What’s In An Azure Subscription ID?

“Can I be hacked if someone has my Azure Subscription ID?”

“Is my Azure Subscription ID the key to the kingdom?”

I’ve had this conversation a number of times with colleagues and clients alike.  What is this ID that Azure assigns to your account, and can it be leveraged to gain access to your subscription?  Not really.  So let’s take a look at what an Azure Subscription ID is, how it works, and how it should be handled.

An Azure Subscription ID is a GUID – a globally unique identifier – that identifies your subscription and the underlying services.  When someone hears this, they immediately think of it in the same regard as a user account, but it’s really not.  It is directions to a container of the services that you want to access, if you have the permissions to do so.  To access a particular subscription ID, you need to do the following:

  • Be authenticated to Azure (through the portal, CLI, or PowerShell).
  • Have your Microsoft Azure or Active Directory ID assigned the permissions to view the subscription ID.

Let’s test this.

Here’s a subscription ID for you to play with:

$UnknownID = 'f2007bbf-f802-4a47-9336-cf7c6b89b378'

Looks pretty unassuming.  So I’m going to see if I can look at the properties of this subscriptionID without authenticating to Azure.

PS C:\WINDOWS\system32> $UnknownID = 'f2007bbf-f802-4a47-9336-cf7c6b89b378'

PS C:\WINDOWS\system32> Get-AzureRmSubscription -SubscriptionId $UnknownID
Get-AzureRmSubscription : Run Login-AzureRmAccount to login.
At line:1 char:1
+ Get-AzureRmSubscription -SubscriptionId $UnknownID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-AzureRmSubscription], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,Microsoft.Azure.Commands.Profile.GetAzureRMSubscriptionCommand
 

PS C:\WINDOWS\system32>

Well…that gave me bupkus.  So let’s authenticate and try again.

PS C:\WINDOWS\system32> Get-AzureRmSubscription -SubscriptionId $UnknownID
Get-AzureRmSubscription : Subscription f2007bbf-f802-4a47-9336-cf7c6b89b378 was not found in tenant . Please verify 
that the subscription exists in this tenant.
At line:1 char:1
+ Get-AzureRmSubscription -SubscriptionId $UnknownID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzureRmSubscription], PSArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.GetAzureRMSubscriptionCommand
 

PS C:\WINDOWS\system32>

So I log into Azure, and try again to resolve the SubscriptionID against the tenants that I have access to, and it returns an error stating that there is no such subscription in my tenant.  So whether I am unauthenticated or authenticated, I cannot see any information pertinent to this SubscriptionID.

So, let’s try using our preferred internet search provider.  If you’ve tried this, you’ll actually get search hits, because this is my subscriptionID – one that I use for just about all of my Azure examples.  However, you’ll find that the only things that come up are links to my articles.  There is nothing from an Azure standpoint that is publicly available when searching for this ID, not even publicly available blob URIs.

Shameless plug: Read my articles. I put a lot of love into those.

So what have we figured out so far?

  • No information in Azure that is tied to your SubscriptionID is made publicly available by search.
  • No information in Azure that is tied to any SubscriptionID is made available unauthenticated.
  • No information in Azure that is tied to a SubscriptionID is made available to you if you are authenticated with an account that does not have permissions to view that SubscriptionID.

So what do we need?  User creds.  If you have access to a user credential that has admin rights to a subscription (or multiple subscriptions), you don’t even need the SubscriptionID.

PS C:\WINDOWS\system32> Get-AzureRmSubscription


Name     : ProdSub
Id       : 1a8c783b-3317-4535-8f12-5066eec9094c
TenantId : 1f9d2d05-2bef-4f58-8f74-697e76e704db
State    : Enabled

Name     : LastWordInNerd
Id       : f2007bbf-f802-4a47-9336-cf7c6b89b378
TenantId : 96b32bac-743d-49bb-adff-7552b2d86956
State    : Enabled

Notice that after I authenticated to Azure, I was able to use the Get-AzureRmSubscription command to get the entire list of subscriptions that I have access to.  I have the metaphorical keys to the castle, or multiple castles, if I have the admin credentials.  After I have those credentials, I use the subscriptionID (which I now have) to put myself into the context of the Azure Subscription.  I’m telling Azure, “I want to work in THIS subscription,” and it takes me there.

What you really need to protect are your credentials.  This can easily be handled with multi-factor authentication.  Use it.  At the very least, privileged accounts should have this enabled by default.  According to the 2017 Verizon Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.

If you haven’t enabled multi-factor authentication in your environment yet, and you’ve already gone to (or are planning on going to) the cloud, a subscription ID is the least of your concerns.
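To find the credentials worth protecting first, this added example (not the author's code) filters role assignments down to the privileged ones and flags user accounts for MFA review. The function name `Get-PrivilegedAssignment`, the list of roles treated as privileged, and the sample objects are assumptions constructed for illustration; in a live session the input would come from `Get-AzureRmRoleAssignment`.

```powershell
# Added example. Roles treated as privileged are an assumption; adjust to your policy.
$PrivilegedRoles = 'Owner', 'Contributor', 'User Access Administrator'

function Get-PrivilegedAssignment {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-AzureRmRoleAssignment output
        # (DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Assignment
    )
    process {
        if ($PrivilegedRoles -notcontains $Assignment.RoleDefinitionName) { return }

        # Service principals and groups have no SignInName; fall back to DisplayName.
        $principal = if ($Assignment.SignInName) { $Assignment.SignInName }
                     else { $Assignment.DisplayName }

        [pscustomobject]@{
            Principal   = $principal
            ObjectType  = $Assignment.ObjectType
            Role        = $Assignment.RoleDefinitionName
            Scope       = $Assignment.Scope
            # Interactive user accounts are the ones a stolen password unlocks.
            ReviewForMfa = ($Assignment.ObjectType -eq 'User')
        }
    }
}

# Constructed sample data (placeholder subscription GUID and made-up principals).
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice Admin'; SignInName = 'alice@contoso.example'
                       ObjectType = 'User'; RoleDefinitionName = 'Owner'; Scope = $sub }
    [pscustomobject]@{ DisplayName = 'Bob Reader'; SignInName = 'bob@contoso.example'
                       ObjectType = 'User'; RoleDefinitionName = 'Reader'; Scope = $sub }
    [pscustomobject]@{ DisplayName = 'deploy-pipeline'; SignInName = $null
                       ObjectType = 'ServicePrincipal'; RoleDefinitionName = 'Contributor'
                       Scope = "$sub/resourceGroups/example-rg" }
)

$sample | Get-PrivilegedAssignment | Sort-Object Role, Principal | Format-Table -AutoSize

# Live use, after Login-AzureRmAccount (replace the placeholder with your own ID):
# Get-AzureRmRoleAssignment -Scope '/subscriptions/<your-subscription-id>' |
#     Get-PrivilegedAssignment
```

Against the sample data this keeps the Owner user and the Contributor service principal and drops the Reader; only the user account is marked for MFA review.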

NASA, SpaceX, and Showmanship

Tuesday marked the maiden voyage of SpaceX’s Falcon Heavy, their heavy lift rocket system to compete with the United Launch Alliance’s Delta IV Heavy and Vulcan, Blue Origin’s New Glenn, and NASA’s upcoming Orion replacement – the Space Launch System.  The launch went off with tons of fanfare as millions of viewers hopped online to catch the live stream as Elon Musk’s company fired 27 engines across three boosters to launch his little red Tesla Roadster on an orbit that will cross the orbit of Mars.

Elon Musk just shot a car into space out towards Mars.  With a mannequin in the driver’s seat wearing a production model of SpaceX’s space suit, and the radio blaring David Bowie’s Space Oddity on repeat in the vacuum of space.  Oh, and two words displayed on the radio: “Don’t Panic!”

That’s an attention grabber, and NASA could learn a lot from what SpaceX does to keep the attention of the public.  I’m not saying that NASA needs to partner with a car company and start filling the solar system with an automotive museum.  But aside from the occasional two minute blip on the news, what do we really hear about them?

NASA does some amazing things, and they’ve managed to swipe a few headlines here and there.  NASA has been delivering some gorgeous photos of Jupiter a la Juno.  But it hasn’t really seemed to resonate with the public like a SpaceX launch.

Just about every single flight of the Falcon series of rockets draws a massive audience to their online webcasts.  Whether they’re deploying a Korean Communications Satellite or a Top Secret government satellite that may or may not have failed in flight, SpaceX gets hundreds of thousands (if not millions) of views on every launch.  Their lowest viewed video of the last year appears to be the EchoStar XXIII Technical Webcast at 111,000 views, while NASA has only had 21 of their 300 videos in the last year exceed that number.

So what is NASA’s problem?  Well…it really boils down to showmanship.  If you can put on a show – make a spectacle of your accomplishment – you can capture an audience.  But to do that, you need a critical component that NASA sorely lacks: people.

Elon Musk has become almost a household name alongside that of Bill Gates and Steve Jobs.  He’s in the forefront of every major piece of news that comes out about SpaceX and Tesla.  He gets people’s attention with crazy stunts like shooting his car into space, or taking pre-orders for personal flame throwers, and people are loving it!  There is even a weekly YouTube show dedicated to all things Elon Musk.

Seriously. This.

Astronauts Scott Kelly and Chris Hadfield did amazing work for NASA from this perspective.  Their regular interactions on social media while they were on the International Space Station kept the attention of the masses by interacting with people on Earth.  Hadfield’s Space Oddity video alone has grabbed over 38 million views on YouTube.  And Kelly’s comedic skit on the ISS with an ape suit grabbed quite a few headlines.  But stunts like these don’t seem to happen very often with NASA, and I think it really hurts them in the public eye.

NASA has always struggled with keeping the attention of the public when things become ‘routine’.  It’s well documented that the live broadcasts from Apollo 13 (prior to the emergency) weren’t being aired because spaceflight had become boring to the public.  The same thing happened with the Space Shuttle.  Granted, their publicity stunt in 1986 ended in tragedy, but had they figured out how to keep the attention of the public in the first place, I wonder if Challenger would have actually been flown that day.  NASA had been under intense pressure to get a highly publicized flight off the ground after a number of delays.  If they already had a level of attention and interest from the public that they were seeking with this flight, you have to wonder if they might have leaned more towards safety and prudence.

SpaceX’s showmanship isn’t limited to Elon Musk alone.  Watch their webcasts.  They have an opening montage with cool music.  Announcers (plural) keeping you informed of what’s going on with the rocket, and how it works (in layman’s terms).  At launch, you can hear the crowd at SpaceX’s mission control cheering at every stage of flight.  Hey, the employee cheering may or may not be staged, but it keeps you engaged and on the edge of your seat!

With NASA, you got a wide shot of the rocket and absolute silence with the exception of the occasional communications callout.  And maybe a monotone voice explaining the dry details of what was going on or what would happen next.

NASA needs to get people engaged consistently.  They need to establish familiar personalities that interact with the public on a regular basis.  I would go so far as to say that Destin Sandlin of Smarter Every Day would be perfect for the job.  He’s personable, understands the underlying science to a lot of things related to spaceflight (because he works in the industry), and knows how to keep people engaged.  If you stuck him in orbit on station for a year, you would have an audience.  Keep him at mission control after that, or maybe vlogging about some of the cool experiments and projects that NASA is working on, and you’d have engagement well beyond that.

SpaceX is making huge strides in innovating the aerospace industry and they’re taking the public along for the ride – quite literally.  NASA needs to figure out what it wants to do.  They’re going to have to eventually choose to either leave the innovation and spaceflight to organizations like SpaceX or Blue Origin and become a regulating agency; or they’re going to have to really start working on their audience problem and find some people to bring some personality to their mission.  If they don’t, I fear that Congress will eventually make the decision by budget.

If you didn’t catch the maiden voyage of SpaceX’s Falcon Heavy rocket, you missed out on quite a show.  Fortunately, you can catch the recording here: