US Senator Throws Penalty Flag at Microsoft
February 26, 2021
JEDI foul? I am not sure. The bright yellow flag has been lofted and it is beginning its descent. One player has a look of disbelief, “A foul. You think I did a chop block?” That’s the image that went through my mental machinery as I read “US Senator claims Microsoft Failed to Fix Cloud Holes before SolarWinds Hack.”
The write up asserts:
Microsoft Corp’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden. A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.
The year 2017. I recall that was the time the DarkCyber research team began yammering about use of the wonderful Microsoft software update system, access control policies, and business processes to allow estimable Microsoft-friendly software to run. The idea was seamless, smooth, quick, and flawless interaction among users, software, the cloud, and assorted components. Fast. Efficient. Absolutely.
The elected official is quoted as saying:
The federal government spends billions on Microsoft software. It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017.
The write up points out that Microsoft does not agree with the senator’s observations. In the subsequent testimony (you can view it at this link), one of the top dog Microsoft professionals pointed out “only about 15 percent of the victims in the Solar Winds campaign were hurt via Golden SAML.” SAML is a security assertion markup language. The golden part? Maybe it is the idea that a user or process signs on. If okayed somewhere in the system, the user or process is definitely okay again. Fast. Efficient.
The “golden,” it turns out, is a hack. Get into the SAML-approved system, and bingo. Users, processes, whatever are good to go. Get administrator credentials and become an authorizing and verifying service and the bad actor owns the system. The idea is that a bad actor can pump out green light credentials and do many interesting things. Hey, being authorized and trusted is a wonderful thing, right?
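The defender’s side of the point above, as an added example that is not from this post or the testimony it cites: a forged assertion signed with the identity provider’s real signing key looks valid to every relying party, so the tell is that the identity provider never saw a logon for that user. The log formats, certificate thumbprint, user names and policy thresholds here are all constructed for illustration.

```python
"""Heuristic detection of forged ("golden") SAML assertions from log records.

Constructed log formats and policy values; not tied to any vendor product.
"""
from datetime import datetime, timedelta

# Constructed policy values (assumptions, not from the page).
TRUSTED_SIGNING_THUMBPRINT = "AA11BB22"   # thumbprint of the legitimate token-signing cert
MAX_ASSERTION_LIFETIME = timedelta(hours=1)
LOGON_WINDOW = timedelta(minutes=5)       # an assertion should follow a real IdP logon

# Constructed token-issuance records: who the assertion was minted for, which
# certificate signed it, and how long it is valid.
TOKEN_EVENTS = [
    {"ts": "2021-02-01T10:00:05", "user": "alice", "thumbprint": "AA11BB22", "lifetime_min": 60},
    {"ts": "2021-02-01T10:00:20", "user": "admin", "thumbprint": "AA11BB22", "lifetime_min": 60},
    # Minted with a certificate the identity provider never issued.
    {"ts": "2021-02-01T11:30:00", "user": "svc-backup", "thumbprint": "DEADBEEF", "lifetime_min": 60},
    # Signed with the real key (stolen), but no logon behind it and a month-long lifetime.
    {"ts": "2021-02-01T12:00:00", "user": "bob", "thumbprint": "AA11BB22", "lifetime_min": 43200},
]
# Constructed authentication events recorded by the identity provider itself.
LOGON_EVENTS = [
    {"ts": "2021-02-01T10:00:00", "user": "alice"},
    {"ts": "2021-02-01T10:00:15", "user": "admin"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def _has_recent_logon(token: dict, logons: list) -> bool:
    """True if the IdP saw this user log on shortly before the token was issued."""
    issued = _parse(token["ts"])
    for ev in logons:
        if ev["user"] != token["user"]:
            continue
        delta = issued - _parse(ev["ts"])
        if timedelta(0) <= delta <= LOGON_WINDOW:
            return True
    return False


def find_suspicious_tokens(tokens: list, logons: list) -> dict:
    """Return {user: [reasons]} for every token that fails one of the checks."""
    findings = {}
    for tok in tokens:
        reasons = []
        if tok["thumbprint"] != TRUSTED_SIGNING_THUMBPRINT:
            reasons.append("signed by an unknown certificate")
        if timedelta(minutes=tok["lifetime_min"]) > MAX_ASSERTION_LIFETIME:
            reasons.append("lifetime exceeds policy")
        # The check that still fires when the genuine signing key was stolen.
        if not _has_recent_logon(tok, logons):
            reasons.append("no identity-provider logon precedes issuance")
        if reasons:
            findings.setdefault(tok["user"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_tokens(TOKEN_EVENTS, LOGON_EVENTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```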
Back to JEDI? Is the senator confident that the Department of Defense has not been compromised? What happens if the JEDI system is penetrated by foreign actors as the DoD wide system is being assembled, deployed, and operated? Does the vulnerability still exist in live systems?
These are good questions? I am not sure the answers are as well crafted.
Stephen E Arnold, February 27, 2021
Microsoft Concludes SolarWinds Hack Internal Investigation
February 26, 2021
After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:
“Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.”
We noted:
“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”
So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.
Cynthia Murrell, February 26, 2021
Facebook Found Lax in Enforcement of Own Privacy Rules
February 26, 2021
Facebook is refining its filtering AI for app data after investigators at New York’s Department of Financial Services found the company was receiving sensitive information it should not have received. The Jakarta Post reports, “Facebook Blocks Medical Data Shared by Apps.” Facebook regularly accepts app-user information and feeds it to an analysis tool that helps developers improve their apps. It never really wanted responsibility for safeguarding medical and other sensitive data, but did little to block it until now. The write-up quotes state financial services superintendent Linda Lacewell:
“Facebook instructed app developers and websites not to share medical, financial, and other sensitive personal consumer data but took no steps to police this rule. By continuing to do business with app developers that broke the rule, Facebook put itself in a position to profit from sensitive data that it was never supposed to receive in the first place.”
Facebook is now stepping up its efforts to block sensitive information from reaching its databases. We learn:
“Facebook created a list of terms blocked by its systems and has been refining artificial intelligence to more adaptively filter sensitive data not welcomed in the analytics tool, according to the report. The block list contains more than 70,000 terms, including diseases, bodily functions, medical conditions, and real-world locations such as mental health centers, the report said.”
A spokesperson says the company is also “doing more to educate advertisers on how to set-up and use our business tools.” We shall see whether these efforts will be enough to satisfy investigators next time around.
Cynthia Murrell, February 26, 2021
Microsoft: Technical Excellence Translates to More Excellencerness
February 18, 2021
I found the Microsoft explanation of the SolarWinds’ misstep interesting. CBS circulated some of the information in the interview in “SolarWinds: How Russian Spies Hacked the Justice, State, Treasury, Energy and Commerce Departments.” The point that Windows’ security systems did not detect the spoofing, modifying, and running of Microsoft software was skipped over in my opinion. I loved this statement by Brad Smith, one of the senior executives at the Redmond giant:
When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.
Then failing to detect the breach which seems to have exploited the fascinating Microsoft software update methods:
I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.
Okay, “certainly.” Okay, 1,000.
What if SolarWinds’ misstep was not the largest and most sophisticated hack? Is it possible that an insider or a contractor working from home in another country provided the credentials? What if piggybacking on the wild and wonderful Windows’ update system and method was a cottage industry among some bad actors? What if the idea for the malware was a result of carelessness and assumptions about the “security” of how Microsoft and its partners conducted routine business? What if the bad actors used open source software and some commercial reverse engineering tools, information on hacker forums, and trial and error? Does one need 1,000 engineers? Microsoft may need that many engineers, but in my experience gained in rural Kentucky, a handful of clever individuals could have made the solar fires burn more brightly. Who can manage 1,000 hackers? I am not sure nation states can get 1,000 cyber warriors to a single conference center at one time or get most to read their email, file reports, and coordinate their code. Some may suggest Russia, China, North Korea, or Iran can do these managerial things in a successful way. Not I. The simplest explanation is often the correct one. Insider, opportunism, and a small team make more sense to me.
Let me shift gears.
What about the spoofing, modifying, and running of Microsoft software for months, maybe a year, maybe more without detecting the intrusion?
I noted “A Vulnerability in Windows Defender Went Unnoticed for 12 Years.” That write up asserts:
A critical bug in Windows Defender went undetected by both attackers and defenders for some 12 years, before finally being patched last fall. The vulnerability in Microsoft’s built-in antivirus software could have allowed hackers to overwrite files or execute malicious code—if the bug had been found. Let’s be clear—12 years is a long time when it comes to the life cycle of a mainstream operating system, and it’s a heck of a long time for such a critical vulnerability to hide.
Sure, let’s be clear. Microsoft talks security. It issues techno-marketing posts like its late January explanation of the SolarWinds’ misstep which I reported on in the DarkCyber video news program on February 9, 2021.
But perhaps more pointed questions should be asked. I don’t want to know about Team featuritis. I don’t want to know why I should not install certain Windows 10 updates or accept updates like the mandatory update KB4023057. I don’t want to know about folding mobile phones. Nope. None of those things.
I want TV interviewers, CBS “real news” writers, and Microsoft to move beyond marketing chatter, hollow assurances, and techno-babble. Oh, I forgot. The election, Covid, and the Azure cloud JEDI thing. I, like others, need their priorities readjusted.
How many employees and partners told Brad Smith, “You were great in the 60 Minutes interview”? Lots, I would wager.
Stephen E Arnold, February 18, 2021
SolarWinds: Woulda, Coulda, Shoulda?
February 17, 2021
The SolarWinds security breach had consequences worldwide. The bad actors, believed to be Russian operatives, hacked into systems at the Department of Homeland Security, the Treasury Department, the National Institutes of Health, the Department of Justice, and other federal agencies as well as those of some major corporations. The supply-chain attack went on for months until it was finally discovered in December; no one is sure how much information the hackers were able to collect during that time. Not only that, it is suspected they inserted hidden code that will continue to give them access for years to come.
Now ProPublica tells us the government paid big bucks to develop a system that may have stopped it, if only it had been put into place. Writers Peter Elkind and Jack Gillum report that “The U.S. Spent $2.2 Million on a Cybersecurity System that Wasn’t Implemented—and Might Have Stopped a Major Hack.” Oops. We learn:
“The incursion became the latest — and, it appears, by far the worst — in a string of hacks targeting the software supply chain. Cybersecurity experts have voiced concern for years that existing defenses, which focus on attacks against individual end users, fail to spot malware planted in downloads from trusted software suppliers. Such attacks are especially worrisome because of their ability to rapidly distribute malicious computer code to tens of thousands of unwitting customers. This problem spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for ‘as a whole’), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. … Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it, according to Cappos.”
Other experts also believe in-toto, which is free to use, would have been able to stop the attack in its tracks. Some private companies have embraced the software, including SolarWinds competitor Datadog. That company’s security engineer, in fact, contributed to the tool’s design and implementation. We are not sure what it will take to make the government require its vendors implement in-toto. Another major breach? Two or three? We shall see. See the write-up for more details about supply-chain attacks, the SolarWinds attack specifically, and how in-toto works.
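To make the “end-to-end protection for the entire software supply pipeline” idea concrete, here is an added, deliberately simplified model of step attestation in the spirit of in-toto. It is constructed for this page and is not in-toto’s real layout or link format: each pipeline step records hashes of what it consumed and produced, authenticates that record with its own key, and the verifier checks that artifacts pass between steps unchanged. HMAC stands in for public-key signatures so the code runs on the standard library alone; all keys, step names and artifacts are made up.

```python
"""Simplified supply-chain step attestation in the spirit of in-toto.

Illustration only (constructed here, not in-toto's real layout/link format or
signing).  HMAC stands in for public-key signatures so it runs on the stdlib.
"""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_link(step: str, key: bytes, materials: dict, products: dict) -> dict:
    """Record what a step consumed and produced, authenticated with that step's key."""
    body = {"step": step,
            "materials": {n: sha256(b) for n, b in materials.items()},
            "products": {n: sha256(b) for n, b in products.items()}}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, "sha256").hexdigest()}


def verify_chain(layout: dict, links: dict, delivered: dict):
    """Check each link is authentic and that named artifacts pass between steps unchanged."""
    prev_products = {}
    for step in layout["steps"]:
        link = links.get(step["name"])
        if link is None:
            return False, f"missing link for step {step['name']}"
        payload = json.dumps(link["body"], sort_keys=True).encode()
        key = layout["keys"][step["signer"]]
        expected = hmac.new(key, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["mac"]):
            return False, f"link for {step['name']} not authenticated by its authorized key"
        # Artifact rule: inputs named in from_previous must be exactly what the prior step produced.
        for name in step["from_previous"]:
            if link["body"]["materials"].get(name) != prev_products.get(name):
                return False, f"{step['name']} consumed {name} that differs from the previous step's product"
        prev_products = link["body"]["products"]
    for name, data in delivered.items():
        if prev_products.get(name) != sha256(data):
            return False, f"delivered {name} does not match the final step's product"
    return True, "chain verified"


# Constructed layout: who may perform each step and which inputs must flow from the step before.
KEYS = {"dev": b"dev-key", "builder": b"builder-key", "packager": b"packager-key"}
LAYOUT = {"keys": KEYS, "steps": [
    {"name": "clone", "signer": "dev", "from_previous": []},
    {"name": "build", "signer": "builder", "from_previous": ["main.c"]},
    {"name": "package", "signer": "packager", "from_previous": ["app.bin"]},
]}


def run_pipeline(tamper: bool = False):
    """Run the three steps; with tamper=True the binary is swapped after build, before packaging."""
    src = b"int main(void) { return 0; }"
    binary = b"\x7fELF-good-build"
    shipped = b"\x7fELF-backdoored" if tamper else binary
    links = {
        "clone": make_link("clone", KEYS["dev"], {}, {"main.c": src}),
        "build": make_link("build", KEYS["builder"], {"main.c": src}, {"app.bin": binary}),
        "package": make_link("package", KEYS["packager"], {"app.bin": shipped}, {"app.tgz": shipped}),
    }
    return verify_chain(LAYOUT, links, {"app.tgz": shipped})


if __name__ == "__main__":
    print(run_pipeline())             # (True, 'chain verified')
    print(run_pipeline(tamper=True))  # (False, 'package consumed app.bin that differs ...')
```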
Cynthia Murrell, February 17, 2021
Post SolarWinds: Let Smart Software Do Security
February 9, 2021
Forty-one percent of IT leaders would suggest cybersecurity pros get their resumes ready, according to a recent survey. ZDNet reports, “AI Set to Replace Humans in Cybersecurity by 2030, Says Trend Micro Survey.” Writer Eileen Brown summarizes:
“[Trend Micro’s] predictions report, Turning the Tide, forecasts that remote and cloud-based systems will be ruthlessly targeted in 2021. The research was compiled from interviews with 500 IT directors and managers, CIOs and CTOs and does not look good for their career prospects. Only 9% of respondents were confident that AI would definitely not replace their job within the next decade. In fact, nearly a third (32%) said they thought the technology would eventually work to completely automate all cybersecurity, with little need for human intervention. Almost one in five (19%) believe that attackers using AI to enhance their arsenal will be commonplace by 2025. Around a quarter (24%) of IT leaders polled also claimed that by 2030, data access will be tied to biometric or DNA data, making unauthorised access impossible. In the shorter term, respondents also predicted the following outcomes would happen by 2025. They predict that most organisations will have significantly reduced investment in property as remote working becomes the norm (22%). Nationwide 5G will have entirely transformed network and security infrastructure (21%), and security will be self-managing and automated using AI (15%). However, attackers using AI to enhance their arsenal will be commonplace (19%).”
Trend Micro’s Bharat Mistry cautions that AI is most valuable when combined with human expertise, suggesting companies not jettison their human resources so readily. Since cyberattacks will continue to be a growing concern, the report recommends companies pay close attention to security best practices and patch management programs. It is also wise to train workers on security for work performed outside the office and the importance of avoiding doing business on personal devices.
Global cybersecurity firm Trend Micro offers protection for its clients’ users, networks, and cloud environments. Founded back in 1988, the company is based in Tokyo.
One question: If flawed humans create the smart security AI, won’t that have the same blindspots?
Cynthia Murrell, February 9, 2021
US Department of Defense: Procurement Methods Zapped by JEDI
February 5, 2021
I don’t know if the information in this article is 100 percent accurate, but it is an entertaining read. Navigate to “Pentagon May Cancel JEDI Contract and Start Over.” The write up does not mention the SolarWinds’ misstep, but I have heard that some DoD work from home professionals are getting a bit of a tan. Solar radiation can be a problem. The write up states:
The Pentagon could be set to cancel the $10 billion Joint Enterprise Defense Infrastructure (JEDI) contract it awarded to Microsoft in 2019, as a legal battle with Amazon rages on. The cancellation, should it occur, could provide significant financial benefits for AWS, with the cloud provider ready to swoop in. A new memo has revealed the extent of the Pentagon’s frustration with the legal wrangling. In particular, the memo states that, should Amazon’s complaint be upheld, the entire JEDI contract may be abandoned.
Here are the operative words:
$10 billion
Legal battle
Microsoft
Amazon
JEDI
and the biggie: frustration.
Amazon arrives at the party without a tan from the SolarWinds. Microsoft may have been singed or hit with some first degree burns. Oracle is a wild card because it may find a way to provide a very competitive option.
Where is the DoD now? Snagged in Covid, wrestling with leadership, adapting to the new administration, working the numbers for the remarkable F 35 alongside figures for A10s and F 15 enhanced models, and the drone of social media and talk about thousands of nano drones descending on a squad in some delightful camping areas.
If the information in the write up is accurate, perhaps a connection with the SolarWinds’ misstep may surface. But for now, it’s legal hassles and the thrill of many silos of systems.
Stephen E Arnold, February 5, 2021
Google Speaks But Is MIT Technology Review Delivering Useful Information or Just PR?
February 4, 2021
I read “Google Says It’s Too Easy for Hackers to Find New Security Flaws.” I assume that the Google is thrilled that its systems and methods were not directly implicated in the SolarWinds’ misstep and possibly VMware’s and Microsoft’s. But I don’t know because the information is dribbling out at irregular intervals and in my opinion has either been scrubbed or converted to euphemism. A good example is the Reuters’ report “Exclusive: Suspected Chinese Hackers Used SolarWinds Bug to Spy on US Payroll Agency — Sources.”
The esteemed institution supported by Jeffrey Epstein and housing an expert who allegedly had ties to an American adversary’s officials reports:
Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees.
What makes this story different is that the Google is now agreeing that today’s software is easy to compromise. The write up quotes an expert who offers:
Over its six-year lifespan, Google’s team has publicly tracked over 150 major zero-day bugs, and in 2020 Stone’s team documented 24 zero-days that were being exploited—a quarter of which were extremely similar to previously disclosed vulnerabilities. Three were incompletely patched, which meant that it took just a few tweaks to the hacker’s code for the attack to continue working. Many such attacks, she says, involve basic mistakes and “low hanging fruit.”
This is news? I think it is more self-congratulatory, just like the late January 2021 explanation of the SolarWinds’ misstep which I discuss in the February 9, 2021 DarkCyber video program. You can view the video on this blog.
Stephen E Arnold, February 4, 2021
Security Gaffes and the Tweeter
February 2, 2021
The Next Web has some advice for those going online to discuss how a security breach has affected them—“Don’t Dox Yourself by Tweeting About Data Breaches.” Writer Ben Dickson noticed several NetGalley users doing just that following the breach of that site’s database backup file last month. He writes:
“The database in question included sensitive user information, including usernames and passwords, names, email addresses, mailing addresses, birthdays, company names, and Kindle email addresses. Unfortunately, many users took to social media and started discussing the incident without thinking about what they are putting up for everyone to see. And in their haste to be the first to tweet about the breach, many users made awful mistakes, which could further compromise their security.”
A couple examples include the person who announced they use the same password everywhere (!) and someone who revealed their full name by reproducing their NetGalley notification. (Her Twitter account uses a pseudonym.) To make matters worse, it appears the database stored user information unencrypted. Though NetGalley itself does not keep incredibly sensitive data like banking information, hackers have ways of twisting even the most benign information to their dastardly goals. The write-up continues:
“After the NetGalley hack, the attackers have access to a fresh list of emails and passwords. They can use this information in credential stuffing attacks, where they enter the login information obtained from a data breach on other services and possibly gain access to other, more sensitive accounts. Cross-service account hijacking is something that happens often and can even include high-profile tech executives. The attacks can also combine the data from the NetGalley breach with the billions of user account records leaked in other data breaches to create more complete profiles of their targets. So, alone, the NetGalley data breach might not look like a big deal. But … every piece of information that falls into the hands of malicious actors can become instrumental to a larger attack.”
Dickson hastens to add that people need not stop tweeting about data breaches altogether. Doing so can actually provide valuable discussion, as his closing examples illustrate. One should just be careful not to include personal details hackers might add to their collection.
Cynthia Murrell, February 2, 2021
Microsoft Security: Perhaps Revenue Does Not Correlate with Providing Security?
February 1, 2021
I want to keep this brief. Microsoft makes money from the sale of security services. “Microsoft CEO Satya Nadella: There Is a Big Crisis Right Now for cybersecurity” reports:
For the first time on Tuesday, Microsoft disclosed revenue from its various security offerings as part of its quarterly earnings — $10 billion over the last 12 months. That amounts to a 40% year-over-year jump in the growing security business, making up roughly 7% of the company’s total revenue for the previous year.
Here’s a fascinating passage:
Microsoft itself was also hacked, though no customer data was breached. A Reuters report indicated that, as part of the hack of the National Telecommunications and Information Agency, Microsoft’s Office 365 software was attacked, allowing the intruders to monitor agency emails for months. Microsoft, however, said at the time that it has identified no vulnerabilities in its cloud or Office software.
Er, what?
I don’t want to rain on this financial parade but The Register, a UK online information service, published “Unsecured Azure Blob Exposed 500,000+ Highly confidential Docs from UK Firm’s CRM Customers.” Furthermore, the Microsoft security services did not spot the SolarWinds’ misstep, which appears to have relied upon Microsoft’s much-loved streaming update service. The euphemism of “supply chain” strikes me as a way to short circuit criticism of a series of technologies which are easily exploited by at least one bad actor involved in the more than 12 month undetected breach of core systems at trivial outfits like US government agencies.
Net net: Generating revenue from security does not correlate with delivering security or engineering core services to prevent breaches. And what about the failure to detect? Nifty, eh?
The February 9, 2021, DarkCyber video program takes a look at another of Microsoft’s remarkable dance steps related to the SolarWinds’ misstep. Do si do, promenade, and roll away to a half sashay! Ouch. Better watch where you put that expensive shoe.
Stephen E Arnold, February 1, 2021