Microsoft Overhauling Its Software Security After Major Azure Cloud Attacks (theverge.com)

An anonymous reader shares a report: Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we've ever seen. Then, 30,000 organizations' email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren't enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year. Something had to give.

Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services today. It's the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called for a trustworthy computing initiative in an internal memo.

Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands. In an internal memo to Microsoft's engineering teams today, the company's leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of "blatantly negligent" cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.

  • Seems like that may well be the fastest way to achieve their (stated) goal.
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Thursday November 02, 2023 @10:58AM (#63974380)
      Comment removed based on user account deletion
      • Comment removed based on user account deletion
      • by gweihir ( 88907 )

        There's nothing magical about Linux that hardens it against determined attackers.

        Sure. But there is a lot of non-magic that makes Microsoft a lot easier to attack for not that determined attackers. The problem is that MS is just a continued serial failure in the security space.

      • When you provision a Linux VM on Azure you have to remember that the Azure agent will be on there too.

        ~2016 that included setup that created a swapfile that was 644 in /mnt/resource.

        The problem with these systems is the corporate software. In some organisations there are dedicated teams that want access to manage a particular component of the software stack, so of course they will argue for root to manage it, because upstream didn't design their software to operate any other way.

        That's where the problems st

        • Comment removed based on user account deletion
          • There's that, but there's also things like the VM extensions that call home for a command list.

            Normally the reason it was put on was for something that didn't need high levels of privilege.

      • Does Windows have something equivalent to SELinux?

  • by Murdoch5 ( 1563847 ) on Thursday November 02, 2023 @10:50AM (#63974360) Homepage
    The problem with email security is that 9X% of people don't care or think about email security. If you don't encrypt and sign your emails, with something like PGP, then you have no right or ground to stand on when you get hacked. What's the argument? The plain text thing you sent, got read, because it's plain text?

    If you don't secure your email, then why do you think it's secure? If you don't understand email, then why is it someone else's issue? If the IT, DevOps, InfoSec people in your company aren't telling you to encrypt your email, they're making a grossly negligent mistake.

    Regarding the other work Microsoft is doing, cool, let's see what comes of it.
    • > The problem with email security is that 9X% of people don't care or think

      You could have stopped there, and you would've been right.

    • Perhaps the gross negligence is more to blame on those that know.

      After proving how insecure HTTP was years ago, a planet embarked on an HTTPS-everything push, which for the most part worked. So, you're going to tell the people we hounded to get on HTTPS-secured webmail portals, push 2FA on that portal so they now need a secondary auth to simply login to the Inbox, using the same security and technology that they would use to access their banking institutions with, and somehow the end user is still left co

      • You are exactly right! I deal with this confusion constantly, where people tell me it uses SSL, when they mean TLS, so the data is secure.

        What's really stopping PGP?

        The tooling, and the 10, 20, 30, 40 years old software that keeps getting updated but can't break.

        The hardware, the switches, the routers, the spam filters don't support encrypted mail.

        Should we talk about OSes lacking support? Windows doesn't have it by default, so why would anyone use it?

        Users? Users are STUPID! Oh boy, a user
  • I understand it's difficult to find every possible way of breaking into the service but maybe Microsoft should consider creating a honey pot and then observe how it's attacked.

    Or, maybe, Azure is the honey pot.

    • by Tablizer ( 95088 )

      It's possible they do that already, but a few percent won't be caught that way, and maybe the Big Hack was just such a critter.

  • by willkane ( 6824186 ) on Thursday November 02, 2023 @11:13AM (#63974416)
    They can't have a straight face when selling their products/services as secure after having the SolarWinds attack in their back.

    Two funny curiosities:

    1) Implicitly they're acknowledging they suck at securing their software. That they kind of fell asleep after the SDL implementation or that SDL solved shit or even worse they didn't learn from past experiences.

    I mean... it's called "Security Development Lifecycle". Which part of life-cycle didn't they understand? Not to mention that "Security Development" should have touched not only NT's kernel but the whole areas around it.

    2) What is a PR stunt without buzzwords? Nothing. That's why they're attaching AI to it. I mean, AI today is no more than automation on steroids. So, they're not doing anything new.

    Bottom line: PR stunt to keep selling their services.
  • They would still be patching 7 and XP for the legacy businesses that depend on it. They would also still be fixing IE and Edge to be non spyware instead of letting Google do what they did to Netscape.
    • by Zak3056 ( 69287 ) on Thursday November 02, 2023 @12:56PM (#63974702) Journal

      They would still be patching 7 and XP for the legacy businesses that depend on it. They would also still be fixing IE and Edge to be non spyware instead of letting Google do what they did to Netscape.

      Do you realize that Windows XP was released 22 years ago? The contemporary Linux kernel at the time was 2.4, which saw its last update in 2010. XP's final update was four years later than that in 2014.

      Your demand that you must be supported forever (and, presumably, for free) is an absurdity.

  • Then every bit of software 'audited' by the hacked AI is suddenly untrustworthy, which is hopefully caught before it is released (yes I am not typing this with a straight face).
  • Nooow worry about cloud security, MS? Get ready to see lots of backward compatibility get shot bloody dead as MS reworks the contraption.

  • What actually happened was that Microsoft got extremely lucky repeatedly. They could have gone out of business due to their continued shoddy, incompetent and half-assed security practices. Instead they are still alive.

  • You know what would improve Azure security?

    * Stop changing the names of services every six months.
    * Update your documentation to reflect changes in Azure user interfaces
    * Stop burying security settings on five different websites with constantly changing service names
    * Make it a lot more obvious which role permissions affect which specific services

    It's next to impossible for the average Azure user to apply even basic security principles to their tenant because of the constant change and terrible documentatio

    • by Z00L00K ( 682162 )

      Maybe it's because all that is designed in a place of the world where weed is legal.

    • While I agree with your assessment overall, Microsoft created Sentinel to put all of that behind a single pane of glass. Otherwise I totally agree, I never liked that they called it Azure Active Directory and Azure Active Directory Domain Services as that confused a whole lot of people, then suddenly naming it Entra?

      Stop making Azure a moving target and there's a good chance security will improve. Amazon with AWS is more stable in that regard and has had their own security issues however.

  • by Chas ( 5144 )

    They're going to steal the servers, slap fat tires on there, set the ride height to toboggan, have Chip Foose do a tacky paint job and then do a reveal?

  • ... to the 21st Century, hope you stay.
