|Thomas Delrue on 17 Oct 2017 11:50:14 -0700|
|Re: [PLUG] Microsoft Bug Tracking hacked|
On 10/17/2017 02:21 PM, Will wrote:
> If you haven't had enough of security related news this week, there
> is one more for all our friends using Microsoft products.
>
> https://hackaday.com/2017/10/17/microsoft-bug-tracking-hacked/
>
> Who needs a drink after this week?

Thanks for sharing!

Color me skeptical on this particular reporting (disclaimer: in a previous life, I was on the inside of The Empire, so there's that...)

The article (including over at Reuters: https://in.reuters.com/article/us-microsoft-cyber-insight/microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idINKBN1CM0D0) does not address a couple of important questions and makes wild claims towards sensationalism. Let's unpack it a little...

1) The first 5 words are just already wrong: "Microsoft Corp's secret internal database"
   a) There is no such thing as a secret database with bugs; these things are not secret if you're on CorpNet
   b) There is no such thing as a single database for bugs
   b.1) There is no such thing as the one DB server for all bug DBs

2) Product Studio or Team Foundation Server? (I'm inclined to lean towards TFS, because IIRC, getting access to a PS database was always a pain in the friggin' backside, whereas TFS was a bit ... less hard)
   Depending on the answer here, we'll know more about which products are affected, since at that time not everyone was on TFS yet.

3) This 'highly sophisticated hacking group' is likely to have been one or more insiders, or individuals directed by insiders, because they knew exactly what to look for. You don't just connect to "data source=bug_db_server;Initial Catalog=all_the_bugs;username=sa".
   If it was just an outsider, then CSAM (Corporate Security & Access Management) has much bigger fish to fry than a bug db being stolen, and CorpNet (their corporate Intranet) has some really big problems. There's all sorts of nifty tricks applied within CorpNet to make sure you can access what you have permissions to access and nothing more.

4) "The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins."
   Yes, this is what a bug db is; there is no need to sensationalize this. In fact, any good bug report should contain at least the following:
   - Title
   - Description
   - Repro steps
   - Expected result
   - Actual result
   - Impact
   - Priority (how urgently do we need a fix)
   - Severity (how bad is this if we don't fix)
   - Ease of reproduction
   - Justifications for any made decision
   (this concludes today's lesson)
   BUT... they keep mentioning 'multiple products', which means multiple databases were stolen, and allude to 'it includes Windows'. However, they never confirm this, nor which other products' databases are involved.

5) "Microsoft tightened up security after the breach, the former employees said, walling the database off from the corporate network and requiring two authentications for access." and "They said the database was poorly protected, with access possible via little more than a password."
   This makes no sense to me; they've had 2FA for these things since at least 2012, well before this breach.

6) While many of these bug reports will be interesting, I highly doubt that there are real gold nuggets in there. You just don't ship with any P0's or P1's (and usually, not even P2's) active. And things that'd give you the equivalent of root on a winbox will most certainly be a P0 or P1 after shiproom was done with them.
   That being said, in this case I'm talking about back in the 'boxed software' days, when you went 'gold' or RTM with a particular build; I'm specifically not talking about their on-line stuff. (I have opinions on that, strong opinions...)

All in all, this is shoddy and sensationalist reporting... but I'll keep an ear out for more on this.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug