Security Now 974 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson's here. He's ready. He's champing at the bit, excited to get the show on the road. He's going to talk about what we learned by examining 3.4 million four-digit PINs. You guys have some bad habits. He'll also talk about an interesting old-school approach to solving the GPS fuzzing problem. And then Microsoft and how they're getting serious about cloud-based services security, or are they? It's a big yellow taxi moment coming up next. He'll explain on Security Now.

0:00:35
Podcasts you love. From people you trust. This is TWiT.

0:00:50 - Leo Laporte
This is Security Now with Steve Gibson, episode 974, recorded Tuesday, May 14th, 2024: Microsoft's Head in the Clouds. It's time for Security Now, the show where we cover the latest news from the security-verse, as it were.

0:01:10 - Steve Gibson
Second verse same as the first there you go.

0:01:13 - Leo Laporte
That's Steve Gibson, the guru around here when it comes to security, privacy and technology in general. Hi Steve, hi Steve, yo Leo.

0:01:22 - Steve Gibson
It's great to be with you again for this May 14th episode of Security Now, as we continue to approach 999. Wow, I actually had intended to make time to take some of these whiskers off, but I ran out of time, so our audience will have to. Those unfortunate enough to be watching the video can just bear with us.

0:01:47 - Leo Laporte
You're with it. That's hip now to have a little bit of a beard and a little scruff. Hey, see, if you just wait long enough, it all comes around. Are you?

0:01:56 - Steve Gibson
a three blade, a four blade or a five blade guy. Oh God, there was the greatest piece that SNL did back in the day. Remember that.

0:02:09 - Leo Laporte
And the tagline was "because they'll believe anything." It was their response, I think, to two blades. But anyway, uh, it was so old that they thought five blades was funny, and then, in fact, that's exactly what we got now.

0:02:24 - Steve Gibson
I think it's the more the merrier. As far as the blades go, all the blades, that's right. So, okay, this is another of those episodes where there's such rich topics to discuss that we're going to do a few of them, rather than a gazillion little titty-bitties topics. Careful there, uh, yeah. So we're gonna look at what fascinating insights we have obtained from the examination of 3.4 million four-digit PINs. The oh, I this.

0:03:04 - Leo Laporte
I know what you're talking about.

0:03:06 - Steve Gibson
I saw this. I posted this picture, a heat map that we'll be describing in detail here in a minute, on Twitter yesterday. Nothing I have ever posted before has generated so many little heart things, likes I guess we call them when we're a hipster, like I am, with my unshaven face. So that's going to be a lot of fun. We're also going to look at an interesting surprise, which is the plan that is already underway as a backup for today's vulnerable GPS technology, which we talked about, we opened the show with, last week. That was, you know, like looking at what Russia is doing over in the Baltics and the vulnerability that we may not be taking seriously enough. It turns out we've got an answer for that.

Also, there was a lot of feedback from our listeners, who are avid passkeys users, about their experiences. I want to share some of those and essentially correct the record about one aspect that was wrong from last week, and then we're going to take, as the title of today's podcast suggests, which is Microsoft's Head in the Clouds, a look at a topic that everybody else in the industry has already covered, but we haven't yet here, and we're going to do it in our own way, as we always do, which is, you know, Microsoft's promise to get serious about their cloud-based services security. What happened? What has been found? And we have an interesting take, as we always do, so I think our listeners are going to have a great podcast.

0:05:00 - Leo Laporte
Surprise, surprise, you're going to have a great podcast. Well, we're very excited about that. Uh, meanwhile, let me talk about one of our great sponsors, as we get ready. Picture of the week coming up as well. Uh, today we're sponsored by, you probably heard me talk about them, 1bigthink. It's a brilliant idea, uh, designed especially for businesses kind of like ours, small to medium businesses who are faced with seemingly insurmountable issues with privacy and AI compliance.

Regulation has taken the world by storm and, in fact, those regulations are changing, it seems, almost daily, which means any organization that wants to operate in public has to embrace concepts like privacy by design, transparency, purpose limitation, data minimization, data subject rights. If all that sounds like words to you, you need some help. Mid-sized high growth organizations need to focus on what they're doing. As we sometimes say, stick to their knitting. They don't have time to keep a full-time, or the money or really even the volume of work to keep a full-time privacy and AI team busy. And, of course, you're competing with other giant companies like Google and Facebook, and you know to get that talent. How are you going to solve this problem? It's really a conundrum. Well, that's where 1bigthink comes in. The number one B-I-G-T-H-I-N-K dot com. 1bigthink does the job for you of a data protection officer, of an AI privacy expert.

With 1bigthink services, you're guided by an experienced executive who essentially becomes your DPO, your data protection officer. This is an enterprise security role. It's a leadership role responsible for overseeing data protection strategy compliance and implementation to ensure compliance with GDPR, in California the CCPA, the CPRA and so on. There's lots of interlocking regulations, as you know. That's part of the world we live in today. A DPO can help and it's kind of something you need, but if you're a mid-sized company focused on growth, you probably, who's got time, who's got the money. The DPO is going to be an expert in data protection law and practices.

Okay, this is what you would have to find: somebody with broad and deep information, privacy, compliance and data processing skill sets across multiple industries, including your own, obviously. A complete understanding of IT infrastructures, technologies and technical and organizational structures in your industry. This person's also a manager at a high level, so you have to have excellent management skills, the ability to interface easily with internal staff at all levels. I know where you can find one: 1bigthink. You also get an AI expert.

1bigthink's AI compliance service is designed to integrate with your organization's privacy program and provide the required governance, compliance and assessment activities that those regulations require. Are you ready for all that? Have you tried to hire somebody like that? It's hard to do. That's why you need 1bigthink. They'll help you raise awareness of and train staff on all these regulatory requirements and issues with AI and compliance.

You want to know more. I think you need to know more. Do me the favor. To learn more about how to give your organization sustainable privacy and AI compliance, you just do one thing: visit the website. It's easy to remember: 1, the number one, 1bigthink.

Go there right now. 1 B-I-G-T-H-I-N-K.com. Just ask for information. Find out what 1bigthink can do for you. It's one of those things I think companies put off. Oh well, yeah, well, yeah, I know, I got to do the privacy thing. I got to do the compliance thing. I know, I know, I know, and you put it off. Maybe you post a listing. Good luck finding somebody. Good, this is the way. It's easy, it's straightforward: 1bigthink. We thank them so much for their support. They love you, Steve. They said there's only one place we can be in the whole wide world and that is Steve Gibson, Security Now. So support Steve by going to 1bigthink. That's because of our listeners. We got the best listeners in the world, absolutely. All right, I'm ready for, uh, picture time. So yeah, this is just a quick, simple cartoon.

0:09:40 - Steve Gibson
Uh, we've got two people sitting behind their laptops. Uh, one is sort of curious about what the other one is doing and she looks over at his screen and says, "What are you doing on the dark web?" And his reply is, "I forgot my password, so I'm looking it up."

0:10:00 - Leo Laporte
Of course the NSA knows, and it's not them, the hackers.

0:10:05 - Steve Gibson
That's where you'll find your password on the dark web. You bet, you bet that's awesome. Okay, so this, as I said, this is just a great chart. This is from the Information is Beautiful project, which, you know, demonstrates that if you graph things in creative ways, you could learn a lot, and this is a perfect example of that. 3.4 million four-digit PINs, which were obtained from multiple data breaches, were aggregated. Now, you know, this is a wonderfully enlightening graphic chart that I want to share. Unfortunately, the terms graphic chart and listeners are at odds, so you know you're going to have to describe it.

Steve, yeah, I'm going to note that this delightful chart is at the top of this week's show notes. Yeah, you need to see it. I tweeted it and I gave it a permanent GRC shortcut of PIN, P-I-N, so anybody can see it at any time at grc.sc/pin. Okay, but you know I can do this verbally also, okay. So this chart, as I said, takes 3.4 million four-digit PINs which were recovered from and disclosed by multiple data breaches. Now, of course, a four-digit PIN can have any value between 0000 and 9999. So there are 10,000 possible PINs and this wonderful chart contains 10,000 little itty-bitty squares arranged in a flat two-dimensional map. So it's got rows, you know. It's got 100 rows and 100 columns and, of course, 100 times 100 is 10,000. So one way to think of this is that the first two digits of the PIN, which, you know, 00 through 99, specify one axis and the last pair of digits specify the other. So every single possible four-digit PIN has its own square on this chart and, within this 3.4 million PIN data set, the relative number of times every single possible PIN appears in the data set determines the brightness of its square on the chart. Okay. So what do we learn from this?

Okay, possibly the most prominent feature is a bright diagonal line running from the lower left corner of the chart, where both of the first two and the last two digits are 00, to the chart's upper right corner, where the first two and the last two digits are both 99. The diagonal line, then, is formed by all of the intermediate squares where their first two and last two digits are identical, you know, and naturally, like 00 in the far lower left. That's bright, because a lot of people just chose 0000 as their PIN. And similarly, the very far upper right corner, also very bright, because 9999 is, you know, many people's PINs. So there is, you know, some variation in the brightness along the diagonal, which is interesting, you know, and of course, human nature being what it is, the PIN 6969 appears to be overrepresented relative to its neighbors. No surprise. Two other solitary bright spots would also not surprise anyone. They are the locations of the 1234 and 4321 PINs.

Not very creative and thus bright on the map. Another really interesting prominent line is the 20th line, up from the bottom, since lines are numbered from zero. The 20th line is the line for all PINs beginning with 19. And what's so interesting is that the line gets gradually brighter as it moves to the right, then dims a bit toward the end and wraps around a bit to the 20 line on the left. So what's going on here? Well, if you guessed people's birth year, you would be correct. PINs often begin, it turns out, with 19. And they appear to be brightest somewhere around 1980 seems to be the place where it's most. You know, most people have their PINs clustered there.

0:15:18 - Leo Laporte
A lot of 40-year-olds, exactly. I would have thought it would be the baby boomers that would be the brightest, but maybe not.

0:15:27 - Steve Gibson
Yeah, it's kind of fading out for us, Leo. On the other hand, then, so are we? Yes, yeah. Another notable feature is a generally brighter region down at the lower left of the chart. This would be where both the first two and the last two digits form low numbers. Okay, why? Because people use their month and day of birth within the month, running from 1 to 12, of course, for the month and then day of month 1 through 31.

And, what's interesting, there's a brighter horizontal stopping at 12 than the vertical stopping at 12, both of which, however, are clear. This indicates that most people chose the ordering with the month first and the day of month second as their PIN. Now, stepping way back from it and looking at the overall illumination, there's a top to bottom brightness variation, with it being brighter at the top and dimmer toward the bottom, suggesting that most PINs have low starting numbers, but there's less left-to-right variation. So people are generally choosing four-digit PINs with, as I said, smaller first two digits but, for some reason, more randomly distributed last two digits. And the final, really interesting observation is that, whereas most of the chart shows varying shades of illumination, there are around 40 distinct cells that are black or nearly black, like, I mean dramatic contrast against their neighbors. In other words, out of all 10,000 possible four-digit PINs, there are around 40 of those that are significantly underrepresented. Isn't that weird, isn't that so odd?

Yeah, for some reason, it looks kind of randomly, randomly distributed, but maybe not. Yeah, well, it's well.

0:17:50 - Leo Laporte
Most of them have high.

0:17:51 - Steve Gibson
Almost all of them are, yeah, yeah, almost all of them are in the upper third of the chart, so their first two digits are larger. Um, for some reason, for example, very few people have chosen 6806. So if you're looking for a lesser chosen four-digit PIN, there you go in there.

0:18:16 - Leo Laporte
That's right, or 60, whatever this one is. You know it's interesting, there are three dots on the 68 line.

