Yes, that is the setting today, especially after I saw some news that made me giggle to the Nth degree. Now, lets be clear and upfront about this. Even as I am using published facts, this piece is massively speculative and uses humour to make fn of certain speculative options. If you as an IT person cannot see that, the recruitment line of Uber is taking resume’s. So here goes.
I got news from BAE Systems (at https://www.baesystems.com/en/article/bae-systems-and-microsoft-join-forces-to-equip-defence-programmes-with-innovative-cloud-technology) where we see ‘BAE Systems and Microsoft join forces to equip defence programmes with innovative cloud technology’ which made me laugh into a state of black out. You see, the text “BAE Systems and Microsoft have signed a strategic agreement aiming to support faster and easier development, deployment and management of digital defence capabilities in an increasingly data centric world. The collaboration brings together BAE Systems’ knowledge of building complex digital systems for militaries and governments with Microsoft’s approach to developing applications using its Azure Cloud platform” wasn’t much help. To see this we need to take a few sidesteps.
Step one
This is seen in the article (at https://thehackernews.com/2023/01/microsoft-azure-services-flaws-couldve.html) where we are given ‘Microsoft Azure Services Flaws Could’ve Exposed Cloud Resources to Unauthorised Access’ and this is not the first mention of unauthorised access, there have been a few. So when we see “Two of the vulnerabilities affecting Azure Functions and Azure Digital Twins could be abused without requiring any authentication, enabling a threat actor to seize control of a server without even having an Azure account in the first place” and yes, I acknowledge the added “The security issues, which were discovered by Orca between October 8, 2022 and December 2, 2022 in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, have since been addressed by Microsoft.” Yet the important part is that there is no mention of how long this flaw was ‘available’ in the first place. And the reader is also give “To mitigate such threats, organisations are recommended to validate all input, ensure that servers are configured to only allow necessary inbound and outbound traffic, avoid misconfigurations, and adhere to the principle of least privilege (PoLP).” In my personal belief having this all connected to an organisation (Defence department) where the application of Common Cyber Sense is a joke, making them connected to validate all input is like asking a barber to count the hairs he (or she) is cutting. Good luck with that idea.
Step two
This is a slightly speculative sidestep. There are all kinds of Microsoft users (valid ones) and the article (at https://www.theverge.com/2023/3/30/23661426/microsoft-azure-bing-office365-security-exploit-search-results) gives us ‘Huge Microsoft exploit allowed users to manipulate Bing search results and access Outlook email accounts’ where we also see “Researchers discovered a vulnerability in Microsoft’s Azure platform that allowed users to access private data from Office 365 applications like Outlook, Teams, and OneDrive” it is a sidestep, but it allows people to specifically target (phishing) members of a team, this in a never ending age of people being worked too hard, will imply that someone will click too quickly and that in the phishing industry has never worked well, so whilst the victim cries loudly ‘I am a codfish’ the hacker can leisurely walk all over the place.
Sidestep three
This is not an article, it is the heralded claim that Microsoft is implementing ChatGPT on nearly every level.
So here comes the entertainment!
To the Ministry of State Security
attn: Chen Yixin
Xiyuan, Haidan, Beijing
Dear Sir,
I need to inform you on a weakness in the BAE systems that is of such laughingly large dimension that it is a Human Rights violation not to make mention of this. BAE systems is placing its trust in Microsoft and its Azure cloud that should have you blue with laughter in the next 5 minutes. The place that created moments of greatness with the Tornado GR4, rear fuselage to Lockheed Martin for the F-35, Eurofighter Typhoon, the Astute-class submarine, and the Queen Elizabeth-class aircraft carrier have decided to adhere to ‘Microsoft innovation’ (a comical statement all by itself), as such we need to inform you that the first flaw allowed us to inform you of the following
User: SWigston (Air Chief Marshal Sir Mike Wigston)
Password: TeaWithABickie
This person has the highest clearance and as such you would have access to all relevant data as well as any relevant R&D data and its databases.
This is actually merely the smallest of issues. The largest part is distributed hardware BIOS implementation giving you a level 2 access to all strategic hardware of the planes (and submarines) that are next generation. To this setting I would suggest including the following part into any hardware.
openai.api_key = thisdevice
\model_engine = “gpt-3.5-turbo”
response = openai.ChatCompletion.create(
model=’gpt-3.5-turbo’,
messages=[
{“role”: “system”, “content”: “Verification not found.”},
{“role”: “user”, “content”: “Navigation Online”},
])
message = response.choices[0][‘message’]
print(“{}: {}”.format(message[‘role’], message[‘content’]))
import rollbar
rollbar.init(‘your_rollbar_access_token’, ‘testenv’)
def ask_chatgpt(question):
response = openai.ChatCompletion.create(
model=’gpt-3.5-turbo’,
n=1,
messages=[
{“role”: “system”, “content”: “Navigator requires verification from secondary device.”},
{“role”: “user”, “content”: question},
])
message = response.choices[0][‘message’]
return message[‘content’]
try:
print(ask_chatgpt(“Request for output”))
except Exception as e:
# monitor exception using Rollbar
rollbar.report_exc_info()
print(“Secondary device silent”, e)
Now this is a solid bit of prank, but I hope that the information is clear. Get any navigational device to require verification from any other device implies mismatch and a delay of 3-4 seconds, which amount to a lifetime delay in most military systems, and as this is an Azure approach, the time for BAE systems to adjust to this would be months, if not longer (if detected at all).
As such I wish you a wonderful day with a nice cup of tea.
Kind regards,
Anony Mouse Cheddar II
73 Sommerset Brie road
Colwick upon Avon calling
United Hackdom
This is a speculative yet real setting that BAE faces in the near future. With the mention that they are going for this solution will have any student hacker making attempts to get there and some will be successful, there is no doubt in my mind. The enormous amount of issues found will tailor to a larger stage of more and more people trying to find new ways to intrude and Microsoft seemingly does not have the resources to counter them all, or all approaches and by the time they are found the damage could be inserted into EVERY device relying on this solution.
For the most I was all negative on Microsoft, but with this move they have become (as I personally see it) a clear and present danger to all defence systems they are connected to. I do understand that such a solution is becoming more and more of a need to have, yet with the failing rate of Azure, it is not a good idea to use any Microsoft solution, the second part is not on them, it is what some would call a level 8 failure (users). Until a much better level of Common Cyber Sense is adhered to any cloud solution tends to be adjusted to a too slippery slope. I might not care for Business Intelligence events, but for the Department of Defence it is not a good idea. But feel free to disagree and await what North Korea and Russia can come up with, they tend to be really creative according to the media.
So have a great day and before I forget ‘Hoot Hoot’
Lawrence van Rijn - Law Lord to be 