Data breach, but no security vulnerability?

  StatementTerminator wrote:

    I came across this article: "Microsoft data breach exposes customers’ contact info, emails". And the following sentence caught my eye: "Redmond added that the leak was caused by the 'unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem' and not due to a security vulnerability." How is a misconfigured endpoint that exposes customer info not a security vulnerability? Someone explain it to me like I'm five :confused:

    CodeWomble wrote (post #6, replying to StatementTerminator):

    Because customer info is a commodity. Company info is a security issue.

      obermd wrote (post #7, replying to StatementTerminator):

      http://myorgbio.org/wp-content/uploads/2017/04/Cyber-security-Dave.jpg

        OriginalGriff wrote (post #8, replying to StatementTerminator):

        StatementTerminator wrote:

        Someone explain it to me like I'm five

        When a mommy computer and a daddy computer love each other very much ... :-D

        "I have no idea what I did, but I'm taking full credit for it." - ThisOldTony "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt AntiTwitter: @DalekDave is now a follower!

          Nelek wrote (post #9, replying to obermd):

          :laugh: :laugh: :laugh: :laugh: The worst part is... I know (and have suffered in my flesh) a couple of Daves. :doh: :doh: :sigh: :sigh:

          M.D.V. ;) If something has a solution... Why do we have to worry about it? If it has no solution... For what reason do we have to worry about it? Help me to understand what I'm saying, and I'll explain it better to you. Rating helpful answers is nice, but saying thanks can be even nicer.

            Nelek wrote (post #10, replying to StatementTerminator):

            StatementTerminator wrote:

            How is a misconfigured endpoint that exposes customer info not a security vulnerability? Someone explain it to me like I'm five

            A data leak is not a security problem per se. If you leave the door of your house open, it is not the same as if someone breaks in... is it? The results are the same, but the insurance's response or the punishment if they get caught is totally different.

              Marc Clifton wrote (post #11, replying to StatementTerminator):

              StatementTerminator wrote:

              Is there any other kind?

              That may not be true in the near future. Or even in the present, what with self-driving cars.

              Latest Article:
              Create a Digital Ocean Droplet for .NET Core Web API with a real SSL Certificate on a Domain

                StatementTerminator wrote (post #12, replying to Nelek):

                Yeah but if my data gets compromised I don't really care if it's a misconfiguration or a zero-day, the data got compromised. I get that MS is trying to point out that it wasn't due to some code vulnerability in their software, but I feel like there's some PR spin here in trying to minimize the fact that they failed to keep their customer data secure. Security is only as good as the weakest link, and a wide-open endpoint is a pretty weak link.

                  dandy72 wrote (post #13, replying to StatementTerminator):

                  StatementTerminator wrote:

                  I feel like there's some PR spin here in trying to minimize the fact that they failed to keep their customer data secure. Security is only as good as the weakest link, and a wide-open endpoint is a pretty weak link.

                  Have you ever tried to use something that is so locked down, with barriers every step of the way, that you decided to open up everything just to get things to work, with the intent to figure out later how you were supposed to do things correctly in the first place and then lock things back down? And then that never gets done? I'm sure this happens all the time. Microsoft is rightfully pointing out here that they provide the infrastructure - it's up to the admins employed by their customers to use it correctly. The Linux fanbois say the same thing, Linux is super-secure if you do it correctly, but a misconfigured OS is still going to be as vulnerable as anything else. And now the bad analogy...how far should a chainsaw manufacturer go to ensure their customers don't do something completely stupid?

                    StatementTerminator wrote (post #14, replying to dandy72):

                    So it was a client who did the misconfiguration? I was assuming it happened on the MS end.

                      Dan Neely wrote (post #15, replying to StatementTerminator):

                      MS application authors are customers of MS Azure's products.

                      Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius

                        obermd wrote (post #16, replying to OriginalGriff):

                        We get mice.

                          Nelek wrote (post #17, replying to StatementTerminator):

                          StatementTerminator wrote:

                          I don't really care if it's a misconfiguration or a zero-day, the data got compromised.

                          Your jewels, your electronic equipment, your art and other valuables in your house get stolen anyways... But it is still a big difference if you forgot to close your door, or someone forced it to break in.

                            dandy72 wrote (post #18, replying to StatementTerminator):

                            I certainly don't know the details about this particular story, but if I sign up for Azure and build an app on top of it, but my app is so badly designed/configured someone finds a flaw and data leaks...the fault's with me, not Azure. I'd have no problem taking that blame.
