Speaking of privacy, it looks as though Microsoft will be embroiled in the investigation of the recent massive security breach I mentioned the other day. Consider this Reuters report:
The breach presents a major challenge to the incoming administration of President-elect Joe Biden as officials investigate what information was stolen and try to ascertain what it will be used for. It is not uncommon for large scale cyber investigations to take months or years to complete.
“This is a much bigger story than one single agency,” said one of the people familiar with the matter. “This is a huge cyber espionage campaign targeting the U.S. government and its interests.”
Hackers broke into the NTIA’s office software, Microsoft’s Office 365. Staff emails at the agency were monitored by the hackers for months, sources said.
A Microsoft spokesperson did not respond to a request for comment. Neither did a spokesman for the Treasury Department.
I found this detail reported by Microsoft particularly troubling:
Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. This enables the actor to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
While I recognize that a protocol like SAML (Security Authorization Markup Language) makes things a lot more convenient for users, it also inherently opens up security risks. That’s something I pointed out more than 20 years ago about Microsoft itself. Software monoculture, especially in operating systems, increases risks. Such a monoculture reduces the opportunity costs for prospective hackers, while the vast reach of today’s data increases the rewards.
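As an added illustration of the defensive consequence of the mechanism Microsoft describes above (example code written for this post, not from Microsoft's report or any product): a token forged with the organization's stolen signing certificate validates perfectly at the service provider, so the usable signal is reconciling what the service provider accepted against what the identity provider actually issued, plus a lifetime-policy check. The record layout, field names, thumbprint values and the one-hour policy are assumptions.

```python
"""Reconcile SAML assertions an SP accepted against the IdP's own issuance log.
A token forged with a stolen signing certificate carries a valid signature, so
signature checks alone cannot catch it; the tell is an assertion the SP honoured
that the IdP never recorded issuing."""
from datetime import datetime, timedelta

# Constructed sample records, not real logs; field names are assumptions.
IDP_ISSUED = [
    {"id": "_a1", "subject": "alice@example.org",
     "issued": "2020-12-14T09:00:00", "expires": "2020-12-14T10:00:00"},
    {"id": "_a2", "subject": "bob@example.org",
     "issued": "2020-12-14T09:05:00", "expires": "2020-12-14T10:05:00"},
]
SP_ACCEPTED = [
    {"id": "_a1", "subject": "alice@example.org", "signer": "THUMB-LEGIT",
     "issued": "2020-12-14T09:00:00", "expires": "2020-12-14T10:00:00"},
    {"id": "_a2", "subject": "bob@example.org", "signer": "THUMB-LEGIT",
     "issued": "2020-12-14T09:05:00", "expires": "2020-12-14T10:05:00"},
    # Forged with the stolen certificate: the signature and thumbprint look
    # legitimate, but the IdP never issued it and its lifetime is abnormal.
    {"id": "_z9", "subject": "globaladmin@example.org", "signer": "THUMB-LEGIT",
     "issued": "2020-12-14T09:10:00", "expires": "2020-12-15T09:10:00"},
]
TRUSTED_SIGNER = "THUMB-LEGIT"      # thumbprint of the IdP's real signing cert
MAX_LIFETIME = timedelta(hours=1)   # policy value assumed for this example

def find_suspicious_assertions(idp_issued, sp_accepted,
                               trusted_signer=TRUSTED_SIGNER,
                               max_lifetime=MAX_LIFETIME):
    """Return one finding per accepted assertion that fails any check."""
    issued_ids = {r["id"] for r in idp_issued}
    findings = []
    for rec in sp_accepted:
        reasons = []
        if rec["id"] not in issued_ids:
            reasons.append("no matching IdP issuance record")
        if rec["signer"] != trusted_signer:
            reasons.append("signed by unexpected certificate")
        lifetime = (datetime.fromisoformat(rec["expires"])
                    - datetime.fromisoformat(rec["issued"]))
        if lifetime > max_lifetime:
            reasons.append("lifetime %s exceeds policy" % lifetime)
        if reasons:
            findings.append({"id": rec["id"], "subject": rec["subject"],
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_assertions(IDP_ISSUED, SP_ACCEPTED):
        print(f["id"], f["subject"], "; ".join(f["reasons"]))
```

Note that the forged record passes the signer check, which is exactly why the issuance-log reconciliation is the control that matters here.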
I am astonished that the hackers managed to slip their code into the Solarwinds product without anyone at Solarwinds noticing.
It is like an architect designing a house not noticing a drug den got put into the blueprints and into the actual constructed building.
Reading through the report, it isn’t SAML that is the issue, it is “the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate”.
Too many organizations did not recognize the value of the Global Administrator Account and SAML token signing certificate.
Pretty obviously SolarWinds isn’t using validation codes or the like to validate their own builds. Sounds like a big omission to me.
And the problem with SAML is that once they’d cracked O365 they got into everything.