Microsoft: Bob Security Captures Headlines

April 9, 2021

Sleeper code. Yep, malware injected into thousands of servers could wake up and create some interesting challenges for the JEDI contractors with Microsoft T-shirts. Here’s my design suggestion for the security experts’ team:


Do you remember the tag line for Bob, a stellar graphical interface for Microsoft Windows? No. Let me highlight one of the zippier marketing statements:

Hard working, easy going software everyone will use.

Who knew that the “everyone” would include bad actors? Plus there are two other security-related items to entice cyber professionals.

First, “Windows 10 Hacked Again at Pwn2Own, Chrome, Zoom Also Fall” includes this statement:

The first to demo a successful Windows 10 exploit on Wednesday and earn $40,000 was Palo Alto Networks’ Tao Yan who used a Race Condition bug to escalate to SYSTEM privileges from a normal user on a fully patched Windows 10 machine. Windows 10 was hacked a second time using an undocumented integer overflow weakness to escalate permissions up to NT Authority\SYSTEM by a researcher known as z3r09. This also brought them $40,000 after escalating privileges from a regular (non-privileged) user. Microsoft’s OS was hacked a third time during day one of Pwn2Own by Team Viettel, who escalated a regular user’s privileges to SYSTEM using another previously unknown integer overflow bug.

The statements suggest that either the OS is deliberately flawed in order to allow certain parties unfettered access to user computers or that Microsoft is focusing on moving Paint to the outstanding Microsoft online store.

Second, I spotted “Hackers Scraped Data from 500 Million LinkedIn Users about Two Thirds of the Platform’s Userbase and Posted It for Sale Online.” (Editor’s note: Data is plural, but let’s not get distracted, shall we?) The article reports:

The data includes account IDs, full names, email addresses, phone numbers, workplace information, genders, and links to other social media accounts.

Useful to some I assume.

Net net: I wonder if a Bob baseball cap is available in the Microsoft store?


I would wear one with pride during my upcoming National Cyber Crime Conference lecture.

Stephen E Arnold, April 9, 2021

Microsoft Adds Semantic Search to Azure Cognitive Search: Is That Fast?

April 9, 2021

Microsoft is adding new capabilities to its cloud-based enterprise search platform Azure Cognitive Search, we learn from “Microsoft Debuts AI-Based Semantic Search on Azure” at Datanami. We’re told the service offers improved development tools. There is also a “semantic caption” function that identifies and displays a document’s most relevant section. Reporter George Leopold writes:

“The new semantic search framework builds on Microsoft’s AI at Scale effort that addresses machine learning models and the infrastructure required to develop new AI applications. Semantic search is among them. The cognitive search engine is based on the BM25 algorithm, (as in ‘best match’), an industry standard for information retrieval via full-text, keyword-based searches. This week, Microsoft released semantic search features in public preview, including semantic ranking. The approach replaces traditional keyword-based retrieval and ranking frameworks with a ranking algorithm using deep neural networks. The algorithm prioritizes search results based on how ‘meaningful’ they are based on query relevance. Semantics-based ranking ‘is applied on top of the results returned by the BM25-based ranker,’ Luis Cabrera-Cordon, group program manager for Azure Cognitive Search, explained in a blog post. The resulting ‘semantic answers’ are generated using an AI model that extracts key passages from the most relevant documents, then ranks them as the sought-after answer to a query. A passage deemed by the model to be the most likely to answer a question is promoted as a semantic answer, according to Cabrera-Cordon.”

By Microsoft’s reckoning, the semantic search feature represents hundreds of development years and millions of dollars in compute time by the Bing search team. We’re told recent developments in transformer-based language models have also played a role, and that this framework is among the first to apply the approach to semantic search. There is one caveat—right now the only language the platform supports is US English. We’re told that others will be added “soon.” Readers who are interested in the public preview of the semantic search engine can register here.

Cynthia Murrell, April 9, 2021

GitHub: Amusing Security Management

April 8, 2021

I got a kick out of “GitHub Investigating Crypto-Mining Campaign Abusing Its Server Infrastructure.” I am not sure if the write up is spot on, but it is entertaining to think about Microsoft’s security systems struggling to identify an unwanted service running in GitHub. The write up asserts:

Code-hosting service GitHub is actively investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to implant and abuse the company’s servers for illicit crypto-mining operations…

In the wake of the SolarWinds’ and Exchange Server “missteps,” Microsoft has been making noises about the tough time it has dealing with bad actors. I think one MSFT big dog said there were 1,000 hackers attacking the company.

The main idea is that attackers allegedly mine cryptocurrency on GitHub’s own servers.

This is post SolarWinds and Exchange Server “missteps”, right?

