Category Archives: Microsoft

Why The Microsoft Exchange Email Hack is So Bad

The media continues to report on the Microsoft Exchange hack, likely perpetrated by China. Reports are that at least 30,000 Exchange servers in the United States are impacted and some people say that number is likely way underestimated. On top of that, the number of servers worldwide is maybe ten times that number.

Given all the media attention, you would think that everyone would, at least, install the patches. It appears that AT LEAST 46,000 servers are not patched, according to The Record.

So why is this a big deal? First, the attackers could read any email on those servers. Whatever that might contain. One organization affected was the European Banking Authority. They say that no data was accessed. Sure, we believe them.

Second, the attackers, in many cases, left behind a present called a web shell. It is a way for the attackers to get back in to the server later. Many of our IT partners decided the only way to make sure that the hackers are really out is by rebuilding the servers from bare metal, not a simple task, especially if you have to do that to tens of thousands of servers.

So lets look at the timeline involved. We are getting more details every day and this timeline is interesting. This timeline comes from Brian Krebs, who Chris Krebs, former head of DHS CISA called his brother from another brother (i.e. they are not related).

Security testing firm Devcore says they alerted Microsoft on January 5 – two months ago.

On January 6th, Veloxity spots attacks that use unknown Exchange bugs

On January 8th, Devcore told Microsoft that they had been able to reproduce the bug.

On January 27th Dubex tells microsoft about new attacks on Exchange servers.

On January 29th, Trend Micro reports in their blog about these web shells infecting Exchange servers, but incorrectly says this was allowed by a bug patched last year.

In February, Microsoft tells the folks who reported the bug that they had escalated the problem and that they had a target release date of March’s patch Tuesday, March 9th.

By the end of February, the cat is out of the bag (it is hard to keep good news secret) and security folks are seeing global mass scans of Exchange servers looking for vulnerable systems.

This forces Microsoft’s hand and they released the patches a week before they planned to, now on March 2.

By March 3rd, tens of thousands of Exchange servers have been compromised. Once the patch is out, especially knowing that it is an emergency patch, hackers worldwide reverse engineer the patch, likely within hours of it being released.

By this time it is a national security emergency and everyone from CISA (who told government agencies that they had 48 hours to patch their servers or shut them down) to the White House to the National Security Advisors are sounding the alarm bell.

On March 5th, Chris Krebs, former head of DHS CISA says that the real number of compromised servers dwarfs the numbers being reported.

Needless to say, this is a big problem.

A couple of interesting footnotes.

Microsoft says that Office 365 was not compromised. Why? Don’t know. Possibly their server configuration is different. Possibly, since they knew about the bugs in early January, they were able to tweak their security before the word got out. I vote for number 2. Apparently at this point, now that we know how the attacks work, it is easy to block new attacks.

Second, Microsoft released patches for every supported version of Exchange. That means that the bug goes back, at least, to 2013.

But wait. Microsoft even patched an unsupported version of Exchange – Exchange 2010. That means that the bugs go back at least a decade. Possibly more.

Now here is the answer that we don’t have.

Were these bugs being quietly exploited for years? Remember if you do it quietly, you probably won’t get noticed.

If so, by whom?

China?

Russia?

Private hackers?

The NSA, CIA, Others?

Foreign intelligence agencies – friendly or not?

And if so, what have they stolen?

Likely we will never know the full extent of the attack, but between the SolarWinds hack and the Microsoft Exchange attack, one thing should be clear. We came to a gun fight with a spoon. And if we do not improve on our security efforts, we are going to continue to lose.

Security News for the Week Ending Jan 1, 2021

Happy New Year. May 2021 be more sane than 2020.

