Microsoft Teams and Sensitive Information

October 13, 2022

I read a somewhat unusual analysis of Microsoft Teams security. “Microsoft Teams Users Are Using It for a Really Bad Reason, So Stop Now” presents some data about Teams’ users and their sending information over the system. Now the purpose of Teams and similar conferencing software is to exchange information. Therefore, access to Teams sessions and the data exchanged while using the using may have some value to certain individuals if such access were available.

Okay, now let’s look at some of the numbers in the write up:

  • 45 percent of those in the sample (who knows how many were in the sample by the way?) “admit to sending confidential and sensitive information frequently via Microsoft Teams.” Now let’s think about this. Does this mean that 55 percent of those using Teams do not provide “confidential or sensitive information”? Is this a measure of productivity which Teams enhances?
  • 51 percent were found to be “sharing business critical information.” I am not sure I understand the distinctioin between “sensitive” and “business critical. The idea that half of those using Teams don’t share important data.
  • 56 percent believe training is needed.

Net net: Microsoft may have to do more than silence Teams’ blowhards. See “Microsoft Is Working Hard to Shut Up the Egotistical Blowhard on Your Team.”

Stephen E Arnold, October 15, 2022

Cyber Security: The Stew Is Stirred

October 12, 2022

Cyber security, in my opinion, is often an oxymoron. Cyber issues go up; cyber vendors’ marketing clicks up a notch. The companies with cyber security issues keeps pace. Who wins this cat-and-mouse ménage a trois? The answer is the back actors and the stakeholders in the cyber security vendors with the best marketing.

Now the game is changing from cyber roulette, which has been mostly unwinnable to digital poker.

Here’s how the new game works if the information in “With Security Revenue Surging, CrowdStrike Wants to Be a Broader Enterprise IT Player” is on the money. I have to keep reminding myself that if there is cheating in competitive fishing, chess, and poker, there might be some Fancy Dancing at the cyber security hoe down.

The write up points out that CrowdStrike, a cyber security vendor, wants to pull a “meta” play; that is, the company’s management team wants to pop up a level. The idea is that cyber security is a platform. The “platform” concept means that other products and services should and will plug into the core system. Think of an oil rig which supports the drill, the pumps, spare parts, and the mess hall. Everyone has to use the mess hall and other essential facilities.

The article says:

Already one of the biggest names in cybersecurity for the past decade, CrowdStrike now aspires to become a more important player in areas within the wider IT landscape such as data observability and IT operations…

Google and Microsoft are outfits which may have to respond to the CrowdStrike “pop up a level” tactic. Google’s full page ads in the dead tree version of the Wall Street Journal and Microsoft’s on-going security laugh parade may not be enough to prevent CrowdStrike from:

  1. Contacting big companies victimized by lousy security provided by some competitors (Hello, Microsoft client. Did you know….)
  2. Getting a group of executives hurt in the bonus department by soaring cyber security costs
  3. Closing deals which automatically cut into both the big competitors’ and the small providers’ deals with these important clients.

The write up cites a mid tier consulting firm as a source of high value “proof” of the CrowdStrike concept. The write up offers this:

IDC figures have shown CrowdStrike in the lead on endpoint security market share, with 12.6% of the market in 2021, compared to 11.2% for Microsoft. CrowdStrike’s growth of 68% in the market last year, however, was surpassed by Microsoft’s growth of nearly 82%, according to the IDC figures.

CrowdStrike’s approach is to pitch a “single agent architecture.” Is this accurate? Sure, it’s marketing, and marketing matters.

Our research suggests that cyber security remains a “reaction” game. Something happens or a new gaffe is exploited, and the cyber security vendors react. The bad actors then move on. The result is that billions in revenue are generated for cyber security vendors who sell solutions after something has been breached.

Is there an end to this weird escalation? Possibly but that would require better engineering from the git go, government regulations for vendors whose solutions are not secure, and stronger enforcement action at the point of distribution. (Yes, ISPs and network providers, I am talking about you.)

