[HN Gopher] SolarWinds hacking campaign puts Microsoft in hot seat
___________________________________________________________________
SolarWinds hacking campaign puts Microsoft in hot seat
Author : mikece
Score : 37 points
Date : 2021-04-17 13:32 UTC (9 hours ago)
| edrobap wrote:
| > Many security experts believe Microsoft's single sign-on model,
| emphasizing user convenience over security, is ripe for retooling
| to reflect a world where state-backed hackers now routinely run
| roughshod over U.S. networks.
|
| I believe convenience is not coming at the cost of security. SSO
| certainly has a single-node-failure problem. If it's down, it
| causes DoS. If it's hacked, the hackers can get access to the
| data the user is authorised to view across multiple systems. But
| given the widespread use of the same passwords across multiple
| systems, this argument against SSO is weak.
|
| Besides that, the convenience of SSO is not only for the user. It
| is for the organisation as well.
| soarfourmore wrote:
| > Risks in Microsoft's foreign dealings also came into relief
| when the Biden administration imposed sanctions Thursday on a
| half-dozen Russian IT companies it said support Kremlin hacking.
| Most prominent was Positive Technologies, which was among more
| than 80 companies that Microsoft has supplied with early access
| to data on vulnerabilities detected in its products. Following
| the sanctions announcement, Microsoft said Positive Tech was no
| longer in the program and removed its name from a list of
| participants on its website.
|
| What?! Microsoft gave vulnerability data to a Russian company
| that hacked the USA? Why was that company even in this program to
| begin with?
| Hiopl wrote:
| Isn't it obvious? Tech has a clear blind spot for geopolitics.
| Saying anything critical of China or Russia, even if well-
| founded, is a great way to get downvotes and be stamped as
| propaganda or parroting propaganda. It's representative for how
| these companies and their employees view these issues.
|
| So it's funny and depressing to see a comment here questioning
| why a Russian company was allowed to join a program like this
| after a massive hack by Russian entities, when Russian efforts
| in this sphere are more than well-documented.
| helsinkiandrew wrote:
| It is a presumably successful billion-dollar cyber security
| company that did lots of legitimate work too.
|
| As we're talking about state intelligence agencies, I would
| guess several of the other 80 companies are also leaking
| information, either through the company or employees.
| helsinkiandrew wrote:
| > But it [Microsoft] also seeks to deflect blame, saying it is
| customers who do not always make security a priority.
|
| > ...Microsoft was itself compromised by the SolarWinds intruders
|
| Microsoft need to take responsibility for the security of their
| products. Vulnerabilities need to be fixed, not sent to other
| companies for add-on virus scanners to detect.
|
| Applications shouldn't be able to run amok with admin passwords.
| I'd guess a more sandboxed bespoke permission is needed (do you
| give application x permission to access this part of the file
| system?).
| CyberRage wrote:
| Windows is a mess. I don't expect it to be secure in the
| following years.
|
| It is unlikely that non-admin permissions were able to stop the
| attack. The number of 0-day EoPs within Windows is ridiculous,
| truly unbelievable.
| pjmlp wrote:
| Modern Windows is more secure by default than most GNU/Linux
| distributions.
|
| The only Linux distribution that beats it is Android, with
| SELinux, seccomp, userspace drivers (Treble), hardened access
| to native code, one user per app and sandbox enabled by
| default.
| CyberRage wrote:
| Respectable Linux distros (not just Android!) use SELinux,
| sandboxing, etc.
|
| Windows lags far behind OSes like Android, iOS and even
| ChromeOS when it comes to security.
| pjmlp wrote:
| Pity that the CVE database proves otherwise.
|
| Where are the driver validation tools with a Z3 theorem
| prover for Linux drivers?
|
| Where is the SAL static analysis for C and C++ kernel
| code like Windows has since XP SP2?
|
| Where is the majority of userspace code implemented in
| managed languages like .NET?
| CyberRage wrote:
| Also, Android/iOS in general as a platform is more secure.
| Android/iOS are far more restrictive when it comes to
| users, narrowing the attack surface for casual users.
|
| For instance, rooting in order to install custom
| drivers/software is very difficult.
|
| A single place to download content (App Store), which
| provides tremendous control over content: detection of
| rogue apps, removal once they turn rogue, check
| assurance.
|
| Seamless updates through a single pane of glass (App
| Store again).
| pjmlp wrote:
| Pity that almost no one uses them as desktop platforms.
|
| Windows Store and Windows Sandbox are way more advanced
| than any GNU/Linux offering, including kernel and
| hardware sandboxing with help of hardware protections.
|
| Still waiting for snap and flatpak to finally fix their
| security holes.
| amluto wrote:
| The Windows sandbox infrastructure may well be more
| advanced than seccomp in the sense of being more
| complicated, but I would argue that makes it worse, not
| better. There are many sandbox escapes based on the
| insane complexity of Windows integrity levels. In
| contrast, there have been maybe 5 known Linux kernel bugs
| allowing a breakout from a strict seccomp policy in the
| last few years.
| RyanPringnitz wrote:
| I work on a use case that leverages Samsung DeX and
| secondary displays with keyboard/mouse. Applications are
| refactored to run on native Android, or accessed on HTML5
| sites. What Win32 is left is accessed on VDI.
|
| The solution supports MFA step-up auth to log in to the
| device, local print, proxied traffic, per-app VPN.
| Endpoint threat detection products for Android have more
| capabilities than ever. You can specify approved IP
| addresses and countries that traffic can communicate with.
| You can provide a list of approved WiFi BSSIDs.
|
| With these mobile security SDKs embedded in native
| Android apps, functionality within the apps can be limited
| based on threat infractions.
|
| E.g., if the device magically became rooted while
| authenticated in an Android native app, or connects to a rogue
| BSSID, the app performs whatever actions (terminates the VPN
| to the intranet, logs a threat event on a public-facing endpoint,
| forces re-authentication with MFA).
| CyberRage wrote:
| You can clearly see that from the data, looking at 0-day
| disclosures, black market exploit prices and attacks in the
| wild.
|
| 0-day exploits for both iOS and Android are 3 times as
| costly as Windows.
|
| You're looking at Linux as it is, but Linux as it is is not
| what you should compare it to. Android/iOS or even
| something like Red Hat should be the comparison point.
| pjmlp wrote:
| I see it from CVE database.
|
| Naturally I look at GNU/Linux, that is what average Joe
| gets on their computers.
|
| iOS is not Linux thus not even part of this conversation.
| grumpyautist wrote:
| They shouldn't blame Microsoft. They should blame themselves for
| using Microsoft.
| tuwtuwtuwtuw wrote:
| I am not really following the article; somehow I mostly see
| ads. Not sure if some content is missing for me.
|
| If you install a piece of software which does monitoring of
| your IT infrastructure in your servers, and that software has
| malware in it which collects info it shouldn't, wouldn't you
| have the same issue regardless of what OS you are using?
| Craighead wrote:
| SolarWinds exists because of its ability to bridge gaps in
| Microsoft products more so than any other platform.
___________________________________________________________________
(page generated 2021-04-17 23:02 UTC)