💾 Archived View for feldspaten.org › pages › the-clown.gmi captured on 2024-07-08 at 23:08:54. Gemini links have been rewritten to link to archived content
This page is under construction. For now I just want to save and store some links for future usage.
CIOs still waiting for the cloud investments to pay off
Microsoft takes pains to obscure role in 0-days that caused email breach
Results of Major Technical Investigations for Storm-0558 Key Acquisition
Basecamp saving about 7 million over five years by leaving the cloud
This happened in July/August 2023. Azure allowed unauthorized access to CROSS-TENANT (!!) applications and sensitive data, as reported by Tenable (and verified by others).
The big Azure credential fuckup
Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform
Microsoft cloud security blasted for its culture of toxic obfuscation
Microsoft test account was assigned admin privileges, major email leak
/stuff/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf
The CISA Report is devastating. I quote from section 2, Findings and Recommendations:
The Board concludes that Microsoft’s security culture was inadequate. The Board reaches this conclusion based on:
1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
3. the Board’s assessment of security practices at other CSPs, which maintained security controls that Microsoft did not;
4. Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction;
6. the Board’s observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and
7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.