Some of Microsoft's business users went "to the cloud" only to find their contact information leaked due to a configuration bug.  (Source: Microsoft via YouTube)
Configuration bug allowed some users unauthorized access to others' data

Microsoft's bid to move Office and its messaging software to the cloud hit a road bump this week when the company was forced to announce that it had accidentally shared the private data of users of its Business Productivity Online Suite (BPOS) Standard suite.

BPOS is messaging software used primarily by corporate users.  Clint Patterson, director of BPOS Communications at Microsoft, admitted in an interview with Webwereld, a Dutch IDG publication, that some users have discovered a trick to access and download other users' contact lists.

He states, "We recently became aware that, due to a configuration issue, Offline Address Book information for Business Productivity Online Suite (BPOS)--Standard customers could be inadvertently downloaded by other customers of the service, in a very specific circumstance."

The breach was widespread, with BPOS hosting in North America, Europe and Asia.  Microsoft quickly spotted the suspicious activity and fixed the issue within two hours.  However, "a very small number" of users downloaded other users' data illegitimately before the problem was fixed.  Microsoft has reached out to those who appear to have illegitimately obtained other users' data.  States Mr. Patterson, "We are working with those few customers to remove the files."

The only thing fortunate about the situation for Microsoft and those involved is that the data lost wasn't terribly valuable -- it was merely a list of business contacts and did not contain personal information.

However, the incident raises questions about Microsoft's push to move its Office suite "to the cloud" (as its ad actors are fond of saying).  It also offers some vindication for GNU project president and founder Richard Stallman, who has vocally criticized cloud computing and recently blasted Google's upcoming cloud-based Chrome OS.

The Microsoft data loss was similar to recent scraping efforts, which included a collection of 100 million Facebook users' profile information and the release of 114,000+ iPad owners' email addresses and device IDs.

The common thread in all these incidents has been poor handling of access/permissions in cloud data storage schemes.  Information from these kinds of scraping campaigns tends not to be particularly dangerous, but it likely will offer hackers or less scrupulous business people a key source of information in the future.  And it will be hard to prosecute those involved, because they did not "hack" into any systems.

Ultimately, though, it's important not to get caught up in a rush to condemn cloud computing as "insecure".  While less tech-savvy members of the public may do this after incidents like this one, cloud computing is inherently no more or less secure than traditional computing.

While the cloud does give hackers an easy route to steal information from businesses that are possibly a world away, it's important to recall that there's always a finite number of experienced hackers with the know-how to discover and exploit these kinds of holes.  Despite the new access they enjoy today, little has changed -- in the past these individuals likely would have conducted social engineering campaigns against local businesses.  Either way, the outcome is the same -- no system can truly be considered secure, and some data will always be lost/stolen by someone.


















Copyright 2017 DailyTech LLC.