The Microsoft Supply Chain Works Even Better Going Backwards

March 4, 2021

Do you remember the character KIR-mit? He once allegedly said:

Yeah, well, I’ve got a dream too, but it’s about singing and dancing and making people happy. That’s the kind of dream that gets better the more people you share it with.

I am not talking about Jim Henson’s memorable character. That frog spelled its name Kermit. This is KIR-mit, an evil doppelgänger from another universe called Redmonium.


This KIR-mit is described in “Microsoft Is Using Known Issue Rollback (KIR) to Fix Problems Caused by Windows 10 Updates.” I learned that KIR

enables Microsoft to rollback changes introduced by problematic patches rolled out through Windows Update. KIR only applies to non-security updates.

Does the method expand the attack surface for bad actors? Will weird calls to senior citizens increase with offers to assist with KIR-mit modifications? Will questionable types provide links to download KIRs which are malware? Yes, yes, and yes.

The article points out:

Known Issue Rollback is an important Windows servicing improvement to support non-security bug fixes, enabling us to quickly revert a single, targeted fix to a previously released behavior if a critical regression is discovered.

KIR is something users have said they wanted. Plus Microsoft has had this capability for a long time. I recall reading that Microsoft had a method for verifying the “digital birth certificate” of software in order to identify and deal with the SolarWinds-type of supply chain hack. I point this out in my upcoming lecture for a law enforcement entity. Will my audience find the statement and link interesting? I have a hunch the cyber officers will perk up their ears. Even the JEDI fans will catch my drift.

Just regular users may become woozy from too much KIR in the system. Plus, enterprise users will be “in charge of things.” Wonderful. Users at home are one class of customers; enterprise users are another. In between, attack surface the size of the moon.

Several questions:

  • Why not improve the pre-release quality checks?
  • Why not adopt the type of practices spelled out by in-toto and other business method purveyors?
  • Why not knock off the crazy featuritis and deliver stable software in a way that does not obfuscate, mask, and disguise what’s going on?

And the answer to these questions is, “The cloud is more secure.”

Got it. By the way a “kir” is a French cocktail. Some Microsoft customers may need a couple of these to celebrate Microsoft’s continuous improvement of its outstanding processes.


As KIR-mit said, “It’s about making people happy.” That includes bad actors, malefactors, enemies of the US, criminals, and Microsoft professionals like Eric Vernon and Vatsan Madhava, the lucky explainers of KIR-mit’s latest adventure.

Stephen E Arnold, March 4, 2021

Microsoft: Back in the Security Spotlight

March 3, 2021

What giant software company with a great marketing operation is back in the spotlight? The answer may be Microsoft. I read “real” news from an outfit which is into trust “Chinese Hackers Plundered Inboxes Using Flaws in Microsoft’s Exchange Server Software.”

The write up seems to be taking a slightly less enthusiastic approach to the outstanding software and services provided by the Redmond giant. The company is, as you may know, the outfit which is going to run much of the Department of Defense cloud system. That’s because the cloud is much better than on premises computing devices. The cloud is magical, which I think is a synonym for easier, but that’s just me.

I noted this statement in the trustiness article:

Microsoft’s suite of products has been under scrutiny since the hack of SolarWinds, the Texas-based software firm that served as a springboard for several intrusions across government and the private sector. In other cases, hackers took advantage of the way customers had set up their Microsoft services to compromise their targets or dive further into affected networks. Hackers who went after SolarWinds also breached Microsoft itself, accessing and downloading source code — including elements of Exchange, the company’s email and calendaring product.

The paragraph suggests that because Microsoft’s methods worked for the SolarWinds’ misstep, other bad actors are jumping into the hay stack of wild and crazy methods.

My view is that we are likely to see the feedback loop scale to some painful frequencies. Should anyone worry? Nope, those trusted permissions, the fluid code, and the big fat targets like Azure, Exchange, and Office 365 are no big deal. Right, Microsoft. It takes 1,000 engineers to fool the Softies.

Stephen E Arnold, March 3, 2021

SolarWinds: Microsoft Moves to Closure after Revealing 1000 Bad Actors Got in the Game

March 3, 2021

After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:

“What Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.
“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”

So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.

Cynthia Murrell, March 3, 2021

From Customer Support to the Deceased: The Wonder of Chatbots and Smart Software

March 2, 2021

I know that chatbots lashed to customer support departments deliver prompt, effective, and pleasing results. No, not to you, gentle reader, to the outfit using smart software to reduce the costs of handling these organizations’ most important asset — Customers.

Now chatbots have nosed into a new domain. We learned from “Chatbots That Resurrect the Dead: Legal Experts Weigh In on Disturbing Technology.” I learned:

It was recently revealed that in 2017 Microsoft patented a chatbot that, if built, would digitally resurrect the dead. Using AI and machine learning, the proposed chatbot would bring our digital persona back to life for our family and friends to talk to. When pressed on the technology, Microsoft representatives admitted that the chatbot was “disturbing” and that there were currently no plans to put it into production.

The write up offered:

Microsoft’s chatbot would use your electronic messages to create a digital reincarnation in your likeness after you pass away. Such a chatbot would use machine learning to respond to text messages just as you would have when you were alive. If you happen to leave behind rich voice data, that too could be used to create your vocal likeness – someone your relatives could speak with, through a phone or a humanoid robot.

What if a hacker uses the technology to keep a deceased LinkedIn professional alive? Other AI tools could generate reports. A third smart system would issue invoices. What if the bad actors responsible for SolarWinds bring back now departed Microsoft wizards? The possibilities are interesting to contemplate.

Respect for the dead? Sure, among the tech elite. Absolutely.

Stephen E Arnold, March 2, 2021

US Senator Throws Penalty Flag at Microsoft

February 26, 2021

JEDI foul? I am not sure. The bright yellow flag has been lofted and it is beginning its descent. One player has a look of disbelief, “A foul. You think I did a chop block?” That’s the image that went through my mental machinery as I read “US Senator claims Microsoft Failed to Fix Cloud Holes before SolarWinds Hack.”

The write up asserts:

Microsoft Corp’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden. A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.

The year 2017. I recall that was the time the DarkCyber research team began yammering about use of the wonderful Microsoft software update system, access control policies, and business processes to allow estimable Microsoft-friendly software to run. The idea was seamless, smooth, quick, and flawless interaction among users, software, the cloud, and assorted components. Fast. Efficient. Absolutely.

The elected official is quoted as saying:

The federal government spends billions on Microsoft software. It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017.

The write up points out that Microsoft does not agree with the senator’s observations. In the subsequent testimony (you can view it at this link), one of the top dog Microsoft professionals pointed out “only about 15 percent of the victims in the SolarWinds campaign were hurt via Golden SAML.” SAML is the Security Assertion Markup Language. The golden part? Maybe it is the idea that a user or process signs on. If okayed somewhere in the system, the user or process is definitely okay again. Fast. Efficient.

The “golden” it turns out is a hack. Get into the SAML approved system, and bingo. Users, processes, whatever are good to go. Get administrator credentials and become an authorizing and verifying service and the bad actor owns the system. The idea is that a bad actor can pump out green light credentials and do many interesting things. Hey, being authorized and trusted is a wonderful thing, right?
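The mechanism above is why defenders pin the identity provider’s token-signing certificate and cross-check tokens against the IdP’s own issuance records: a forged assertion signed with the real key passes every cryptographic check, so it can only be caught by the fact that the IdP never logged issuing it. The following is an added example, not code from this post or from Microsoft. It triages SAML assertions arriving at a service provider with three checks (pinned signing-cert thumbprint, token lifetime policy, and presence in the IdP issuance log). The issuer and audience URLs, the issuance log, and the certificate bytes (stand-ins for DER, not real certificates) are all constructed for the demo; the XML-DSig itself is not verified here, which a production check would do with a SAML library.

```python
"""Added example: triage of SAML assertions at a service provider, with the
checks a defender uses when worried about forged ("golden") assertions.
All sample data (XML, issuance log, certificate bytes) is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificates (hypothetical, not real certs).
LEGIT_CERT_B64 = base64.b64encode(b"constructed DER bytes: IdP token-signing cert").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed DER bytes: attacker-controlled cert").decode()

IDP_ISSUER = "https://sts.example.test/adfs/services/trust"   # hypothetical IdP
SP_AUDIENCE = "https://mail.example.test/"                     # hypothetical SP
# Constructed issuance log: assertion IDs the IdP itself recorded handing out.
IDP_ISSUANCE_LOG = {"_idp-issued-0001", "_idp-issued-0002"}


def thumbprint(cert_b64: str) -> str:
    """SHA-1 over the DER bytes, the form in which AD FS and Azure AD show thumbprints."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


TRUSTED_THUMBPRINTS = {thumbprint(LEGIT_CERT_B64)}


def parse_utc(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_response(assertion_id, cert_b64, not_before, not_on_or_after,
                  issuer=IDP_ISSUER, audience=SP_AUDIENCE) -> str:
    """Build a minimal constructed SAML 2.0 Response for the demo."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp" Version="2.0">
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def triage_assertion(xml_text, trusted_thumbprints=TRUSTED_THUMBPRINTS,
                     expected_issuer=IDP_ISSUER, expected_audience=SP_AUDIENCE,
                     issuance_log=IDP_ISSUANCE_LOG, max_lifetime=timedelta(hours=1)):
    """Return a list of finding tags; an empty list means nothing suspicious."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    findings = []
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        findings.append("unexpected-issuer")
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                              namespaces=NS)
    if cert is None:
        findings.append("unsigned")
    elif thumbprint(cert.strip()) not in trusted_thumbprints:
        findings.append("untrusted-signing-cert")
    cond = assertion.find("saml:Conditions", NS)
    lifetime = parse_utc(cond.get("NotOnOrAfter")) - parse_utc(cond.get("NotBefore"))
    if lifetime > max_lifetime:
        findings.append("lifetime-exceeds-policy")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != expected_audience:
        findings.append("unexpected-audience")
    # A token minted outside the IdP never passed through it, so the IdP never logged it.
    if assertion.get("ID") not in issuance_log:
        findings.append("no-idp-issuance-record")
    return findings


# Constructed scenarios.
NORMAL = make_response("_idp-issued-0001", LEGIT_CERT_B64,
                       "2021-02-26T12:00:00Z", "2021-02-26T12:05:00Z")
# Signed with the IdP's own (stolen) key: the cert check passes, but the IdP
# never logged this ID and the lifetime is ten hours instead of minutes.
GOLDEN = make_response("_never-issued-9999", LEGIT_CERT_B64,
                       "2021-02-26T12:00:00Z", "2021-02-26T22:00:00Z")
# Signed with a certificate the SP was never told to trust.
ROGUE = make_response("_never-issued-9998", ROGUE_CERT_B64,
                      "2021-02-26T12:00:00Z", "2021-02-26T12:05:00Z")

if __name__ == "__main__":
    for name, resp in (("normal", NORMAL), ("golden", GOLDEN), ("rogue", ROGUE)):
        print(name, triage_assertion(resp) or "ok")
```

The point of the third check is the one that matters for this story: the thumbprint and signature checks only catch an outsider with their own key, while an actor holding the IdP’s real signing key is invisible to them and shows up only as a token the IdP has no record of issuing.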

Back to JEDI? Is the senator confident that the Department of Defense has not been compromised? What happens if the JEDI system is penetrated by foreign actors as the DoD wide system is being assembled, deployed, and operated? Does the vulnerability still exist in live systems?

These are good questions. I am not sure the answers are as well crafted.

Stephen E Arnold, February 27, 2021


Microsoft Concludes SolarWinds Hack Internal Investigation

February 26, 2021

After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:

“What Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.

We noted:

“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”

So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.

Cynthia Murrell, February 26, 2021

Microsoft LinkedIn: Opting and Gigging

February 25, 2021

Microsoft LinkedIn has determined that its millions of job seekers, consultants, and résumé miners can become gig workers. “LinkedIn Is Building a Gig Marketplace” asserts:

LinkedIn is developing a freelance work marketplace that could rival fast-growing gig sites Fiverr and Upwork. The two-sided marketplace will connect freelance service providers with clients in need of temporary workers for one-off projects. Like Fiverr and Upwork, it would focus on knowledge-based work that can be done remotely online…

How long has Microsoft LinkedIn been contemplating this shift? One date offered in the article is 2019. That’s when LinkedIn acquired UpCounsel. The idea is that when one needs a lawyer, one uses a legal version of Match.com. Very me-too. Thomson Reuters offers a service called FindLaw.com, which has been available since the early 2000s. But good ideas take time to gestate. This is not a me too knock off of TikTok which has inspired Facebook and Google innovation. LinkedIn innovated with ProFinder. This is a way for LinkedIn members to find “professionals.”

Sounds good, right?

Writer Joan Westenberg is over LinkedIn, and advises us we would all be better without it. The Next Web posts, “Delete LinkedIn—You’ll Have Zero F****ing Regrets.” After years of enduring countless messages from those who want to sell her something, she finally deleted her LinkedIn account. Not only did the platform fail to provide her any professional benefits, she was also disheartened by the superficial relationships with her hundreds of contacts. (At least this platform does not call them “friends.”)

Having had some success at sales for her business, Westenberg has observed that the way to sell to someone is to build a real relationship with them. Her favorite way to do so is to offer help with no agenda, to demonstrate her products have value. She writes:

“That is the antithesis of LinkedIn. Where people send you off-brand and clumsy sales pitches at best — or at worst, scrape your details for scalable and utterly useless outbound campaigns. They send pitch decks in the same breath that they introduce themselves for the first time. They want you to buy with no reason why. LinkedIn feels less like a platform for selling, and more like a platform for being sold to. A LinkedIn message is the 2020s equivalent of a cold sales call. You dread it. You hate it. You just don’t want to deal with it. … I would rather focus my attention on platforms where I know people have come to genuinely research, interact, learn and consume. Quora. Angel List. Dribble. Medium. Substack. And yes, Twitter. And I would rather remove the false sense of accomplishment we get from engaging on LinkedIn, where we log into a landfill of utter [excrement] several times a day and feel like we’ve done our bit of networking and growing, with no evidence to support that belief.”

Westenberg advises others to join her in ditching the platform. All we will lose, she concludes, are the vanity metrics of clicks, likes, shares, and comments, all of which provide nothing of value. Hmm. I for one have never gotten a job through the platform, but I do know someone who has. Then there are all the professional courses the platform acquired when it snapped up Lynda.com in 2015, many of which are quite helpful. I suppose each user must weigh the site’s role in their professional lives for themselves, but on this point I agree—LinkedIn is not fundamental to professional success.

Cynthia Murrell, February 25, 2021

Microsoft on Security

February 25, 2021

I think that some believe the SolarWinds’ misstep should be called “surfing the Microsoft access control process.” I may be wrong on that, of course. I did find some of the statements and quotations in an article called “Microsoft CEO For Global Rules On Data Safety, Privacy.” On the same day that another Microsoftie was explaining the security stumble which has compromised systems at Microsoft itself and a few minor US government agencies, the CEO of the outstanding software company allegedly said:

One thing I hope for is that we don’t fragment, that we are able to, whether it’s on privacy or data safety, bring together a set of global rules that will allow all of us to both comply and make sure that what we build is safe to use.

He allegedly noted:

One of the things we are trying to ensure is how do we have that design principles and engineering processes to ensure that the products and the services are respecting privacy, security, AI ethics as well as the fundamental Internet safety but beyond that there will be regulation.

With some of the source code for Azure, Exchange, and Outlook on the loose, one hopes that those authentication and access control systems are indeed secure. One hopes that the aggressively marketed Windows Defender actually defends. That system appears to have been blind to the surfing maneuvers executed by bad actors for months, maybe a year or more.

Microsoft’s core methods for granting efficient access to trusted users or functions with certifying tokens were compromised. At this time, the scope of the breached systems and the existence, if any, of sleeper code is not yet quantified.

Assurances are useful in some circumstances. Foundational engineering flaws are slightly more challenging to address.

But “hope” is good. Let’s concentrate security with Microsoft procedures. Sounds good, right? Talk is easier than reengineering perhaps?

Stephen E Arnold, February 25, 2021

Insights into Video Calls

February 24, 2021

I read a ZDNet write up. The word I would use to describe its approach is “breezy.” Maybe “fluffy?” “Microsoft Teams or Zoom? A Salesman Offers His Stunning Verdict” reveals quite a bit about the mental approach of the super duper professionals referenced in the article.

The security of Microsoft Teams and Zoom concerns me. The SolarWinds’ misstep resulted in Microsoft’s losing control of some Azure and Outlook software. But we only know what Microsoft elects to reveal. Then there is the Zoom-China connection. That gives me pause.

What does the write up reveal? Policy or personal preference dictates what system gets clicked. But the write up reveals some other factoids, which I think are quite illuminating.

First, the anonymous sales professional states:

“I’m on video calls eight hours a day. I just do what’s easiest…Some of my meetings are in the middle of the night. You want me to think then?”

Not a particularly crafty person I think. The path of least resistance is the lure for this professional. I like the idea that this professional’s thought processes shut down for the night. To answer the rhetorical question “You want me to think then?”, I would reply, “Yes, you are a professional. If you don’t want to think, go for the Walmart greeter work.” Lazy radiates from this professional’s comment.

Another person explains that answering a question about video conferencing features can be expressed this way:

“Zoom to Teams is like Sephora to Ulta. Or Lululemon to Athleta.”

I assume that this is a brilliant metaphor like one of Shakespeare’s tropes. To me I have zero idea about the four entities offered as points of reference. My hunch is that this individual’s marketing collateral is equally incisive.

A source focused on alcohol research (who knew this was a discipline?) is convinced that Zoom “has more security protocols.” This individual does not know that most Zoom bombing is a consequence of individuals invited to a meeting.

Here are my takeaways from the write up:

  1. The salesman cuts corners
  2. The person who speaks in terms of product brand names is likely to confuse me when I ask, “What’s the weather?”
  3. The alcohol researcher’s confidence in Zoom security is at odds with the Zoom bomb thing.

For my Zoom sessions, I use an alias, multiple bonded Internet services, and a specialized VPN. I certainly don’t trust Zoom security. And Microsoft? These pros develop security services which could not detect a multi month breach which resulted in the loss of some source code.

My verdict: Meet in person, wear a mask, and trust but verify.

Stephen E Arnold, February 24, 2021

LinkedIn Phishing

February 22, 2021

One of the news items in an upcoming DarkCyber talks about LinkedIn phishing exploits. I want to mention this method of hijacking or intruding into a system for two reasons. First, Microsoft has been explaining and reframing the SolarWinds’ security misstep for a couple of months. The Redmond giant has used explanations of the breach to market its Windows and Azure security systems. LinkedIn is a Microsoft property, and it seems as if Microsoft would clamp down on phishing attacks after it lost some of the source code to Exchange and a couple of other Microsoft crown jewels. Second, LinkedIn, like Microsoft Teams, is going through a featuritis phase. The service is making publishing, rich media, in message links, and group functions more easily available. The goal is to increase the social network’s value and revenue, particularly among those seeking employment. There’s nothing like a malicious exploit that kills a job hunter’s computing to brighten one’s day.

The article “Phishers Tricking Users via Fake LinkedIn Private Shared Document” explains the exploit. The write up says:

The phishing message is delivered via LinkedIn’s internal messaging system and looks like it has been sent by one of the victim’s contacts. The message urges the recipient to follow a third-party link to view a document.

If you want more details, check out the full Help Net Security post.

In the wake of SolarWinds, I think that Microsoft needs to button up its security. Less marketing and more substantive action seems to be appropriate. Microsoft will be the plumbing for the JEDI program. What vulnerabilities exist within this system? Hopefully none, but recent events and this LinkedIn phishing information suggest reality is insecure.

Stephen E Arnold, February 22, 2021