0:18:23 - Steve Gibson
Yeah, and in fact that first one on the 68 line was the 6806 that I just chose to highlight. But you're right, and there looks like there's also three on the 60 or on the 70 line. Huh, I mean, it's really non-random in that area. Okay so, and as for the extremely low entropy skewing observed in the data set, again, low entropy skewing, get this. Just the top 20, the top 20 most used PINs out of, remember, the 10,000 that are possible? Right. Just the top 20 account for 27% of all PINs observed in use. Oh, that's terrible.

Top 20 are 1234, 0000, 7777, 2000, 2222, 9999, 5555, 1122, 8888, 2001, 1111, 1212, 1004, 4444, 6969, 3333, 6666, 1313, 4321 and 1010.

0:20:03 - Leo Laporte
If any of those sound like your pins, you're in trouble. Yeah, just very, very well means you can guess you know 10 or 20 and have a one in four chance of being right.

0:20:08 - Steve Gibson
Right, um, if, if, for example, something prevented you from brute forcing all 10,000, you would absolutely want to go for those 20. Yeah, as your first, as your first 20 guesses.

0:20:22 - Leo Laporte
It also means you should use more than four digits in your PIN, right?

0:20:26 - Steve Gibson
Yeah, yeah. So I think we're still at four-digit PINs, purely for historical reasons. It's just you know. It's because that's you know. Once upon a time we didn't have computers and people had to actually remember them, and I'm sure a lot of people used their month and day of birth or the last four digits of their Social Security number or digits from their license plate or something, the point being four digits. That was all they could actually remember. We didn't have technology to say, oh yeah, no, here, here's a string of 20 digits you know. Repeat after me pick something.

0:21:10 - Leo Laporte
You know what I always do is I pick the last four digits of a phone number, not my current phone number, but maybe my childhood phone number or a phone number I particularly remember, because those are mostly pretty random. They certainly don't have anything to do with my birth date, I don't know, or just pick something random.

0:21:36 - Steve Gibson
You can remember four digits or better yet, use an alphanumeric password, not a PIN. Yeah Well, and of course, back once upon a time. Oh no, I was going to say once upon a time. We were keying them into our touch-tone phones in order to authenticate ourselves.

0:21:48 - Leo Laporte
Oh yeah, right.

0:21:48 - Steve Gibson
But even then, unless you used Q, I think was Q missing. I think Q was missing.

0:21:54 - Leo Laporte
Q was missing. That's right.

0:21:56 - Steve Gibson
There were a couple things that were not there.

0:21:57 - Leo Laporte
You know where these are. Mostly still used is on ATM machines. I don't know of any ATM machine that uses more than four digits.

0:22:05 - Steve Gibson
Yeah, Right Again because there's some back end, some old creaky back end machine that could only take four digits.

Anyway, this was a huge win for our audience, who got a big kick out of it. So again, if you want to see what we were talking about, grc.sc/pin, and that will bounce you over to my site. I grabbed the. I actually could have just pointed to it. The original source was over on Reddit and I think it got tweeted to me, but I was afraid that that might not last. You know that could disappear. So I grabbed it and stuck it on GRC's server, just because it's just such a cool infographic. Okay.

We started off last week with the piece in Wired about the growing threat to GPS. While the mischief Russia has been getting up to in the Baltic region is, you know, quite localized, we also noted that space is sadly not necessarily a benign environment anymore. A piece of our listener feedback, which was generated by this discussion last week, led me to look at what's being done about. This is testing an updated version of the Loran system, which was shut down in the 1980s, called eLoran. I've been monitoring the eLoran test signals on 100 kHz since August of 2023. My ancient Loran receivers woke up and started giving me timing signals output again at that time and have been receiving continuously ever since.

Okay, so this note from Sean got me to poke around a bit, and I quickly learned that indeed, there is an acute recognition of the inherent vulnerability of any satellite-based navigation system. Loran is an abbreviation for long-range navigation and the E in eLoran stands for enhanced. The original Loran dates back from World War II. It's a ground-based navigation system that operates entirely differently from GPS and, of course, entirely differently is what you want in something that's going to withstand an attack on GPS. You want something very orthogonal to the thing that you're trying to create a second solution for. I found an interesting summary on the site GPS World.

The article's title was "eLoran Part of the Solution to GNSS Vulnerability." Under the heading "Opposite and Complementary," the article leads with "Though marvelous, GNSS are also highly vulnerable. eLoran, which has no common failure modes with GNSS, could provide continuity of essential timing and navigation services in a crisis." So here's what they explain. They said indistinguishable from magic. Yet it also has several well-known vulnerabilities, including unintentional and intentional RF interference, the latter known as jamming, spoofing, solar flares, the accidental destruction of satellites by space debris and their intentional destruction during an act of war, system anomalies and failures and problems with satellite launches and the ground segment.

Over the past two decades, many reports have been written on these vulnerabilities and calls have been made to fund and develop complementary positioning, navigation and timing, which are collectively referred to as PNT, positioning, navigation and timing, PNT systems. In recent years, as vast sectors of our economy and many of our daily activities have become dependent on GNSS, these calls have intensified. A key component of any continent-wide complementary PNT would be a low-frequency, very high-power ground-based system because it does not have any common failure modes with GNSS, you know, collectively meaning satellite-based, which are high-frequency, very low-power and space-based. Such a system already exists in principle. It is Loran, which was the international PNT gold standard almost 50 years prior to GPS becoming operational in 1995. At that point, Loran-C was scheduled for termination at the end of 2000. However, beginning in 1997, Congress provided more than $160 million to convert the US portion of the North American Loran-C service over to enhanced Loran. In 2010, when the US Loran-C service ended, it was almost completely built out in the continental United States and Alaska. During the following five years, Canada, Japan and European countries followed the United States' lead in terminating their Loran-C programs. Today, however, eLoran is one of several PNT systems proposed as a backup for GPS. Okay, so, first of all, it's great news that the US has been seriously looking into a backup technology.

