
Currently the ASEAN Collaboration Executive for IBM, responsible for collaboration and social business initiatives and revenue growth in the countries of Singapore, Malaysia, Thailand, Indonesia, Vietnam and the Philippines. Previously spent 14 years at Microsoft in a career that spanned sales and marketing roles. Christopher is a DZone MVB and is not an employee of DZone and has posted 26 posts at DZone.

Excuse me Microsoft. I think SharePoint's Slip is showing

07.29.2013
It's been an interesting day, with the newswires running hot with updates on the infamous Edward Snowden, who (allegedly, in line with being innocent until proven guilty) stole data from the NSA and then decided to announce key parts of it publicly.
Whilst not daring to enter into any discussion as to whether this was a warranted action by Mr Snowden or not, what is of concern is the manner in which a contractor gained access to what undoubtedly was sensitive, very highly classified information on national security.
Just the Facts, Ma'am
With apologies to Joe Friday from Dragnet, what are the facts of the matter? First up, go to YouTube and watch the press conference announcing the leaks (see http://www.youtube.com/watch?v=fawN4OZEt-Y).


The key phrase used in this video is "This leaker was a System Administrator and ran the SharePoint account at NSA Hawaii, so his responsibility was to move data.."
So why was a System Administrator needed at all? If you scan the video forward from 45:15, you will also hear "This leaker was a System Administrator who was trusted with moving information to actually make sure the right information was on the SharePoint Servers that NSA Hawaii needed."
You mean manual intervention by a Sys Admin is needed?
You mean that a single userid and password are all that are needed?
Where are the inbuilt checks and balances, Microsoft?
Where is the inbuilt ability to enforce a two-userid, two-password (or even more) security policy for access?
Who watched the watchers of SharePoint? Apparently no one. All you need is System Admin privileges and you're free to go your own way.
Personally, moving off of SharePoint would be a good start for the NSA to close these gaping holes, more so since research into attacking SharePoint is due to be presented at this year's DEF CON conference.
Sorry Microsoft, it's not just your slip showing, it looks like it's your whole rear end.
Enjoy

Chris
Published at DZone with permission of Christopher Blake, author and DZone MVB.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)