“We’ll do anything to fix cybersecurity – except build software correctly”.
22 January 2024 (Madrid, Spain) – To be an informed citizen is a daunting task. Never mind war and geopolitics. Just to try and understand the digital technologies associated with Silicon Valley — social media platforms, big data, mobile technology and artificial intelligence that are increasingly dominating economic, political and social life – has been an even more daunting task. And when it comes to cybersecurity … fuhgeddaboudit!! Who in hell has the time??!!
Last Friday my team and I published a story on the “revelation” that Microsoft Outlook has become a surveillance tool for targeted advertising. Microsoft is using the app to harvest personal data and selling it advertisers that use it to display targeted ads both inside and outside the app. It’s a data collection mechanism for Microsoft’s 772 external partners and an ad delivery system for Microsoft itself.
Your response was huge: a 32% read-rate (at the high end of the “open-read-rate” social media metric) and 336 email comments/follow-ups.
But many readers missed the “Big Picture”. Dinosaurs like Rick Woodward (a very cool chap you should follow) and I have been in this game a very long time. We well remember (as I am sure many of my readers do) that before it was a nefarious CSO Group product, Pegasus was simply an email program – back in the days before cloud-based email, which Rick Woodward always thought was a seriously bad idea and going to take us down mean streets. The key takeaway is this:
Data privacy, data “protection” is dead dead dead. And it has been for a very long time. What we are seeing is Facebook, Google and Microsoft have combined both kinds of Pegasus into a single product.
Or as Rick signed off in a recent post: WeAreAllKhashoggi.
And I note Facebook (yet again) as it was revealed last week (yet again) that Facebook users are monitored by thousands of companies. And that Meta continues to earn thousands of dollars from an ad campaign, seen by millions, that pushed pro-Kremlin talking points and undermined local elections in Moldova – run by Russian users sanctioned by the U.S. government. Oops.
All of this came BEFORE the real fun news – the real purpose of this post – that the Microsoft network was breached through “password-spraying” by Russian-state hackers. It turns out the attack was successful because of a misconfiguration that resulted in the compromise of a test tenant account – which somehow had extremely broad access privileges. As Steve King noted (and more from him in a moment)
As with most cobbler’s children who go without shoes, MS constantly preaches MFA – but there was no MFA required on this login.
If this sort of thing happened occasionally, I suppose one would be tempted to issue a pass to the biggest software company in the world.
But . it . happens . all . the time.
And whether it is due to vulnerabilities in the company’s products or just bad hygiene, they are no longer a software-only company. We covered much of this with Andy Jenkinson last week.
It really begs to be set to music. I am thinking about Chubby Checker and his hit “Let’s Twist Again.” One lyric change. Twist becomes “hacked.” So “let’s hack again like we did last summer.” A hit, yes?
Did you ever wonder why a door falls off a Seattle-linked aircraft and security breaches occur at Seattle’s big software outfit? A desire for profits, laziness, indifference, or some other factor is causing these rather high-profile issues? It must be the Seattle water or the rain. That’s it. The rain! No senior manager can do anything about the rain. Perhaps a solar wind will blow and make everything better?
There is a maxim in the cybersecurity industry, best articulated by Elio Grieco, one of my team’s brilliant, creative “must follow” chaps on Linkedin. Elio has superb computer skills from programming to usage, and a deep knowledge of cybersecurity issues. As Elio has noted:
“We’ll do anything to fix cybersecurity – except build software correctly”.
It is the same old story. As I have noted numerous times, in software developers don’t have a choice. Speed becomes a business imperative for survival and to stay competitive. Software development is in this grinding environment. Forces always seem to be pulling in opposite directions, between management, client, and developer ideologies. We have developed a culture of “agility” without always retaining the appropriate balance with quality and security.
We should – but never will – look back to basics and ensure fundamental steps in development, even if accelerated.
And a bigger issue, again calling on Elio Grieco:
It’s also helped that between ToS, EULA, and other custom vendor contracts software companies have been able to completely shift liability to the customer. Software is delivered “as is” with “no warranties, express or implied”. No other engineering profession has been as successful in abdicating their responsibilities to their customers.
