Sensitive DoD emails exposed by unsecured Azure server

A hole in a US military email server operated by Microsoft left more than a terabyte of sensitive data exposed to the internet less than a month after Office 365 was awarded a higher level of government security accreditation. According to security researcher Anurag Sen, who discovered the blunder and reported it, the openly …

  1. elsergiovolador Silver badge

    BlameShift

    Sounds like a good idea for the new SaaS product that could keep blame resolutions in the blockchain and give NFT certificates to the interested parties with who has been assigned the blame for what.

  2. Black Label1
    Black Helicopters

    Fools (+1)

    Fools.

    Running secret / top-secret / military stuff on someone else's computer (the cloud).

    Use ON-PREM hardware / software for classified stuff. Or else.

    1. NoneSuch Silver badge
      Coat

      Re: Fools (+1)

      It isn't just the military. Put core data in the hands of another company and you will ultimately be disappointed.

      My jacket's the one with the "I told you so." lapel button.

    2. Claptrap314 Silver badge

      Re: Fools (+1)

      If you think the DoD has the technical chops to build its own distributed, resilient network, you're the fool. The military doesn't build its own tanks. Or make its own uniforms, bullets, or toilets.

      Now, if in fact this was done on Azure proper, and not some isolated, dedicated network purpose-built for the DoD, then yeah, that's a problem.

    3. Anonymous Coward
      Anonymous Coward

      Re: Fools (+1)

      Er...no.

      Doesn't matter where it is, at some point a meatbag with an opinion might get access to it and leak it.

      The best kind of security is the kind that restricts the amount of data collected in one place and the access required to access all of it at a given time.

      Person: I need only to find out someone's blood type.

      Same Person: *pulls the whole fucking file*

  3. M.V. Lipvig Silver badge

    Back when I was in

    Top secret information was hosted only on computers behind secure doors, and only connected to each other over direct link circuits that were encrypted on either side of the circuit before it hit a circuit access point. And, the crypto key was changed very regularly. And now they're using the regular internet and Microsoft servers maintained by foreigners? Somebody put their wallets ahead of national security, and it's already been compromised. How special. Whoever authorized this should be put away and never see the light of day again.

  4. JassMan
    Trollface

    I may be under a misapprehension

    But don't proper OSes prevent access over the internet for any username that has no password set. i.e., you can log in without a password but only from a seat in front of the box?

    How does Windows get issued any sort of security certificate if it lets you be so stupid as to allow remote access to insecure accounts?

    1. gryphon

      Re: I may be under a misapprehension

      Nothing to say it was Windows that I could see.

      I thought Azure actually ran more Linux stuff than Windows?

      1. JassMan

        Re: I may be under a misapprehension @gryphon

        "I thought Azure actually ran more Linux stuff than Windows?"

        So did I. But, if they don't offer Office365 Server standalone for Linux (as far as I can see when googling how to set it up) are they likely to run it on the Cloud?

        Maybe someone administering Office365 could help out here.

    2. Captain Scarlet
      Trollface

      Re: I may be under a misapprehension

      :O MS Dos and Windows 3.0 without Networking are now "Proper Job" OSes!

      Wow

      Congratulations Microsoft!

    3. Anonymous Coward
      Anonymous Coward

      Re: I may be under a misapprehension

      Because for the likes of the DoD there exists a pre-hardened version of Windows and some super hardened GPOs that can be deployed, they are locked down by default to the point that all you can do is log in, you can't even launch notepad. They are made specifically for organisations like DoD and are produced by a consortium of companies...Cisco, Microsoft, Oracle et al. They are not publicly available and provide a much deeper level of control over the OS.

      Those of us that have worked with these GPOs before know how much of a pain in the ass they are...to allow an application to even launch through them you have to use a bunch of sysinternals tools to figure out each and every file the application needs to run (DLLs, assets etc), which registry keys they need access to etc etc...it's a long, boring and tedious exercise. I would bet my left nut that in situations where high pressure management exists, to get things done quickly, corners are cut.

  5. MrZoolook
    FAIL

    So...

    They used the same level of security, albeit digital, that they used with the documents in Biden's garage.

  6. Anonymous Coward Silver badge
    Pirate

    Skillset

    "it was sitting there without a password, allowing anyone who had its IP address and a browser to access the data."

    Surely that should say that it was only accessible by a highly skilled hacker with specialist tools - that's the usual spin they put on this type of SNAFU

  7. Anonymous Coward
    Anonymous Coward

    "Unsecured Azure server"

    .. but I repeat myself..

    Trusting Microsoft with your sensitive information is a bit like asking a drug user to guard your stash: ill advised at best.

  8. Ball boy Silver badge

    Using the cloud for DoD data is madness anyway

    First rule of keeping anything secure is that you minimise the number of people who have access. When buildings like the Pentagon are constructed, that means the electricians, the plasterers - even the bloke pouring the concrete for the foundations - all have to be vetted to some level. This is done because the information contained therein is sensitive. To then outsource the storage or manipulation of said data to a cloud platform means that all their people need to be security vetted too - from the foundation-builders through to the daily ops teams and all in between.

    Errors in configuration that do things like, say, expose sensitive data are that much more difficult to manage when the host platform is outside your control.

  9. Dan from Chicago

    Here's what happens:

    Going with a public (well, GovCloud) provisioning approach has the following effects:

    Costs may or may not be lower.

    Availability may improve.

    Integrity may improve.

    Confidentiality will almost certainly be less.

    - All connections, including administrative connections, will be remote and they'll be controlled by external 3rd party admins.

    - As you outsource your cyber and administrative expertise and experience, your internal cyber competence will be less.

    1. martinusher Silver badge

      Re: Here's what happens:

      >As you outsource your cyber and administrative expertise and experience, your internal cyber competence will be less.

      So justifying more spending on outsourcing. It's a Death Spiral.

      The equivalent in the commercial sector results in a situation where the people that do the outsourced work wake up one morning and realize that they don't really need the operation that's outsourcing the work, you can just take it over.

  10. FirstTangoInParis Bronze badge

    So …..

    …. Nobody thought to pen test the setup prior to granting accreditation? The person who signed off on this has a lot to answer for.

  11. Dinanziame Silver badge
    Windows

    I'm gonna blame Microsoft on this one

    If you're selling a secure cloud service to the DoD, it's on you to make sure that everything is properly secured by default, and that it's damn near impossible to remove those security measures.
