Microsoft Signing Key Stolen by Chinese (schneier.com)
79 points by DemiGuru 9 months ago | hide | past | favorite | 27 comments



A wise person once said: "Trust is the necessary precondition for betrayal."

Big organizations like Microsoft cannot be more secure than one individual's systems; someone runs their servers and they wear pants and make mistakes, just like we do.

What the big shop can do is cover up their mistakes and confuse responsibility once they're made. As well as providing an easy one stop shop for bad actors with things like GitHub ("subvert the world's infrastructure all at once!").


A) Only a handful of companies can even afford to secure their infra as much as MS. Security is relative to threat actors, not absolute. One individual cannot defend themselves against an APT team (P=persistent).

B) I don't know if you heard about infamous mass-exploitations like the recent MOVEit or Russia with SolarWinds, but an APT will still pwn everyone. One stop shop or not. Having one place is actually good because you won't have 1000+ incident responses, and remediation is also a one stop action, as is figuring out scope and impact.


I'm not really sure about this logic. Is an APT going to use anything but old vulnerabilities against an off cloud shop that might have unique auditing to burn them? Are they going to develop a new one for such a shop when the payout couldn't be a fraction of what a success would return from even a minor cloud vendor?

On top of that you also have all the same regular vectors of desktop/mobile OSes, etc. So the cloud isn't really an adequate defense if you are a real target and is just one much more handy cookie cutter vector that will almost certainly trawl your data accidentally to an APT group when a mistake makes it practically free.


Going back to MOVEit as an example, they used a zero-day and mass-ransomed people.

The cloud isn't an adequate defense, it is just better than the defense less resourced companies and people can put together. With APTs it is all a competition of resources. If you can self-host and spend more resources than say Microsoft or Google on securing it, go for it. There is nothing more or less secure about doing cloud or self-hosting, what matters is how much money you can put into it but more importantly, how much talent you can attract. Not only do MS and Google have hefty bounties for finding vulns, skilled people flock to them for the opportunity to work there, even at lower salaries! Likewise, intel agencies and gov/mil units are coveted by skilled people.

To use a real world analogy, a Chinese special ops unit might invade your small town and the argument here is to buy guns and practice shooting using the locals (self-host) vs calling in the army (NSA -- I blame them!) or paying a mercenary group (because the army won't dedicate a unit to your small town only). It doesn't matter if everyone in your town is ex-military, even if you defeat the Chinese special ops unit, their mission will remain, they will just keep sending more people and more firepower and better strategies until they win. And just because a mercenary group lost to a Chinese special ops unit does not mean you should have been using civilians to begin with, that's a false equivalency.


Doesn't a service like moveit just blur the lines between cloud and on premises? I mean how exactly did they find these 400 orgs fast enough, was it a centralized command center?

You lost me entirely on the second paragraph. Some kind of militia attitude or trusting private armies probably means you are getting well beyond normal civilian behavior. You buy locks, you compare lock manufacturers, if you aren't the easiest of targets or the most valuable you represent a waste of time.


They scanned the internet; they were testing their exploit for 1-2 years before "d-day".

> you are getting well beyond normal civilian behavior

That is precisely my point, the threat actors are not civilians, so you can't defend them with the resources you have as a civilian.

> if you aren't the easiest of targets or the most valuable you represent a waste of time.

The internet changed power dynamics so that anyone on it can try to break the lock of your front door, including nation state sponsored thieves. The lock in this case was more like a vault door keeping companies' secrets. Cloud vs self-host does not change who will target you; the difference is an in-house vault vs Fort Knox.


> That is precisely my point, the threat actors are not civilians, so you can't defend them with the resources you have as a civilian

But this is leading to a crazy generalization. Microsoft can't defend itself as a civilian with a physical presence all over the globe that hires thousands of workers. Nonetheless, the sequence from SolarWinds to this breach represents a terrific amount of China's focus. Tearing through old data to find an expired key, probably also encrypted, and combining it with an active config error for it is a bit more than scanning for a standard attack against a class of old routers.

If your data is pooled without e2e encryption it is in the middle of a capture the flag game and will be owned. For Microsoft to make a cloud that doesn't have to be secure from the most sophisticated resources of China they would have to stop assembling all that data so that it would have to be assembled with the boring and endless botnet scans on hundreds of thousands of different end points.

Attackers will always get better at automating distributed scans but it is always a small percentage game that isn't as great as owning 3 clouds that each have equally good copies of about a third of this data.


It's almost like centralizing software in major clouds is not such a good idea after all ;)

Governments should own their own datacenters and access should be highly regulated.

If you can spend billions on military projects that go nowhere, you should be able to spend a couple of million on people that create a networking structure for you that is based on RBAC and that is not owned by somebody else.


Sadly, the federal government doesn’t have a great track record here either…

https://en.m.wikipedia.org/wiki/Office_of_Personnel_Manageme...


It's duct tape and hope all the way down.

(infosec/grc practitioner)


The federal government should absolutely have their own software development department that exists entirely to make software for governments. I'm so tired of us saying "nononono government can't do it efficiently" just so we can spend 10x as much on a "contractor" who works only ever for the government and spends all their R&D on circumventing government procurement contract clauses.


A nation state compromises a cloud infra and that's your takeaway? Was your takeaway after solarwinds the opposite? To move it to the cloud?

It's almost as if it is very easy to make reductionist statements without considering the nuances of the subject.

While you're at it, stop using gmail and other webmail and selfhost. I am sure it will be more secure? Lol.


At least do some research, my friend. Hackers compromised a digitally signed SolarWinds Orion network monitoring component, opening a backdoor into the networks of thousands of SolarWinds government and enterprise customers. SolarWinds was the exact same problem: the cloud service was centralized and thousands of servers were hacked because of it.

Just because you install something yourself does not make it self hosted.

Lastly, this was a supply chain attack, which means too that if the government is able to roll their own stuff, or use open source products that can be reviewed properly, this would not have happened.


Do some research? I do this for a living.

"digitally signed SolarWinds Orion network monitoring component"

Do you even know what that is? It's a .NET DLL. It was absolutely self hosted. Updating the self-hosted software meant that it included the backdoored DLL. There is no cloud involved. Do you even know what SolarWinds does?

> just because you install something yourself does not make it self hosted

It does when you install it on your own server that you manage.

> Lastly this was a supply chain attack. which means too that if the government is able to roll their own stuff, or use open source products that can be reviewed properly, this would not have happened.

So now you moved to every company and government should write their own software? And you think open source means it will get reviewed because unpaid people who are not responsible for review will review it no matter what? Open source is an even bigger nightmare; I am sure you must have heard of the log4j mess.

Perhaps you should look into what security professionals have to say about the subject instead of presuming things.


> Do some research? I do this for a living.

And I build CIS compliant platforms for a living.

What do you think the networking component was used for? I'll give you a hint: it's in the name.

The attacker injected their own control server communication into the DLL that is used by solarflare to actually report back to the main system. Sooo, their own control server. They literally had their control server communication use the same kind of JSON objects that SolarWinds uses for themselves.

You can see the entire details of the attack here: https://blog.qualys.com/vulnerabilities-threat-research/2021...

And if you tell me that this would have gotten by a regular pull request review on any project that uses a protected main branch, I am laughing.

> Log4Shell.

Log4Shell would most likely not have been possible if the project received actual funding. I know it's a crass idea to spend money on things that are free, but you know someone needs to be paid to review things. I am of the opinion that if the government uses these things, they could spend the same amount of money on open source. Do you even realize how much money that ends up being?

> So now you moved to every company and government should write their own software?

No, but when my government pays for its development, they should use open source projects.

So yeah, my original point still stands. If they would have used an open solution to this, which does not require a centralised control server itself, this would not have happened. It's literally what people like me get paid for to review, and if you tell me that a pull request with encoded code without reason or feature ticket would have been approved and implemented, I strongly disagree. This would have been found by any tool using static code analysis for security simply because it's encoded. At least flagged.

> self hosted

Self hosted does not mean you install it. Otherwise Slack is self hosted, or Facebook is self hosted just because I install the app on my phone.

Finally, I leave you with the definition of self hosted from Wikipedia:

>> Self-hosting is the practice of running and maintaining a website or service using a private web server, instead of using a service outside of someone's own control.

There was no reason for the firewall to even allow this in the first place unless they were using a service outside of their control.
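The comment above claims a static check would flag opaque encoded literals in source. As an added illustration of that kind of check (written for this thread, not code from SolarWinds, the Qualys write-up or any commenter), here is a small Python scanner that pulls string literals out of C#-style source, reports the ones that are decodable base64 of 32+ characters, and attaches an entropy score for triage. The sample source and blob are constructed; the identifier and URL in it are placeholders.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Any double-quoted string literal in C#/Java/JS-style source (handles \" escapes).
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Base64 alphabet, at least 32 characters, optional padding.
BASE64_LIKE = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')


def shannon_entropy(text: str) -> float:
    """Bits per character, useful for triage; base64 text tops out near 6.0."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_base64_blob(literal: str) -> bool:
    """True if the literal looks like base64 and actually decodes."""
    if not BASE64_LIKE.fullmatch(literal) or len(literal) % 4:
        return False
    try:
        base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def find_encoded_literals(source: str) -> list[tuple[int, str, float]]:
    """Return (line number, literal, entropy) for each decodable base64 literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            if is_base64_blob(literal):
                findings.append((lineno, literal, shannon_entropy(literal)))
    return findings


# Constructed sample source (not SolarWinds code): an ordinary identifier, a URL,
# and one opaque base64 literal handed straight to a decoder; only the last one
# is the pattern a reviewer should be asked to justify.
BLOB = base64.b64encode(b"constructed opaque payload for the example").decode()
SAMPLE_SOURCE = f'''
string name = "MetricsCollectorClient";
string endpoint = "https://metrics.example.invalid/api/v1/report";
var data = Convert.FromBase64String("{BLOB}");
'''

if __name__ == "__main__":
    for lineno, literal, entropy in find_encoded_literals(SAMPLE_SOURCE):
        print(f"line {lineno}: base64 literal, {len(literal)} chars, "
              f"{entropy:.2f} bits/char: {literal[:24]}...")
```

A finding is a prompt for review, not proof of malice: legitimate code embeds certificates, icons and test fixtures this way, so the commit and ticket behind each hit still have to be read.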


Are you arguing for the sake of it? I am so confused. What do CIS controls have to do with it (and I feel for you with all that box checking)?

> As part of C2 communication, attackers have tried to mimic SolarWinds communication method by using JSON format for the HTTP communication. Following is the code for creating JSON format

The threat actors used their own C2 infra, they merely mimicked solarwinds' traffic!

> and if you tell me that this would have gotten by a regular pull request review on any project that uses a protected main branch, I am laughing

Why would I tell you that? What does this have to do with cloud vs self hosting? Is that a random comment?

> Log4Shell would most likely not have been possible if the project receives actual funding...

I agree but again I ask, why are you talking about the root cause for it? How does that help your self-hosting argument?

> no but when my government pais for its development, they should use open source projects

Who cares? How is being open source relevant?

> So yeah my original point still stands. If they would have used an open solution to this, which does not require a centralised control server itself, this would not have happened

Ok, I think I see the problem: in your opinion, anything not open source is cloud???

Just for context, I use/support open source in a corporate environment; it is hell. Begging open source devs when your livelihood depends on their cooperation is very unpleasant. Commercial orgs demand reliability; hiring skilled people to support open source (especially given crappy gov salaries) isn't viable, and open source devs nearly always refuse to provide paid support and SLAs. I would like to see you back up your argument by comparing the number of abandoned open source projects vs companies abandoning their products. I am currently spending time I don't have supporting open source software abandoned by its creators. Nothing says you don't know the state of FOSS security more than claiming it is more secure simply by being open source.

> This would have been found by any tool using static code analysis for security simply because its encoded. At least flagged.

Maybe, and that's a big maybe; I see encoded content in .NET code all the time. And someone needs to actually review what is flagged. Simply reviewing commits would have caught it too. But what's your point? This thread is not RCA analysis. You are distracting with that to avoid the fact that it was self hosted!

> self hosted does not mean you install it. otherwise slack is self hosted. or that facebook is self hosted just because i install the app on my phone

It means you manage and operate the infra it is hosted on. You don't run Slack infra, but you run SolarWinds infra.

> There was no reason for the firewall to even allow this in the first place unless they were using a service outside of their control.

You realize you contradicted your own claims there, right? The fact that the self-hosted firewall at random companies needed to block the traffic is why it is called self-hosted, exactly as your Wikipedia quote is telling you.

I fear you have picked this hill to die on though.


I'll try to make this short for you:

SolarWinds has centralized metrics collection and the attack mimicked the normal JSON payload, therefore the attacker was hiding in regular traffic.

In our topic, Microsoft has the keys to thousands of orgs, which have been leaked because they are all "in the same cloud".

Case SolarWinds would have been resolvable because it should have been noticeable that there is traffic going out externally to a cloud, which it doesn't with truly self hosted software.

Case Microsoft would have been resolvable by hosting your own Exchange.

In both cases the default firewall should be deny all and whitelisted by use case.

I am not anti-cloud; I am, however, anti "central control servers". I am not claiming that FOSS is necessarily more secure, but, as you noticed yourself, you are able to self-service and therefore check. Also, I'm not claiming it has to be free.

My claim in concern with the government is simply that when they pay for something the result should be open source and public, as all of us pay for it.


> Governments should own their own datacenters

Most government data should be on local in-country leased infrastructure. Government should not be building palaces and isolated from the people. It's my government and for the most part should be open.


I would go even further and say that governments should consider having their own OS. There is no reason why Windows 10 and 11, with their ever increasing number of ads and information sieve, would belong there.


If it doesn’t belong there then it doesn’t belong here.


Microsoft really needs to split like Google and Alphabet. Having the top leadership rush full on into AI and Low Code / No Code solutions is counter to running a successful cloud business.


Wasn't Pichai rushing somewhere this very summer? The sort of rushing that starts when you lag behind?


Two of the most user hostile companies of our times.


I don't understand how they extracted the key from the HSM. How is this even possible - the vendor of the HSM should be named!



I don't understand, is this a breach in MS Azure accounts or personal accounts or both? I mean, I use Authenticator to log in from my phone and I have disabled the password as a way to log in; am I also a potential victim of this attack?


Senator Wyden thinks that the SolarWinds breach could have provided valuable insight to prevent incidents like this one.

" On May 12, 2021, President Biden issued Executive Order 14028, which among other things, created a Cyber Safety Review Board, whose first task would be to study the SolarWinds incident. That review never took place — the Board was subsequently directed by the Department of Homeland Security to study another hacking incident. I have repeatedly pushed CISA and DHS to direct the Board to study the SolarWinds incident, but have been rebuffed. Had that review taken place, it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted. "

[PDF] https://www.documentcloud.org/documents/23888590-wyden_lette...