Since I think our listeners will find this interesting, I'll share a little bit of background. In the 80s, this author writes, he says, I used Loran-C to navigate on sailing trips off the US East Coast. It had an accuracy of a few hundred feet and required interpreting blue, magenta, black and green lines that were overprinted on nautical charts, and we'll get to why that is here in a minute. The system was a modernized version of what was originally launched in 1958, a radio navigation system first deployed for US ship convoys crossing the Atlantic during World War II. Its repeatability was greater than its accuracy. Lobster trappers could rely on it to return to the same spots where they'd been successful before, though they may have had some offset from the actual latitude and longitude. By contrast, eLoran has an accuracy of better than 20 meters and in many cases, better than 10.

It was developed by the US and British governments in collaboration with various industry and academic groups to provide coverage over extremely wide areas using a part of the RF spectrum protected worldwide. Unlike GNSS, which is to say GPS, eLoran can penetrate to some degree indoors, under very thick canopy, underwater and underground, and it is exceptionally hard to disrupt, jam or spoof. Unlike Loran-C, eLoran is synchronized to UTC and includes one or more data channels for low-rate data messaging, added integrity, differential corrections, navigation messages and other communications. Additionally, modern Loran receivers allow users to mix and match signals from all eLoran transmitters and GNSS satellites in view. For the eLoran system to cover the contiguous United States, between four and six transmission sites could provide overlapping timing coverage and 18 transmission sites could provide overlapping positioning and navigation.

Okay, the article quoted Charles Schue, the CEO of UrsaNav. He said, quote, "Think of a resiliency triad consisting of GNSS (global), eLoran (continental) and an inertial measurement unit with a precise clock. It is extremely difficult to jam or spoof all three sources of location and time at the same time, in the same direction and to the same amount." In other words, great for protecting ourselves. So it's cool that Sean's ancient Loran receivers woke up and began picking up Loran signals. I don't know where he's located, but the intention is to cover the continental US with multiple overlapping transmitters.

The author of that article said, quote, "It had an accuracy of a few hundred feet and required interpreting blue, magenta, black and green lines that were overprinted on nautical charts." Right. So why these fancy charts? Imagine for nautical navigation, so you're out on the ocean somewhere, that two synchronized radio transmitters have been placed on the coast several hundred miles apart. These two stations both emit a pulse of radio frequency energy at precisely the same time and the pulses radiate outward spherically from each station at the speed of light, so 186,000 miles per second. So the ship at sea will receive these two pulses, but it does not know when they were sent. So it doesn't know its distance from these transmitters. The only thing it knows is the relative timing separation between them when they arrived.

Now you can get out a pencil and paper and play with this a bit, but the Loran system is called a hyperbolic positioning system because any given pulse separation describes a hyperbola.

In other words, when a ship received a pair of pulses, their relative spacing would tell the ship's navigator which of many possible hyperbola plotted on their navigational charts the ship was currently sitting on. It would not yet have any way of knowing where it was sitting along that hyperbola, but it would have that one piece of information. The ship would get a fix on its position along that hyperbola by tuning to a different pair of transmitters. It would get another pulse spacing which would identify another hyperbola on the navigation chart and its location would be at the intersection of the first and second hyperbola. So that's the way we located ourselves back during World War II.

The good news is that today we have far more advanced technology with integrated circuits and fancy computers that can do all of this for us. But what hasn't changed is the decision to use low-frequency, high-power terrestrial transmitters to provide precise timing and location data as a backup for GPS. It's dispiriting to imagine that we might need it, but what's been going on over in the Baltics with Russia and GPS probably helped to get those projects funded here in the United States. So just a little very cool bit of technology.

0:34:58 - Leo Laporte
It's really interesting. Yeah, Very cool.

0:35:00 - Steve Gibson
Yeah, hyperbolic positioning system, and on that note, let's take a non-hyperbolic break, and then we're going to talk about passkeys. Yes, indeed coming up.

0:35:12 - Leo Laporte
But first, a word from our sponsor, the fine folks at Zscaler. The Z in Zscaler stands for zero trust. That's what makes Zscaler the leader in cloud security. It's no surprise cyber attackers are now using AI, right, using it in creative ways to compromise users and breach organizations. I just saw the other day, a couple of days ago, the CEO of WPP, big global advertising agencies, uh, had his voice impersonated with a deep fake to an employee asking him to open an account, transfer some money. For everything from high precision phishing emails to voice and video deep fakes of CEOs and celebrities, they're out there using all the tools at their disposal, which shouldn't be a surprise. I, that's what the bad guys do. But in a world where employees are working everywhere, apps are everywhere, your data is everywhere, what are you doing to protect yourself? Firewalls and VPNs are failing to protect organizations. They're just simply not designed for these distributed environments and AI-powered attacks. In fact, as we learned last week with Option 121, firewalls and VPNs have become the attack surface, right? In a security landscape where you've got to fight AI with AI, the best AI protection comes from having the best data. You've got to know what's going on out there, right?

Zscaler has extended its zero-trust architecture with powerful AI engines that are trained and tuned by 500 trillion, with a T, daily signals. That's kind of amazing, but that's what you have to do. These block advanced threats, even brand new advanced threats. That's why you want those 500 trillion daily signals to discover and classify sensitive data everywhere. Oh, Jim's got a laptop at a coffee shop and he's got the company quarterlies on there. I don't know what are we going to do. Generate user to app segmentation and that limits lateral threat movement. Quantify risk, prioritize remediation and generate board ready reports. Got to keep the board happy. Learn more about Zscaler zero trust plus AI to prevent ransomware and other AI attacks by gaining the agility of the cloud. Not a surprise, it's from Zscaler. Experience your world secured. Visit zscaler.com/zerotrustai. That's zscaler.com/zerotrustai. We cover security from A to Z with this guy right here, Steve Gibson, and on we go with the show.

0:38:12 - Steve Gibson
So, okay, a number of bits of feedback from our listeners. Jeff Erwin, he said, just listened to SN. Passkeys are even worse, based upon website implementation. Some sites, get this, use a cookie to know, he has in air quotes, they issued you a passkey. Oh wow, so even with 1Password, which supports and synchronizes among passkeys or among browsers, he says, I can't use the passkey from a different browser than originally set. He says CVS Pharmacy is one with this bad implementation. Thanks for all your great shows.