But the biggest issue right now is that the increasing complexity of cloud, multi-cloud, and hybrid network environments and the rapidly evolving nature of adversary threats has exposed the Achilles heel of traditional network cybersecurity defenses. In a recent chat I had with my main “go to” cybersecurity maven Steve King:
Traditional defenses with multiple layers of disjointed security technologies are ineffective against modern threat actors. We need a better way to provide secured, unified-yet-granular access control to data, services, applications, and infrastructure. Some skeptics may not want to hear this, but with impaired visibility, risk-ignorant access decisions, and manual detection and response, we cannot prevent breaches.
Size and complexity are the enemies of cybersecurity. In cybersecurity we are always faced with the chance that our system harbors some, unknown vulnerability – especially in code – and the possibility that vulnerability will be discovered by some malicious actor who will then use it against our system, as well as other, similar systems. Cybersecurity vulnerabilities are the result of two kinds of errors or defects: design errors and implementation errors.
A design error is where the functionality of a system or component is not properly and comprehensively analyzed and understood so that the resulting design does not cover all possible use cases. Analysis of a system requires understanding and capturing all the possible ways that a system will be used, as well as the limits of how the system will be used such that only the planned functionality is enabled by the system. The design is the plan for how the system will implement the functionality that satisfies the analysis results. The design captures the structure of a system or component and the breakdown of the partitioning of the major functionality.
Implementation is the realization of the design. The development of the system or component using software development tools such as editors and compilers in the specified languages and frameworks. All configurations are also included in the implementation. The development process often includes: a build and integration processes, coding standards, design patterns, code reviews, and testing as methods to increase the likelihood that the resulting implementation is as true to the design and has the least number of defects possible.
I asked Steve to specifically address this Microsoft breach and he said:
Look, Microsoft really needs to do a deep assessment of all security flaws in every product they acquire or attempt to build. LinkedIn is loaded with vulnerabilities. SharePoint is a joke. Azure has been successfully breached dozens of times, Same with Outlook. With big revenue and big market dominance comes big responsibility.
As a 365 user, I am forced onto a field of fire every day, because no one holds the Giant accountable. While I agree with CISA Director Jen Easterly, who has emphasized that the burden of maintaining software security needs to shift to software manufacturers, who have the funding, expertise and personnel to invest in software security, that sentiment doesn’t take the end user off the hook either.
We do the same thing the Giant does every day. We avoid implementing MFA. We accept shoddy passwords. We don’t invest in training and education, so what we end up with is a bunch of practitioners left increasingly behind by advances in technology that they have no way of understanding.
We never conduct access reviews, we don’t monitor privileged accounts. We keep staring at network-centric solutions that leave us far right of bang, and will never work. We talk about Zero Trust a lot but we don’t implement it. We fail to apply patches for known high value vulnerabilities. We constantly misconfigure containers, and software access. We clutter our networks so heavily that we have no idea what the topology looks like anymore.
And we do development based largely on 3rd party code that is littered with undetectable transitive dependencies.
To increase the likelihood of breach, we recently decided that all employees could fool around with LLMs and GPTs, and while they do so without any training or understanding of impact or consequences, we have created the largest shadow IT environment in history.
We act like we don’t know what we’re doing.
So, with Microsoft’s next Azure breach, don’t blame the Giant, look in the mirror yourself and explain to the board why all of those assets were sitting out in that cloud unprotected.
We . must . get . smarter.
I will leave the last word to Ron Ross at NIST (the U.S. National Institute of Standards and Technology which is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness):
The real cyberwar is being fought on the field of complexity. It cannot be won with cybersecurity frameworks, tools, controls, assessments, zero trust concepts, or artificial intelligence alone. It will take a bare-knuckled, pound it out on the ground a yard at a time, systems and security engineering approach — applying rigorous design principles and architectures that minimize complexity and maximize assurance and trust.
If you cede control of critical components such as operating systems to adversaries by failing to address complexity and assurance, they will use subversion to own the cyber battle space and turn your high-tech into no-tech.