What’s the problem with cyber security systems that monitor real-time threats and uncertified processes?

Oh, I forgot. These aggressively marketed cyber systems still don’t work it seems.

Stephen E Arnold, April 8, 2021

Facebook and Microsoft: Communing with the Spirit of Security

April 7, 2021

Two apparently unrelated actions by bad actors. Two paragons of user security. Two. Count ‘em.

The first incident is summarized in “Huge Facebook Leak That Contains Information about 500 Million People Came from Abuse of Contacts Tool, Company Says.” The main point is that flawed software and bad actors were responsible. But 500 million. Where is Alex Stamos when Facebook needs guru-grade security to zoom into a challenge?

The second incident is explained in “Half a Billion LinkedIn Users Have Scraped Data Sold Online.” Microsoft, the creator of the super useful Defender security system, owns LinkedIn. (How is that migration to Azure coming along?) Microsoft has been a very minor character in the great works of 2021. These are, of course, The Taming of SolarWinds and The Rape of Exchange Server.

Now, what’s my point? I think when one adds 500 million and 500 million the result is a lot of people. Assume 25 percent overlap. Well, that’s still a lot of people’s information which has taken wing.

Indifference? Carelessness? Cluelessness? A lack of governance? I would suggest that a combination of charming personal characteristics makes those responsible individuals one can trust with sensitive information.

Yep, trust and credibility. Important.

Stephen E Arnold, April 7, 2021

MSFT Exchange Excitement: Another Jolt of Info

March 30, 2021

I read “Exchange Server Attacks: Microsoft Shares Intelligence on Post-Compromise Activities.” Interesting. Weeks, maybe longer, since what one of my analysts described as another digital Chernobyl have passed without much substantive information.

This “real” news story reports:

Microsoft is raising an alarm over potential follow-on attacks targeting already compromised Exchange servers, especially if the attackers used web shell scripts to gain persistence on the server, or where the attacker stole credentials during earlier attacks.

Interesting. A massive attack which may have distributed malware, possibly as yet undetected, poses a risk. That’s good to know.

This statement attributed to Microsoft is intriguing as well:

In a new blog post, Microsoft reiterated its warning that “patching a system does not necessarily remove the access of the attacker”.

Does this mean that Microsoft’s remediation is not fixing the “problem”? What sorts of malware could be lurking? Microsoft provides some measured answers to this particular question in “Analyzing Attacks Taking Advantage of the Exchange Server Vulnerabilities.”

But the problem is that Microsoft’s foundational software build and deploy business process seems to be insecure.

Dribs and drabs of the consequences of a major security breach are PR and hand waving, not the actions which I craved.

Stephen E Arnold, March 30, 2021

Exchange Servers: Not Out of the Dog House Yet

March 25, 2021

Here’s a chilling statement I spotted in “Microsoft Servers Being Hacked Faster Than Anyone Can Count”:

This free-for-all [Exchange Server] attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic “script kiddies”… Because access is so easy, you can assume that the majority of these environments have been breached.

The statement is attributed to Antti Laatikainen, senior security consultant at the cyber security firm F-Secure.

Is this accurate?

The ever fascinating digital publication Windows Central ran a story with a headline that offers a different point of view: “Microsoft Says 92% of Exchange Servers Have Been Patched or Mitigated.”

The discussion about these different views raises a number of questions:

  • Does Microsoft want to remediate its business processes to make its products and services more secure? (More security means more difficulties for certain government agencies who use security as a way to achieve their objectives.)
  • Can security professionals be trusted to identify security problems or issues? (The SolarWinds’ misstep went undetected for months, maybe as much as two years before information about the issue surfaced in a FireEye statement.)
  • Can continuous development and update processes deliver acceptable security? (The core business process may exponentially increase the attack surface with each fast cycle change and deployment.)

How secure are “patched” Exchange servers? A very good question indeed.

Stephen E Arnold, March 25, 2021

High Tech Tension: Sparks Visible, Escalation Likely

March 25, 2021

I read Google’s “Our Ongoing Commitment to Supporting Journalism.” The write up is interesting because it seems to be a dig at a couple of other technology giants. The bone of contention is news, specifically, indexing and displaying it.

The write up begins with a remarkable statement:

Google has always been committed to providing high-quality and relevant information, and to supporting the news publishers who help create it.

This is a sentence pregnant with baby Googzillas. Note the word “always.” I am not certain that Google is in the “always” business, nor am I sure that the company had much commitment. As I recall, when Google News went live, it created some modest conversation. Then Google News was fenced out of the nuclear ad machinery. Over time, Google negotiated and kept on doing what feisty, mom and pop Silicon Valley companies do; namely, keep doing what they want and then ask for forgiveness.