Rg tweeted regarding passkeys. For what it's worth, every website I have set up with a passkey has let me set up multiple passkeys, so I have not been limited to a single ecosystem. Lachlan Hunt tweeted regarding what you said in episode 973 about passkeys. You'll be happy to hear that every single account for which I've been able to register a passkey and store in 1Password has been able to support registering multiple passkeys. For some of my most important accounts, I've registered additional passkeys stored on my YubiKeys. In my experience, storing passkeys in 1Password has been fantastic. The only major issue I've encountered has been with certain sites, for example PayPal and LinkedIn, that do browser sniffing to unnecessarily prevent passkeys from being used within Firefox. This can usually be worked around by simply spoofing the user agent string. Why?

0:40:01 - Leo Laporte
would you do that?

0:40:02 - Steve Gibson
That's weird. We've talked about poor implementations, so poor implementations certainly exist, and Miguel Farad said, Hi, Steve, in SN 973, you read Dave Brenton's questions about using a backup YubiKey. To complement your answer, I'd like to share my personal experience. I've owned two YubiKeys for several years, one with me all the time and a backup stored in a safe place. Some services like Gmail, GitHub and Bitwarden allow us to register more than one YubiKey. In case of Bitwarden's family plan, it allows registering up to five YubiKeys. I guess it should be the same for Bitwarden's individual premium plan. Unfortunately, he writes, PayPal only allows registering one YubiKey. Regarding the question, can the same key be applied to two different people? He says the answer is yes. If we're talking about the physical key, YubiKey, each service will use one of the 25 available slots inside the YubiKey, regardless of the person owning the account. He finishes, I hope this information can be useful to our other SN listeners. All the best, Miguel.

Okay, so last week's discussion of this generated, as I've said, significant feedback from our listeners and the thing that stood out more than anything was that everyone showed a somewhat different set of facts. Some said that WebAuthn FIDO2 providers would allow any number of passkeys to be registered with a service. Some said that only one could be and others, like Miguel, noted that this varied by provider, with PayPal, for example, only allowing for a single registration. If this were true, it would mean that separate his and her YubiKeys could not be used with some services, but all other listeners noted that they had never encountered a site that did not allow for any number of passkeys registrations, and doing so is part of the passkeys specification, so all sites should. I went over to PayPal to take a look, and their passkeys management page makes it very clear that they support multiple passkeys without any trouble.

However, PayPal appears to only support passkeys generated by iOS and Android devices. Its FAQ is quite clear about that, and there's no mention of YubiKeys. So perhaps that's what stopped Miguel. He didn't actually register a passkey at all over on PayPal. He was using PayPal's longstanding and much older multi-factor authentication. Football my first football yeah, the multi-factor authentication over on PayPal. But this further demonstrates the mess that we're currently working through, the fact that something stopped Miguel, even though he has a perfectly secure authentication device, arguably even though you know smartphones are now very secure. But you know you could argue that you could make a strong argument that the YubiKey, being so focused and single purpose and simpler, you know, and doesn't have multiple radios hooked to it, is more secure than the two smartphone brands that PayPal does support. But this all shows that we're still in the early days of this technology.

You get a YubiKey which supports passkeys. PayPal supports passkeys, but PayPal won't support a passkey generated by a YubiKey. One thing that all of the feedback made very clear was that many of our listeners have jumped into the passkeys world with both feet. They like them and I think that's great, really. I think that those of us in the industry who are grousing at the moment and Paul Thurrott, for example, went on a nice rant again about this last week- Easily triggered.

Yes. Well, no all of the users are doing. Those of us in the industry are ranting because we're disappointed with the rollout and are impatient for passkeys to live up to their potential. We know that change takes time and that this is still the very early days for this new technology. Browser and browser extension support for original username and password authentication has created a system that's mostly good enough for now, with second-factor authentication adding additional protection where needed. Your football Leo. None of us can predict the future and today's passkeys support remains really disappointing, thank you.

Relative to how slowly new technology is adopted, passkeys only became available yesterday. Once the various kinks are ironed out and any device we wish to use can supply a previously generated passkey to a website, the traditional problems with passwords will begin to fade. I think that the most compelling use case of all is the typical user. You know there are a lot more money of those typical users than there are listeners to Security Now. The typical user, who has no interest whatsoever in any of this. They could care less. They're using an iOS or Android smartphone, a Mac or a Windows device having strong biometric hardware authentication. They visit a site which newly supports passkeys, and the site says hey, how would you like to never need to use a username or password to log in with this device ever again? You know, who's not going to click yes? Any regular user will think that's great. Pass keys are annoying as hell. If I don't need to use one here anymore, count me in.

Presumably and this is what remains unknown whether and to what extent, additional sites will offer this support over time. If it does succeed in setting a new standard, then passkeys will just gradually and organically seep into the world and become the way Internet users authenticate. I think you know we're excited by the potential those of us who are into the technology and we want it to happen immediately, but it's just going to take some time and clearly a lot of the listeners of this podcast have been curious about this and mostly their experiences have been all good, which I think is great. Okay, Microsoft's Head in the Clouds. SC Magazine's headline read Sweeping Cybersecurity Improvements Pledged by Microsoft and follows with numerous cybersecurity incidents. I'm sorry, numerous cybersecurity.

0:48:16 - Leo Laporte
Well, there were incidents, but they wrote numerous cybersecurity enhancements, enhancements in response to incidents, that's what it was.

0:48:24 - Steve Gibson
Will be adopted by Microsoft to address the woeful security failures driven by poor cybersecurity practices and lax corporate culture identified in a report issued by the Cyber Safety Review Board last month. And SecurityWeek carried the headline Microsoft Overhauls Cyber Security Strategy After Scathing CSRB. That's the same. This the Cyber Safety Review Board report. And then they follow with. Microsoft security chief Charlie Bell pledges significant reforms and a strategic shift to prioritize security above all other product features, basically saying we're going to stop with the features here, although one could argue that they're not stopping with their AI push, but otherwise we're really prioritizing security.