Net net: Cyber security will become a market sector to watch. Some darned creative marketing will be on display. Meanwhile as the English majors write copy, the bad actors will be exploiting old and new loopholes.

Stephen E Arnold, October 12, 2022

Gmail Is for the Googley

October 11, 2022

I spotted an interesting Twitter thread about Google and its beneficial two factor authentication system. You can in theory view the sequence of tweets at this url. The prime mover is Twitter user @chadloder.

The main point is that the Google requires account verification several times a year. Individuals who are in a life condition that pivots on free phones called Obamaphones in the string of tweets lose their account. The phones are lost, broken, stolen, and replaced in many cases. However, these phones often come with a different phone number.

The result is that these individuals cannot provide the “verification” that Google requires. One of @chadloder’s tweets states:

Not only do many of these benefits sites fail to function properly on mobile devices, but if you lose access to your GMail account, your caseworker will close your case for non-response and you have to start all over again.

Let’s look at this issue from a different point of view. I hypothesize the following:

  1. Google’s executives did not think about homeless Gmail users as individuals
  2. The optimal Gmail user consumes Google advertising
  3. Individuals who do not have a home are not the targets of Google’s advertising system
  4. Those who cannot verify are not part of the desired user cluster.

To sum up, when one is Googley, these problems do not manifest themselves. Advertisers want the plump targets with money to spend.

Stephen E Arnold, October 11, 2022

Russia: Inconsistent Cyber Attack Capabilities

October 7, 2022

Do you remember that Microsoft’s president Brad Smith opined that the SolarWinds’ misstep required about 1,000 engineers? I do. Let’s assume those engineers then turned their attention to compromising Ukraine as part of a special military operation.

Failure of Russia’s Cyber Attacks on Ukraine Is Most Important Lesson for NCSC” presents information I found interesting about Mr. Smith’s SolarWinds’ remark. [The NCSC is the United Kingdom’s National Cyber Security Council.’

Here’s the key passage from the write up:

Ukrainian cyber defences, IT security industry support and international collaboration have so far prevented Russian cyber attacks from having their intended destabilising impact during Russia’s invasion of Ukraine.

The write up also points out that a cyber content marketing campaign designed to undermine Ukraine’s leadership was also not effective.

Okay, but, Mr. Smith said that Russia was able to coordinate the efforts of 1,000 individuals to breach SolarWinds’ security and create considerable distress among some in commercial enterprises and other organizations.

How could Ukraine resist this type of capable force? I have no idea. I prefer to flip the information around and ask, “Why did SolarWinds’ security yield so easily?” Did Russia put more effort into breaching SolarWinds than fighting a kinetic war? Yeah, sure it did.

Maybe the 1,000 programmer idea was hand waving and blame shifting? Microsoft cannot make printers work. Why would Microsoft security be much better?

Stephen E Arnold, September 2022

Insider Threat: Worse Than Poisoned Open Source Code and Major Operating System Flaws?

October 5, 2022

Here’s a question for you.

What poses a greater threat to your organization? Select one item only, please.

[a] Flaws in mobile phones

[b] Poisoned open source code

[c] Cyber security and threat intelligence systems do not provide advertised security

[d] Insider threats

[e] Operating systems’ flaws.

If you want to check more than one item, congratulations. You are a person who is aware that most computing devices are insecure with some flaws baked in. Fixing up flawed hardware and software under attack is similar to repairing an L-29 while the Super Defin is in an air race.

Each day I receive emails asking me to join a webinar about a breakthrough in cyber security, new threats from the Dark Web, and procedures to ensure system integrity. I am not confident that these companies can deliver cyber security, particularly the type needed to deal with an insider who decides to help out bad actors.

NSA Employee Leaked Classified Cyber Intel, Charged with Espionage” reports:

A former National Security Agency employee was arrested on Wednesday for spying on the U.S. government on behalf of a foreign government. Jareh Sebastian Dalke, 30, was arrested in Denver, Colorado after allegedly committing three separate violations of the Espionage Act. Law enforcement allege that the violations were committed between August and September of 2022, after he worked as a information systems security designer at the agency earlier that summer.

