Microsoft Sharepoint security

Discussion in 'Business & Enterprise Computing' started by GillBates, Jul 19, 2017.

  1. GillBates

    GillBates Member

    Joined:
    Oct 23, 2010
    Messages:
    123
    Location:
    Brisbane
  2. RyoSaeba

    RyoSaeba Member

    Joined:
    Sep 11, 2001
    Messages:
    11,494
    Location:
    Perth
    Yeah, I get literally hundreds of hits per day on our spam servers with dodgy SharePoint URLs. I've had enough of it and just blocked all emails with sharepoint.com URLs in them. Seems like no one else actually uses it except scammers.
     
  3. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,910
    Sharepoint is just the current hotness. We didn't ask WordPress why so many of their blogs hosted malware. We didn't ask Dropbox why they hosted malware.

    Anywhere that allows users to upload or create files can be used as a vector for distribution of malware.

    If you reconfigure any services to allow for the upload or creation of files for future download by anyone, you'll get used for malware distribution.
     
  4. GillBates

    GillBates Member

    Joined:
    Oct 23, 2010
    Messages:
    123
    Location:
    Brisbane
    But is it? I have not received any WordPress links from ASIC, none from Dropbox. From the URLs it seems that these sites belong to non-IT companies who don't have a clue as to how to configure their SharePoint. Perhaps you can enlighten us as to how it should be done? I think Microsoft should be a good corporate citizen and fix this problem. After all, the Australian Government spends huge amounts of cash on their software.
     
    Last edited: Jul 19, 2017
  5. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,250
    Location:
    NSW

    Yes and No.

    Pisspoor sysadmins who don't change the admittedly default option to allow anonymous people with valid links write/modify access to files/folders (With a valid link). I suspect most of these are coming from hacked email accounts where the links are sent with the correct link thus having modify level access to files or folders.
     
  6. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,910
    Anytime a service lets you host files via https, attackers will look at leveraging that to distribute malware.

    Sharepoint can be 'fixed' a few ways. One of which is to disallow the creation of links that work 'externally' (i.e. to unauthenticated users). But, since this is a feature people have asked for, they shouldn't really do this.

    In each of these instances, I'm saying that the initial infection vector is leaked creds or a poor password. Someone's Microsoft account has been breached at each of the domains, and the attacker has then created a file and generated an external link for it, to email around.

    Microsoft provide a portal for reporting misuse of their services for malware and phishing distribution.

    https://portal.msrc.microsoft.com/en-us/engage/cars

    You can use that form to report any Microsoft sites that are being used to host malware.

    Should they pro-actively scan all files hosted on their services for malware? Maybe... but you can bet, as soon as they do, the forums will be full of people (look at the Win10 thread in the Windows forum) complaining "Microsoft are stealing my information".

    Malware is a sad fact of internet life.
    Enable SSL inspection
    Report
    Filter
    Move on.

    Same steps no matter what the destination of the dodgy link.
     
  7. GillBates

    GillBates Member

    Joined:
    Oct 23, 2010
    Messages:
    123
    Location:
    Brisbane
    Perhaps Microsoft should change this default then?
    It seems incredulous that they have let this slip especially with the government attempting to implement a new security regime.
    Take a look at
    http://forums.whirlpool.net.au/forum-replies.cfm?t=2648805
    This is a big problem.
    As Trent says
    "You can easily get a free trial of SharePoint online without a credit card and use it for bad purposes."
     
  8. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    29,967
    Location:
    Brisbane
    Yeah we did. And many of us blocked their shit too, until they cleaned their acts up.

    Part of good design is sensible defaults. Vendors should ship with closed down defaults.

    If shit sysadmins "chmod 777" everything to make it work, that's on the sysadmin, not the vendor. Sounds like pedantry, but the vendors need to lead by example.
     
  9. GillBates

    GillBates Member

    Joined:
    Oct 23, 2010
    Messages:
    123
    Location:
    Brisbane
    As I said, be a good corporate citizen. Hell, we spend enough; time to get their act together!
     
  10. ^catalyst

    ^catalyst Member

    Joined:
    Jun 27, 2001
    Messages:
    11,592
    Location:
    melbourne
    A lot of this.

    I had a very strange experience a few years ago using a very expensive motorised camera mount. I was working in a camera store doing shop stuff and I took care of anything that plugged in/was a computer.
    The mount was network operated, which was great because USB cable length limits were problematic. I was excited to be able to get it up and running to demo.

    Plugged it in, turned it on, went to grab a coffee across the road.

    Came back, people in the office complaining "Internet not working", "My computer doesn't work" type stuff.

    Start digging.

    Nearly fall over when I discover the camera head by default ran a DHCP server.

    I engaged in a rather curt email exchange with the manufacturer who couldn't figure out why this was a problem...
     
  11. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    4,952
    Location:
    qld.au
    Four big reasons.

    1. Really shitty defaults for Sharepoint make it ripe for this sort of thing.

    2. Whitelisted domains. Even lazier sysadmins whitelist *.sharepoint.com so it's always allowed through. Don't ask how many I know where this has been the case.

    3. Users are really, really dumb. They'd still download a zip file containing JavaScript from www.thissitewilldestroyallyourdata.com so a neat URL doesn't matter.

    4. Lax security. UTMs are cheap protection for a business and can break this cycle yet 99% won't have it in place.
     
  12. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,250
    Location:
    NSW
    Don't get me wrong, I for the most part agree, but I also say the following:

    People who use Windows tend to be ... how shall I put this, "low hanging fruit". That is not to say there aren't plenty of good people, but generally speaking, because it's point-and-click and easy, they tend to be less tech savvy, and due to that you also have to lower the bar to accommodate for that. This is both for the end users, and sometimes for the admins that look after them, and sometimes to appease a manager after getting them to sign the "This is a pisspoor idea" form.

    To me it's just as bad as pisspoor software vendors who insist their shitty MYOB has to run as a local admin, etc.

    Could it be improved? Hell yes, but you also have that low hanging fruit bar in your way, and often when business has a choice between retraining their staff, or making things easier to please their staff, you can almost always know what is going to win. It's also the big reason why *nix is not a successful desktop replacement for Windows yet or ever *Looks at elvis and waves*

    Three Words:

    Low
    Hanging
    Fruit
     
  13. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,910
    From what I can see, the default is sane. You need to specifically generate and share links to unauthenticated users (that's what guestaccess.aspx?=token is). AFAIK, they don't exist automatically.

    You can easily host dodgy files on any file sharing website, even those used by $BigCorporate.

    Just because it's Microsoft doesn't make the rules any different.

    If I'm on a network that doesn't have DHCP Snooping enabled, I assume you WANT me to run a DHCP server :).
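    A gateway-side check for the link pattern described above, added here as an example that is not from the thread or from Microsoft: it flags *.sharepoint.com URLs whose path is guestaccess.aspx with a token value (the anonymous-share form the post mentions) for quarantine, instead of blanket-blocking the whole domain as an earlier post did. The sample message, the `classify_sharepoint_url` and `scan_message` helpers and the quarantine/review/deliver verdicts are all constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample message (not from the thread): one anonymous guest-access
# link plus one ordinary SharePoint site link that needs a login.
SAMPLE_MAIL = (
    "Hi, the invoice is at "
    "https://contoso-my.sharepoint.com/personal/jane_contoso_com/_layouts/15/guestaccess.aspx?=AbCd123 "
    "and our team site is https://contoso.sharepoint.com/sites/finance - thanks"
)

# Plain-text URL extractor; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def classify_sharepoint_url(url):
    """Return 'anon-share', 'sharepoint' or 'other' for a single URL.

    'anon-share' = a *.sharepoint.com host whose path ends in guestaccess.aspx
    and whose query carries a non-empty value (the post writes this as
    guestaccess.aspx?=token). Host matching is suffix-based, so a lookalike such
    as sharepoint.com.evil.example is 'other', not treated as Microsoft-hosted.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host != "sharepoint.com" and not host.endswith(".sharepoint.com"):
        return "other"
    query = parse_qs(parsed.query, keep_blank_values=True)
    has_token = any(values and values[0] for values in query.values())
    if parsed.path.lower().endswith("/guestaccess.aspx") and has_token:
        return "anon-share"
    return "sharepoint"


def scan_message(body):
    """Classify every URL in a message body and return a gateway verdict.

    'quarantine' if any anonymous guest link is present, 'review' if only
    ordinary SharePoint links appear, 'deliver' otherwise. The per-URL
    findings are returned too, so the verdict can be audited later.
    """
    findings = [(u, classify_sharepoint_url(u)) for u in URL_RE.findall(body)]
    classes = {c for _, c in findings}
    if "anon-share" in classes:
        return "quarantine", findings
    if "sharepoint" in classes:
        return "review", findings
    return "deliver", findings
```

    Run `scan_message(SAMPLE_MAIL)` to see the constructed message land in quarantine while a message with only the team-site link would only be marked for review.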
     
  14. ^catalyst

    ^catalyst Member

    Joined:
    Jun 27, 2001
    Messages:
    11,592
    Location:
    melbourne
    A small retail / wholesale outfit with about 10-20 pcs and some printers and shit. Didn't even have a managed switch mate!
     
  15. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,910
    The new fangled internet of shit will make this a more and more common occurrence. Especially with all the libraries making it piss-easy for someone to accidentally leave a DHCP server running on their embedded bollocks.

    Anything network related here gets configured "offline", and has all its insane bollocks and stupid services turned off before it gets introduced to the rest of the network.
     
  16. GillBates

    GillBates Member

    Joined:
    Oct 23, 2010
    Messages:
    123
    Location:
    Brisbane
    Well, if Microsoft are not going to get serious about cybersecurity, how then is the Australian Government's cybersecurity going to be taken seriously?
    Is the recent government restructure just going to be another waste of taxpayers' money?

    Most users of PCs are incapable of operating securely. Do we need operators of PCs to be licensed like a motor car, considering the damage that they are capable of doing?
     
  17. ^catalyst

    ^catalyst Member

    Joined:
    Jun 27, 2001
    Messages:
    11,592
    Location:
    melbourne
    Oh I know. I don't work there any more :). Where I am now we have an OPS team who kick a fair bit of arse, so I can leave it to the pros :thumbup:
     
  18. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    29,967
    Location:
    Brisbane
    While I appreciate all of that, the argument of "make stuff easy for dummies" vs "make stuff smarter and fuck the dummies" is always muddied by management and profits.

    I, as a bull-headed sysadmin, err on the side of sensibility, security, and "git gud". That would invariably destroy a chunk of profits for any product that is to be sold, but I personally don't think short term monetary profit is worth the risk to my customers.

    Managers, on the other hand, being well documented as high functioning psychopaths who put personal gain ahead of everything else, disagree.

    And therein lies the epic battle. Doesn't matter whether you're talking politicians blindly pushing oil/coal and ignoring climate science, or software. Same shit everywhere you look.

    From my perspective, the world could do with culling the bottom 50%. It would solve countless problems in one fell swoop. But apparently that's frowned upon, and so now we have "access granted to all by default" as policy, and this thread exists for that reason.
     
  19. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,910
    Microsoft are very serious about securing their operating systems and platforms... however, this is not a problem with their operating system or their platform.

    It's a bit of a 'guns don't kill people' argument I know, but it's fairly apt. I've used OneDrive to share malware samples with people, so I'd be pissed if Microsoft decided to limit what can and can't be put into it.

    Probably, simply because you can't just have 'border force' protect the internet from the cyber boatpeople, and Australia aren't a big enough market for big software to care about.

    America say "No Kaspersky in Govt", and Kaspersky start offering all sorts of concessions and source access to not get locked out of that market...

    Australia ask Adobe "Why do you ream us on software"

    https://www.youtube.com/watch?v=78yigV0GYGQ

    And this happens.

    Yes, but that's one for the rants thread.

    This thread exists because stupid people do stupid things (Bad password/account security practices)
    and bad people do bad things with the credentials they get from the aforementioned stupid people.

    Do any of the services used for malware distribution *force* 2fa?
     
    Last edited: Jul 19, 2017
  20. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    29,967
    Location:
    Brisbane
    I wouldn't.

    Google limit a lot of shit on their platforms. More importantly, they scan inside anything that can be scanned (i.e.: anything unencrypted) for malware, and block anything they find.

    As a sysadmin managing a load of space for really careless end users, this is a good thing, and I *want* that from a paid service. For what it's worth, I do exactly the same for our self-hosted SFTP servers (clamfs mounted file systems mean any malware uploads get rejected even before the file is flushed to disk).

    If I want to share malware samples with someone, I am either forced to use a different mechanism, or wrap it in an encrypted file. i.e.: there's an intelligence barrier to doing dangerous things, which for mine is the right way to approach it.
     