Now, anyone who's been following this podcast for the past year will have heard me go off on Microsoft over their truly astonishing, apparent lack of concern or accountability over egregious security practices. Doing so always leaves me feeling a bit odd, since I'm sitting in front of Windows machines. All of my coding for the PC has been for Microsoft operating systems, from DOS through desktop and server, and I love the Windows working and development environments. But, as we've clearly documented on this podcast over and over, security researchers repeatedly hand Microsoft every detail, complete with working proofs of concept, demonstrations for various vulnerabilities, which Microsoft will seemingly ignore for months and even years, until that vulnerability is actually used to cause a highly public catastrophe, and only then will Microsoft apparently think huh, why does that exploit path have a familiar ring to it? Right, you know, and we understand why. Right, Microsoft is a monopoly. You cannot build a large modern enterprise without Microsoft glue. Too many things require Microsoft. So the simple fact is Microsoft does not have to care, and we've seen example after example of Microsoft not doing anything it does not want to do. All of this makes Microsoft's recent pronouncements about their new focus upon security all the more interesting.

Two weeks ago, the Cybersecurity Dive site posted an article with a headline that caught my eye. They wrote at Microsoft, years of security debt come crashing down, and the subhead was critics say negligence, misguided investments and hubris have left the enterprise giant on its back foot. They wrote years of accumulated security debt at Microsoft are seemingly crashing down upon the company in a manner that many critics warned about but few ever believed would actually come to light. Microsoft is an entrenched enterprise provider, owning nearly one quarter of the global cloud infrastructure services market and, as of the first quarter last year, nearly 20% of the worldwide software-as-a-service application market, though not immune from scandal. In the wake of two nation-state security breaches of its core enterprise platforms, Microsoft is facing one of its most serious reputational crises. Adam Meyers, Senior Vice President at CrowdStrike, said it's certainly not the first time a nation-state adversary has breached Microsoft's cloud environments. After so many instances, empty promises of improved security are no longer enough. Okay, now to review a bit.

In January, Microsoft said a Russia-backed threat group called Midnight Blizzard gained access to emails, credentials and other sensitive information from top Microsoft executives, as well as certain corporate customers and a number of federal agencies. We're going to see that the numbers were actually somewhat worse than that. Then, in early April, the Federal Cyber Safety Review Board released a long-anticipated report which showed the company failed to prevent a massive 2023 hack of its Microsoft Exchange Online environment. The hack by a People's Republic of China-linked espionage actor led to the theft of 60,000 State Department emails and gained access to other high-profile officials. Actually, many. Just weeks ago, CISA issued an emergency directive to order federal civilian agencies to mitigate vulnerabilities in their networks, analyze the content of stolen emails, reset credentials and take additional steps to secure Microsoft's Azure accounts. While the order only applies to federal civilian executive branch agencies, CISA warned other organizations could be impacted.

For many critics of Microsoft, the events of the past nine months are the logical conclusion of a company that has ridden the wave of market dominance for decades and ignored years of warnings that its product security and practices failed to meet the most basic standards. AJ Grotto, the director of the Program of Geopolitics, Technology and Governance at the Stanford Cyber Policy Center and a former White House director for cyber policy, said, in a healthy marketplace, these would be fireable offenses. Regrettably, the marketplace is far from healthy. Microsoft has the government locked in as a customer, so the government's options for forcing change at Microsoft are limited, at least in the short term. The concern was and is that Microsoft security gaps would potentially lead to catastrophic outcomes. According to Karan Santi, CTO at Trellix, Microsoft needs to dedicate its internal resources towards zero trust initiatives and make new investments in its infrastructure. Currently, he says, Microsoft directs the vast majority of their security investments toward revenue generating roles instead of internal security roles. We'll come back and talk about that here toward the end.

Microsoft has a considerable stake in the cloud security space. Not only is Microsoft one of the world's largest cloud providers, but according to Microsoft's CEO, Satya Nadella, during the company's fiscal second quarter conference call in January quote it is also a major security provider to the enterprise. Microsoft has more than one million security customers, with 700,000 using four or more of its security products. Microsoft generates more than $20 billion in revenue per year from its security business, in other words, by selling security that, one could argue, ought to be baked in.

Okay now I should note here for the record that I don't have any feelings at all of schadenfreude. Really, I'm not the least bit happy that it took some seriously frightening and damaging security lapses within Microsoft to get them to finally start thinking about taking security seriously. It would have been better for everyone if those breaches never occurred, but unfortunately, all evidence suggests that nothing would have changed at Microsoft ever but for those breaches. So the way things have been going, it was probably inevitable.

The trouble they've fallen into feels like the result of a cycle, a cultural cycle within Microsoft. We've witnessed such cycles within Microsoft in the past. I think that happens when a company grows so much that it keeps creating very wealthy upper management who then, no longer needing to work, eventually leave the company. But they're not the only things that leave. What leaves with them is their deep understanding of the culture their leadership created while they were there.

Those who replace them think they know how to keep everything running, but, not having created it, they lack the same deep, experience-based understanding of what's important. And then, over time, the ship drifts off course. Since I cannot even conceive of captaining a ship the size and complexity of Microsoft, it doesn't surprise me that it might lose its way from time to time. I'm amazed it's still afloat. CSRB, as I've mentioned, the Cyber Safety Review Board, released their findings following a deep and detailed investigation into Microsoft's recent security breach troubles. I'm going to share the summary of that report from the Cybersecurity Dive people after we take another break, Leo.

0:59:27 - Leo Laporte
Indeed, indeed, we'll have more in just a moment. You threw me a little bit. I wasn't prepared, but I am now. I have in my hands the commercial for segment number three of Security Now. Are you prepared? Are you ready? It's Kolide. I love talking about Kolide because Kolide is a technology that puts users first. We've been talking about Kolide for some time, but perhaps have you heard the word that Kolide has now been acquired by 1Password. That is, first of all, really good news. I'm happy for the Kolide folks. But also it kind of makes sense because both companies are all about security, all about putting the user first.