Microsoft Says Goal of Solar Winds Attack Was Your Cloud Data

Microsoft says that the objective of the Solar Winds Hackers was to get into a number of organizations and then pick and choose which ones to attack, leaving the back door in place at the others for future operations. One way to do that was to generate SAML login tokens from inside the network and then use those tokens to gain access to cloud resources, including, but not limited to email. The article also provides more information on how to detect if the hackers did compromise your cloud resources. Credit: Bleeping Computer

“Swatting” Moves to the Next Level

Swatting, the practice of calling in a fake 911 call so that SWAT teams are deployed to the victim’s location based on, say, a fake kidnapping, are moving to the next level. As if having the police show up unexpected with lots of guns and breaking down your door isn’t bad enough, now the perpetrators are taking advantage of the fact that people choose crappy passwords and are watching and listening to the police assault on the victim’s own smart devices. On occasion, the situation becomes deadly when the police, not really knowing what to believe, shoot the victim. On rare occasions, the swatters, as they are called, are caught and prosecuted. Credit: Bleeping Computer

I Think The Wasabi Got a Little Too Hot

Wasabi, the cloud storage competitor to Amazon S3 that claims that it is significantly cheaper than Amazon and 99.999999999% reliable just got a little less reliable. Their domain registrar notified them of some malware hosted on one of their domains. Only they sent the email to the wrong email address. The registrar, following normal procedures, suspended their domain for not responding to an email they never got, knocking many of their customers offline.

After Wasabi discovered they had been DDoSed by their domain registrar, they suspended the offending customer and asked to get their domain back. That process took over 13 hours. Are you ready for this kind of attack from your suppliers?

That attack probably knocked several of those 9’s off their reliability, depending on how the mess with the data.

Credit: Bleeping Computer

Solar Winds Troubles Are Not Over

A second piece of malware called SUPERNOVA and a zero-day vulnerability that it exploited makes it look like there may have been a second attack against Solar Winds. This appears to be a separate attack from the Russian attack. The attack vector is different too – this is not an attack against Solar Winds code base. This spells additional trouble for Solar Winds. Credit: Security Week

Security News for the Week Ending August 23, 2019

Remember That Vague Client Alert Earlier This Week?

For those of you who are clients, you received an out of cycle client alert on Tuesday (they usually come out on Wednesday) providing a copy of the Homeland Security Alert on the Sodinokibi ransomware going after Managed Service Providers or MSPs.   It now appears that the attack on Texas towns (see below) is based on an attack on the MSP hosting the systems of those municipalities.  Assuming that is true (The state of Texas is being very vague on the whole situation), that could explain why DHS issued the alert at this time.  To reiterate the recommendation in the alert – make sure that your MSPs’ security programs are up to the task.  In the case of Texas, one town has announced that the attacker wants that town to pay $2.5 million in ransom.  Source: Bleeping Computer.

20 Texas Towns Hit by Ransomware.  Wait 23.  Wait …..

Cities and towns across the country have been hit by a wave of ransomware attacks, but of course, everything is bigger in TEXAS.

While the press release is very short on details, the Governor has called out the Texas Military Department (that is the combination of the Army National Guard, the Air National Guard and the Texas State Guard, which is an organized militia as defined in the Constitution) along with the experts at Texas A&M University (The Aggies have a world class cybersecurity capability) to help the cities impacted deal with the situation.  While Colorado was the first state to activate the National Guard to help with a cyber attack, Texas is now the third (after Louisiana) in what may become a trend. Source: KUT, Austin’s Public Radio Station. 

IRS Notifies Thousands of Cryptocurrency Traders of Back Taxes and Penalties

Not wanting to leave money – even digital money – on the table, the IRS has sent out letters to thousands of cryptocurrency traders who did not report the trades on their tax returns assessing them  taxes and penalties along with the threat of possible criminal prosecution.  Not a big surprise, but if you thought you could escape the tax man…  Of course, if you are trading peer to peer, then it is 100% unlikely that the tax man will ever find you.  Source: CNBC.

 

Huawei Goes Into Full Battle Mode

Huawei CEO Ren Zhengfei sent a memo to the company that says, in light of the US bans, that it was time for the company to go into full battle mode, making references to the military bible, The Art of War.

As President Trump effectively admitted, the ban on Huawei has only a little to do with national security and all to do with his trade war, by continuing to suspend the ban – which is affecting US companies bottom lines and user’s security.

In the mean time, Huawei says that it will build 60,000 5G base stations this year and 1.5 million next year – all without any US components.  Since other countries continue to buy Huawei equipment and US rural cell carriers say that that it will cost them more than a billion dollars to replace Huawei equipment which they do not have – meaning that they will dramatically slow 5G deployments.

Currently the US is lagging in 5G deployment and despite the President’s wishes that this is not so, this is not likely to change any time soon.  Read the details of this dance here.

