Post AYNmTt4qaIbeDsSNoe by agrantler@mastodon.social
Post #AYK53MzTbZdWtGo8Fk by briankrebs@infosec.exchange
2023-08-02T14:24:11Z
2 likes, 4 repeats
The CEO of Tenable just ripped Microsoft a new one. It's bad enough that cloud vulnerabilities rarely get CVEs or any kind of external documentation.

"Microsoft's lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about.

In March 2023, a member of Tenable's Research team was investigating Microsoft's Azure platform and related services. The researcher discovered an issue (detailed here) which would enable an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets. To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft. Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service. That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk and therefore can't make an informed decision about compensating controls and other risk mitigating actions. Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That's grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don't."

https://www.linkedin.com/pulse/microsoftthe-truth-even-worse-than-you-think-amit-yoran%3FtrackingId=hE4qd2mSSwmpSoVPqfWAAw%253D%253D/?trackingId=hE4qd2mSSwmpSoVPqfWAAw%3D%3D
Post #AYK7Iz6sMOnbMqqGXY by ParadeGrotesque@mastodon.sdf.org
2023-08-02T14:50:14Z
0 likes, 0 repeats
@briankrebs I have said it before and I will say it again (and again and again and again...)

Use Microsoft, get hacked.

It's not a question of 'if', it's a question of 'when'.
Post #AYKGMsbvMiAdxMIT1U by seanking@kazv.moe
2023-08-02T16:31:49.864822Z
0 likes, 0 repeats
@briankrebs B r u h

That's like major trust issues kind of bad.
Post #AYKRP1NgpLDvESrXI8 by fedops@fosstodon.org
2023-08-02T18:35:23Z
0 likes, 0 repeats
@ParadeGrotesque just waiting for "the big one" where a couple hundred high profile targets get a ton of data stolen simultaneously.

The m365 monoculture has the potential to bring the entire world economy down. We've learned absolutely nothing from the windows monoculture...

@briankrebs
Post #AYNmTt4qaIbeDsSNoe by agrantler@mastodon.social
2023-08-04T06:48:02Z
0 likes, 0 repeats
@fedops @ParadeGrotesque @briankrebs No one responsible for Business or IT has ever been fired because of using Microsoft products or infrastructure.
Post #AYNmTtqLjgbUbCgJrE by ParadeGrotesque@mastodon.sdf.org
2023-08-04T09:15:44Z
0 likes, 0 repeats
@agrantler And this is the issue.

@fedops @briankrebs
Post #AYNor7Iy3HbCuzGY6q by fedops@fosstodon.org
2023-08-04T09:42:21Z
0 likes, 0 repeats
@ParadeGrotesque @agrantler correct. Or, as previous generations used to say, "Nobody ever got fired for buying IBM".
Post #AYPWDw4IUBZbuqUVhA by Kals_Els@mastodon.social
2023-08-02T14:33:53Z
0 likes, 0 repeats
@briankrebs So should Microsoft be informing everyone of every patch they come up with, implement in a controlled environment and found problems with/broke programs all the time? Or are we just thinking they're not even doing anything at all/making it low priority during the time it takes to fix the problem?
Post #AYPWDwszRi7gS4Czi4 by strypey@mastodon.nzoss.nz
2023-08-05T05:22:57Z
0 likes, 0 repeats
@Kals_Els
> are we just thinking they're not even doing anything at all during the time it takes to fix the problem?

Yes. Relying on security by obscurity is baked into BorgSoft's DNA. Which is why they still won't publish Windows source code under Free Code licenses. Even the ancient, unsupported versions.

This applies to reputation security too. They think that being opaque about their vulnerabilities makes them seem more trustworthy. It doesn't.

@briankrebs