So what’s the answer to the multiple choice test above? It’s D. Insider breaches suggest that management procedures are not working. Cyber security webinars don’t address this, and it appears that other training programs may not be pulling hard enough. Close enough for horse shoes may work when selling ads. For other applications, more rigor may be necessary.

Stephen E Arnold, October 5, 2022

Board Games at Microsoft? Maybe Corner Cutting?

September 30, 2022

I noted a write up called “Anonymous Lays Waste to Russian Message Board, Releases Entire Database Online.” The article describes what a merrie band of anonymous, distributed bad actors can do in today’s decentralized, Web 3 world of online games like Cat and Mouse. The article explains that Mr. Putin’s bureaucracy is a big, fat, and easy target to attack. One statement in the article caught my attention; to wit:

For all their reputation on cyber security and hacking, the Russians were careless…. KiraSec has taken down hundreds of Russian websites, Russian banks like alfabank,, pro-Russian terror-leaning websites, Russian pedophile websites, Russian government websites, Russian porn sites and a lot more. The cyber activists also “hacked various Russian SCADAs and ICS, nuking their systems and completely destroying their industrial machines.”

I immediately thought about Microsoft’s Brad Smith suggesting that more than 1,000 programmers worked to make SolarWinds a household word. My thought was that Microsoft itself may share the systems engineering approach used to protect some Russian information assets. The key word is “careless.” Arrogance, indifference, and probably quite terrible management facilitated the loss of Russian data and the SolarWinds’ misstep.

I then spotted in my news headline stream this article from the UK online outfit The Register: “Excel’s Comedy of Errors Needs a New Script, Not New Scripting.” This article points out that Microsoft has introduced a new feature for Excel. I am not an individual who writes everything in Excel, including holiday greetings and lists of government officials names and email addresses. Some are.

Here’s the passage I circled after I printed out the write up on a piece of paper:

Excel is already the single most dangerous tool to give to civilians. You can get things wrong in Word and PowerPoint all day long, and while they have their own security fun you’re not getting things wrong through a series of tiny letterboxes behind which can live the company’s most important numerical data. The Excel Blunder is its own genre of corporate terror: it brings down companies, it breaches data like a excited whale seeking sunlight, it can make a mockery of pandemic control. And because Excel is the only universal tool most users get for organizing any sort of data, the abuses and perversions it gets put to are endless.

What’s the connection between bad actors hacking Russia, Microsoft’s explanation of the SolarWinds’ misstep, and Excel’s new scripting method?

Insecurity appears to be part of the core business process.

No big deal. Some bad actors and a few cyber security vendors will be happy. Others will be “careless” and maybe clueless. That’s Clue the board game, not the motion picture.

Stephen E Arnold, September 30, 2022

Yo, Amazon, Hello, Facebook, Hey, Google, Sup, IBM: Any Moonlighting Wizards on Your Payroll?

September 28, 2022

A couple of years ago, I provided those in my LE and intel lectures with the names of some online recruiting services which say things like:

Hire Silicon Valley-caliber engineers at half the cost

The number of outfits offering programmers with in-demand skills is large. Do these “remote” employees have: [a] full time jobs at big tech firms, [b] work remotely with supervision from an indifferent 20 something or Microsoft Teams-type monitoring functions, or [c] have automated a full-time job so that an eight hour work day can be used to generate income from gig work or another full-time job?

I read “Wipro Chairman Rishad Premji Fires 300 Employees for Secretly for Moonlighting.” [Note: this item appeared in India and the provider of the content can be disappeared at any time or charge for access to the full text. There’s not much I can do to ameliorate this issue.] The article states:

Wipro has terminated 300 employees found to be moonlighting with its key rivals at the same time, its Chairman Rishad Premji said on Wednesday [September 21, 2022] . Speaking at the All India Management Association (AIMA) National Management Convention, Premji termed moonlighting is a complete violation of integrity “in its deepest form”. “The reality is that there are people today working for Wipro and working directly for one of our competitors and we have actually discovered 300 people in the last few months who are doing exactly that,” the Wipro Chairman said. The company has now terminated their employment for “act of integrity violation”.