 

Plan for End of Life of Software Support

End-of-life in software and hardware means no more security fixes and given the number of fixes we see every month, using software and hardware that is no longer supported is not a good plan.  No more patches does not mean no more flaws – just no more fixes for those flaws.  Hackers count on that fact.  Here is what is coming up to the end of life soon:

Python 2 on January 1, 2020 (about 4 months)

Windows 7 on January 14, 2020 (also about 4 months)

Windows Server 2008 and 2008 R2 also on January 14, 2020 (4 months).  As an incentive to get you to migrate to Azure, if you migrate your Windows 2008 servers to Azure before January 14th (and therefore pay Microsoft monthly cash), they will support Server 2008/2008 R2 for three more years.

For states with cybersecurity and privacy laws that say that you have to take reasonable measures to protect your data, it will be hard to defend in court, if you have to, that using unsupported software is taking reasonable measures.

Google to Add GMail Features – Maybe – For A Fee?

Google has a interesting strategy.  Build prototypes of products.  Show them or leak them.  See if anyone cares.   Kill them if it doesn’t work out – there are lots of examples.  After many users are already using them.

One other thing that they do is attempt to lock users into the Google ecosystem.  Of course.

Tech Crunch is reporting that Google is working on a self destructing email (like Snap Chat for email?).  But it only works if both users are on GMail and only if both users use the web client for GMail.  Sounds a bit limiting.  If one user is not using the GMail web client, they get a link instead that takes them to the web.

They may also be adding a feature to stop printing and stop forwarding.

Again, if they do, it will only work for GMail on both ends and only with the GMail web client.

Information for this post came from The Register.

So what does this mean?

Well first, what seems to be missing is end to end encryption, which seems like a pretty important feature.  

But encryption stops them from reading your email and doing things that they like to do.  They don’t read your emails to target ads – they have better ways to target ads – but they do read them for other features.

Next, the speculation is that this will only be available under the paid GMail model (GMail for business).  The paid version costs either $10 or $25 a month per user.  At that price there are competitors.

As of last year, Google said that they had 3 million paying users.  Microsoft says that they have 60 million paying Office 365 users and adding 50,000 customers (not mailboxes) a month.  Google never wants to play second fiddle.

It is certainly possible that they will give it away for free, but given that they are so far behind Microsoft, maybe not.  With GDPR taking effect in the European Union next month and other countries, not including the U.S. following the EU lead, maybe ad revenue might be less predictable going forward.  Millions of monthly paying customers might be nice.

If you are looking for a free answer for secure email, Proton mail is a good choice.  They also have a paid version with more features, but the free version is pretty good.

Office 365 has nice security features at well below $25 a month.  Microsoft has said that they are about to roll out end to end encryption for all paid Office 365 users at all levels.

The bottom line is that if you are looking for a secure email solution there are some decisions to make.  To me, Google’s solution is not so great.

 

Microsoft 0, EU 1, Users 10

Microsoft has been, ever since Windows 10 was released, on a race to collect more and more data on how you as a user do things.  While users have complained, Microsoft remained steadfast and not only did not change its habits, but also remained pretty quiet as to what data they were collecting.

Then the E.U.’s Working Party 29 (WP29) came along.  Last year the E.U. started investigating Microsoft’s privacy practices.  The E.U. has a different perspective on privacy than the U.S. does.

In fact, in the E.U., come next year when the General Data Protection Regulation (GDPR) goes into effect, a company can be fined up to 4 percent of the annual global turnover (revenue).

Apparently, Microsoft decided that this was not a game of chicken that it wanted to play and so they folded.

So, what did they do?

First, they added a privacy section to each user’s web account (https://account.microsoft.com/privacy ) that  allows a user to see his or her browsing history, search history, location history and Cortana history, among other data.

Then they added a new privacy panel in the Windows 10 release that is going out next week (called Creators Update).

Here is a screen shot of the new panel:

Next, they updated the privacy statement on their web site at https://privacy.microsoft.com .

While all of this is interesting, what is the most interesting is that they finally outlined what data on you and me they are collecting in Windows 10.

They posted two Wiki pages detailing the information that they are collecting.   The two pages represent two different data collection options that a user has, basic or full.

This is, by far, the most information that Microsoft has published to date on Windows 10 data collection practices.

