Thomas Delrue on 17 Oct 2017 11:50:14 -0700



Re: [PLUG] Microsoft Bug Tracking hacked


On 10/17/2017 02:21 PM, Will wrote:
> If you haven't had enough of security related news this week, there
> is one more for all our friends using Microsoft products.
> 
> https://hackaday.com/2017/10/17/microsoft-bug-tracking-hacked/
> 
> Who needs a drink after this week?

Thanks for sharing!

Color me skeptical on this particular reporting (disclaimer: in a
previous life, I was on the inside of The Empire, so there's that...)
The article (including over at Reuters:
https://in.reuters.com/article/us-microsoft-cyber-insight/microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idINKBN1CM0D0)
does not address a couple of important questions and makes wild claims
towards sensationalism.

Let's unpack it a little...

1) The first 5 words are just already wrong: "Microsoft Corp’s secret
internal database"
	a) There is no such thing as a secret database with bugs; these things
are not secret if you're on CorpNet
	b) There is no such thing as a single database for bugs
		b.1) There is no such thing as the one DB server for all bug DBs

2) Product Studio or Team Foundation Server?
	(I'm inclined to lean towards TFS, because IIRC, getting access to a PS
database was always a pain in the friggin' backside, whereas TFS was a
bit ... less hard)
Depending on the answer here, we'll know more about which products are
affected since at that time, not everyone was on TFS yet.

3) This 'highly sophisticated hacking group' is likely to have been one
or more insiders, or individuals directed by insiders because they knew
exactly what to look for. You don't just connect to "data
source=bug_db_server;Initial Catalog=all_the_bugs;username=sa".
If it was just an outsider, then CSAM (Corporate Security & Access
Management) has much bigger fish to fry than a bug db being stolen and
CorpNet (their corporate Intranet) has some really big problems. There's
all sorts of nifty tricks applied within corpNet to make sure you can
access what you have permissions to access and nothing more.

4) "The database contained descriptions of critical and unfixed
vulnerabilities in some of the most widely used software in the world,
including the Windows operating system. Spies for governments around the
globe and other hackers covet such information because it shows them how
to create tools for electronic break-ins."
Yes, this is what a bug db is, there is no need to sensationalize this.
In fact, any good bug report should contain at least the following:
	- Title
	- Description
	- Repro steps
	- Expected result
	- Actual result
	- Impact
	- Priority (how urgently do we need a fix)
	- Severity (how bad is this if we don't fix)
	- Ease of reproduction
	- Justifications for any made decision
(this concludes today's lesson)
BUT... they keep mentioning 'multiple products', which means multiple
databases were stolen, and allude to 'it includes Windows'. However, they
never confirm this nor which other products' databases are involved.

5) "Microsoft tightened up security after the breach, the former
employees said, walling the database off from the corporate network and
requiring two authentications for access."
and
"They said the database was poorly protected, with access possible via
little more than a password."
This makes no sense to me; they've had 2FA for these things since at
least 2012, well before this breach.

6) While many of these bug reports will be interesting, I highly doubt
that there are real gold nuggets in there. You just don't ship with any
P0's or P1's (and usually, not even P2's) active. And things that'd give
you the equivalent of root on a winbox will most certainly be a P0 or P1
after shiproom was done with them.
That being said, in this case, I'm talking about back in the 'boxed
software' days, when you went 'gold' or RTM with a particular build, I'm
specifically not talking about their on-line stuff. (I have opinions on
that, strong opinions...)

All in all, this is shoddy and sensationalist reporting... but I'll keep
an ear out for more on this.


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug