Microsoft is feeling the heat in the wake of the Azure breach.
There's been a string of security blunders in Azure in the last couple years but leaking a signing key and then trying to downplay it is really beyond the pale
On July 12th, Microsoft disclosed a major breach targeting its Azure platform, which it traced to a Chinese hacking group known as Storm-0558.
Last week, Senator Ron Wyden (D-OR) sent a letter to the US Department of Justice, asking it hold Microsoft accountable for “negligent cybersecurity practices.”
Yoran has more to add to the senator’s arguments, writing in his post that Microsoft has demonstrated a “repeated pattern of negligent cybersecurity practices,” enabling Chinese hackers to spy on the US government.
Tenable initially discovered the flaw in March and found that it could give bad actors access to a company’s sensitive data, including a bank.
The security firm Wiz reported last week that the hack on Azure may have been more far-reaching than originally thought, although Microsoft has since disputed its findings.
Microsoft has been involved in numerous recent data breaches, including the infamous Solar Winds hack that affected agencies across the US government.
(FYI - in hear this excuse all the time at a large company. Somehow our complexity and scale is always an excuse people reach toward. And, as you say, our job from infosec is to shut that whining down.
It can be if you don’t have the staff. If humans are the most vulnerable part of the system, you can’t stretch them too thin and expect them to be as effective in their role.
I don’t know what the US government runs on its most secure systems but with all the money we pay in taxes, I hope it’s not Windows, Linux, or macOS. I hope they scooped up some 80’s operating system no one would ever suspect and kept it going in parallel. Good luck hacking into a system with a fully custom version of Business Operating System that runs on 64 bit Motorola processors no one knows about but the CIA’s sysadmins.
I know in reality they probably run Windows Vista on 12 year-old laptops or some shit and get hacked all the fucking time but I’d like to think someone had enough sense to not do that.
When someone reports a glaring hole in an MS product, they probably ask nicely at the CIA and NSA if they want to buy the security vulnerability for their own nefarious causes, or, if they know it already, whether MS is allowed to close the hole in the foreseeable future.
And then they basically do nothing, as finding, fixing, and patching all costs money. And admitting that ones product has more holes than a pair of nylon pantyhose after a run though the brambles is bad for marketing, too.
And despite that most customers will stay and Microsoft will learn they don't need to put more effort into security. They maybe even can get away with reducing security...