backtop


Print 16 comment(s) - last by EricMartello.. on Jan 1 at 5:45 PM


Some of Microsoft's business users went "to the cloud" only to find their contact information leaked due to a configuration bug.  (Source: Microsoft via YouTube)
Configuration bug allowed some users unauthorized access to others' data

Microsoft's bid to move Office and its messaging software to the cloud hit a road bump this week when the company was forced to announce that it had accidentally share the private data of users of its Business Productivity Online Suite (BPOS) Standard suite.

BPOS is a messaging software used primarily by corporate users.  Clint Patterson, director of BPOS Communications at Microsoft, admitted in an interview with Webwereld, a Dutch IDG publication, that some users have discovered a trick to access and download other users' contact lists.

He states, "We recently became aware that, due to a configuration issue, Offline Address Book information for Business Productivity Online Suite (BPOS)--Standard customers could be inadvertently downloaded by other customers of the service, in a very specific circumstance."

The breach was widespread, with BPOS hosting in North America, Europe and Asia.  Microsoft quickly spotted the suspicious activity and fixed the issue within two hours.  However, "a very small number" of users downloaded other users' data illegitimately before the problem was fixed.  Microsoft has reached out to those who appear to have illegitimately obtained other users data.  States Mr. Patterson, "We are working with those few customers to remove the files."

The only thing fortunate about the situation for Microsoft and those involved is that the data lost wasn't terribly valuable -- it was merely a list of business contacts and did not contain personal information.

However, the move casts questions on Microsoft's push to move its Office suite "to the cloud" (as its ad actors are fond of saying).  It also offers some vindication for GNU project president and founder Richard Stallman who has vocally criticized cloud computing and recently blasted Google's upcoming cloud-based Chrome OS.

The Microsoft data loss was similar to recent scraping efforts, which included a collection of 100 million Facebook users profile information and the release of 114,000+ iPad owners email addresses and device IDs.  

The common thread in all these incidents has been poor handling of access/permissions in cloud data storage schemes.  Information from these kinds of scraping campaigns tends not to be particularly dangerous, but it likely will offer hackers or less scrupulous business people a key source of information in the future.  And it will be hard to prosecute those involved, because they did not "hack" into any systems.

Ultimately, though, it's important not to get caught up in a rush to condemn cloud computing as "insecure".  While less tech-savvy members of the public may do this, after incidents like this one, cloud computing is inherently no more or less secure than traditional computing.

While the cloud does give hackers an easy route to steal information from businesses that are possibly a world away, it's important to recall that there's always a finite number of experienced hackers with the know-how to discover and exploit these kinds of holes.  Despite the new access they enjoy today, little has changed -- in the past these individuals likely would have conducted social engineering campaigns against local businesses.  Either way, the outcome is the same -- no system can truly be considered secure, and some data will always be lost/stolen by someone.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Unpossible
By Motoman on 12/24/2010 11:36:59 AM , Rating: 5
Oh, who could possibly have ever seen that coming? I mean, the cloud is our savior right? It's all unicorns and double rainbows! The best possible solution! These must be LIES spread by the anti-cloud radical groups to discredit our dear leaders!




RE: Unpossible
By Mike Acker on 12/25/2010 6:42:02 AM , Rating: 2
yup. we all knew this was gonna happen.</p>Would we do better managing our own database? Some of us, might, I think, but we all need to think carefully about what Bruce Schneier calls the "attack surface": what part of the system is exposed to attack? A good analysis must start from this question.


RE: Unpossible
By Motoman on 12/25/2010 4:37:29 PM , Rating: 3
Any assertion about "attack srufaces" is stupid.

If you retain your data to your own systems, you can secure your own systems and if said system is breached, only your data is at risk.

In the cloud, there's nothing you can do about your data's security...all you can do is put your digital life in the hands of some 3rd party and hope they don't screw up. When that system is breached, the data of every subscriber is at risk - thousands, maybe millions of people.


RE: Unpossible
By EricMartello on 1/1/2011 5:45:42 PM , Rating: 2
I agree that we should eliminate all srufaces due to excessive stupidditty.


Please Hack My Data ...
By DatabaseMX on 12/27/2010 4:03:08 PM , Rating: 3
Cloud computing is the most insane idea ever. If you store data in the cloud, you are basically saying: "Please hack my data - here is is."

If it's not already bad enough just having a local 'ground data'(new term?) frequently hacked, lets put it out in the cloud on some server that we have NO idea where it's physically located, like in China.

I wonder who is reeeeeally behind the cloud concept? I'm going to have Jesse Ventura look into this matter.

mx




RE: Please Hack My Data ...
By Yames on 12/28/2010 1:07:42 PM , Rating: 2
It's more of a trust situation. Business wise, with no security in mind, cloud computing makes a lot of sense. But when you move your data to the could you are basically trusting someone else to secure your data, and from what I have seen there is little insight for a customer to know how well their data is being secured; kind of like trusting your Dr's office with your social security number.


RE: Please Hack My Data ...
By DatabaseMX on 12/28/2010 5:34:02 PM , Rating: 2
I call it naive.

RE "and from what I have seen there is little insight for a customer to know how well their data is being secured"

Or where in the World it's being stored. There was a report sometime back wherein an 'investigative report' (may have been on this site) and it was not good news. And even beyond that, to me ... conceptually it's just a bad idea in today's World. And Yes, the doctor's office is questionable also.

mx


RE: Please Hack My Data ...
By DatabaseMX on 12/28/2010 5:37:20 PM , Rating: 2
"wherein an 'investigative report' (may have been on this site)" >>

wherein an 'investigative report' (may have been on this site) was done wherein the report attempted to check out / visit / communicate with several cloud storage companies, even large, well known companies ... >>> and it was not a pretty picture ...

mx


BPOS
By cditty on 12/24/2010 8:10:11 PM , Rating: 5
Am I the only one that thinks the BPOS acronym is hilarious.




Cloud == Overrated
By Akrovah on 12/24/2010 12:14:10 PM , Rating: 3
The cloud is overratted. It has its uses and even good point sure, but this idea that whole business should move to the cloud is risky at best.




Inherently no less secure?
By zmatt on 12/24/2010 1:16:09 PM , Rating: 3
Yeah right. You are putting everyone's data in one spot for them to get. That opens you up for your data to be inaccessible through a DDOS attack, or better yet if their servers are compromised then everyone's data is gone. Having it on your own machine at the very least spreads the data around so any one breach doesn't give whoever the guilty party is all of the data of a large swath of people.




looks like
By Etern205 on 12/24/2010 11:52:32 PM , Rating: 2
this is a very BFD.




Source Link
By AlphaVirus on 12/27/2010 9:59:14 AM , Rating: 2
Am I the only one that can't read the source link?
It looks like it's hosted in the Netherlands, so probably Dutch?

Jason do you have an English source link?

On topic:
My company is currently debating moving all servers, or backup servers, to off-site data centers (the cloud). I'm not a big fan of it but some of my counterparts think it's a good idea. I plan to bring this incident to our next meeting to show that while yes "the cloud" has many good features, as a business we don't need to risk a security breach.
While the same information could be obtained while in our possession, I feel much more secure at least knowing I've done everything possible to increase security unlike the uncertainty of it being off-site.




By overlandpark4me on 12/30/2010 7:33:33 PM , Rating: 2
did they think it would hold anything substantial? I'm surprised they got this far along without a leak. Heck, I can't even log in to Lifehacker anymore. I'm scurrred




Another day, another Microsucks security screw up
By Beenthere on 12/24/10, Rating: -1
By FaceMaster on 12/30/2010 7:54:21 PM , Rating: 1
quote:
Why would you allow drug addicts to be in charge of a controlled substance?


Drug addict? Would explain Steve Ballmer...

http://www.youtube.com/watch?v=e8M6S8EKbnU


"If they're going to pirate somebody, we want it to be us rather than somebody else." -- Microsoft Business Group President Jeff Raikes














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki