Microsoft Security IT Technology

Microsoft Overhauling Its Software Security After Major Azure Cloud Attacks (theverge.com)

An anonymous reader shares a report: Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we've ever seen. Then, 30,000 organizations' email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren't enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year. Something had to give.

Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services today. It's the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called for a trustworthy computing initiative in an internal memo.

Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands. In an internal memo to Microsoft's engineering teams today, the company's leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of "blatantly negligent" cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.

  • Seems like that may well be the fastest way to achieve their (stated) goal.
    • by Shakrai ( 717556 ) on Thursday November 02, 2023 @11:58AM (#63974380) Journal

      Dude, this is a cheap comment. There's nothing magical about Linux that hardens it against determined attackers. Linux is already prevalent within the Azure ecosystem and much of the underlying infrastructure. Azure is a big fat juicy target and like all big fat juicy targets these days it attracts a literal metric fuckton of attention from black, gray, and white hats. Some of the black hats have nation-state level resources behind them. If you've paid attention to the security space over the last few years, no platform is invulnerable to targeted attacks, regardless of underlying OS/kernel. I love Linux, this isn't an anti-Linux rant, but it is just as vulnerable as every other OS out there [github.com].

      There are ~30M lines of code in the Linux kernel. Tens of millions more in the GNU and other FOSS tools you need to complete a Linux system. There are ~50M lines of code in Windows 11, ~80M in macOS, ~12 million in iOS and Android, with additional for the bundled services/tools/apps you need to complete those ecosystems.

      It doesn't matter how many eyeballs you throw at something on that scale. Something will be overlooked. There are at least as many (very likely more) black hat eyeballs as white hat eyeballs. Even if your software is perfect (it never is) you still have to worry about hardware vulnerabilities. Or the combination of the two. Read the iLeakage research paper [ileakage.com], that's the kind of stuff you're up against if confronted with a well resourced black hat team, and if you think 'Linux' is the answer you don't understand the problem.

      Linux is great but I'm under no illusions that it's a panacea for modern day cyberthreats. The above doesn't even touch on the biggest threat, social engineering. MGM got pwned because their own help desk fell for a social engineering attack. Linux won't help you when your IT Team gets scammed into surrendering root privileges.

      • but.... Micro$oft!

        • It's a cheap comment in the sense that it engenders a false sense of security that will bite big time in the ass. That's the kind of advocacy open source doesn't need.

          • by Shakrai ( 717556 )

            That's the kind of advocacy open source doesn't need.

            This. There are lots of reasons to use FOSS. Out of the box security isn't one of them. Linux will screw you over just as quickly as Windows if you don't do your job correctly. And if you don't train your users to recognize social engineering neither will save you. A typewriter can screw you over if your users get socially engineered.

      • by gweihir ( 88907 )

        There's nothing magical about Linux that hardens it against determined attackers.

        Sure. But there is a lot of non-magic that makes Microsoft a lot easier to attack for less determined attackers. The problem is that MS is just a continued serial failure in the security space.

      • When you provision a Linux VM on Azure you have to remember that the Azure agent will be on there too.

        ~2016 that included setup that created a swapfile that was 644 in /mnt/resource.

        The problem with these systems is the corporate software. In some organisations there are dedicated teams that want access to manage a particular component of the software stack, so of course they will argue for root to manage it, because upstream didn't design their software to operate any other way.

        That's where the problems st
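The world-readable swap file mentioned above is a concrete, checkable misconfiguration: a swap area can hold paged-out secrets, so file-backed swap should be mode 0600. The following audit script is an added example and not part of the comment or of any Azure tooling; it parses the `/proc/swaps` table and flags file-backed swap whose group or other read bits are set. The `/proc/swaps` text and the file mode below are constructed sample data.

```python
import os
import stat
from typing import Callable, Dict, List

# Constructed sample of /proc/swaps (not captured from a real Azure VM):
# one file-backed swap under /mnt/resource, the path named in the comment,
# and one partition-backed swap, which has no file mode to check.
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/mnt/resource/swapfile                  file\t\t2097148\t0\t-2
/dev/sda2                               partition\t4194300\t0\t-3
"""

def parse_proc_swaps(text: str) -> List[Dict[str, str]]:
    """Parse the /proc/swaps table into one dict per active swap area."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        rows.append({"filename": parts[0], "type": parts[1],
                     "size": parts[2], "used": parts[3], "priority": parts[4]})
    return rows

def world_readable_swapfiles(text: str, mode_of: Callable[[str], int]) -> List[str]:
    """Return file-backed swap areas whose group or other read bits are set.

    mode_of(path) must return an st_mode value; it is injected so the check
    runs on constructed data here and on os.stat() against a live host.
    Swap can contain paged-out keys and passwords, so anything looser than
    0600 lets another local user read them.
    """
    leaky = []
    for row in parse_proc_swaps(text):
        if row["type"] != "file":               # partitions carry no file mode
            continue
        mode = stat.S_IMODE(mode_of(row["filename"]))
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            leaky.append(f"{row['filename']} mode {mode:04o}")
    return leaky

# Constructed stat result standing in for the 644 swapfile described above.
FAKE_MODES = {"/mnt/resource/swapfile": stat.S_IFREG | 0o644}

def audit_live_host() -> List[str]:
    """Run the same check against the real /proc/swaps of this machine."""
    with open("/proc/swaps") as f:
        return world_readable_swapfiles(f.read(), lambda p: os.stat(p).st_mode)

if __name__ == "__main__":
    for finding in world_readable_swapfiles(SAMPLE_PROC_SWAPS, FAKE_MODES.__getitem__):
        print("world-readable swap:", finding)
```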

        • by Shakrai ( 717556 )

          As it has to be internet reachable (because cloud) these things matter a bit more than private data centres where not everything can reach the internet.

          That matters less than you think these days. I've certainly done incident response that came out as a consequence of some flawed/buggy service exposed to the Internet, Fortinet has had at least two of these zero days in the last twelve months (sigh), but in recent years I've done a lot more incident responses where "Internet facing" had nothing to do with it. Generally there's a jumping off point past the firewall, on a trusted network, obtained via bug or social engineering -- doesn't really matter how -

          • There's that, but there's also things like the VM extensions that call home for a command list.

            Normally the reason it was put on was for something that didn't need high levels of privilege.

      • Does Windows have something equivalent to SELinux?

  • by Murdoch5 ( 1563847 ) on Thursday November 02, 2023 @11:50AM (#63974360) Homepage
    The problem with email security is that 9X% of people don't care or think about email security. If you don't encrypt and sign your emails, with something like PGP, then you have no right or ground to stand on when you get hacked. What's the argument? The plain text thing you sent got read, because it's plain text?

    If you don't secure your email, then why do you think it's secure? If you don't understand email, then why is it someone else's issue? If the IT, DevOps, InfoSec people in your company aren't telling you to encrypt your email, they're making a grossly negligent mistake.

    Regarding the other work Microsoft is doing, cool, let's see what comes of it.
    • > The problem with email security is that 9X% of people don't care or think

      You could have stopped there, and you would've been right.

    • Perhaps the gross negligence, is more to blame on those that know.

      After proving how insecure HTTP was years ago, a planet embarked on an HTTPS-everything push, which for the most part worked. So, you're going to tell the people we hounded to get on HTTPS-secured webmail portals, push 2FA on that portal so they now need a secondary auth to simply log in to the Inbox, using the same security and technology that they would use to access their banking institutions with, and somehow the end user is still left co

      • You are exactly right! I deal with this confusion constantly, where people tell me it uses SSL, when they mean TLS, so the data is secure.

        What's really stopping PGP?

        The tooling, and the 10, 20, 30, 40 years old software that keeps getting updated but can't break.

        The hardware, the switches, the routers, the spam filters don't support encrypted mail.

        Should we talk about OSes lacking support? Windows doesn't have it by default, so why would anyone use it?

        Users? Users are STUPID! Oh boy, a user
  • I understand it's difficult to find every possible way of breaking into the service but maybe Microsoft should consider creating a honey pot and then observe how it's attacked.

    Or, maybe, Azure is the honey pot.

    • by Tablizer ( 95088 )

      It's possible they do that already, but a few percent won't be caught that way, and maybe the Big Hack was just such a critter.

  • by willkane ( 6824186 ) on Thursday November 02, 2023 @12:13PM (#63974416)
    They can't have a straight face when selling their products/services as secure after having the SolarWinds attack in their back.

    Two funny curiosities:

    1) Implicitly they're acknowledging they suck at securing their software. That they kind of fell asleep after the SDL implementation, or that SDL solved shit, or even worse, they didn't learn from past experiences.

    I mean... it's called "Security Development Lifecycle". Which part of life-cycle didn't they understand? Not to mention that "Security Development" should have touched not only NT's kernel but the whole areas around it.

    2) What is a PR stunt without buzzwords? Nothing. That's why they're attaching AI to it. I mean, AI today is no more than automation on steroids. So, they're not doing anything new.

    Bottom line: PR stunt to keep selling their services.
  • They would still be patching 7 and XP for the legacy businesses that depend on it. They would also still be fixing IE and Edge to be non spyware instead of letting Google do what they did to Netscape.
    • by Zak3056 ( 69287 ) on Thursday November 02, 2023 @01:56PM (#63974702) Journal

      They would still be patching 7 and XP for the legacy businesses that depend on it. They would also still be fixing IE and Edge to be non spyware instead of letting Google do what they did to Netscape.

      Do you realize that Windows XP was released 22 years ago? The contemporary Linux kernel at the time was 2.4, which saw its last update in 2010. XP's final update was four years later than that in 2014.

      Your demand that you must be supported forever (and, presumably, for free) is an absurdity.

  • Then every bit of software 'audited' by the hacked AI is suddenly untrustworthy, which is hopefully caught before it is released (yes I am not typing this with a straight face).
  • Nooow worry about cloud security, MS? Get ready to see lots of backward compatibility get shot bloody dead as MS reworks the contraption.

  • What actually happened was that Microsoft got extremely lucky repeatedly. They could have gone out of business due to their continued shoddy, incompetent and half-assed security practices. Instead they are still alive.

  • You know what would improve Azure security?

    * Stop changing the names of services every six months.
    * Update your documentation to reflect changes in Azure user interfaces
    * Stop burying security settings on five different websites with constantly changing service names
    * Make it a lot more obvious which role permissions affect which specific services

    It's next to impossible for the average Azure user to apply even basic security principles to their tenant because of the constant change and terrible documentatio

    • by Z00L00K ( 682162 )

      Maybe it's because all that is designed in a place of the world where weed is legal.

    • While I agree with your assessment overall, Microsoft created Sentinel to put all of that behind a single pane of glass. Otherwise I totally agree, I never liked that they called it Azure Active Directory and Azure Active Directory Domain Services as that confused a whole lot of people, then suddenly naming it Entra?

      Stop making Azure a moving target and there's a good chance security will improve. Amazon with AWS is more stable in that regard and has had their own security issues however.

  • by Chas ( 5144 )

    They're going to steal the servers, slap fat tires on there, set the ride height to toboggan, have Chip Foose do a tacky paint job and then do a reveal?

  • ... to the 21st Century, hope you stay.
