24 comments

[ 1.8 ms ] story [ 64.2 ms ] thread
Now, or back circa 1995-2005?
> Microsoft’s Threat Intelligence team has said that Storm-0558, a China-based hacking outfit that conducts espionage on behalf of that country’s government, exploited them starting on May 15. Microsoft drove out the attackers on June 16 after a customer tipped off company researchers of the intrusion. By then, Storm-0558 had breached accounts belonging to 25 organizations.

Looks like it was a couple of months ago.

> Wyden went on to say some blame also falls on the Biden administration. In 2021 Biden issued an executive order that created a Cyber Safety Review Board and tasked it, among other things, with studying the SolarWinds attack. The SolarWinds review never took place.

Microsoft messed up and their key was stolen, wtf does the solarwinds hack have to do with this?

> Microsoft messed up and their key was stolen, wtf does the solarwinds hack have to do with this?

Let me guess : Solar Winds used Microsoft ?

I cannot understand how Microsoft products or any proprietary software is acceptable in DOD or National Security provisioning
They have sequestered environmentd for that, check out Fedramp. They basically have their own DC and security requirements met. Every cloud provider has a fedramp version of services. Even the CIA uses this. Cost-benefit analysis wins.
Most cyber breaches would stop if governments levied fines of a level commensurate with the breaches. For instance, if companies were fined on a pro rata basis that equaled or exceeded profit from storing people's data then those companies that couldn't guarantee security wouldn't take the risk and get out of the business.

If there are objections to this fines model then there are others. It seems to me the real problem with cyber security is lobbying pressure from corporate interests on politicians, hence no appropriate laws with enough deterrent value in place.

while I agree that fines for breaches should be more frequent and severe, it's impossible to guarantee security
It's also impossible to guarantee a building won't collapse or a plane won't fall out of the sky. Someone needs to be accountable.
> It's also impossible to guarantee a building won't collapse or a plane won't fall out of the sky.

Breaches aren't random accidents, they're deliberate acts of espionage.

"...it's impossible to guarantee security"

I agree, but with the right laws in place that have appropriate sanctions that cover both corporations and their employees then we'd see a dramatic reduction.

A solution won't be found by just prosecuting corporations alone, for as we've seen with Google, Facebook etc. they've billions at their disposal so fines are just part of the cost of doing business. Their employees also have to be held accountable at the risk of being jailed. Few employees would risk jail just to support corporate profits.

Carefully-worded law could make this work without being too punitive. Security breaches will still happen and some unavoidable given the state of art etc. In those circumstances employees who could demonstrate their bona fides etc. would be immune from prosecution.

It's a matter of political will, cyber security can be greatly improved if the citizenry wants it badly enough.

That is such a presumtive baseless statement, what data do you have to back that up?

What would fines do? People don't use azure ad because it's optional, it's how most companies these days authenticate users instead of onprem ad which has its own suite of issues.

"Most crime wouldn't happen if home owners stopped storing valuables in their homes" yeah right.

This is not a result if MS being negligent. You're victim blaming for karma points without even knowing how exactly the vuln works or was exploited.

Except using azure ad is storing your valuables in someone else's house
No, using azuread is storing your valuables in someone else's safety deposit box! The service exists not just for convenience because it is more secure than azure ad. 90%+ ransomwared orgs in my estimate are vicitims of onprem AD abuse!
"without even knowing how exactly the vuln works or was exploited."

If you're offering a service you damn-well ought to know and fix it or it's not fit for purpose. QED.

Read my caveat in respect of the above in my other post—re state of the art, employees bona fides etc. There is no logical difference between the rules for cyber security and any other industry. For instance, the Boeing 737 Max fuck-up was because of corporate greed and negligence. For some reason the software industry seems to assume a God-given right to be exempted.

It's about time that changed.

(If the software industry wants to be considered an engineering profession and treated as such then it has to obey standards as set by law and regulation like every other engineering profession on the planet.)

> There is no logical difference between the rules for cyber security and any other industry

That's the problem with the way tech people who don't get infosec think. There is a huge difference! The entire purpose of cybersecurity is malicious human beings not bugs in software! To use your analogy this attack would be how that malaysian plane was shot down by a russian missile as opposed a malfunction in the 737. A chinese military/intel unit attacked microsoft, the real world equivalent would make you ask why the US military did not defend MS not why MS couldn't defend against a nation state actor that next to the US is the most resourced on the planet!

