Microsoft Overhauling Its Software Security After Major Azure Cloud Attacks (theverge.com)
An anonymous reader shares a report: Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we've ever seen. Then, 30,000 organizations' email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren't enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year. Something had to give.
Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services today. It's the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called on a trustworthy computing initiative in an internal memo.
Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands. In an internal memo to Microsoft's engineering teams today, the company's leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of "blatantly negligent" cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.
Switch kernel to Linux? (Score:1, Troll)
Comment removed (Score:5, Informative)
Re: (Score:1)
Re: (Score:2)
It's a cheap comment in the sense that it engenders a false sense of security that will bite big time in the ass. That's the kind of advocacy open source doesn't need.
Re: (Score:2)
Re: (Score:1)
There's nothing magical about Linux that hardens it against determined attackers.
Sure. But there is a lot of non-magic that makes Microsoft a lot easier to attack for not that determined attackers. The problem is that MS is just a continued serial failure in the security space.
Re: (Score:2)
When you provision a Linux VM on Azure you have to remember that the Azure agent will be on there too.
~2016 that included setup that created a swapfile that was 644 in /mnt/resource.
The problem with these systems is the corporate software. In some organisations there are dedicated teams that want access to manage a particular component of the software stack, so of course they will argue for root to manage it, because upstream didn't design their software to operate any other way.
That's where the problems st
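Following up on the world-readable swapfile mentioned in the comment above, here is an added example (not part of the original post, and not Microsoft's or the Azure agent's code) that audits file-backed swap for permissions that let other local users read it. Swap holds paged-out memory of any process on the host, so a swapfile readable by group or other is a local information leak. The `/proc/swaps` sample embedded below is constructed; the `/mnt/resource/swapfile` path is taken from the comment and is not assumed to exist on the machine running this.

```python
"""Audit file-backed swap for permissions readable by group/other.

Added example, not from the original page. Parses /proc/swaps-style text
(constructed sample below) and stats each file-backed entry.
"""
import os
import stat
from typing import Dict, List

# Constructed sample in the layout of /proc/swaps
# (Filename, Type, Size, Used, Priority). Paths are illustrative.
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda2                               partition\t2097148\t0\t-2
/mnt/resource/swapfile                  file\t\t4194300\t1024\t-3
"""


def parse_proc_swaps(text: str) -> List[Dict[str, str]]:
    """Parse /proc/swaps text into a list of dicts, skipping the header."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or blank line
        entries.append({
            "filename": parts[0],
            "type": parts[1],
            "size": parts[2],
            "used": parts[3],
            "priority": parts[4],
        })
    return entries


def readable_by_others(mode: int) -> bool:
    """True if the permission bits grant read to group or other (e.g. 0644, 0640)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_swap_files(text: str) -> List[str]:
    """Return file-backed swap paths from `text` whose on-disk mode is readable
    by group or other. Partition-backed swap is skipped (block device nodes
    have their own access model); entries that cannot be stat'ed are skipped."""
    offenders: List[str] = []
    for entry in parse_proc_swaps(text):
        if entry["type"] != "file":
            continue
        try:
            st = os.stat(entry["filename"])
        except OSError:
            continue  # file absent or not accessible from this process
        if readable_by_others(stat.S_IMODE(st.st_mode)):
            offenders.append(entry["filename"])
    return offenders


def audit_live_system() -> List[str]:
    """Run the audit against the real /proc/swaps on a Linux host."""
    with open("/proc/swaps", encoding="utf-8") as fh:
        return audit_swap_files(fh.read())


if __name__ == "__main__":
    # Against the constructed sample, /dev/sda2 is a partition (skipped) and
    # /mnt/resource/swapfile is only reported if it exists here and is 0644-style.
    print("offenders (sample):", audit_swap_files(SAMPLE_PROC_SWAPS))
    if os.path.exists("/proc/swaps"):
        print("offenders (live):", audit_live_system())
```

Remediation is `chmod 0600` on the swapfile (root-owned); recent util-linux `swapon` also prints a warning when it activates a swapfile with insecure permissions, so the check above mainly matters for files that were activated before that warning existed or by tooling that ignores it.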
Re: (Score:2)
Re: (Score:2)
There's that, but there are also things like the VM extensions that call home for a command list.
Normally the reason it was put on was for something that didn't need high levels of privilege.
Re: (Score:2)
Does Windows have something equivalent to SELinux?
Re: (Score:1)
There's a PR problem with cloud hacks because lots of customers become vulnerable at the same time. It's like plane crashes versus car crashes. The second kill more than the first, but they usually don't make news because they kill piecemeal.
Nuclear power has a similar problem: the alternatives cause asthma and other ailments arguably worse on average than nuke risk, but because the damage is spread out, it doesn't make news. A bursting nuke plant does.
Yes, the top local server shops are probably safer than
Re: (Score:2)
I just wait for the first major incident that can't be hidden from the public.
The employment of AIs can also backfire due to false positives.
Mostly fair, but not email! (Score:3, Interesting)
If you don't secure your email, then why do you think it's secure? If you don't understand email, then why is it someone else's issue? If the IT, DevOps, InfoSec people in your company aren't telling you to encrypt your email, they're making a grossly negligent mistake.
Regarding the other work Microsoft is doing, cool, let's see what comes of it.
Re: (Score:2)
> The problem with email security is that 9X% of people don't care or think
You could have stopped there, and you would've been right.
Re: (Score:2)
Re: (Score:2)
Perhaps the gross negligence is more to blame on those that know.
After proving how insecure HTTP was years ago, a planet embarked on an HTTPS-everything push, which for the most part worked. So, you're going to tell the people we hounded to get on HTTPS-secured webmail portals, push 2FA on that portal so they now need a secondary auth to simply login to the Inbox, using the same security and technology that they would use to access their banking institutions with, and somehow the end user is still left co
Re: (Score:2)
What's really stopping PGP?
The tooling, and the 10-, 20-, 30-, 40-year-old software that keeps getting updated but can't break.
The hardware, the switches, the routers, the spam filters don't support encrypted mail.
Should we talk about OSes lacking support? Windows doesn't have it by default, so why would anyone use it?
Users? Users are STUPID! Oh boy, a user
Re: (Score:2)
Re: (Score:2)
honeypot (Score:2)
I understand it's difficult to find every possible way of breaking into the service, but maybe Microsoft should consider creating a honeypot and then observe how it's attacked.
Or, maybe, Azure is the honeypot.
Re: (Score:1)
It's possible they do that already, but a few percent won't be caught that way, and maybe the Big Hack was just such a critter.
Looks Like A Full Fledged PR Stunt (Score:3, Insightful)
Two funny curiosities:
1) Implicitly they're acknowledging they suck at securing their software. That they kind of fell asleep after the SDL implementation, or that SDL solved shit, or even worse that they didn't learn from past experiences.
I mean... it's called "Security Development Lifecycle". Which part of "life-cycle" didn't they understand? Not to mention that "Security Development" should have touched not only NT's kernel but the whole area around it.
2) What is a PR stunt without buzzwords? Nothing. That's why they're attaching AI to it. I mean, AI today is no more than automation on steroids. So, they're not doing anything new.
Bottom line: PR stunt to keep selling their services.
If Microsoft really cared (Score:2, Interesting)
Re:If Microsoft really cared (Score:5, Insightful)
They would still be patching 7 and XP for the legacy businesses that depend on it. They would also still be fixing IE and Edge to be non spyware instead of letting Google do what they did to Netscape.
Do you realize that Windows XP was released 22 years ago? The contemporary Linux kernel at the time was 2.4, which saw its last update in 2010. XP's final update was four years later than that in 2014.
Your demand that you must be supported forever (and, presumably, for free) is an absurdity.
Re: (Score:2)
People would have happily upgraded to Windows 7 from XP for free, if they could have.
Allow me to repeat myself: "Your demand that you must be supported forever (and, presumably, for free) is an absurdity."
Ironically, though, Microsoft has actually done what you are demanding: The upgrade from 7 to 10 was free, presuming you did so in the upgrade window. The upgrade from 10 to 11 is free, period.
I forced myself to commit to using only Linux and that decision has worked out better and better as the years went on.
Glad that worked out for you. I've started using Linux in the mid 90s, professionally in the late 90s, and always suggest people choose the best platform for their requirements. I have no interest
This plan is great until the AI itself is hacked. (Score:2)
"Move fast and break customers" (Score:1)
Nooow worry about cloud security, MS? Get ready to see lots of backward compatibility get shot bloody dead as MS reworks the contraption.
Re: (Score:2)
You likely won't get much blowback from anyone that has actually had to operate IN Azure before for any length of time on any "real" scale.
Re: (Score:2)
That bad? Why am I not surprised.
Re: (Score:1)
Indeed. I think that by now MS has accumulated so much technological debt that their stuff simply cannot be fixed anymore and patching things becomes less and less effective and often causes additional problems. They just made way too many bad decisions and never really fixed them. And at this time they basically risk collapsing the whole house of cards if they touch one part. There is a reason basically all Microsoft things have serious bugs that should have been fixed a long time ago, but never were. I th
Not a "few rough years" (Score:1)
What actually happened was that Microsoft got extremely lucky repeatedly. They could have gone out of business due to their continued shoddy, incompetent and half-assed security practices. Instead they are still alive.
Azure security (Score:2)
You know what would improve Azure security?
* Stop changing the names of services every six months.
* Update your documentation to reflect changes in Azure user interfaces
* Stop burying security settings on five different websites with constantly changing service names
* Make it a lot more obvious which role permissions affect which specific services
It's next to impossible for the average Azure user to apply even basic security principles to their tenant because of the constant change and terrible documentatio
Re: (Score:2)
Maybe it's because all that is designed in a place of the world where weed is legal.
Re: (Score:2)
While I agree with your assessment overall, Microsoft created Sentinel to put all of that behind a single pane of glass. Otherwise I totally agree. I never liked that they called it Azure Active Directory and Azure Active Directory Domain Services, as that confused a whole lot of people, and then suddenly naming it Entra?
Stop making Azure a moving target and there's a good chance security will improve. Amazon with AWS is more stable in that regard and has had their own security issues however.
So... (Score:2)
They're going to steal the servers, slap fat tires on there, set the ride height to toboggan, have Chip Foose do a tacky paint job and then do a reveal?
Welcome... (Score:1)
... to the 21st Century, hope you stay.