I find the action of Mr. Premji instructive. I wonder why US-based high-tech firms do not take the same action.

The point I made in my lecture is that bad actors can pass themselves off as legitimate businesses just based in some interesting city like Athens, Greece. The technical skills required are advanced and not directly connected to anything other than helping a jewelry company or online egame service implement a resilient network. The person responding to this opportunity may have requisite experience working at a big US high tech company. The person does the work and forgets about the project. However, the entity doing the hiring is a bad actor. The task completed by the US high tech engineer snaps into a larger set of work.

Should the online recruitment outfit perform more due diligence on what looks like a legitimate company selling fountain pens or plumbing equipment in another country? The answer is, “Sure.” That’s not the case. Based on our research none of the recruiters or the gig workers did much if any investigation of the hiring outfit. If a company paid the matchmaker and the gig worker, that was the proof of appropriate activity.

The reality, which I described in my lecture, is that insiders are making it easy for bad actors to learn about certain companies. Furthermore, the simple and obvious coding task is just one component in what can be an illegal online operation. The example I provided to the LE and analysts in my lecture was an online streaming service with an illegal online gambling “feature.”

I can hear the senior managers’ excuses now:

  1. “Our employees are prohibited from doing outside work.” [Yeah, but does anyone validate this assertion?]
  2. “We have a personnel department which works closely with our security team to prevent this type of insider activity.” [Yeah, but telling me this is cheaper and easier than reporting on specific data compiled to reduce this type of activity, right?]
  3. “Our contractors are moderated and subject to the same security procedures as our work-from-home full time staff? [Yeah, but does anyone really know how that contractor located in another company actually operates?]k

Net net: Mr. Premji is on the right track. FYI: WiPro was founded in 1945 and the firm took action on this matter after 77 years. Speedy indeed.

Stephen E Arnold, September 28, 2022

Cyber Security Management: Does It Work or Just Output Excuses?

September 23, 2022

It seems that cyber security is a bit of an issue at a number of organizations. Uber faces a teen and seems to say, “We’re a-okay.” A Chinese entity may have lost data about one billion people. If I poke around, I can find one or two examples of what seem to be cyber security challenges. Oh, sorry. Yes, one or two may be an understatement.

“Nearly a Third of Security Teams Lack a Management Platform for IT Secrets” suggests that there may be a problem with management. The write up states:

most security pros expect cyber attacks to intensify over the next year, some 32% surveyed lack a management platform for IT secrets, such as API keys, database passwords, and privileged credentials, posing significant security risks.

Does this mean that geared up outfits with layers of security, training programs for employees because phishing is a problem, and expensive real time flows of threat data about vectors with snappy names have a vulnerability?

Yes, some organizations have another cyber security issues with which to wrestle. Management of “information technology secrets” may pose a threat. More precisely, a failure to manage passwords and other “IT secrets” is lacking. No kidding? Poor or ineffective management. Who would have guessed that work-from-home, quiet quitters, and basic safeguards were inadequate. Wow. Insight!

The article says:

While many surprisingly report feeling prepared for attacks, security leaders admit their tech stacks lack essential tools: Some 84% are concerned about the dangers of hard-coded credentials in source code, but 25% don’t have software to remove them. And, more than one-quarter of respondents (26%) say they lack a remote connection management capability that can secure remote access to IT infrastructure.

I think this means that after many PowerPoints, trade show presentations, and big buck mergers and acquisitions, bad actors have some vulnerabilities to exploit.

Is it time perchance to rethink cyber security and the management thereof?

Nah, security is a cost center. And most executives with whom I talk are reasonably confident that their personnel, advisors, and information technology professionals are Top Guns, flying juiced up cyber gear.