While you cannot turn off all of the collection activities, at least we now know what data is being collected.  I am sure that researchers and reporters will be combing over this data in the days and weeks ahead to give us a better view of what this means.

A few of the data types they are collecting include:

  • OS name, version, build, and locale
    User ID
    Xbox UserID
    Device properties
    Device capabilities
    Device preferences and settings
    Device peripherals
    Device network info
    App usage
    App or product state
    Login properties
    Device health and crash data
    Device performance and reliability data
    Installed applications and install history
    Device update information
    Content consumption data (movies, TV, reading, photos)
    Microsoft browser data
    Information about local search activity
    Voice, inking, and typing
    ​​​​​​​Licensing and purchase data

And just think. All it took was the threat of WP29 fining Microsoft up to $4 billion.  I guess, even to Microsoft, $4 billion is a lot.

Information for this post came from the Bleeping Computer.

Security News: Apple, Microsoft and Lastpass

A few short items today.

First, Lastpass, one of the two password managers that I like (the other is Keepass) has been hit with three different security bugs in the last couple of weeks.  This is due to the fact that Google Project Zero security researcher Tavis Ormandy has put Lastpass in his sights.  The first two bugs were each patched within a day of Tavis’ disclosure to Lastpass, which compared to many other companies, is pretty amazing.  The third one has not been fixed yet and Tavis says that is a fundamental architectural issue and cautioned Lastpass to take some time and fix it right.  Lastpass automatically updates it’s software, so as soon as the patches are available, they will be installed across the entire user base.

These bugs highlight the conflict between security and convenience.  All of the bugs are related to integrating Lastpass into the browser so that users can have it automatically push userids and passwords to a website’s login page.   If you did not do the browser integration, then none of these compromises would work.  Keepass does not have any browser integration so it is not susceptible to these types of attacks.  The downside of not integrating it is that users have to look up and type or copy/paste the passwords manually, which, of course, is not so convenient.

I absolutely still recommend password managers and if you are on the overly paranoid side, disable Lastpass’s browser integration until these issues are resolved.

On the Microsoft front, they run a web site called Docs.com, which they bill as a way to showcase your documents.  While no bugs were found, by default, documents uploaded to Docs.com, but not those created in Office 365, DEFAULTED to public viewing.  With this setting search engines indexed the files  and a number (like thousands) of very sensitive documents like passports, password lists, medical records and other documents were exposed.

After this was publicly revealed Microsoft made a change to the site.  While uploaded documents are still public by default, you get a huge warning telling you that and it pushes you down on the page where you can easily change that setting – but only for that document.

This means that the user needs to pay attention and make sure that the permissions on documents are what they want them to be.  Why the permissions on Office 365 documents are different than on uploaded documents is still a mystery to me.  Seems like you should set it to default to private and make people intentionally share it if that is there intention, but that is not what Microsoft is doing right now.

This is a reminder to all users of cloud storage systems such as Box, Dropbox, Google Drive and others to make sure that the privacy settings on documents are what they expect.  In many cases, if you send someone a link to a document, then anyone who has access to the link can open the document.

Finally, Apple just released IOS 10.3.  To dispel the myth that Apple is a superhero, the list of bugs is pretty long.  Apple, while very security conscious, still uses human beings to program their software (as far as I know) and humans make mistakes.  If you have not installed the  new version, you should as attackers use these announcements to exploit vulnerabilities in non-updated software.  A partial list of the count of bugs fixed by category includes:

  • Accounts -1
  • Audio -1
  • Carbon -1
  • CoreGraphics – 2
  • CoreText –  3
  • Data Access -1
  • Font Parser – 3
  • HomeKit – 1
  • Http Protocol -1
  • ImageIO – 4
  • iTunes Store – 1
  • Kernel – 8
  • Keyboards – 1
  • Safari -4
  • Safari Reader – 1
  • Safari View Controller – 1
  • Security – 4
  • Webkit – 17 (this is the basis of Safari)

And a bunch of others.

As you can see, this fixes bugs all over the operating system, not just in one area.

This is not a dig at Apple , just a reminder that you really do need to make sure that your Apple (and other) devices stay updated.

Information for this post came from Steve Gibson at Gibson Research.  If you are not familiar with Steve’s security podcast, I highly recommend it, but it is a bit geeky.