In the security story. For over a year, Kolide Device Trust has been is for companies that use Okta to ensure that only known people can, you know, authenticate the users as they log in. Kolide adds that extra piece. They authenticate the device to make sure that only known and secure devices can log in, can access the data, and they're still doing that. They're just part of 1Password now. So if you've got Okta, you've been meaning to check out Kolide. This is a great time. Don't say you know, oh well, I got to wait. No, now.

And Kolide makes it easy to get started really fast. Kolide comes with a library of pre-built device posture checks. So you kind of out of the box you're ready to go with everything you'd want, but you can easily add your own custom checks for just about anything you can think of. So you start with a great base and then, as you use Kolide, you go. You know, I really don't want users who have an out-of-date version of Plex on their laptop to log in as a completely random example, although strangely specific. Plus, you can use Kolide on devices without MDM, which means your entire Linux fleet, your contractors' devices and, of course, all those BYOD phones and laptops that continue to sneak into your company. Kolide's really great. Check it out.

There's a great demo online at kolide.com/securitynow. Watch the demo. I think it probably does a better job of explaining what Kolide does than I do. K-o-l-i-d-e.com/securitynow Just know, if you're a company that uses Okta, you need the second half of the equation. You need Kolide, and you can get more information at K-O-L-I-D-E.com/securitynow. Now On we go with the sad tale of Microsoft finally waking up to the security needs. This, by the way, was not their first time at this rodeo. They keep waking up to security requirements. It's like one more memo Okay that'll fix it.

1:02:19 - Steve Gibson
Yeah, and, as we'll see here when I sort of summarize and wrap this all up, that it's not clear what this means, but we can hope. So the thing that this article from I've lost my cursor from Cybersecurity Dive brings is some additional color and quotes and background from other people they wrote. The CSRB report laid out a blistering assessment of a corporate culture that has failed for years to take cybersecurity seriously. The report was designed to assess the company's response to the summer 2023 breach from the People's Republic of China-linked threat actor that breached the company's Microsoft online exchange environment. However, it also laid out a security culture that failed to adhere to the most basic standards, given the enormous market power that Microsoft wields across modern business applications in government and the private sector. One of the more damaging findings was that Microsoft learned of the attacks only because the State Department had set up an internal alert system after purchasing from Microsoft, at additional cost, a G5 license. Customers who failed to purchase the enhanced security license were not able to see the extensive logging capabilities that would have alerted them to a breach, and we'll get back to the implications of that also. Many in the security community see the CSRB report and the recent CISA emergency directive as direct indictments not only of Microsoft security culture, but a government that has allowed Microsoft to maintain lucrative government contracts with no fear of competition across many of its services.

Mark Montgomery, senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said quote the federal government gets off the hook a little easy in this report. Despite significant encouragement from outside experts, the Biden administration and its predecessors have failed to treat cloud computing as a national critical infrastructure that is itself critical to maintaining the security of our other national critical infrastructures. So it's a, you know, a critical infrastructure infrastructure. Senator Ron Wyden, who called for a federal investigation following the State Department email hack, said the federal government shared responsibility for the negligent behavior disclosed in the report. Wyden said Microsoft has been rewarded with billions of dollars in federal contracts while not being held to account for even the most basic security standards. Wyden told the author of this article, the government's dependence on Microsoft poses a serious national security threat, which requires strong action. Unquote. Now think about that for a minute. The government's dependence on Microsoft poses a serious national security threat. I know that the practice of politics generates a great deal of rhetoric, but that's not something you want a well-placed and respected US senator saying about your company. And speaking of rhetoric, Microsoft knows how to play the game with the best of them.

Microsoft officials said they understand the larger concerns raised by the summer 2023 attacks, as well as the continued threat from Midnight Blizzard and other nation state actors. The company is working to make extensive changes in its engineering processes, improve its relationships with the security community. Wow, listen to the security community, what a concept and its responsiveness to customer needs. Bret Arsenault, corporate VP and chief security advisor at Microsoft, said in a statement quote we're energized and focused on executing Microsoft's Secure Future Initiative commitments, and this is just the beginning. We commit to sharing transparent learnings. They love that word. Oh God, I hate that word. I know. Transparent learnings, there's got to. You know, I thought Leo, can't isn't there a better word? But you, you, you've turned, you know, you, you, you've turned an activity into a noun. Right, and I guess there's no helping you. There's no helping you.

After you've done that. Yes, I just wish that some of the Microsoft customers would have some walkings and would walk away From earnings. Yeah, my God, okay. So, interestingly, one of the problems with being transparent about what's being fixed is that the process of enumerating all the improvements also serves to enumerate just how bad things had been allowed to become. Yeah, exactly, uh-huh. Listen to these numbers.

Bret said that since the launch of the company's Secure Future Initiative, the company has sped up related engineering work in several areas. Okay, he calls it a speed up. Well, he lists four. He says Microsoft has accelerated the lifecycle management of tenants, with a focus on either unused or older systems. The company eliminated more than 1.7 million Entra ID systems related to used aging or legacy technology. In other words, there were 1.7 million Entra ID systems that could be eliminated but had not been. They were just, you know, hanging around waiting to be abused. It has also made multi-factor authentication enforcement automatic across more than 1 million Entra ID tenants, which again says that they weren't before. Also, more than 730,000 apps have been removed across production and corporate tenants that were either out of lifecycle or were no longer meeting current standards. Nearly three quarters of a million apps were just again, you know left alone, left there even though they were no longer serving any purpose, as we know. You know, fundamental to security is taking an employee's badge and then removing all their passwords from the system before they have a chance to use them. Three quarters of a million apps were left there. Also, Microsoft said new employees and vendors are now being given short-term credentials to make impersonation and credential theft more difficult. More than 270,000 have been implemented thus far. And finally, the company's internal multi-factor authentication implementation using Microsoft Authenticator has been enhanced by eliminating a call feature and relying on an in-app login feature. This change covers more than 300,000 employees and vendors. Again, 300,000 employees and vendors were using an insecure feature of the multi-factor authentication that likely made it easier to use but was less secure. So, okay, gee, I guess we should fix that.
Okay, so I've observed for some time here on the podcast that one of the reasons Microsoft has been acting the way it has, has been able to act the way it has for so long without correction, is that until now, its negligence had no consequence. Exactly as Senator Ron Wyden observed. For this article, Dante Stella, an attorney at Dykema and a specialist in incident response, said that enterprise customers do not usually walk away in the face of nation state threats against Microsoft, in part due to its enormous presence as a cloud provider.

