Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online

A review of the June 2023 attack on Microsoft's Exchange Online hosted email service – which saw accounts used by senior US officials compromised by a China-linked group called "Storm-0558" – has found that the incident would have been preventable save for Microsoft's lax infosec culture and sub-par cloud security precautions …

  1. Anonymous Coward

    No surprise to anyone here

    The big question is can CISA actually do anything to change Microsoft's behavior? Or is this just a case of saying "Microsoft sux" like everybody has been doing for years?

    It's like at work they say "don't say anything proprietary on Teams 'cuz it's cloud and Microsoft" and so it's like "then WTF good is it? discussing business & collaborating on products is what it's FOR!! why the hell are we paying money for this?"

    1. Lurko

      Re: No surprise to anyone here

      Well, it's a public naming and shaming, which helps a tiny bit. Our voices and opinions here (largely a shared view that Microsoft are shit at security*) clearly don't carry weight. And whilst I'll wager the balance of our opinion is that Microsoft are not going to pause adding new features nobody asked for, or their pell-mell rush for cloudy-webby-shite, at least CISA's recommendations can be used as a stick to beat the company when their next screw up happens - and in particular it's the sort of thing that lawyers will be able to throw at juries.

      * Unless anybody wishes to claim otherwise - without the cloak of anonymity

    2. Charlie Clark Silver badge

      Re: No surprise to anyone here

      In other areas of industry, fines and even criminal procedures might be the result, but for software all you need to do is not look too smug in front of the cameras, as you pocket your bonus and promise to do better.

    3. Anonymous Coward

      Re: No surprise to anyone here

      Bbbbuuuttt…. AI innit.

  2. Doctor Syntax Silver badge

    It'll end up as a tick box on some business-wide project document.

    "Security has been taken into account [ ]"

  3. Dan 55 Silver badge

    Ten years ago...

    ... Microsoft fired their QA and decided to crowdsource testing. Nobody could have foreseen what happened next.

    1. Claptrap314 Silver badge

      Re: Ten years ago...

      Umm... the general perception is that that happened in the '80s.

      Microsoft has used the customers as beta testers since DOS.

      1. steviebuk Silver badge

        Re: Ten years ago...

        But they had those quite cool testing sessions (I don't know the name, but they can be seen in the training for Windows 95 that is archived on YouTube and archive.org) where users would come into an office, sit at a computer and do what was asked BUT they'd talk as they were doing it - if they were looking for an icon but couldn't find it etc. - so they could use that in making an application better.

      2. Michael Wojcik Silver badge

        Re: Ten years ago...

        Sigh.

        The changes wrought by Trustworthy Computing were considerable. Microsoft developed an in-house team of software security experts — people such as Howard and LeBlanc — and gave them the authority to establish and enforce security policies and practices. Most feature development was largely paused for a time while developers were educated, tooling was developed or acquired, development procedures were updated, bugs were fixed, and security features were implemented. The result was a huge improvement in security, despite internal (developers, product managers, sales and marketing) and external (whinging users) resistance.

        Of course, they were starting from terribly far back, with an enormous code base (much of it ancient and awful) and a huge attack surface, not to mention the legacy of terrible design failures. And attackers got better, quickly.

        And now, of course, after a couple of decades, we see that (thanks in no small part to the leadership of SatNad) they've regressed badly. This time it's not the CEO writing the memo, it's an outside agency, because the exec team are no longer interested in actually critiquing their own firm. It's sad to reflect that in some ways Bill Gates was by far the best leader Microsoft ever had.

        But pretending that nothing ever changed at Microsoft is historically naive, and, worse, implicitly endorses the idea that nothing can ever change. It's cynical passivity, and it's one of the great failings of the software industry, an excuse not to try to make anything better.

  4. Vincent van Gopher

    Lax security from Microsoft . . .

    . . . who knew?

    In other news:

    The Pope is Catholic.

    Bears defecate in the woods.

  5. doublerot13

    masterclass in lowering expectations

    Amazes me how Microsoft have lowered expectations to the extent that most of the industry - from CTOs downward - just ignore their outages and security issues.

    Any other tech company would be blown out the water.

    1. Charlie Clark Silver badge

      Re: masterclass in lowering expectations

      Nope, all other software companies are the same because they're protected from liability by law.

      1. Anonymous Coward

        Re: masterclass in lowering expectations

        Ah, no they aren't. They might be protected by contract, or by size of legal team, or most likely of all, the total absence of cojones on the customer side.

        The gummint should take a leaf out of El Musko's book, and assert that they were negligent and failed to deliver the contracted service, and refuse to pay. Make MS fight it out in court, and take the publicity and reputational damage if they want to do so.

        The underlying problem is supine customers, who are too lazy and fearful to enforce competitive performance, and who think that they actually save money by being all in on one supplier/sw/tech instead of having a plan B ready for a warm start.

        I don't know how many times I heard "We have no choice" "They have us over a barrel" etc etc over the years from people who were too lazy to make a change and ride it to make sure it worked.

        1. fg_swe Bronze badge
          Thumb Up

          Bingo

          Most users are too lazy to search for an alternative. Tons out there, from DeltaChat to Postfix.

          Too lazy to consult with a local Linux shop to obtain an actually secure solution for email and calendar.

    2. ecofeco Silver badge

      Re: masterclass in lowering expectations

      Amazes me how Microsoft have lowered expectations to the extent that most of the industry

      This right here. Even worse, pointing it out invites criticism and even job loss.

  6. Anonymous Coward

    The dangers of a monoculture ..

    Cyberinsecurity: the cost of monopoly

    • Without change, Microsoftʹs history predicts its future.

    • We must take conscious steps to counter the security threat of Microsoft’s monopoly dominance of computing.

    • Unless Microsoftʹs applications and interfaces are available on non-Microsoft platforms it will be impossible to defeat user lock-in.

    • Governments by their own example must ensure that nothing they deem important is dependent on a monoculture of IT platforms; the further up the tree you get the more this dictum must be observed.

    • Competition policy is tangled with security policy from this point on.

    1. fg_swe Bronze badge
      Stop

      Linux, FreeBSD, DeltaChat, ...

      There exist a boatload of alternatives.

      Companies are too slow, too sluggish to do the right thing and dump the insecure supplier.

  7. This post has been deleted by its author

  8. This post has been deleted by its author

  9. This post has been deleted by its author

  10. Mike 137 Silver badge

    Not just M$

    From the CSRB report (page 6): "Cloud service providers (CSPs) do not always register and publicly disclose common vulnerabilities and exposures (CVEs) in their cloud infrastructure when mitigating those vulnerabilities does not require customer action. This lack of disclosure, which is counter to accepted norms for cybersecurity more generally, makes it difficult for CSP customers to understand the risks posed by their reliance on potentially vulnerable cloud infrastructure."

    'Customer flying blind' seems to be becoming the universal vendor approach as systems get ever more complex and thus more vulnerable.

  11. cob2018
    FAIL

    "Microsoft doesn't do that any more"

    Just for the record .... WHEN DID THEY EVER ???

    Someone please enlighten me.

    1. Version 1.0 Silver badge
      Facepalm

      Re: "Microsoft doesn't do that any more"

      When the early Microsoft products were being released worldwide there was a discussion in the background that Microsoft had been given a number of NSA workers, creating access. But this was America just acting normally and quietly back then, so there's absolutely no evidence that the NSA has ever done any hacking, just quite a lot of discussions that the NSA created hacking back in the old days.

      Nowadays so many countries are complaining about hacking but since no countries ever start to work to make hacking impossible, I suspect that the ability to perform hacking is normal virtually everywhere. And we're told that the latest update to everything will prevent hacking ... but then there's another update later that we're told will prevent hacking but that will get updated again in a while ... so it only prevented a "hack" ... not hacking.

    2. Michael Wojcik Silver badge

      Re: "Microsoft doesn't do that any more"

      Oh, for the love of... It's right in TFA.

      This business of pretending Microsoft has always been exactly the same is intellectual laziness. Make a real argument.

  12. navarac Silver badge

    Computing in General

    Reading this, and after last weekend's XZ problem in Linux, I think everyone needs to take a step back, and pause. Before we introduce "new shiny things" in the code (any code), security needs to come first and last. Most of the "features" spouted are generally not really wanted. There is always some nefarious miscreant looking for a way to exploit a system.

    1. Sudosu Bronze badge

      Re: Computing in General

      That is why I am a fan of OpenBSD.

    2. steviebuk Silver badge

      Re: Computing in General

      Watching a video on the XZ problem, that was sadly a product of the open source community. Again, I enjoy open source and the movement is great and so is the community. But with this package, apparently the developer was just burnt out. Loads of people were apparently using the package but, as always, it was a thankless task that I believe he never made money from. You can always have a donate button up, everyone will say how great your app is but you never get any money for it. So he got exploited by an arse that took over his package by using guilt trips and exploiting the guy's mental health.

      1. cyberdemon Silver badge
        Mushroom

        Communism and Capitalism don't mix

        The Open Source community (which I love) is based on fundamentally Communist ideals - everyone works for the good of everyone, and if literally everyone did that then there would be little need for money and everybody would be happy.

        But then it only takes someone to come along and say "Ooo, free stuff, people working for free, I can exploit that to my own end." to disrupt the whole ideal. Basically this is why there are so few good open-source Android/iOS apps for example, because the Android/iOS systems are so heavily monetised that as soon as anyone releases a good open source app, someone is immediately coming along to clone it and release it as their own paid and/or data-slurping app.

        Microsoft is the mother of all open-source exploiters, buying GitHub and using it to build a code-plagiarising bullshit machine, stealing every commit and comment any open source dev has ever made, and using them to both put future programmers out of work and simultaneously pollute the entire ecosystem with autogenerated shite, because managers who want a quick buck would rather use autogenerated shite full of security holes but which "seems to work", than pay actual engineers to do stuff properly.

        But a secondary effect of that is that the entire open source community is demoralised, anything we contribute is going to be appropriated by some dickheads who want to make money and then blame us when it all goes wrong..

        Frankly I hope that when WWIII kicks off, the ultra-wideband fibres will all be chopped and we all have to go back to 56k dialup speeds. Messageboards like The Register will work perfectly fine, but "social" media, data-slurping, AI, ransomware etc would become that much harder again...

  13. Rich 2 Silver badge

    Ha ha ha ha….

    Microsoft? Focus on security?

    That’s the best one I’ve heard all week - thank you SO much

    Here - have an irritating talking paper clip as a token of my appreciation

    In other news, “we take the security and privacy of our customers very seriously….”

    1. Claptrap314 Silver badge

      Re: Ha ha ha ha….

      “we take the security and privacy of our customers, very seriously….” FIFY

  14. RedGreen925 Bronze badge

    Gee, did they use some ground breaking AI model for the study in that report? It has been blindingly obvious for the past four DECADES, Microsoft has not one single clue how to do security properly.

  15. ecofeco Silver badge
    Devil

    LOL!

    What say you, MS fanbois?

  16. steviebuk Silver badge

    But the Cloud is more secure

    So they keep saying. Bullshit.

    Anyway.

    "That state of affairs, the report notes, suggests Microsoft has forgotten the lessons imparted by its founding CEO Bill Gates in his 2002 companywide memo on Trustworthy Computing. In that memo he told developers "When we face a choice between adding features and resolving security issues, we need to choose security. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first.""

    Yep. And now SatNav is involved it's all gone out the window. More reason I dislike Office 365: because we deploy it, everyone uses Outlook and you do the odd training guide, then a week or so later they fucking move everything because of "new features" that no one fucking asked for. We want to go back to the good old days of installing an ISO and that's it. It stays the same for years until WE decide we want the "new features". It would be fine with Office 365 if they gave you the option to turn off all the new features when a patch is pushed, but they don't. Such as clicking on links in Outlook to find they now open in Edge with the e-mail to the right? What the fuck? When did that happen? So now I have to change it on every machine I build to not open in Edge until I can find the time to look to see if there is a group policy.

    About "other providers are better" who's that then? Google are notorious with their shitty sessions tokens. You'll sign in and then close the browser. Someone has stolen your session host and signs in from across the country 5mins later. Google doesn't ask you to sign in to make sure you are you, considering you've just travelled 100s of miles in 5mins, no it just lets you in with the stolen session.

    Then we have GAM (which, granted, may have changed). When I had to manage GSuite, as it was then, we had to use GAM for Google Drive management as there is no other GUI tool. When you create your GAM token for your admin account you stick it all in a folder on your laptop and you're good to go, managing Google Drive from the command line. Giving people permissions to other docs when someone is off sick etc. Along comes a rogue engineer who copies your GAM folder and that's it, you're fucked. That user can now use your GAM login to do all the admin with no password prompt or check.
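    The failure mode described in this comment (a stolen session or token reused from hundreds of miles away a few minutes later, with no re-authentication) is exactly what an "impossible travel" rule in a SIEM is meant to catch. The following is an added example, not code from the comment, from The Register, or from Google or Microsoft: it assumes a simplified, constructed log format in which each line already carries GeoIP-resolved coordinates (`timestamp session_id src_ip lat lon`), and it treats any implied speed above a commercial-flight ceiling of 900 km/h (an assumed threshold) as impossible. Source IPs are from documentation ranges and the log lines are constructed.

```python
"""Impossible-travel check over session-reuse events (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Assumption: events already carry GeoIP-resolved coordinates. Real logs would carry only
# an IP address that you resolve yourself; this example skips that step.
@dataclass(frozen=True)
class SessionEvent:
    session_id: str
    ts: datetime
    lat: float
    lon: float
    src_ip: str

# Assumption: anything faster than a commercial flight is treated as impossible.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(a: SessionEvent, b: SessionEvent) -> float:
    """Speed needed to get from event a to event b; inf if simultaneous but apart."""
    hours = (b.ts - a.ts).total_seconds() / 3600.0
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def find_impossible_travel(
    events: List[SessionEvent], max_kmh: float = MAX_PLAUSIBLE_KMH
) -> List[Tuple[str, SessionEvent, SessionEvent, float]]:
    """Group events by session id, sort by time, and flag each consecutive pair whose
    implied speed exceeds max_kmh. Returns (session_id, earlier, later, speed) tuples."""
    by_session: Dict[str, List[SessionEvent]] = {}
    for e in events:
        by_session.setdefault(e.session_id, []).append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                alerts.append((sid, prev, cur, speed))
    return alerts


def parse_line(line: str) -> SessionEvent:
    """Parse one constructed log line: 'ts session_id src_ip lat lon' (UTC timestamps)."""
    ts, sid, ip, lat, lon = line.split()
    when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return SessionEvent(sid, when, float(lat), float(lon), ip)


# Constructed sample: session S1 is used in London and then, 5 minutes later, in
# Edinburgh (~535 km away) from a different IP; session S2 moves across London over 2 h.
SAMPLE_LOG = """\
2024-04-03T09:00:00 S1 203.0.113.10 51.5074 -0.1278
2024-04-03T09:05:00 S1 198.51.100.7 55.9533 -3.1883
2024-04-03T09:00:00 S2 203.0.113.11 51.5074 -0.1278
2024-04-03T11:00:00 S2 203.0.113.12 51.5300 -0.1000
"""


def run_sample() -> List[Tuple[str, SessionEvent, SessionEvent, float]]:
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return find_impossible_travel(events)


if __name__ == "__main__":
    for sid, a, b, speed in run_sample():
        minutes = int((b.ts - a.ts).total_seconds() // 60)
        print(f"{sid}: {a.src_ip} -> {b.src_ip} in {minutes} min, "
              f"implied {speed:,.0f} km/h; revoke session and force re-auth")
```

    Run as a script it reports only S1, the London-to-Edinburgh reuse at several thousand km/h. A real deployment would feed this from the identity provider's sign-in log, key on session or refresh-token identifier rather than username so that a legitimately concurrent second device is not confused with a stolen token, and respond by revoking the session rather than merely alerting.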

    1. storner
      FAIL

      Re: But the Cloud is more secure

      At least Microsoft does patch their cloudservers. A lot of people don't. https://www.theregister.com/2024/03/28/germany_microsoft_exchange_patch/

      1. Paul Crawford Silver badge

        Re: But the Cloud is more secure

        But Microsoft are responsible for the horribly difficult/risky patch process for Exchange. If patching "just worked" then there would be so few left in that state.

        1. BartyFartsLast

          Re: But the Cloud is more secure

          No, systems have been left unpatched forever, it's far from solely an MS problem, never has been, never will be, it's a people problem

      2. fg_swe Bronze badge
        Mushroom

        Re: But the Cloud is more secure

        Looks like the rest of M$FT's cloudy processes are a hopeless mess. They have lost security keys and don't know how it happened.

  17. fg_swe Bronze badge
    Go

    The Free Enterprise Response

    0.) Stop using Outlook and Exchange. They cannot even secure it when they run it themselves.

    1.) Linux Email Server, On Premise in a DMZ

    2.) DeltaChat Messenger, doing GnuPG End2End encryption via 1.

    https://delta.chat/de/

    3.) Contract with actually competent Linux Administrators to perform any change and maintenance. The local LUG can give you leads for this. Hourly rates from 80 to 300 USD, depending on location. Less than you pay for a lawyer.

    https://en.wikipedia.org/wiki/Linux_user_group

    1. Anonymous Coward

      Re: The Free Enterprise Response

      Oh sure, yeah, all you have to do is find actual, real competent people, change your entire email architecture and then hope the software you rely on is secure, has no zero days and hasn't been infiltrated by various state actors at a source code level.

      Sounds really simple, don't know why nobody thought of it before you mentioned it.

  18. fg_swe Bronze badge
    Go

    Open Source Calendar Software

    https://opensource.com/alternatives/google-calendar

    https://apps.nextcloud.com/apps/calendar

  19. Anonymous Coward

    I am sure nhs.net etc. are fine

    What could go wrong?

  20. fg_swe Bronze badge
    Go

    Memory Safe Email Server

    https://crates.io/crates/samotop-server