> It's about time that changed

It's about time you and others put the blame on threat actors and hold your military/intel apparatus accountable. Bugs happen, it is only MS's fault if they failed to follow best practices in securing their infra and code. No matter how hard you try or what process you use, things made by fallinle humans have a vulnerability waiting to be discovered.

"It's about time you and others put the blame on threat actors"

Over the years we built mechanical safes for banks etc. Fort Knox still has its gold. We engineered that and it's largely worked well.

Are you now telling me that this is beyond the capability of software engineering? If so, then we need to drop the word 'engineering' from 'software' and start completely a fresh.

Talk about a defeatist attitude. This negative attitude is the real problem.

OK, what's your solution to bring down cyber attacks from the billions per year to about the same tolerable level we have for banks and security for other physical objects?

Fact: cyber security is not fit for purpose. Reality check: it's NOT working—the loss of millions of data records per day to cyber attacks attests to that.

You solution please....

PS: 'engineering', by definition, is about finding solutions to problems.

> Are you now telling me that this is beyond the capability of software engineering? If so, then we need to drop the word 'engineering' from 'software' and start completely a fresh.

No. I am telling you that china sending a military specialops unit to break into fort knox is not a sign that fort knox was negligent.

> Talk about a defeatist attitude. This negative attitude is the real problem.

There is a difference between understanding real world dynamics and planning for them and being defeatist. Acknowledging disparities in resources and capabilities is not defeatist, it is risk assesment which you can plan around. In the infosec world it is one of the first rules for APTs that prevention is a failing strategy. There are entire courses and certifications you cam take and countless compromise case studies you can lean from. You cannot prevent an APT compromise but you can detect it and reduce dwell time. You can setup deception tech, collect a ton of logs and hunt for them (MS makes this difficult btw -- blame them on that if anything) and creat the most hostile environment for them to give you enough time to detect them before they do damage but you cannot prevent a compromise as a strategy. This is because they have more resources than even a company like MS and they are persistent (not neccesarily sophisticated). This is apt 101, they may get bored and move on to the next vicitim but that aside if China wants to hack MS, it will happen (as well the US and tencent)". The problem is you disagree with decades of infosec school of thought because as SWE (if I may presume -- or other non-infosec tech person) you are used to solving problems of a technical nature and evem though I clearly tried to explain that this isn't a technology problem, you don't get it, and a lot of people (even newbies in infosec) don't get this. Lookip the "$5 wrench" xkcd for a humorous take in this.

> OK, what's your solution to bring down cyber attacks from the billions per year to about the same tolerable level we have for banks and security for other physical objects?

I don't need to solve it, how to slow down and catch apts is a solved problem. Look up twitter infosec threads on this compromise, many, self includes, are hoping MS will finally get their heads out their greedy arses and expose logs and apis that are usually very expensive to all their customers because of this for example. More logs, more/better detections from the infosec end of things is what everyone in infosec agrees on afaik. But in reality, our country needs to retaliate in kind and publicly against China as a detterrent (even if it means escalsting conflict), that is what is normally done when a foreign state attacks your private companies, the US military/IC are supposed to be our ultimate deterrent but people like you expect MS to do that when hacking back in retaliation by private companies is illegal (as it should be).

> Fact: cyber security is not fit for purpose.

Understand what "cybet security" means in this context first before you make generalist statements like that.

> You solution please....

See above and other comments on thread from me

> PS: 'engineering', by definition, is about finding solutions to problems.

You should first understand the root cause of the problem (malicious humans, resource disparity and missing visibility) before trying to solve it. For example, the threat actors accessed outlook on government accounts right? Did the government have logs that could detect that? Did MS ? Was there enough detail in the logs? There are so many unanswered questions about the attack.

We've been fighting apts for roughly 20yrs now, how to catch them and make life harder for them a discipline that is taught in detail. There is no silver bullet or magical perfectly impenetrable yet at the same time highly useful and complex system. Hats off to you though if you can replace azure ad with such a system and prove many wrong.

Thank you for your reply, sorry I didn't replied earlier, I got sidetracked and forgot about it.

