Microsoft and Security: Bondo, Lead, or Duct Tape?
May 17, 2021
This round of updates will not fix all of Exchange’s vulnerabilities, but we may be getting closer to some semblance of security. The Register reports, “Microsoft Emits More Fixes for Exchange Server Plus Patches for Remote-Code Exec Holes in HTTP Stack, Visual Studio.” This release includes 55 CVE fixes for 32 MS apps and services, down from the 114 fixes released in April. Writer Thomas Claburn elaborates:
“Among the 55 CVEs identified by Microsoft, four are rated critical, 50 are rated important, and one is rated moderate. Those who recall the slew of Exchange Server fixes in March and April may experience a sense of deja vu: May brings still more Exchange Server fixes, for Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9. The four Exchange bugs are all rated moderate; one, a security-feature bypass (CVE-2021-31207), is already publicly known. Dustin Childs, director of communications for the Zero Day Initiative, observes in an advisory that a number of Exchange bugs came out of the recent Pwn2Own exploit contest. ‘More Exchange patches are expected as not everything disclosed at the contest has been addressed,’ he said. Aware that state-sponsored miscreants have been breaking into Exchange Servers via earlier vulnerabilities, Microsoft said while it’s not aware of any active exploitation of these latest flaws, ‘our recommendation is to install these updates immediately to protect your environment.’”
Good idea. Childs also flags several more fixes in this release that warrant immediate attention, in the HTTP Protocol Stack, Hyper-V, Visual Studio, and Windows Wireless Networking. There are also two that need only a victim visiting a malicious website: an OLE Automation remote code execution vulnerability and a Scripting Engine memory corruption vulnerability. Those are patched now; what remains outstanding is the rest of the Exchange findings from Pwn2Own. Will it be another month before Microsoft addresses those?
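Installing the update is the easy advice; knowing which servers actually have it is the check an administrator wants. The script below is an added example, not code from the page, The Register, or Microsoft. It triages an inventory of Exchange servers by the file version of ExSetup.exe (the value Microsoft's own guidance has you read with `Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo }`, because `Get-ExchangeServer`'s AdminDisplayVersion reflects only the cumulative update, not the security update on top of it). The inventory is constructed, and the build table is an assumption: the builds that, to the best of my recollection, the May 2021 security update installs on the five CUs the post lists (2013 CU23, 2016 CU19 and CU20, 2019 CU8 and CU9). Verify those numbers against Microsoft's Exchange Server build-number table before acting on the output.

```python
"""Triage an Exchange server inventory against a security-update baseline.

Added example, not from the page or from Microsoft. The inventory below is
constructed. PATCHED_BUILDS is an ASSUMPTION (builds I believe the May 2021
Exchange SU installs on each supported CU); verify against Microsoft's
Exchange Server build-number table before relying on the result.
"""
from typing import Dict, List, Tuple

# ASSUMPTION: (major, minor, build) identifies the product and CU; the value is
# the CU name and the lowest ExSetup.exe revision that carries the May 2021 SU.
PATCHED_BUILDS: Dict[Tuple[int, int, int], Tuple[str, int]] = {
    (15, 0, 1497): ("Exchange 2013 CU23", 18),
    (15, 1, 2176): ("Exchange 2016 CU19", 12),
    (15, 1, 2242): ("Exchange 2016 CU20", 8),
    (15, 2, 792): ("Exchange 2019 CU8", 15),
    (15, 2, 858): ("Exchange 2019 CU9", 12),
}

# Constructed inventory: host -> ExSetup.exe file version, as reported on each
# server by: Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo }
SAMPLE_INVENTORY: Dict[str, str] = {
    "mbx01": "15.2.858.12",    # 2019 CU9 with the SU applied
    "mbx02": "15.2.858.10",    # 2019 CU9, one SU behind
    "mbx03": "15.1.2176.9",    # 2016 CU19, behind
    "edge01": "15.0.1497.18",  # 2013 CU23 with the SU applied
    "legacy": "15.1.2106.2",   # 2016 CU18: the SU will not install on this CU
}


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Split '15.2.858.12' into (15, 2, 858, 12); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an ExSetup.exe file version: {version!r}")
    major, minor, build, revision = (int(p) for p in parts)
    return major, minor, build, revision


def classify(version: str) -> str:
    """Return 'patched', 'needs-su' or 'not-in-table' for one server."""
    major, minor, build, revision = parse_build(version)
    entry = PATCHED_BUILDS.get((major, minor, build))
    if entry is None:
        # Either a CU older than the table (the SU cannot be installed until the
        # server is first moved to a supported CU) or a CU newer than the table.
        # Both need a human look, so they are reported rather than guessed at.
        return "not-in-table"
    _name, minimum_revision = entry
    return "patched" if revision >= minimum_revision else "needs-su"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status; host order within a group follows the input."""
    groups: Dict[str, List[str]] = {"patched": [], "needs-su": [], "not-in-table": []}
    for host, version in inventory.items():
        groups[classify(version)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

The "not-in-table" bucket matters as much as "needs-su": a server still on a CU older than the ones the update supports cannot take the May update at all and has to be brought forward first, which is a longer outage than an SU install. Note also that a current build says nothing about whether the server was already compromised through the March or April Exchange flaws; that is a separate investigation.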
Cynthia Murrell, May 17, 2021
Who Watches? Mom or a 20-Something?
May 14, 2021
It is undeniable that COVID-19 has forever changed the work environment. In order to guarantee that telecommuting workers were being productive, organizations adopted new ways to monitor their performance. These include software that pushes the boundary between professionalism and Big Brother.
Organizations have relied heavily on Zoom for business meetings and calls, but that could be a thing of the past if NICE works. CFO Tech New Zealand has the details on the new employee management software: “NICE Rolls Out Agile Workforce Management For Distributed Workforces.”
NICE is a workforce engagement management (WEM) platform designed to virtually connect a workforce in one location. Even though workers can log onto a work network, join a Zoom conference call, or share work via the cloud, none of that gives them one centralized location.
Nor does it give organizations a way to check in on their employees’ work. Before the pandemic, offices had “swivel chair assistance,” that is, direct communication with workers. Worker engagement is at an all-time low, but WEM could fix that. Here are some NICE features:
“Gain visibility – understand employee activities and behaviors based on desktop analytics and workforce management (WFM) data from schedules and activities. By leveraging business-based key performance indicators (KPIs), such as average handle time (AHT), productivity and adherence, organizations can now drive team and employee focus. A holistic view of the blended office and workforce also enables better management of performance and skill gaps.
Ensure performance – personalize employee coaching to meet and exceed business goals by focusing on direct data that emphasizes knowledge and gaps. This enables supervisors and managers to guide the workforce in the right direction. Share dedicated employee dashboards that provide insights to adjust their performance course.
Drive engagement – boost workforce commitment and engagement by creating activities that challenge, motivate and reward employees to achieve results and support teamwork. Reward success by applying points and badges and enable their use for additional time off or related prizes.”
Exactly what does NICE do as part of its business? Does the firm provide specialized services to intelligence agencies, security, and law enforcement? That’s a good question. The answer may put these NICE workforce engagement tools in a different context.
Whitney Grace, May 14, 2021
Evidence of the Unreasonable Effectiveness of Malware
May 11, 2021
I read “The Fortnite Trial Is Exposing Details About the Biggest iPhone Hack on Record.” I am less interested in the dust up between two giant commercial enterprises than the attempt Apple has made and seems to be making to cope with malware. The write up states:
Apple released emails that show that 128 million users, of which 18 million were in the U.S., downloaded apps containing malware known as XCodeGhost from the App Store.
The data are stale, dating from 2015. Perhaps more current information will emerge. Maybe there will be a chart or two showing Apple’s progress in fighting malware. There were 4,000 malware-delivering or malware-infused apps. I don’t know. Details are scarce.
The write up points out:
Apple has always had a good reputation in terms of security. But the company has been reluctant to speak publicly and candidly about specific security incidents. So these emails, which were only released because of discovery in the Epic v. Apple Fortnite trial, are an interesting peek behind the curtain that show a fuller extent of the damage from this hack as well as specifics about how the company handled the hack’s fallout in real time.
Another item of interest was:
Apple also disclosed the apps that included the malicious code, some incredibly popular such as WeChat and the Chinese version of Angry Birds 2.
Some thoughts which crossed my mind.
- There is zero doubt in my mind that these disclosed items of data will encourage and strengthen bad actors’ confidence in the use of malware. It works.
- Apple appears to be trying to deal with malware, but these allegedly accurate factoids indicate that it has not been as successful as some individuals believed. Apple tried and failed, which signals that even a well-funded, well-intentioned outfit can be exploited.
- Malware is the Achilles’ heel for computer users. Apple’s billions cannot prevent clever bad actors from gaining access to devices.
- Data like these bolster comments about American online users’ loss of trust in their ISPs. (See, for example, “Study Shows Two-Thirds of Americans Don’t Trust Their Internet Service Providers.”)
Net net: Malware is unreasonably effective in compromising security. Does this mean that cyber security systems are failing? I would offer this observation, “Sure looks like it in the first degree burns left behind by SolarWinds, Microsoft Exchange Server, et al.”
Stephen E Arnold, May 11, 2021
Drone Allegedly Compromises a Tesla
May 11, 2021
I read “Tesla Car Hacked Remotely from Drone via Zero click Exploit.” I am not certain about the reproducibility of this alleged hack. Nevertheless, it encapsulates the interesting security threats in today’s zippy zip environment. The write up states:
The attack, dubbed TBONE, involves exploitation of two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices. An attacker can exploit these flaws to take full control of the infotainment system of a Tesla without any user interaction.
Here’s the method:
“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us [the researchers] to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity.”
What about drone based attacks on a mobile phone?
Stephen E Arnold, May 11, 2021
Sharing a Stage: Microsoft and Huawei
May 10, 2021
Just a small item from New Zealand, “Huawei Calls for Closer Public-Private Sector Action to Restore Trust in Technology.” The write up reports that Huawei (yep, the Chinese technology giant viewed with suspicion by some in the US) delivered a message about trust. Here’s the quote from the Huawei professional explaining trust:
As more devices feature connectivity, more services go online, and more critical infrastructures rely on real-time data exchanges, so must governments worldwide ensure that everyone is protected by the highest security standards… We must build strong trust in technology, enabled by a common set of rules, innovations, and progress. Only then can we commit to the sustainable and trustworthy use of technology.
Okay. But the item of information in the article which struck me as important was this passage:
Other speakers from the private sector include Roche board of directors chairman, Christophe Franz, Daimler chairman of the board of management, Ola Källenius, Microsoft chief executive officer, Satya Nadella, and HCL Corporation’s chief executive officer, Roshni Nadar Malhotra. [Emphasis added]
I found it interesting that Microsoft’s CEO shared a podium at a conference about trust. As you may recall, Microsoft experienced a misstep with Exchange Server and has struggled with Windows updates which bedevil some users.
The write up emphasized that “trust is inherently built on openness and transparency.” Sounds tasty. Trust.
Stephen E Arnold, May 10, 2021
SolarWinds: Info Dribbles Continue
May 10, 2021
To “dribble” is, according to Merriam-Webster, to “issue in piecemeal or desultory fashion.” From my point of view, “SolarWinds Says Russian Group Likely Took Data During Cyber-Attack” qualifies as info dribble. Paywalled Bloomberg reports:
SolarWinds said it “found evidence that causes us to believe the threat actor exfiltrated certain information as part of its research and surveillance,” according to a regulatory filing on Friday. The hackers “accessed email accounts of certain personnel, some of which contained information related to current or former employees and customers,” the company said.
How much data were taken, what content was pilfered, and for how long? Sorry, no info to address these questions. The write up reports:
SolarWinds estimates the hackers breached fewer than 100 of its customers using its software, according to the filing. The White House has found that about 100 U.S. companies and nine government agencies were hacked by the Russian cyber-attackers through SolarWinds and other means in the course of their espionage operation.
Remarkable how few entities were affected.
How did the attack occur? Here’s the explanation in the write up:
… the company believes the hackers may have used an unknown vulnerability, a brute-force cyber attack, or through social engineering — such as a phishing operation — according to the filing. The hackers then conducted “research and surveillance” on the company, including its Microsoft Office 365 environment, for at least nine months prior to October 2019, when they moved to the “test run” phase of the attack, according to the filing.
Okay, what happened exactly? Right, the company does not know.
What about the cyber security systems in place to identify malicious activity? What about systems to identify threats? What about the vulnerabilities in the supply chain processes?
Many questions. Dribble info is interesting but not germane to the big question: How did a lengthy attack go unnoticed for months? Another question: What’s the fix?
Stephen E Arnold, May 10, 2021
Despite Acronyms, Ineffective Cyber Security Persists
May 7, 2021
I want to be brief. I read “XDR defined: Giving Meaning to Extended Detection and Response.” The write up is a commercial for a forthcoming flurry of fuzzy reports from assorted mid-tier consultants. Some of the big blue chips are embroiled in management dust ups and legal matters related to opiate marketing. So the mid-tier crowd has a chance to sell reports and billable consulting hours. Furthermore some vendors of cyber security products and services will rush to the party.
The article is about the outfit doing business as Forrester. I learned:
Forrester has released research on what XDR is, what XDR isn’t, and what clients need to look for when evaluating XDR solutions. This research is a rigorous breakdown of what to expect from XDR solutions based on interviews and survey results from XDR end users and over 40 security vendors.
Well, what is XDR in the current environment of SolarWinds, Microsoft Exchange Server, and assorted breaches involving Facebook and dozens of other outfits? XDR is shorthand for extended detection and response.
The hitch in the git-along is that cyber breaches are a today problem. Presumably many firms already have one, two, or three cyber security solutions, threat intelligence feeds, and smart software like the high-profile yet debate-sparking Darktrace.
From my point of view, existing cyber security solutions did not work for the months which the bad actors had to exploit SolarWinds. Then the Microsoft Exchange Server issue. These have been followed by VPN exploits, wonky partners with ties to ever cozy bears, and assorted database thefts.
The fix is an acronym and a report?
I don’t want to be skeptical, but the problem is that marketing is now more important than delivering cyber security information and solutions that prevent breaches. As a point of fact, systems in the US Federal government and in an unknown number of organizations are now compromised. Do we have a cyber security system capable of dealing with the sophisticated exploits used by adversaries?
The answer is, No, not XDR.
Stephen E Arnold, May 7, 2021
Russia Keeps Backdoor Into US Security Networks
May 5, 2021
Russia and the US keep each other at arm’s length. While the two countries might not officially be at war, each is wary of what the other does behind closed doors. Late last year, the US Department of Homeland Security was among the agencies breached in what is now called the SolarWinds hack. US authorities believe it was Russia’s doing and, according to Engadget, the attackers kept a back door open: “Report: Russia ‘Likely’ Kept Access To US Networks After SolarWinds Hack.”
Despite the US bolstering its firewalls and security systems in the wake of the SolarWinds hack, Russia’s SVR intelligence agency could still have access to them. Deputy National Security Advisor Anne Neuberger did not directly state that Russia still has access to the systems, but did say blaming Russia for the hacks was not going to prevent future attacks.
Russia has hacked US systems for years:
“A continued presence in American networks is consistent with history. Russia continued to mount cyber attacks against the US after the Obama administration imposed sanctions in late 2016, targeting politicians and other systems during the 2018 midterms and beyond. Even if the US successfully dislodged Russia from government systems, there was a good chance it would find another security hole.”
While the US has a robust digital security system with robust minds operating it, Russia has its own equivalent. Each country will continue to attack the other in order to have an edge in this post-Cold War world.
Whitney Grace, May 5, 2021
Amazing Moments in Cyber Security: The SolarWinds Awards
May 5, 2021
Believe it or not.
In a gem of an understatement, SolarWinds’ Sojung Lee called 2020 a “challenging year.” Lee made this assessment at his company’s recent APJ Q2 Virtual Partner Briefing where, as ChannelLife reports, “SolarWinds Celebrates Channel Partners in APJ Channel Awards.” Yes, that company gives out awards. We’re told:
“The awards recognize SolarWinds’ partners and distributors for their achievements in delivering services and expertise to customers. SolarWinds Asia Pacific and Japan vice president sales, Sojung Lee, says that 2020 was a challenging year but SolarWinds partners remained resilient.”
Resilient—yes, they would have to be. Readers can navigate to the brief write-up for the list of recipients, if curious. We just find it remarkable this list even exists at this point in time. What about these “winners’” security? We don’t know and maybe SolarWinds does not either. Sales, not security, could be job one.
Cynthia Murrell, May 5, 2021
How Are Those Cyber Security Vendors Performing? (Yes, That Is the Correct Word)
April 30, 2021
This sounds like old news. This is really new news. The trust outfit Thomson Reuters published “U.S. Government Probes VPN Hack within Federal Agencies, Races to Find Clues.” The main idea is that despite the amped up cyber security efforts, another somewhat minor issue has been discovered. The trust outfit reports:
The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it. More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records.
What’s up with VPNs? Here’s the trusted news source’s slick prose answering this question:
The use of VPNs, which create encrypted tunnels for connecting remotely to corporate networks, has skyrocketed during the COVID-19 pandemic. Yet with the growth in VPN usage so too has the associated risk.
Some questions:
- Do existing cyber security systems ignore VPN traffic?
- Do existing monitoring systems provided by vendors like Microsoft have a “certain blindness”?
- In the aftermath of the SolarWinds and Microsoft Exchange Server stubbed toes, have systems been enhanced to deal with threats which appear to operate in an undetectable manner?
Answers? No good ones, it seems. Ads and speeches. Oh, yeah! Marketing is performance art.
Stephen E Arnold, April 30, 2021, 9:42 am US Eastern