Email: A Vulnerable Service

March 4, 2021

Cyber security firm Barracuda counted the number of email attacks that slipped through its clients’ enterprise-wide security measures last year. New Zealand’s SecurityBrief reveals the results in, “Millions of Email Attacks Missed by Organizations’ Cyber Security Protection.” Writer Shannon Williams reports:

“In 2020, 4550 organizations used Barracuda Email Threat Scanner to scan 2,600,531 unique mailboxes and found 2,029,413 unique attacks. On average, 512 attacks were found per organization, and one out of seven mailboxes (14%) had at least one attack currently sitting inside, even if messages were scanned by an email gateway solution, the cyber security firm says. The attacks detected fall into four email threat types: phishing, scamming, extortion, and business email compromise (BEC). Of the 2,029,413 unique attacks detected, phishing was the number one threat missed by the organizations email security solutions (59%). Scamming was the second most common (39%). Extortion, at 9%, and BEC, at 8%, were less prevalent, but cybercriminals tend to send these types of attacks in smaller volumes because they are highly personalized.”

Barracuda recommends companies adopt its inbox-based Email Threat Scanner to detect attacks that slip through any broader security measures. What a surprise! Of course, since the organizations studied were already Barracuda clients, it is entirely possible at least some of them were relying on that solution and skimping on gateway-side security. Even so, the report is a reminder to take email security seriously. One could choose a product like Barracuda’s, if desired. (Or Cyren’s, to name just one competitor.) At the least, workers should learn what to look for and actively avoid opening attack emails should they land in their inboxes. And turn off the preview pane, for goodness’ sake.

Barracuda was founded in 2003. The firm states that over 200,000 customers around the world use its software, which some say is effective, affordable, and user-friendly.

Cynthia Murrell, March 4, 2021

Breaching SolarWinds

March 4, 2021

The SolarWinds’ story continues to delight. I read “Former SolarWinds CEO Blames Intern for Solarwinds123 Password Leak.” That’s a heck of a password if I say so myself. Definitely better than admin or password.

How did the hackers breach a company providing services to thousands of clients? Here are the reasons reported by CNN:

  1. An intern fumbled the ball
  2. Brute force guessing of passwords
  3. Some other outfit created software which SolarWinds used and caught malware.

There is a fourth possibility, and it is the one which seems to be one of the more popular ways to gain access to an organization’s network. What is it? Dumpster diving? Mental telepathy? Trawling through open source code looking for credentials? (That’s a pretty good method by the way.)

Nope.

Just strike up a conversation on a social media site, a Dark Web forum, or an encrypted messaging group and [a] use social engineering to get a user name and password, [b] watch for an employee who is not happy with his or her employer, [c] threaten an employee’s mom or family, [d] phishing, or [e] pay a third party contractor writing code for SolarWinds in a far off land.

The preferred approach of bad actors is usually the easiest, simplest, and most hassle free.

Compromising a careless outfit is easy. Even organizations with buttoned up security are vulnerable.

What’s obvious is that the SolarWinds’ misstep reflects on an organizational approach to operating its business. If the company were a railroad, it is conceivable that the firm would lose freight cars, engines, and the keys to the operations office.

What’s fascinating is that the present and former CEO of SolarWinds threw an intern under the digital bus. Nothing like manning up in my opinion.

Stephen E Arnold, March 4, 2021

Microsoft: Back in the Security Spotlight

March 3, 2021

What giant software company with a great marketing operation is back in the spotlight? The answer may be Microsoft. I read “real” news from an outfit which is into trust: “Chinese Hackers Plundered Inboxes Using Flaws in Microsoft’s Exchange Server Software.”

The write up seems to be taking a slightly less enthusiastic approach to the outstanding software and services provided by the Redmond giant. The company is, as you may know, the outfit which is going to run much of the Department of Defense cloud system. That’s because the cloud is much better than on premises computing devices. The cloud is magical, which I think is a synonym for easier, but that’s just me.

I noted this statement in the trustiness article:

Microsoft’s suite of products has been under scrutiny since the hack of SolarWinds, the Texas-based software firm that served as a springboard for several intrusions across government and the private sector. In other cases, hackers took advantage of the way customers had set up their Microsoft services to compromise their targets or dive further into affected networks. Hackers who went after SolarWinds also breached Microsoft itself, accessing and downloading source code — including elements of Exchange, the company’s email and calendaring product.

The paragraph suggests that because Microsoft’s methods worked for the SolarWinds’ misstep, other bad actors are jumping into the haystack of wild and crazy methods.

My view is that we are likely to see the feedback loop scale to some painful frequencies. Should anyone worry? Nope, those trusted permissions, the fluid code, and the big fat targets like Azure, Exchange, and Office 365 are no big deal. Right, Microsoft. It takes 1,000 engineers to fool the Softies.

Stephen E Arnold, March 3, 2021

Phishing: No Big Gains in 2020

March 3, 2021

In our work for the DarkCyber video news program and the research for our lectures for law enforcement, the people assisting me have reported that phishing is a big deal. The FBI thinks so. Interpol thinks so. And my personal hunch is that some of the outfits hit by ransomware in 2020 think so.

The Proofpoint “State of the Phish” report wishes to provide some good news; to wit:

57 percent of organizations in seven countries revealed they were targets of a successful phishing attack in 2020, which is only a two percent increase over 2019.

Encouraged?

The Tech News World article “Successful Phishers Make Slim Gains in 2020” seems to be optimistic. The write up reports:

the report noted that the number of respondents who told researchers that phishing attacks resulting in data loss increased 13 percent and those leading to credential compromise jumped 11 percent.

Concerning? Not enough to alter the positive spin the editors put on the article title.

If you want to read the original report, navigate to this Proofpoint link. You will have to fill out a form so that the company can keep you informed about phish and other topics.

Stephen E Arnold, March 2, 2021

SolarWinds: Microsoft Moves to Closure after Revealing 1000 Bad Actors Got in the Game

March 3, 2021

After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:

“Microsoft’s researchers found that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.
“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”

So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.

Cynthia Murrell, March 3, 2021

SolarWinds: What Are the Characteristics of a Buttoned Up Outfit? One Guess Only, Please

March 2, 2021

I read an allegedly accurate “real” news story called “SolarWinds Told Congress That an Intern Was Responsible for the SolarWinds123 Password Security Breach, but Experts and Documents Suggest a Bigger Issue.” The write up asserts:

Two SolarWinds CEOs told the US Congress on Friday that the now-infamous exposure of the password solarwinds123 was the result of an intern’s mistake in 2017.

Those darned interns, and they are paid well, treated with respect, and are the anchors of high technology outfits.

One former CEO and one current CEO pinned the blame on the intern. The write up says:

The username solarwinds.net and password solarwinds123 were viewable in a project on the code-sharing site GitHub, according to the researcher who found the issue and screenshots reviewed by Insider. The researcher said those credentials would give access to a SolarWinds server handling updates to the company’s software, the process at the heart of the SolarWinds supply chain attacks.
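The credentials sitting in a public GitHub project described above, and Microsoft’s statement in the earlier post that its development policy prohibits secrets in code and uses automated tools to verify compliance, are two sides of the same control. As an added illustration, not code from Microsoft, SolarWinds, Insider or this blog, here is a minimal pre-commit style secret scanner: it flags credential-style assignments, AWS access-key identifiers by their fixed prefix, and long high-entropy tokens, while ignoring placeholder references such as `${DB_PASSWORD}`. The sample file, the patterns and the entropy threshold are constructed assumptions; the access-key value is the AWS documentation example, not a live key.

```python
import math
import re
from dataclasses import dataclass

# Credential-style assignments (password = "...", secret: ..., api_key=...).
# No word boundary before the keyword, so ftp_password, db_password and
# session_secret are all caught.
ASSIGNMENT_RE = re.compile(
    r"""(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['"]?([^'"\s,;]+)"""
)
# AWS access key identifiers: a fixed four-letter prefix plus 16 characters.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Candidate tokens for the entropy check: long hex/base64-looking strings.
# Hostnames and URLs contain dots and so never qualify.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

# Constructed sample: a deployment config accidentally pushed to a public repo.
SAMPLE_FILE = """\
# constructed sample: a deployment config accidentally pushed to a public repo
ftp_host = updates.example.invalid
ftp_user = deploy
ftp_password = "solarwinds123"
db_password = ${DB_PASSWORD}
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
legacy_auth_header = Basic ZGVwbG95OnNvbGFyd2luZHMxMjM=
"""


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random hex is close to 4.0, prose near 3.0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_reference(value: str) -> bool:
    """Values such as ${DB_PASSWORD} or <redacted> are placeholders, not secrets."""
    return value.startswith(("$", "{", "<", "%"))


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan file contents line by line and return every suspected secret."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        flagged = False
        m = ASSIGNMENT_RE.search(line)
        if m and not looks_like_reference(m.group(2)):
            findings.append(Finding(line_no, "credential-assignment", m.group(2)))
            flagged = True
        for m in AWS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws-access-key-id", m.group(0)))
            flagged = True
        if flagged:
            continue  # already reported; no need for the entropy heuristic
        for m in TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= entropy_threshold:
                findings.append(Finding(line_no, "high-entropy-string", m.group(0)))
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(f"line {finding.line_no}: {finding.kind}: {finding.value}")
```

Run as a pre-commit hook, a scanner like this blocks the commit on any finding; the entropy heuristic is what catches the base64 basic-auth header, which no keyword rule would match, and the placeholder check keeps `${...}` references from producing noise.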

How many bad actors did it take to locate the useful data? Probably one or two people. How did the high value information get passed around? Probably on discussion groups, via email, and on Dark Web hacker forums. How many people would it take to turn the credentials into an intelligence operation? According to a Microsoftie, around 1,000 people. Sure enough. That sounds like a typical Microsoft team, doesn’t it?

Okay, what are the characteristics of a buttoned up outfit?

How about MBAism combined with indifference to security? This is just one possible answer to my question but a pretty good one I think.

Stephen E Arnold, March 2, 2021

US Senator Throws Penalty Flag at Microsoft

February 26, 2021

JEDI foul? I am not sure. The bright yellow flag has been lofted and it is beginning its descent. One player has a look of disbelief, “A foul. You think I did a chop block?” That’s the image that went through my mental machinery as I read “US Senator claims Microsoft Failed to Fix Cloud Holes before SolarWinds Hack.”

The write up asserts:

Microsoft Corp’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden. A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.

The year 2017. I recall that was the time the DarkCyber research team began yammering about use of the wonderful Microsoft software update system, access control policies, and business processes to allow estimable Microsoft-friendly software to run. The idea was seamless, smooth, quick, and flawless interaction among users, software, the cloud, and assorted components. Fast. Efficient. Absolutely.

The elected official is quoted as saying:

The federal government spends billions on Microsoft software. It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017.

The write up points out that Microsoft does not agree with the senator’s observations. In the subsequent testimony (you can view it at this link), one of the top dog Microsoft professionals pointed out “only about 15 percent of the victims in the Solar Winds campaign were hurt via Golden SAML.” SAML is the Security Assertion Markup Language. The golden part? Maybe it is the idea that a user or process signs on. If okayed somewhere in the system, the user or process is definitely okay again. Fast. Efficient.

The “golden” it turns out is a hack. Get into the SAML approved system, and bingo. Users, processes, whatever are good to go. Get administrator credentials and become an authorizing and verifying service and the bad actor owns the system. The idea is that a bad actor can pump out green light credentials and do many interesting things. Hey, being authorized and trusted is a wonderful thing, right?
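The defender’s problem with what is described above is that a forged assertion signed with the stolen token-signing key passes signature verification at the cloud service, so the service cannot tell it from a real one. The identity provider’s own issuance log can: a real sign-in leaves an issuance record there, a forged assertion does not. As an added example, not code from Microsoft, the senator’s office or this blog, the following correlates the cloud service’s accepted federated sign-ins against the IdP’s issuance audit trail and flags assertions the IdP never issued, assertions whose subject differs from the issuance record, and assertions with a validity window longer than policy allows. Both log formats, the one-hour policy value and every record are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Assumed policy: the IdP issues assertions valid for at most one hour, so a
# longer window was not produced by the normal sign-in flow.
MAX_ASSERTION_LIFETIME = timedelta(hours=1)

# Constructed sample logs (not real AD FS or cloud-service records).
# IDP_LOG: the identity provider's own audit trail of assertions it issued.
# SP_LOG: the cloud service's federated sign-ins, each recording the ID and
# validity window of the SAML assertion it accepted.
IDP_LOG = """\
{"event": "assertion_issued", "assertion_id": "_a1", "subject": "alice@example.invalid", "time": "2021-02-20T09:00:00+00:00"}
{"event": "assertion_issued", "assertion_id": "_a2", "subject": "bob@example.invalid", "time": "2021-02-20T09:05:00+00:00"}
"""

SP_LOG = """\
{"assertion_id": "_a1", "subject": "alice@example.invalid", "not_before": "2021-02-20T09:00:00+00:00", "not_on_or_after": "2021-02-20T10:00:00+00:00"}
{"assertion_id": "_a2", "subject": "bob@example.invalid", "not_before": "2021-02-20T09:05:00+00:00", "not_on_or_after": "2021-02-20T10:05:00+00:00"}
{"assertion_id": "_f9", "subject": "svc-admin@example.invalid", "not_before": "2021-02-20T09:10:00+00:00", "not_on_or_after": "2021-02-21T09:10:00+00:00"}
"""


def parse_jsonl(text: str) -> list[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_sign_in(sign_in: dict, issued: dict[str, dict]) -> list[str]:
    """Return the reasons this accepted assertion looks forged (empty if none)."""
    reasons = []
    record = issued.get(sign_in["assertion_id"])
    if record is None:
        # The service accepted an assertion the IdP never logged issuing: the
        # signature verified, but no sign-in ever happened at the IdP.
        reasons.append("not-issued-by-idp")
    elif record["subject"] != sign_in["subject"]:
        reasons.append("subject-mismatch")
    lifetime = (datetime.fromisoformat(sign_in["not_on_or_after"])
                - datetime.fromisoformat(sign_in["not_before"]))
    if lifetime > MAX_ASSERTION_LIFETIME:
        reasons.append("lifetime-exceeds-policy")
    return reasons


def detect_forged_assertions(idp_log: str, sp_log: str) -> list[dict]:
    """Correlate service-side sign-ins against IdP issuance records; return alerts."""
    issued = {r["assertion_id"]: r for r in parse_jsonl(idp_log)
              if r.get("event") == "assertion_issued"}
    alerts = []
    for sign_in in parse_jsonl(sp_log):
        reasons = check_sign_in(sign_in, issued)
        if reasons:
            alerts.append({"assertion_id": sign_in["assertion_id"],
                           "subject": sign_in["subject"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_forged_assertions(IDP_LOG, SP_LOG):
        print(alert)
```

The third sign-in is the one to worry about: the IdP has no record of issuing `_f9`, and its day-long validity window does not match how the IdP is configured. Neither signal depends on the signature, which is exactly why this correlation is worth running when the signing key itself is the thing that may have been taken.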

Back to JEDI? Is the senator confident that the Department of Defense has not been compromised? What happens if the JEDI system is penetrated by foreign actors as the DoD wide system is being assembled, deployed, and operated? Does the vulnerability still exist in live systems?

These are good questions? I am not sure the answers are as well crafted.

Stephen E Arnold, February 27, 2021

[Embedded figure: What’s a Golden SAML?]

Microsoft Concludes SolarWinds Hack Internal Investigation

February 26, 2021

After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:

“Microsoft’s researchers found that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.

We noted:

“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”

So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.

Cynthia Murrell, February 26, 2021

Facebook Found Lax in Enforcement of Own Privacy Rules

February 26, 2021

Facebook is refining its filtering AI for app data after investigators at New York’s Department of Financial Services found the company was receiving sensitive information it should not have received. The Jakarta Post reports, “Facebook Blocks Medical Data Shared by Apps.” Facebook regularly accepts app-user information and feeds it to an analysis tool that helps developers improve their apps. It never really wanted responsibility for safeguarding medical and other sensitive data, but did little to block it until now. The write-up quotes state financial services superintendent Linda Lacewell:

“Facebook instructed app developers and websites not to share medical, financial, and other sensitive personal consumer data but took no steps to police this rule. By continuing to do business with app developers that broke the rule, Facebook put itself in a position to profit from sensitive data that it was never supposed to receive in the first place.”

Facebook is now stepping up its efforts to block sensitive information from reaching its databases. We learn:

“Facebook created a list of terms blocked by its systems and has been refining artificial intelligence to more adaptively filter sensitive data not welcomed in the analytics tool, according to the report. The block list contains more than 70,000 terms, including diseases, bodily functions, medical conditions, and real-world locations such as mental health centers, the report said.”

A spokesperson says the company is also “doing more to educate advertisers on how to set-up and use our business tools.” We shall see whether these efforts will be enough to satisfy investigators next time around.

Cynthia Murrell, February 26, 2021

Microsoft: Technical Excellence Translates to More Excellencerness

February 18, 2021

I found the Microsoft explanation of the SolarWinds’ misstep interesting. CBS circulated some of the information in the interview in “SolarWinds: How Russian Spies Hacked the Justice, State, Treasury, Energy and Commerce Departments.” The point that Windows’ security systems did not detect the spoofing, modifying, and running of Microsoft software was skipped over in my opinion. I loved this statement by Brad Smith, one of the senior executives at the Redmond giant:

When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.

Then failing to detect the breach which seems to have exploited the fascinating Microsoft software update methods:

I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.

Okay, “certainly.” Okay, 1,000.

What if SolarWinds’ misstep was not the largest and most sophisticated hack? Is it possible that an insider or a contractor working from home in another country provided the credentials? What if piggybacking on the wild and wonderful Windows’ update system and method was a cottage industry among some bad actors? What if the idea for the malware was a result of carelessness and assumptions about the “security” of how Microsoft and its partners conducted routine business? What if the bad actors used open source software and some commercial reverse engineering tools, information on hacker forums, and trial and error? Does one need 1,000 engineers? Microsoft may need that many engineers, but in my experience gained in rural Kentucky, a handful of clever individuals could have made the solar fires burn more brightly. Who can manage 1,000 hackers? I am not sure nation states can get 1,000 cyber warriors to a single conference center at one time or get most to read their email, file reports, and coordinate their code. Some may suggest Russia, China, North Korea, or Iran can do these managerial things in a successful way. Not I. The simplest explanation is often the correct one. Insider, opportunism, and a small team make more sense to me.

Let me shift gears.

What about the spoofing, modifying, and running of Microsoft software for months, maybe a year, maybe more without detecting the intrusion?

I noted “A Vulnerability in Windows Defender Went Unnoticed for 12 Years.” That write up asserts:

A critical bug in Windows Defender went undetected by both attackers and defenders for some 12 years, before finally being patched last fall. The vulnerability in Microsoft’s built-in antivirus software could have allowed hackers to overwrite files or execute malicious code—if the bug had been found. Let’s be clear—12 years is a long time when it comes to the life cycle of a mainstream operating system, and it’s a heck of a long time for such a critical vulnerability to hide.

Sure, let’s be clear. Microsoft talks security. It issues techno-marketing posts like its late January explanation of the SolarWinds’ misstep which I reported on in the DarkCyber video news program on February 9, 2021.

But perhaps more pointed questions should be asked. I don’t want to know about Team featuritis. I don’t want to know why I should not install certain Windows 10 updates or accept updates like the mandatory update KB4023057. I don’t want to know about folding mobile phones. Nope. None of those things.

I want TV interviewers, CBS “real news” writers, and Microsoft to move beyond marketing chatter, hollow assurances, and techno-babble. Oh, I forgot. The election, Covid, and the Azure cloud JEDI thing. I, like others, need their priorities readjusted.

How many employees and partners told Brad Smith, “You were great in the 60 Minutes interview”? Lots, I would wager.

Stephen E Arnold, February 18, 2021