Flash forward to Australia. That country wanted to get money in exchange for Australian news. Google made some growling noises, but in the end the company agreed to pay some money. Facebook, on the other hand, resisted, turned off its service, and returned to the Australian negotiating table.

Where was Microsoft in this technical square dance?

Microsoft was a cheerleader for the forces of truth, justice, and the Microsoft way. This Google blog post strikes me as Google’s reminding Microsoft that Google wants to be the new Microsoft. Microsoft has not done itself any favors because the battle lines between these two giants are swathed in the cloud of business war.

Google has mobile devices. Microsoft has the enterprise. Google has the Chromebook. Microsoft has the Surface. And on it goes.

Now Microsoft is on the ropes: SolarWinds, the Exchange glitch, and wonky updates which have required the invention of KIR (an update to remove bad updates). Microsoft may be a JEDI warrior with the feature-burdened Teams and the military’s go-to software, PowerPoint. Google knows that every bump and scrape slows the reflexes of the Redmond giant.

Both mom and pop outfits are looking after each firm’s self interests. Fancy words and big ideas are window dressing.

Stephen E Arnold, March 25, 2021

Watching Hoops: Watching Microsoft Defensive Scramble

March 24, 2021

Air ball. I read “Microsoft Defender Will Automatically Prevent Exchange Server Exploits.” Technical foul! The write up contains this statement:

The tech giant warns, however, that this is just an interim mitigation meant to protect customers while they’re in the midst of implementing the comprehensive security update for Exchange it released earlier this month.

Over and back!

The Redmond Wizards have great cheerleaders, but the opponents own the auditorium. The clock is ticking.

The Wizards’ coach is yelling at the officials. Oh, another technical foul.

Quick. Print out the play.

Wait, Microsoft Windows 10 updates broke the printer.

Whistle. Another technical foul.

Stephen E Arnold, March 24, 2021

Microsoft: Your Computer, Your Data. That Is a Good One

March 23, 2021

The online news stream is chock full of information about Microsoft’s swing-for-the-fences PR push for Discord. If you are not familiar with the service, I am not going to explain this conduit for those far more youthful than I. Like GitHub, Discord is going to be an interesting property if the Redmond crowd does the deal. If we anticipate Discord becoming part of the Xbox and Teams family, the alleged censorship of software posted to GitHub will be a glimpse of the content challenges in Microsoft’s future.

The more interesting development is the “real” news story “Microsoft Edge Could Soon Share Browsing Data with Windows 10.” The idea is that a person’s computer and the authorized users of the computing device will become one big, happy data family.

The article states:

Called “share browsing data with other Windows features,” it is designed to share data from Edge, such as Favorites or visited sites, with other Windows components. Search is a prime target, and highlighted by Microsoft at the time of writing. Basically, what this means is that users who run searches using the built-in search feature may get Edge results as well.

And what does Microsoft get? Possibilities include:

  • Federated, fine grained user behavior data
  • Click stream data matched to content on the user’s personal computer
  • Real-time information flows
  • Opportunities to share data with certain entities.

What happens to the user’s computer if said user does not accept such integration? The options range from loss of access to certain data to proactive interaction to alter the functioning of the user’s computing device.

Why is this such a good idea? Microsoft, like Amazon, Facebook, and Google, realizes that the days of the Wild West are coming to an end. There are new sheriffs with new ideas about right and wrong.

Thus, get what one can while the gittin’ is good, as the old timers used to say.

But “What about security and privacy?” you ask. One response is, “That’s a good one.” Why not try stand-up?

Stephen E Arnold, March 23, 2021

Microsoft Security: An Ominous Signification

March 22, 2021

IT News published “White House Taskforce Meets over Microsoft Software Weaknesses.” The “real news” story included a statement which I placed in the predictive bucket. Here’s the prose which caught my attention:

The security holes in the widely used mail and calendaring software leave the door open to industrial-scale cyber espionage, allowing malicious actors to steal emails virtually at will from vulnerable servers or to move elsewhere in the network.

Microsoft is pretty good at issuing magic fixes; for example, “Microsoft Releases One-Click Patch for Exchange Vulnerability” reveals:

Microsoft has released a one-click patch, the Microsoft Exchange On-Premises Mitigation tool, to help customers apply new security updates in the face of the Exchange Server cyber attack.

This IT Pro article points out:

ESET research found that Microsoft Exchange servers had been targeted by “at least ten hacker groups” and that they had managed to install backdoors on more than 5,000 servers in over 115 countries.

In this context the phrase “industrial scale cyber espionage” is doubly chilling.

Now about that JEDI contract for the US Department of Defense?

Stephen E Arnold, March 22, 2021
