[This was originally posted on attrition.org. This is a rebuttal piece to Microsoft: We’re not vulnerable to DDoS attacks (2011-07-06) by Ms. Smith. More to the point, this is intended for John Howie, senior director in the Online Services Security & Compliance (OSSC) group at Microsoft.]
Microsoft: We’re not vulnerable to DDoS attacks
Microsoft’s John Howie claims Microsoft security is stronger than Sony and RSA which were hacked due to “rookie mistakes.” The software giant also released Volume 10 of its Security Intelligence Report.
Uh-oh. There’s nothing quite like throwing down the gauntlet and virtually taunting hackers to prove a proud boast is false. In what some attackers might consider a dare, John Howie, Microsoft’s senior director in the Online Services Security & Compliance (OSSC) team, basically claimed that Microsoft sites are unhackable and can’t be DDoSed.
According to Microsoft, “rookie mistakes” by Sony and security firm RSA caused the corporations to be brought down by hackers. Howie told Computing News that Sony was coded badly and failed to patch its servers. “These are rookie mistakes,” Howie said. In regards to the breach at RSA, Howie stated, “RSA got hacked because someone got socially engineered and opened a dodgy email attachment. A rookie mistake.”
I’ll give you the “rookie mistakes” as applied to Sony. They have demonstrated that security was not a focus at any time during the past 10 or more years.
As for RSA, calling it a “rookie mistake” that someone clicked on an attachment, without knowing the context of the e-mail or how it was crafted, is presumptuous. If you want to apply this label to anyone who clicks an attachment and gets popped, that is fine, just eat your own dogfood first. Or did you forget that Microsoft UK’s chief security advisor Ed Gibson likely clicked something stupid and installed a rogue dialer?
Howie added, “At Microsoft we have robust mechanisms to ensure we don’t have unpatched servers. We have training for staff so they know how to be secure and be wise to social engineering. We have massively overbuilt our internet capacity, this protects us against DoS attacks. We won’t notice until the data column gets to 2GB/s, and even then we won’t sweat until it reaches 5GB/s. Even then we have edge protection to shun addresses that we suspect of being malicious.”
In 2009, Microsoft had almost 90,000 employees worldwide. Do you really think they have all received training on how to identify suspicious attachments? If a spoofed mail with a @microsoft.com sender address and an XLS or DOC attachment hits their inboxes, what are the odds that at least a small percentage click it? I’d wager a few bucks that some would click and be popped as fast as RSA was.
That said, let’s revisit some “rookie mistakes”.
John, when you start to flagrantly cast stones about, it is best to make sure you observe your surroundings. It is equally important that you remember your history, because some of us sure do.
In the realm of “rookie mistakes”, the term is a bit subjective. What you call a rookie mistake may be understandable actions to some. What I call a rookie mistake is likely explained away in a Microsoft press release chock-full of bullshit and fluff. That, or the old go-to: “no comment”.
Do you remember when Microsoft shipped virus-laden software? Oh that’s right, “which time” is the key question, since you sent out Nimda in Visual Studio .NET, the WordMacro/Concept virus on a disk given to journalists, and a WinWord.Concept infection on the Microsoft Office 95 and Windows 95 Business Guide CD-ROM. Rookies.
How about the rookie mistake of not properly performing QA before sending out a product update? Your company broke Office for Mac with an update, labeled authentic Windows copies as pirated copies, and gave us a stellar XP update that crippled Internet communications for 600,000 users.
You speak of patching, and how Microsoft does it well. Given the 100,000+ machines you use, your patching cycle must be bad-ass. I mean, you obviously don’t test patches on a dev network before pushing to production like many companies do, and you must have all of those machines pull them, install, and reboot within minutes of release, if not before public availability. Fortunately for you, this is a big change from the past. Remember when Microsoft UK got defaced? Do you also remember that it was the 26th defacement of a Microsoft web site? Or the time one of your rookie employees allowed a Microsoft machine to get infected by Nimda and attack our beloved attrition.org? We still haven’t received an apology for that one. Of course, that was before a “boneheaded employee” let you guys get infected by Code Red, as well as the W32.Slammer infection at Redmond. Oops.
I also remember an alleged intrusion into the Microsoft network that was never admitted by Microsoft. “No comment” for the win! That type of event may explain how the Windows NT / 2000 source code got leaked, or was that the rookie mistake of an employee leaking it themselves?
Which of your rookie security staff decided they wanted users to send their passwords to Microsoft? Whatever happened to the rookie who coded that stupid Passport service vulnerability? Did the rookie web masters who let beta testers see entirely too much get a slap on the wrist? And perhaps the ultimate rookie move: not sanitizing input! This led the Microsoft MSDN site to be vulnerable to XSS.
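Since “not sanitizing input” is the charge, here is what that mistake actually looks like in code, as an added example that is not from the MSDN site or from any Microsoft code. A hypothetical search page reflects a query parameter into its HTML, once raw and once with the standard fix, which is output encoding of the five HTML-significant characters at the point where the value enters markup. The payloads and the small attribute-name extractor are constructed here only to show the difference in the rendered markup.

```javascript
// Added example, not code from the page or from Microsoft.
// A hypothetical page that echoes a search query back into HTML.

// Vulnerable: the raw parameter is concatenated into the markup.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// The fix: encode the characters that change meaning inside an HTML
// text node or a quoted attribute value. Do this on output, at the
// point of insertion, rather than trying to "clean" input up front.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Attribute context: even without angle brackets, an unescaped quote lets
// the attacker close the attribute and add new ones (e.g. an event handler).
function renderInputVulnerable(query) {
  return `<input name="q" value="${query}">`;
}

function renderInputSafe(query) {
  return `<input name="q" value="${escapeHtml(query)}">`;
}

// Crude checks used only to demonstrate the difference in rendered output.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Lists the double-quoted attribute names present in the markup; a
// correctly encoded value never introduces a new attribute.
function attributeNames(html) {
  const names = [];
  for (const m of html.matchAll(/(\w+)="[^"]*"/g)) names.push(m[1]);
  return names;
}

// Constructed sample payloads of the reflected-XSS kind.
const TEXT_PAYLOAD = '<script>alert(document.cookie)</script>';
const ATTR_PAYLOAD = '" autofocus onfocus="alert(1)';

// Stand-alone demonstration.
console.log(renderSearchVulnerable(TEXT_PAYLOAD)); // script tag survives
console.log(renderSearchSafe(TEXT_PAYLOAD));       // rendered as literal text
console.log(attributeNames(renderInputVulnerable(ATTR_PAYLOAD))); // onfocus appears
console.log(attributeNames(renderInputSafe(ATTR_PAYLOAD)));       // only name, value
```

The two contexts matter: a text-node encoder is not enough on its own for values placed in unquoted attributes, URLs, or inline script, each of which needs its own encoding, so the safe functions above keep the attribute quoted and encode for that quoted context.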
In the realm of administrative nightmares, perhaps the ultimate rookie mistake would be “not having backups”. I believe Microsoft learned that lesson quickly after the T-Mobile Sidekick disaster, yes?
Finally, on the topic of rookie mistakes as applied to software coding, which of the Microsoft rookies decided adding a backdoor to software was a good move? Which of your rookie security specialists used the moronic “you can’t get code execution off that” argument before being proven wrong? Last, but not least, which of these 3,000+ vulnerabilities in Microsoft products could be chalked up to rookie coding mistakes?
I’ll stop there, because I believe I have made my point. The point being, you John Howie, are a fucking egotistical douchebag that is only going to bring headache upon your company.