Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


Astonishing Incompetence: The Microsoft Way

March 11, 2021 by Marc Handelman in Incompetence, Security Cruft, Lazy Security Engineering, Blatant Stupidity

As a former corporate customer, after experiencing the excruciatingly ponderous level of incompetence exhibited by Microsoft Corporation (NASDAQ: MSFT) Security, Service & Systems engineers, we've terminated our contracts with the company and moved to proven, fundamentally more secure platforms to run our business. The move, accomplished several months ago, covered our enterprise messaging infrastructure, CMS, Office 365, data storage and lab environment; we are quite pleased with the landscape, free of the MSFT two-step. Absolutely no Microsoft bits in our business.

At this point in the Microsoft Litany of Incompetence that is playing out, perhaps you might take a couple of minutes and read a story by the highly respected security author and bon vivant Richi Jennings (a fellow author at Security Boulevard), in which the Right Honorable Mr. Jennings details (with the assistance of those with knowledge of the situation) the enormity of the nearly complete lack of competency in the twin realms of Information and Cyber Security exhibited by the scurrying about of the attendants to the Redmond Leviathan's highfalutin' demands. Richi's story begins below, with a link to the litany's completion at Security Boulevard.

Now, briefly, the issue of leadership raises its noggin, in this instance personified by an individual whom I generally refer to as 'The Great Apologizer', Satya Narayana Nadella, CEO of Microsoft Corporation. Don't think of this as an ad hominem diatribe; rather, focus on the physics of the situation, dammit... Just remember, whilst most solids and liquids flow downhill, the chunky detritus of a company which fails to execute its mission with exquisite competence possesses a tendency to perform in the opposite direction, that is to say, to flow uphill, flouting gravity and whatnot, focusing that failure of leadership directly on the very topmost leader, in this case CEO Nadella. Thus, those individuals caught by what I like to call the failure tsunami are typically found on the lecture circuit within a couple of years. To sum up, closing my one good eye, I can see it now: a short & sweet 15 minutes at TEDx Seattle for Mr. Nadella and his version of Code Complete. Avoid that, me buckos, at all cost.

........

via the inimitable Richi Jennings, writing at Security Boulevard:

"If you thought last week’s news was bad, you ain’t seen nothin’ yet. Countless organizations using Microsoft Exchange are scrambling to undo the damage caused by Chinese “Hafnium” hackers over the past two months. And many more don’t even know they’ve been penetrated. It’s all Microsoft’s fault. Let’s not sugar-coat it: Microsoft knew about this vulnerability more than two months ago, yet didn’t tell anyone, for fear of … what? Damaging shareholder returns? Microsoft should be ashamed of itself. In today’s SB Blogwatch, we watch Redmond reap the whirlwind."


Oops! Oracle Corporation's BlueKai Exposes Billions Of Records On Interwebs

June 19, 2020 by Marc Handelman in Information Insecurity, Security Incompetence, Blatant Stupidity

via Zack Whittaker, writing at TechCrunch (and via an appreciated H/T), comes a report of the most egregiously enormous data leak this year. This time it's the turn of Oracle Corporation's (NYSE: ORCL) BlueKai to take a bow; BlueKai's claim to fame is the enormous damage its data loss can cause, due to the sheer size of the data it stores on many, if not all, US, UK, AUS, NZ and Canadian (and other nationalities') persons that traverse our beloved interwebs. Don't fret, I'm relatively certain there will be bigger screw-ups before the proverbial ball drops in Times Square, as there is still plenty of time to grab the Security Incompetence Award for 2020.

"BlueKai uses website cookies and other tracking tech to follow you around the web. By knowing which websites you visit and which emails you open, marketers can use this vast amount of tracking data to infer as much about you as possible — your income, education, political views, and interests to name a few — in order to target you with ads that should match your apparent tastes. If you click, the advertisers make money." - via Zack Whittaker, writing at TechCrunch


Bad News For Google: Google Play Chrome Extensions Steal More User Data

June 18, 2020 by Marc Handelman in Google Play Incompetence, Application Insecurity, Blatant Stupidity

Google removed the offending extensions only when told (privately) of the disaster. Read Dan Goodin's superlative reporting and commence weeping for your data, my friends; but first, change all of your passwords, then commence with the waterworks. I also strongly suggest readers examine the report from the security researchers at Awake, and take appropriate action.


Image Credit: Fox Broadcasting

Ladies and Gentlemen, Let the Throttling and Blockage Commence

April 05, 2019 by Marc Handelman in Blatant Stupidity, Incompetence, The Interwebs

A License To Abuse Users And Competitors, Just Don't Forget The Disclosure Piece.


via Reddit

UPnP'd: The Litany Of Ports 139 and 445

November 30, 2018 by Marc Handelman in Routerland, Blatant Stupidity

Why in the world is this still a problem? Just say no to UPnP, and move on, dammit. Disable UPnP on the router's WAN side, then confirm from outside your network that TCP 139 and 445 are actually closed; a disabled checkbox is not a verified state.
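The check a practitioner would actually run against a home router, as an added example that is not part of the original post: a UPnP Internet Gateway Device exposes its port-mapping table through the WANIPConnection SOAP action GetGenericPortMappingEntry, and any mapping that forwards TCP 139 or 445 to an inside host is exactly the exposure this post complains about. The code below builds the SOAP request a client would POST to the router's control URL and audits a batch of responses; the responses are constructed samples, not captured from any real device, and the control URL is left to the caller because it is discovered per router via SSDP.

```python
"""Audit a UPnP IGD port-mapping table for SMB exposure (added example)."""
import xml.etree.ElementTree as ET

# The ports the post is about: NetBIOS session (139) and direct SMB (445).
SMB_PORTS = {139, 445}
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_get_mapping_request(index: int) -> str:
    """SOAP body for GetGenericPortMappingEntry(index), per the IGD spec.

    A client POSTs this to the service control URL with the header
    SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"
    and walks index 0, 1, 2, ... until the router answers with UPnP error 713
    (SpecifiedArrayIndexInvalid), which marks the end of the table.
    """
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry>'
        '</s:Body></s:Envelope>'
    )


def _text(root, name: str) -> str:
    """Return the text of the first element whose local name matches.

    The argument elements in an IGD response are unqualified, but routers
    differ in how they namespace the envelope, so match on local name only.
    """
    for elem in root.iter():
        if elem.tag.split('}')[-1] == name:
            return (elem.text or '').strip()
    return ''


def parse_mapping(xml_text: str) -> dict:
    """Turn one GetGenericPortMappingEntryResponse into a plain dict."""
    root = ET.fromstring(xml_text)
    return {
        "external_port": int(_text(root, "NewExternalPort")),
        "internal_port": int(_text(root, "NewInternalPort")),
        "protocol": _text(root, "NewProtocol"),
        "internal_client": _text(root, "NewInternalClient"),
        "enabled": _text(root, "NewEnabled") == "1",
        "description": _text(root, "NewPortMappingDescription"),
    }


def risky_mappings(responses) -> list:
    """Return the enabled mappings that expose an SMB port on either side."""
    findings = []
    for response in responses:
        m = parse_mapping(response)
        exposed = m["external_port"] in SMB_PORTS or m["internal_port"] in SMB_PORTS
        if m["enabled"] and m["protocol"].upper() == "TCP" and exposed:
            findings.append(m)
    return findings


def _sample(ext, proto, internal, client, enabled, desc) -> str:
    # Constructed response in the shape the IGD spec defines; not a capture.
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{internal}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient>'
        f'<NewEnabled>{enabled}</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse>'
        '</s:Body></s:Envelope>'
    )


# Constructed sample table: one live SMB hole, one disabled NetBIOS entry,
# and one unrelated web-camera forward.
SAMPLE_RESPONSES = [
    _sample(445, "TCP", 445, "192.168.1.23", 1, "NAS file sharing"),
    _sample(139, "TCP", 139, "192.168.1.23", 0, "NetBIOS (disabled)"),
    _sample(8080, "TCP", 80, "192.168.1.40", 1, "web camera"),
]

if __name__ == "__main__":
    for finding in risky_mappings(SAMPLE_RESPONSES):
        print(f"EXPOSED: external {finding['external_port']}/{finding['protocol']} "
              f"-> {finding['internal_client']}:{finding['internal_port']} "
              f"({finding['description']})")
```

Only the first sample is reported: the 139 entry is present but disabled, and the camera forward touches neither SMB port. Against a real router you would fetch responses by POSTing `build_get_mapping_request(i)` for increasing `i` and stop at the 713 fault; a non-empty result from `risky_mappings` is the concrete evidence behind "just say no to UPnP".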


Image Credit: Microsoft Corporation

Rather Than Focusing On Fixing Lame Windows Update System, Microsoft CEO Targets New Electronic Cricket Bat

October 12, 2018 by Marc Handelman in Blatant Stupidity, Corporate Evil, Cruft, Operating Systems, Operating System Security, Operability

Smart Move, Satya, Smart Move. Now, what was it you were going to do about the Windows 10 October 2018 Update's nagging problem of deleting user documents and other files en masse? Was this a redirection marketing tactic to deflect attention from the recent rash of Microsoft Windows Update failures plaguing Redmond, or is it a lack of focus, Mr. Nadella? (Update: News from Martin Brinkmann at gHacks that the file deletion issue is reportedly fixed.) To be fair, an inability to service operating system updates robustly is not just a Microsoft Corporation (Nasdaq: MSFT) failure; this SNAFU is a hallmark of the so-called Android 'ecosystem' as well. Oh, and I'm a cricket fan as well. Enjoy.


Wait, What, Why? Google Takes WWW Away... →

September 11, 2018 by Marc Handelman in Blatant Stupidity, Information Security, Confusion

News, via Lawrence Abrams, writing at Bleeping Computer, of the latest hare-brained scheme popping out of the roiling, hot, bubbling diverse-cultural motile known as the Chrome development team. Read and weep, my friends, for the minimalization that apparently never ends.


Black Hat: The Exposed

August 23, 2018 by Marc Handelman in Blatant Stupidity, Cyber Cyber Cyber Cyber

News, via Ionut Ilascu, writing at Bleeping Computer, of an apparent Black Hat attendee data leakage SNAFU. Who needs so-called Cyberthis or Cyberthat when information security's premier event can't safeguard the attending information security professionals' data? The flaw was discovered by NinjaStyle and written up in a superb blog post: 'How I Hacked BlackHat 2018: Enumerating registered BlackHat attendees with the BCard API'. Security: Heal Thyself. H/T


Facebook+CambridgeAnalytica = Facebookery At Its Finest

July 07, 2018 by Marc Handelman in Data Theft, Information Security, Blatant Stupidity, Crime, Criminal Enterprise

via Graham Cluley's timely security blog comes the story of Carole Cadwalladr, who, in her day job, is famous for her highly competent reportage at The Guardian. The specific reporting series is here. It details not-so-secret fundamental security and privacy flaws, all combined into a porridge with both blatant stupidity and greed as spices, in which the aforementioned porridge turns out to be a not-so-tasty dish for Facebook Inc. (NASDAQ: FB) and Cambridge Analytica (now in receivership)... If you spend any time contemplating the evil that is Facebook, read Carole Cadwalladr's work and you'll experience a Silicon Valley revelation (perhaps some avocado toast will calm you down). Today's Must Read!


Facebookery: The Fourteen Million →

June 10, 2018 by Marc Handelman in Blatant Stupidity, Business of Exploitation, Code, Use At Your Own Risk, Detritus

News, via Dan Goodin, writing at Ars Technica, of an apparent dev team screwup at Facebook Inc. (Nasdaq: FB), in which the crack dev team at the purveyor of user data managed to introduce a pernicious flaw in the Detritus (also known as the company's 'Code', or 'Intellectual Property') that happily exposed the posts of 14 million of the company's 'Subjects' (also known as 'Users') to one and all. What happened to 'Code Review' (also known as 'Looking for Developer Screwups') or 'Application Testing' (also known as 'Testing for Developer Screwups')? Nary a peep from the Facebook Security Team on this one; and in summation: Where's the Apology, Chairman Zuckerberg?

"The bug occurred as Facebook developers were creating a new way to share photos and other featured items in user profiles. In the process, the developers accidentally suggested all new posts be set to public, rather than just the featured items." - via Dan Goodin writing at ArsTechnica


Buys your location data, doesn't seek permission... Time to call your attorney!

AT&T, Verizon, T-Mobile, Sprint: We're Selling Your Location Data To Prison Tech Company. Nothing To See Here!

May 17, 2018 by Marc Handelman in Blatant Stupidity, Privacy, Or Lack Thereof, Demise of Privacy, Information Security

via Zack Whittaker, writing at ZDNet's Zero Day, comes a report exposing the sale of mobile device location data (for all customers) to a prison technology-focused organization monikered 'Securus'. Where's the consent? H/T


Microsoft Now Supports Cryptomining In Excel... →

May 15, 2018 by Marc Handelman in Blatant Stupidity, Information Security

via Graham Cluley comes news of a highly questionable decision by Microsoft Corporation (Nasdaq: MSFT) developers to begin offering JavaScript support in the company's flagship spreadsheet bits. Once a spreadsheet can run arbitrary JavaScript, it can run a browser-style cryptominer just as easily as a custom formula.

'Right now, JavaScript in Excel custom functions is only supported in the Developer Preview edition to Office 365 subscribers enrolled in the Office Insiders program. But it seems inevitable that in the not too distant future it will be available in more widely-used versions of Excel as well.' - via Graham Cluley


RSAC 2018, The Leakage →

April 24, 2018 by Marc Handelman in Blatant Stupidity, Application Security, Security Incompetence

Security, Heal Thyself


Starbucks Moves From Coffee Purveyor to Surveillance Company →

April 19, 2018 by Marc Handelman in Blatant Stupidity, Information Security, PII

via Bob Sullivan, reporting for GeekWire, comes news of Starbucks Corporation's (Nasdaq: SBUX) efforts to collect personal data from WiFi users. In reality, you can be certain the company has been collecting personally identifiable information (PII) for years... Soon, your caffeine mantra will be 'I'll have a Caramel Macchiato, Venti, Skim, Extra Shot, Extra-Hot, Extra-Whip, Sugar-Free, extra PII to go'...


Blatant & Pervasive Incompetencies, Recent History of →

April 17, 2018 by Marc Handelman in Data Security, Blatant Stupidity, Bulk Data Collection, Information Security, Consumer Abuse, Environmental Security, Animals, Animal Abuse

Recalling other crisis management fails, in the wake of Facebook's stunning (and probably feigned) ignorance of data exfiltration on their own platform: via the obviously talented Michael Grothaus, writing at Fast Company, comes this interesting recent history of crisis management at companies of note. You will, I am certain, notice a recurring theme of fathomless lack of intellectual capacity. Today's Must Read, and filed under 'Blatant Stupidity'. Enjoy!


Arthur Dent and His Towel

Eurononsense: Hitchhikers Guide To The End Of Planet WHOIS →

March 19, 2018 by Marc Handelman in Eurononsense, Privacy, Blatant Stupidity, GDPR

Pending evidence to the contrary, the end of Planet WHOIS is slated for 2018/05/25, ostensibly due to nonsensical GDPR legislation crafted by those Brainiacs in Brussels. Better find that copy of Douglas Adams's mantra to mankind, The Hitchhiker's Guide to the Galaxy, your towel, and perhaps some stout, as it shall be a bumptious ride when traveling with Arthur Dent, Esq. ICANN attempted with amusing futility to fix things right up, but failed to acquire consensus on WHOIS usage in the Wacky Age of EU Mandated Privacy. Via the outstanding reportage of Kieren McCarthy writing at El Reg. Discombobulated? You and me both, Pal!


MoviePass Screws-the-Pooch →

March 11, 2018 by Marc Handelman in Blatant Stupidity, Information Security, Privacy, Demise of Privacy

Well, dammit, I was wrong... Early last week, in a post on Monday 2018/03/05, I managed to scribble this diatribe, to wit: "Easily the most egregiously moronic idea I've heard this month (and it's only 5 days in!)" ...

Well, that declaration has been overshadowed in our highly-read Observed-Stupidity-In-Security-And-Privacy-News-Department by a bottom-of-the-sea-deeply-ignorant statement uttered by MoviePass CEO Mitch Lowe regarding his extraordinary pleasure at tracking users within the company's MoviePass iPhone and Android apps (see below).

'The update comes after CEO Mitch Lowe made comments at the Entertainment Finance Forum in Los Angeles last week, claiming that the company was tracking users' locations. "We watch how you drive from home to the movies. We watch where you go afterwards," commented Lowe, according to a report from Media Play News.' - via Chaim Gartenberg, writing at The Verge

Bravado? Misplaced Confidence? Hairplugs too-tight? Too Much Campari before dinner? I think not, just simple, unmitigated and blatant stupidity...

Perhaps a leadership change is in order, eh MoviePass? At least the company did manage to (allegedly) remove the tracking bits from the product and reissue the apps in the apropos app stores. Of course, there is always bad news with this type of mea culpa: in a statement made to Engadget, the company claimed it is still planning to use location data marketing to enhance its revenue stream. Ah, yes, the old Give It To 'Em, Then Take It Away gambit. Oh Joy!


Stunning Stupidity To Start The Week: Selling Your DNA Via A Blockchain Controlled Marketplace →

March 05, 2018 by Marc Handelman in Cryptocurrency, Bitcoin, Blatant Stupidity, Information Security, Blockchain

Easily the most egregiously moronic idea I've heard this month (and it's only 5 days in! Stay tuned, pretty sure there will be others)... Would you sell your DNA data on the Blockchain? Enjoy!

'It is not easy putting a dollar value on the human genome, so only time will tell if these innovative, blockchain approaches to genetic data trading will pay off for individuals.' via James Levenson, writing at Bitcoinist


Intel, The Hider →

February 23, 2018 by Marc Handelman in Blatant Stupidity

via Peter Cao, writing at 9to5Mac, comes a summary of a Reuters screed on Intel's efforts to hide the true scope of Meltdown/Spectre from Federal investigators at US-CERT. Good to know.


Sounds Legit, Mullahs On Guard Due To Rogue Lizard(s) Soaking Up Atomicals →

February 16, 2018 by Marc Handelman in Blatant Stupidity, Espionage, Physical Security, Physical Sciences

Sean Gallagher, writing at Ars Technica, details lizard espionage targeting the Iranians...
