Microsoft Outlook Users: Maybe Proton Mail?
March 8, 2021
I spotted another write up about the security issues with the Azure, Defender, and Office365 services. Wow, nation states and groups of allegedly China-aligned hackers are making Microsoft look worse than Jackie Smith when he dropped a game winner for the Dallas Cowboys years ago. It seems as if bad actors are trying to outdo one another in exposing the vulnerabilities of the Redmond construct. Wowza.
I read “White House Warns of Active Threat Following Microsoft Outlook Breach.” The write up states:
“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” the White House official said.
Several observations:
- If I were involved in the JEDI procurement, I would not be too enthusiastic about Microsoft technology being the plumbing for the Department of Defense. Hey, I know PowerPoint is the go to tool in many DoD units, but it appears that there may be some bad actors able to get their digital paws on the PPTX attachments to Outlook email.
- Microsoft is fighting an after action situation. The bad actors are forcing Microsoft to rush code fixes to large, already compromised organizations. If the bad actors are indeed “inside” certain entities, the bad actors are likely to have access to these speedy fixes and be able to exploit them. Why not substitute a “real” MSFT fix with a certified malware infused fix. Sounds like something bad actors might consider.
- In my lecture to a group of US government cyber security professionals in 48 hours, I use the analogy of radiation poisoning for the SolarWinds’ and Microsoft Exchange breaches. Once the polonium is in the target, the fix is neither quick, simple, nor ultimately likely to work.
Net net: Other bad actors will learn from these breaches and launch their own initiatives. That’s not good because there are quite a few bad actors eager to make a mockery of US technology. I think one might characterize the Microsoft “repair after the barn burns down” as bad optics.
It’s bad something, for sure. Remember. It is the White House sounding the alarm, not an alphabet soup agency.
Stephen E Arnold, March 9, 2021
Microsoft: Yeah, about Those Distributed Systems and the Wonderful Exchange Systems
March 8, 2021
I found the information about the most recently disclosed Microsoft Exchange breaches troubling. The “1,000 bad actors” comment from the Softies seemed to say:
Hey, how can a company like Microsoft defend itself against 1,000 programmers focused on undermining our approach to building, deploying, and servicing our software?
Yep, 1,000 bad actors were allegedly needed to create the issues associated with SolarWinds and the assorted silly names attached to malware available via certain “dark” channels?
How many bad actors does it take to create issues for, what is it, 20,000 or more organizations? One news service based in India did its level best to maintain an even tone in “Over 20,000 U.S. Organizations Compromised through Microsoft Flaw.” See the number? 20,000. Maybe India does not buy into a larger number; for example, Krebs on Security states: “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software.”
Just a delta of 10,000? Hey, no big deal.
Now who pulled off this hack in the midst of the SolarWinds’ misstep? China. The country is larger than Russia, which managed an estimated 18,000 compromised systems.
Okay, it is time to face up to reality:
- The oh-so-nifty distributed systems which rely on libraries which may or may not be secure are a big, fat sitting duck
- There is no quick fix. Microsoft’s rush rush patches don’t seem to be working if the sources I have reviewed are on the money
- Microsoft’s method of shoving software to licensees creates problems; for example, check out KIR, a tool that undoes updates which kill or impair licensees’ systems.
Who spotted the breach? Microsoft Defender, the Azure security system, Microsoft’s own security teams? Nope, allegedly an outfit called Volexity.
Exactly what was being monitored by the hundreds of super duper security sleuthers who sell threat intelligence, AI infused cyber security systems, and special entities which perform checks on crucial systems?
Pretty much checking out YouTube, sending text messages about pizza, and posting to Twitter about the perils of Facebook and Google.
The scale of the Exchange misstep is interesting.
What happens if one of the groups undermining the computer systems of the US decides to terminate the systems for finance, travel, and mobile communications?
Here’s my answer: Find a donkey and a cart. Life will change quickly and no quick patch for deeply flawed Microsoft technical processes will arrive to make everything better again.
Microsoft’s methods are the problem. And what about the 1,000 programmers? That’s Microsoft speak for flaws which a small group of focused bad actors can achieve. The only coding that takes 1,000 people is Microsoft’s Teams unit. Those folks are adding features while core functions are stripped bare, exploited, and turned into weapons.
It will be interesting to learn what Microsoft apologists involved in the JEDI program say about this misstep.
Keep in mind. No one knows exactly how many systems have been and remain compromised by the SolarWinds’ and the most recently revealed Exchange fumble.
What will Brad Smith say? I can hardly wait assuming that my systems are not zapped by bad actors who are surfing on shoddy solutions.
Stephen E Arnold, March 8, 2021
An Existential Question: LinkedIn or LinkedOut?
March 5, 2021
Writer Joan Westenberg is over LinkedIn, and advises us we would all be better without it. The Next Web posts, “Delete LinkedIn—You’ll Have Zero F****ing Regrets.” After years of enduring countless messages from those who want to sell her something, she finally deleted her LinkedIn account. Not only did the platform fail to provide her any professional benefits, she was also disheartened by the superficial relationships with her hundreds of contacts. (At least this platform does not call them “friends.”)
Having had some success at sales for her business, Westenberg has observed that the way to sell to someone is to build a real relationship with them. Her favorite way to do so is to offer help with no agenda, to demonstrate her products have value. She writes:
“That is the antithesis of LinkedIn. Where people send you off-brand and clumsy sales pitches at best — or at worst, scrape your details for scalable and utterly useless outbound campaigns. They send pitch decks in the same breath that they introduce themselves for the first time. They want you to buy with no reason why. LinkedIn feels less like a platform for selling, and more like a platform for being sold to. A LinkedIn message is the 2020s equivalent of a cold sales call. You dread it. You hate it. You just don’t want to deal with it. … I would rather focus my attention on platforms where I know people have come to genuinely research, interact, learn and consume. Quora. Angel List. Dribble. Medium. Substack. And yes, Twitter. And I would rather remove the false sense of accomplishment we get from engaging on LinkedIn, where we log into a landfill of utter [excrement] several times a day and feel like we’ve done our bit of networking and growing, with no evidence to support that belief.”
Westenberg advises others to join her in ditching the platform. All we will lose, she concludes, are the vanity metrics of clicks, likes, shares, and comments, all of which provide nothing of value. Hmm. I for one have never gotten a job through the platform, but I do know someone who has. Then there are all the professional courses the platform acquired when it snapped up Lynda.com in 2015, many of which are quite helpful. I suppose each user must weigh the site’s role in their professional lives for themselves, but on this point I agree—LinkedIn is not fundamental to professional success. No one should feel they have to use it by default.
Cynthia Murrell, March 5, 2021
Cloud or Not? Fighting Words for Sure
March 5, 2021
I read “SolarWinds Hack Pits Microsoft against Dell, IBM over How Companies Store Data.” Ah, ha, a dispute with no clear resolution. The write up suggests that some big dogs in technology will be fighting over the frightened gazelles. Will the easily frightened commercial buyers take off when the word “cloud” is voiced? Or, will the sheep-inspired animals head for the perceived security of computers in the farm house?
The write up states:
[The dispute over where to put data] pits Microsoft Corp., which is urging clients to rely on cloud-computing systems, against others including Dell Technologies Inc. and International Business Machines Corp., who argue customers want to mix the cloud with the more traditional on-premise data-storage systems in a construct called hybrid-cloud.
Do you want pickle on top of a hamburger or underneath the juicy patty? Which method? Come on. Decide.
The write up reports:
Microsoft, one of the world’s biggest cloud vendors, has said cloud services offer customers the most robust data protection. A mixed approach “creates an additional seam that organizations need to secure. A consequence of this decision is that if the on-premises environment is compromised, this creates opportunities for attackers to target cloud services,” Microsoft said in a blog post on its investigation of the hack. The notion that the hybrid cloud is less secure is inaccurate, said Paul Cormier, chief executive of Red Hat, the business IBM acquired two years ago in part in a bet on the growing demand for hybrid cloud services. “Any software could get broken into. The cloud providers could get broken into as well,” he told The Wall Street Journal.
Plus the article points out:
Microsoft itself was a victim in the attack and had some of its source code used to write software downloaded. The hackers viewed software linked to Microsoft’s Azure cloud, the company said. Mr. Smith, at the Senate hearing on the hack on Tuesday, called for a “full examination of what other cloud services and networks the Russians have accessed.”
I don’t think any computer data are secure, but that’s just me. Here in Harrod’s Creek, professionals etch secrets on lumps of boghead. Once the message has been read, one burns it. Good for secrecy, not so good for the environment.
Who will win this battle? The key is marketing. Security is a slippery fish particularly when the boats are owned by Dell, IBM, and Microsoft. The SolarWinds’ attack exploited the cloud and on premises devices. How does one spell “insider threat”? One can unplug computing devices. Put them in a locked room. Don’t let anyone enter the room. Is that a solution?
Stephen E Arnold, March 5, 2021
The Microsoft Supply Chain Works Even Better Going Backwards
March 4, 2021
Do you remember the character KIR-mit? He once allegedly said:
Yeah, well, I’ve got a dream too, but it’s about singing and dancing and making people happy. That’s the kind of dream that gets better the more people you share it with.
I am not talking about Jim Henson’s memorable character. That frog spelled its name Kermit. This is KIR-mit, an evil doppelgänger from another universe called Redmonium.
This KIR-mit is described in “Microsoft Is Using Known Issue Rollback (KIR) to Fix Problems Caused by Windows 10 Updates.” I learned that KIR
enables Microsoft to rollback changes introduced by problematic patches rolled out through Windows Update. KIR only applies to non-security updates.
Does the method expand the attack surface for bad actors? Will weird calls to senior citizens increase with offers to assist with KIR-mit modifications? Will questionable types provide links to download KIRs which are malware? Yes, yes, and yes.
The article points out:
Known Issue Rollback is an important Windows servicing improvement to support non-security bug fixes, enabling us to quickly revert a single, targeted fix to a previously released behavior if a critical regression is discovered.
KIR is something users have said they wanted. Plus Microsoft has had this capability for a long time. I recall reading that Microsoft had a method for verifying the “digital birth certificate” of software in order to identify and deal with the SolarWinds-type of supply chain hack. I point this out in my upcoming lecture for a law enforcement entity. Will my audience find the statement and link interesting? I have a hunch the cyber officers will perk up their ears. Even the JEDI fans will catch my drift.
Just regular users may become woozy from too much KIR in the system. Plus, enterprise users will be “in charge of things.” Wonderful. Users at home are one class of customers; enterprise users are another. In between, attack surface the size of the moon.
Several questions:
- Why not improve the pre-release quality checks?
- Why not adopt the type of practices spelled out by In Toto and other business method purveyors?
- Why not knock off the crazy featuritis and deliver stable software in a way that does not obfuscate, mask, and disguise what’s going on?
And the answers to these questions are, “The cloud is more secure.”
Got it. By the way a “kir” is a French cocktail. Some Microsoft customers may need a couple of these to celebrate Microsoft’s continuous improvement of its outstanding processes.
As KIR-mit said, “It’s about making people happy.” That includes bad actors, malefactors, enemies of the US, criminals, and Microsoft professionals like Eric Vernon and Vatsan Madhava, the lucky explainers of KIR-mit’s latest adventure.
Stephen E Arnold, March 4, 2021
Microsoft: Back in the Security Spotlight
March 3, 2021
What giant software company with a great marketing operation is back in the spotlight? The answer may be Microsoft. I read “real” news from an outfit which is into trust “Chinese Hackers Plundered Inboxes Using Flaws in Microsoft’s Exchange Server Software.”
The write up seems to be taking a slightly less enthusiastic approach to the outstanding software and services provided by the Redmond giant. The company is, as you may know, the outfit which is going to run much of the Department of Defense cloud system. That’s because the cloud is much better than on premises computing devices. The cloud is magical, which I think is a synonym for easier, but that’s just me.
I noted this statement in the trustiness article:
Microsoft’s suite of products has been under scrutiny since the hack of SolarWinds, the Texas-based software firm that served as a springboard for several intrusions across government and the private sector. In other cases, hackers took advantage of the way customers had set up their Microsoft services to compromise their targets or dive further into affected networks. Hackers who went after SolarWinds also breached Microsoft itself, accessing and downloading source code — including elements of Exchange, the company’s email and calendaring product.
The paragraph suggests that because Microsoft’s methods worked for the SolarWinds’ misstep, other bad actors are jumping into the hay stack of wild and crazy methods.
My view is that we are likely to see the feedback loop scale to some painful frequencies. Should anyone worry? Nope, those trusted permissions, the fluid code, and the big fat targets like Azure, Exchange, and Office 365 are no big deal. Right, Microsoft. It takes 1,000 engineers to fool the Softies.
Stephen E Arnold, March 3, 2021
SolarWinds: Microsoft Moves to Closure after Revealing 1000 Bad Actors Got in the Game
March 3, 2021
After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:
“What Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.
“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”
So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.
Cynthia Murrell, March 3, 2021
From Customer Support to the Deceased: The Wonder of Chatbots and Smart Software
March 2, 2021
I know that chatbots lashed to customer support departments deliver prompt, effective, and pleasing results. No, not to you, gentle reader, to the outfit using smart software to reduce the costs of handling these organizations’ most important asset — Customers.
Now chatbots have nosed into a new domain. We learned from “Chatbots That Resurrect the Dead: Legal Experts Weigh In on Disturbing Technology.” I learned:
It was recently revealed that in 2017 Microsoft patented a chatbot that, if built, would digitally resurrect the dead. Using AI and machine learning, the proposed chatbot would bring our digital persona back to life for our family and friends to talk to. When pressed on the technology, Microsoft representatives admitted that the chatbot was “disturbing” and that there were currently no plans to put it into production.
The write up offered:
Microsoft’s chatbot would use your electronic messages to create a digital reincarnation in your likeness after you pass away. Such a chatbot would use machine learning to respond to text messages just as you would have when you were alive. If you happen to leave behind rich voice data, that too could be used to create your vocal likeness – someone your relatives could speak with, through a phone or a humanoid robot.
What if a hacker uses the technology to keep a deceased LinkedIn professional alive? Other AI tools could generate reports. A third smart system would issue invoices. What if the bad actors responsible for SolarWinds bring back now departed Microsoft wizards? The possibilities are interesting to contemplate.
Respect for the dead? Sure, among the tech elite. Absolutely.
Stephen E Arnold, March 2, 2021
US Senator Throws Penalty Flag at Microsoft
February 26, 2021
JEDI foul? I am not sure. The bright yellow flag has been lofted and it is beginning its descent. One player has a look of disbelief, “A foul. You think I did a chop block?” That’s the image that went through my mental machinery as I read “US Senator claims Microsoft Failed to Fix Cloud Holes before SolarWinds Hack.”
The write up asserts:
Microsoft Corp’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden. A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.
The year 2017. I recall that was the time the DarkCyber research team began yammering about use of the wonderful Microsoft software update system, access control policies, and business processes to allow estimable Microsoft-friendly software to run. The idea was seamless, smooth, quick, and flawless interaction among users, software, the cloud, and assorted components. Fast. Efficient. Absolutely.
The elected official is quoted as saying:
The federal government spends billions on Microsoft software. It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017.
The write up points out that Microsoft does not agree with the senator’s observations. In the subsequent testimony (you can view it at this link), one of the top dog Microsoft professionals pointed out “only about 15 percent of the victims in the Solar Winds campaign were hurt via Golden SAML.” SAML is a security assertion markup language. The golden part? Maybe it is the idea that a user or process signs on. If okayed somewhere in the system, the user or process is definitely okay again. Fast. Efficient.
The “golden” it turns out is a hack. Get into the SAML approved system, and bingo. Users, processes, whatever are good to go. Get administrator credentials and become an authorizing and verifying service and the bad actor owns the system. The idea is that a bad actor can pump out green light credentials and do many interesting things. Hey, being authorized and trusted is a wonderful thing, right?
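The defender’s side of the picture sketched above is the gap the forgery leaves behind: the cloud service accepts a token that the identity provider never recorded issuing. The following is an added example, not code from the article or from Microsoft; the log field names, key thumbprints and policy values are constructed for illustration.

```python
"""Correlate cloud-side federated sign-ins with IdP token-issuance events.

A forged ("golden") SAML token is signed with a stolen IdP signing key, so the
service provider accepts it while the IdP itself never logged issuing it.
Comparing the two logs surfaces that gap. The log shapes below are constructed
(hypothetical field names), not the format of any real product.
"""
from datetime import datetime, timedelta

# Constructed IdP issuance log: one entry per token the federation server signed.
IDP_ISSUANCE = [
    {"user": "alice@example.test", "issued": "2021-02-20T09:00:05Z", "lifetime_min": 60},
    {"user": "bob@example.test",   "issued": "2021-02-20T09:15:40Z", "lifetime_min": 60},
]

# Constructed cloud sign-in log: federated logons the service provider accepted.
CLOUD_SIGNINS = [
    # matches an issuance event
    {"user": "alice@example.test", "token_not_before": "2021-02-20T09:00:05Z",
     "token_not_after": "2021-02-20T10:00:05Z", "signing_key_thumbprint": "KEY-A"},
    # no issuance event in the window, and an implausibly long lifetime
    {"user": "carol@example.test", "token_not_before": "2021-02-20T09:30:00Z",
     "token_not_after": "2021-03-22T09:30:00Z", "signing_key_thumbprint": "KEY-A"},
    # issued, but signed with a key the IdP no longer publishes
    {"user": "bob@example.test", "token_not_before": "2021-02-20T09:15:40Z",
     "token_not_after": "2021-02-20T10:15:40Z", "signing_key_thumbprint": "KEY-OLD"},
]

CURRENT_SIGNING_KEYS = {"KEY-A"}          # constructed: key(s) the IdP is known to use now
MAX_TOKEN_LIFETIME = timedelta(hours=10)  # constructed policy ceiling for assertion validity
MATCH_WINDOW = timedelta(seconds=30)      # clock skew tolerated between the two logs


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspect_signins(idp_events, cloud_events):
    """Return (user, [reasons]) for each cloud sign-in the IdP log cannot vouch for."""
    findings = []
    for signin in cloud_events:
        reasons = []
        not_before = _ts(signin["token_not_before"])
        not_after = _ts(signin["token_not_after"])

        # 1. The IdP must have logged issuing a token to this user at about this time.
        issued = any(
            ev["user"] == signin["user"]
            and abs(_ts(ev["issued"]) - not_before) <= MATCH_WINDOW
            for ev in idp_events
        )
        if not issued:
            reasons.append("no matching IdP issuance event")

        # 2. Validity longer than policy allows points to a hand-crafted assertion.
        if not_after - not_before > MAX_TOKEN_LIFETIME:
            reasons.append("token lifetime exceeds policy")

        # 3. Tokens should be signed only by the key the IdP currently publishes.
        if signin["signing_key_thumbprint"] not in CURRENT_SIGNING_KEYS:
            reasons.append("signed with a non-current key")

        if reasons:
            findings.append((signin["user"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspect_signins(IDP_ISSUANCE, CLOUD_SIGNINS):
        print(f"{user}: {'; '.join(reasons)}")
```

The same correlation applies to any federation setup where the identity provider and the relying party keep separate logs; what matters is that the two records are compared, not which product wrote them.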
Back to JEDI? Is the senator confident that the Department of Defense has not been compromised? What happens if the JEDI system is penetrated by foreign actors as the DoD wide system is being assembled, deployed, and operated? Does the vulnerability still exist in live systems?
These are good questions? I am not sure the answers are as well crafted.
Stephen E Arnold, February 27, 2021
Microsoft Concludes SolarWinds Hack Internal Investigation
February 26, 2021
After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:
“What Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.
We noted:
“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”
So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.
Cynthia Murrell, February 26, 2021