Okay, no problem. That’s why storing Microsoft Teams’ tokens in plain text is such a great idea.

Stephen E Arnold, September 22, 2022

Darktrace–Thoma Bravo Deal: An Antigen Reaction?

September 21, 2022

Darktrace is one of the cyber threat detection outfits to which I pay some attention. I read “Darktrace Shares Plunge After Thoma Bravo Acquisition Falls Apart.”

The article quotes an expert as saying:

“I don’t think Thoma Bravo is backing off of Darktrace because of valuations,” he [Richard Stiennon, chief research analyst at IT-Harvest] says. “I think strategically there is not a clear market for the AI-enhanced threat hunting that Darktrace touts. The market is pretty much equal to Darktrace’s revenue today.”

My take on the deal is that the cyber threat detection and cyber threat information services are not convincing some skeptical prospects. News like the teen who compromised the Uber taxi service and the sharp rise in ransomware attacks has created some Nervous Nellies. Multi-persona phishing and old fashioned social engineer work in today’s work-from-home world. Plus, there is nothing like a bundle of cash promised to an insider who might be tempted to exchange access credentials for a new Tesla or a shopping spree at Costco.

Darktrace has done a masterful job of marketing. The Bayesian methods work reasonably well in certain use cases. Quite a chunk of change has been spent buying and marketing cyber related businesses.

One report (“Shares Plunge As US Private Equity Titan Backs Out of Darktrace Takeover“) said:

Darktrace revenue grew 45.7 per cent in the financial year to 30 June, while the customer base swelled 32.1 per cent year-over-year. However, the firm did note an accounting mishap, stating that $3.8m of revenue it had been recognising in the full year, including a portion recognised and reported in its unaudited half year results, was related to prior periods and should instead be recognised in full year 2021 results. This reallocation would reduce revenue reported this year to $415.5m from the $419.3m that was expected.

And cyber crime is at an all time high, but I am not sure any firm, including Darktrace, has cracked the code.

Stephen E Arnold, September 21, 2022

Open Source: Everyone Uses It. Now Bad Actors Know Where to Aim

September 2, 2022

Peace of mind is a valuable thing, a commodity one might think worth allocating some funds to ensure, particularly when one is engaged in permanent cyber warfare. Yet, according to BetaNews, “80 Percent of Enterprises Use Open Source Software and Nearly All Worry About Security.” A recent report from Synopsys and based on research by Enterprise Strategy Group found 80% of enterprises use open source software (OSS), and 99% of those are concerned about related security issues. Apparently one percent is not paying attention—such worry is justified because few in the IT department know what’s in the open source libraries or know how to find manipulated or rogue instructions. Reporter Ian Barker tells us:

“In response to high profile supply chain attacks 73 percent of respondents say they have increased their efforts significantly to secure their organizations’ software supply chain. Steps taken include the adoption of some form of multi-factor authentication technology (33 percent), investment in application security testing controls (32 percent), and improved asset discovery to update their organization’s attack surface inventory (30 percent). Despite those efforts, 34 percent of organizations report that their applications have been exploited due to a known vulnerability in open source software within the last 12 months, with 28 percent having suffered a previously unknown zero-day exploit found in open source software.

Pressure to improve software supply chain risk management has shone a spotlight on software Bills of Materials (SBOMs). But exploding OSS usage and lackluster OSS management has made the compilation of SBOMs complex — the ESG research shows that 39 percent of survey respondents marked this task as a challenge of using OSS. … [The study also found] 97 percent of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.”

All this, and the use of open source software is expected to jump to 99% next year. It seems those who hold organizational purse strings care more about saving a few bucks than about their cybersecurity teams’ sleepless nights. If they suffer a breach, however, they may find that metaphoric purse has acquired a large hole. Just a thought, but an ounce of prevention may be warranted here.

Cheap and easy? Yep.

Cynthia Murrell, September 2, 2022

« Previous PageNext Page »

  • Archives

  • Recent Posts

  • Meta