I think you'll find I'm a little closer to your view than it seems. Although I'd been in IT before then, I first got into the surveillance game at a government level in the mid 1990s—no it wasn't the NSA, CIA or such but it involved me having to sign secrecy agreements which is a nuisance because I can't talk about instances. I can say however my main work was to protect assets—not tracking down attackers.

The reason for my acerbic comments is that I'm annoyed the situation has gotten as bad has it has because it was obvious years ago we could have done much more to make cyber security better but we failed to act early on.

It's worth reviewing why things have degenerated so far, and for that we have to examine history. Before the 1990s most of those in computers were professionals or keen hobbyists and everything was more low-key, there wasn't much for attackers to attack. That changed and the rot set in when Microsoft popularized the internet with Windows 95, suddenly there were millions of new users who had never previously used computers let alone had access to the internet.

As Microsoft's principal motive was (and is) profit, making computers very easy to use was a key objective from the outset, everything had to work with a click and do so without complicated intermediate procedures. Security was given a backseat even though it was obvious to security processional that (a) security was already inadequate and (b) that both commercial operations like Microsoft and government were not considering security with necessary diligence.

So by about 2000 we have a whole world of new users who—because of deliberate ease-of-use policies by the commercial operators, MS etc.—had never developed any cyber security habits of note. And because good cybersecurity habits required extra work which these new users had never gotten used to doing it was essentially impossible to retrofit them in any meaningful way. The opportunity had escaped.

The other fly in the ointment were governments, for various reasons too complex to discuss here, they took a hands-off approach and let security matters get out of hand. When social media took off a few years later, governments were faced with another dilemma. By then 9/11 had happened and the world was a different place. So governments were faced with having to learn much more about their citizens. They could strengthen information associated with ID cards and such, or in countries where there were none, they'd introduce them. As previous efforts to do this by governments had always been very unpopular (calls of authoritarian government etc.), governments didn't want to go down this route unless strictly necessary.

Then the god-gift of social media arrived, what people were very reluctant to give government they freely gave to the likes of Google, Facebook etc. in return for a few glistening baubles, governments couldn't be happier as they could go down this route to get the data and it wouldn't even cost them anything! Just wonderful.

Thus, governments weren't concerned about corporations stripping citizens of personal data because they could then get access to it whenever necessary. If laws were introduced to make access to personal data much harder it would also be harder for governments to gain access. Forcing tighter security on these large corporates could and would bite governments as they too would find access to data harder (hence the current debate over encryption).

Because, early on, like Pontius Pilate, governments washed their hands of security matters, and later on relied on weakened security through social media, we ended up with a broken weakened system and yet governments still like and want it this way. For instance the FBI's call to have Section 702 renewed despite its dubious usage/legality:

so let me get this straight. One of the world's largest targets fell victim to one of the world's largest, best resourced, and practiced state sponsored groups, and they kept the dwell time down to ONLY one month?

who the fuck does this senior think he is saying negligent. if they were negligent they would have ignored the tip of, or would not have been able to find them, or not be able to give them the boot with confidence, or not be able to identify scope of impact.

if anything, this makes me MORE comfortable storing my shit with MS

Is this the same Microsoft handling United States primaries?
If you think MS doesn't have bug bounties and more red teaming and appsec auditing than most orgs you'd be mistaken. The fact is, this is victim blaming plain and simple with a logic error (likely) in code that was exploited by a nation state. It was the government who does not retaliate against China. I have seen no evidence of negligence or anything MS could have done better. Or any evidence that similar vulns in gcp iam, okta,etc... isn't possible.

Americans are scared shitless of a conflict with China and here you have politicians following suit, blaming MS and Biden for getting attacked instead of finding ways to retaliate -- not in kind but in an escalating, public and humiliating manner. Even if it means seeding an armed conflict.

Ask yourself wtf the NSA and CIA are doing other than spying on us and doing their best to help make minorities' lives unpleasant. If the US IC is capable and potent then they are absolutley incompetent by the fact that they keep their exploits secret because they very damn well know how pulic knowledge of a hack affects mass paychology, diplomatic relations and people's confidence in their government. CCP party members should be blaming Xi and tencent for a retaliation instead of our own politicians against our victims.