure in the last couple years but leaking a signing key and then trying to downplay it is really beyond the pale

all 25 comments
sorted by: hot top controversial new old
[–] autotldr@lemmings.world 95 points 1 year ago (2 children)

This is the best summary I could come up with:

On July 12th, Microsoft disclosed a major breach targeting its Azure platform, which it traced to a Chinese hacking group known as Storm-0558.

Last week, Senator Ron Wyden (D-OR) sent a letter to the US Department of Justice, asking it hold Microsoft accountable for “negligent cybersecurity practices.”

Yoran has more to add to the senator’s arguments, writing in his post that Microsoft has demonstrated a “repeated pattern of negligent cybersecurity practices,” enabling Chinese hackers to spy on the US government.

Tenable initially discovered the flaw in March and found that it could give bad actors access to a company’s sensitive data, including a bank.

The security firm Wiz reported last week that the hack on Azure may have been more far-reaching than originally thought, although Microsoft has since disputed its findings.

Microsoft has been involved in numerous recent data breaches, including the infamous Solar Winds hack that affected agencies across the US government.

I'm a bot and I'm open source!

[–] objectionist@lemmy.world 29 points 1 year ago

man i see this bot everywhere. its awesome, and it looks like its gonna turn into a staple of lemmy's army of neat bots!

[–] sebinspace@lemmy.world 31 points 1 year ago (4 children)

Not surprising, MS probably have one of the largest attack surfaces of any entity

[–] stevedidwhat_infosec@infosec.pub 13 points 1 year ago (2 children)

It the job of responsible company (especially one Microsoft’s size) to know that and plan for it accordingly.

Risk management is hard baked into the infosec responsibility set, size isn’t an excuse

[–] Phlogiston@lemmy.world 4 points 1 year ago

Did you say, “Size doesn’t matter”?

(FYI - in hear this excuse all the time at a large company. Somehow our complexity and scale is always an excuse people reach toward. And, as you say, our job from infosec is to shut that whining down.

[–] sebinspace@lemmy.world 0 points 1 year ago (1 children)

It can be if you don’t have the staff. If humans are the most vulnerable part of the system, you can’t stretch them too thin and expect them to be as effective in their role.

[–] stevedidwhat_infosec@infosec.pub 1 points 1 year ago

That’s part of another issue which should’ve been handled prior to getting too big.

Manageability is #1 when considering your growth, can’t imagine Microsoft chose to keep a “small staff” out of necessity.

Perhaps fucking private Sting concerts for higher ups should be scrapped in favor of the employees they fired days prior to attending

[–] ShittyBeatlesFCPres@lemmy.world 11 points 1 year ago (1 children)

I don’t know what the US government runs on its most secure systems but with all the money we pay in taxes, I hope it’s not Windows, Linux, or macOS. I hope they scooped up some 80’s operating system no one would ever suspect and kept it going in parallel. Good luck hacking into a system with a fully custom version of Business Operating System that runs on 64 bit Motorola processors no one knows about but the CIA’s sysadmins.

I know in reality they probably run Windows Vista on 12 year-old laptops or some shit and get hacked all the fucking time but I’d like to think someone had enough sense to not do that.

[–] average650@lemmy.world 15 points 1 year ago (1 children)

The OS they choose is really not the most important part of its most secure systems.

[–] ShittyBeatlesFCPres@lemmy.world 6 points 1 year ago (1 children)

Ok, fine. Then I hope they use paper and guns to protect secrets.

[–] KairuByte@lemmy.world 15 points 1 year ago* (last edited 1 year ago)

You can have the most secure and secret OS in existence, and you’re failing miserably the moment it has unfettered access to the internet.

On the flip side, literally any OS can be secure if it’s airgapped in a sealed room.

There’s a happy medium in there, and that’s where most governments want to be.

[–] Zorque@kbin.social 2 points 1 year ago

Yeah, but the NFL kept calling them attack ipads.

[–] Zeth0s@lemmy.world 1 points 1 year ago

Guy is talking about cloud. Azure is not the first cloud provider, it's simply tha laziest

[–] lwuy9v5@lemmy.world 14 points 1 year ago (1 children)

For the comments - this is currently referring to their cloud service, Microsoft Azure. But, yea same story as Microsoft ever was

[–] Treczoks@lemmy.world 10 points 1 year ago

How I see Microsoft "Security":

When someone reports a glaring hole in an MS product, they probably ask nicely at the CIA and NSA if they want to buy the security vulnerability for their own nefarious causes, or, if they know it already, whether MS is allowed to close the hole in the foreseeable future.

And then they basically do nothing, as finding, fixing, and patching all costs money. And admitting that ones product has more holes than a pair of nylon pantyhose after a run though the brambles is bad for marketing, too.

[–] AlmightySnoo@lemmy.world 8 points 1 year ago

Microsoft hidden backdoors are a feature, not a bug

[–] Pokadots@kbin.social 7 points 1 year ago

They can’t even figure out how to get vTAPs working in Azure

[–] GreatBlue@infosec.pub 7 points 1 year ago* (last edited 1 year ago)

And despite that most customers will stay and Microsoft will learn they don't need to put more effort into security. They maybe even can get away with reducing security...

[–] GustavoM@lemmy.world 4 points 1 year ago (1 children)

Something something "it's fine when WE do it".

[–] igorlogius@lemmy.world 1 points 1 year ago

ha ha ha ... i was expecting this comment +1

[–] CookieJarObserver@sh.itjust.works 2 points 1 year ago (1 children)

Linux anyone?

We have free linux in different variations!

[–] lanbanger@kbin.social 13 points 1 year ago

You can run Linux on Azure, and it will still be compromised by Microsoft's lax security practices.