Dante was quoted. Quote many switched to Exchange Online or Microsoft 365 to get away from on-prem servers and managed service providers. If the only other choice is going back or a potentially disruptive switch to another platform like Google Workspace, they will most often just ride it out and trust Microsoft to fix the issues. Right. The customers may be unhappy, but due to Microsoft's dominance in the market, that unhappiness is never reflected in Microsoft's bottom line. So why change anything? As we know, I always want to go to the source.

So after reading this piece, I was curious to see the report from the Cyber Safety Review Board. Now the full report I'm not going to share. It's 34 pages of quite eye-opening content, but the short executive summary at the start paints the picture. Here's what the review board found the world. The actor known as Storm-0558, hereinafter simply as Storm and assessed to be affiliated with the People's Republic of China in pursuit of espionage objectives accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. In other words, that key had never expired or been rotated in seven years. In seven years, okay, they say this intrusion comprised I'm sorry compromised. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People's Republic of China, Nicholas Burns, and Congressman Don Bacon.

Signing keys used for secure authentication into remote systems are the cryptographic equivalent of crown jewels for any cloud service provider. As occurred in the course of this incident, an adversary in possession of a valid signing key can grant itself permission to access any information or systems within that key's domain. A single key's reach can be enormous and in this case, the stolen key had extraordinary power. In fact, when combined with another flaw in Microsoft's authentication system, the key permitted Storm to gain full access to essentially any Exchange Online account anywhere in the world. As of the date of this report, Microsoft does not know how or when Storm obtained the signing key. This was not the first intrusion perpetrated by Storm, nor is it the first time Storm displayed interest in compromising cloud providers or stealing authentication keys. Industry links Storm to the 2009 Operation Aurora campaign that targeted over two dozen companies, including Google, and the 2011 RSA SecurID incident, in which the actor stole secret keys used to generate authentication codes for SecurID tokens, which were used by tens of millions of users at that time. Indeed, security researchers have tracked Storm's activities for over 20 years.

On August 11, 2023, Secretary of Homeland Security Alejandro Mayorkas announced that the Cyber Safety Review Board, CSRB, or the Board would quote assess the recent Microsoft Exchange online intrusion and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable cloud service providers and their customers. The board conducted extensive fact-finding in a Microsoft intrusion, interviewing 20 organizations to gather relevant information. Microsoft fully cooperated with the board and provided extensive in to support their conclusion that Microsoft stood out as negligent. This wasn't common practice, what Microsoft was doing, the way Microsoft was operating, they wrote. The board finds that this intrusion was preventable and should have never occurred. The board also concludes that Microsoft's security culture was inadequate and requires an overhaul, particularly in light of the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.

The board reaches this conclusion based on seven points. One, the cascade of Microsoft's avoidable errors that allowed this intrusion to succeed. Second, Microsoft's failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed. I'll just take a moment here to say elsewhere they explain. The State Department was the first victim to discover the intrusion when, on June 15, 2023, State's Security Operations Center detected anomalies in access to its mail systems. The next day, State observed multiple security alerts from a custom rule it had created, known internally as Big Yellow Taxi, that analyzes data from a log known as Mail Items Accessed, which tracks access to Microsoft Exchange online mailboxes. State was able to access the Mail Items Accessed log to set up these particular Big Yellow Taxi alerts because it had purchased Microsoft's government agency focused G5 license that includes enhanced logging capabilities through a product called Microsoft Purview Audit Premium. The Mail Items Accessed log was not accessible without that premium service.

1:19:34 - Leo Laporte
This is why Microsoft gets in trouble, because they demand you pay for security, exactly. But wait a minute. Big Yellow Taxi is the name of the tool.

1:19:47 - Steve Gibson
Big Yellow Taxi is the name of the tool. Big Yellow Taxi is the name they gave to the intrusion detection rules for determining whether the Microsoft Exchange online mailboxes were being maliciously accessed.

1:20:03 - Leo Laporte
It's the name of a Joni Mitchell song, but I don't. I don't really know why they use that. That's weird, okay, Big Yellow Taxi.

1:20:11 - Steve Gibson
The Big Yellow Taxi alert went off, Leo, and they thought oh, okay, I'm trying to take that seriously. I'll be honest with you I that's why we normally don't get those internal names exposed to the public. When we find out that the State Department has named their intrusion rule, Big Yellow Taxi, it's like ah.

1:20:34 - Leo Laporte
Somebody's a.

1:20:34 - Steve Gibson
Joni Mitchell fan. Is it a miracle you guys discovered this, anyway. Also, they said, the board's assessment of security practices at other cloud service providers, which maintained security controls that Microsoft does not. Fourth, Microsoft's failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft's corporate network in 2021. So a compromised laptop was hooked up to Microsoft's network after Microsoft acquired the company, and that was a problem. Also, number five, Microsoft's decision not to correct in a timely manner its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion, when in fact, it still has not meaning, even to this day. And even though Microsoft acknowledged to the board in November 2023 that its September 6th 2023 blog post about the root cause was inaccurate, it did not update that post until March 12th of 2024, as the board was concluding its review, and only after the board's repeated questioning about Microsoft's plans to issue a correction. In other words, what, oh, oh, you mean what we immediately said back in September. Yeah, we've been meaning to change that, but gee, you know, we just haven't gotten around to it. Number six, the board's observation of a separate incident disclosed by Microsoft in January of this year, 2024, the investigation of which was not in the purview of the board's review, which revealed a compromise that allowed a different nation state actor to access highly sensitive Microsoft corporate email accounts, source code repositories and internal systems.
And finally, number seven how Microsoft's ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy and public health and safety, require the company to demonstrate the highest standards of security, accountability and transparency.

As opposed, obviously, to the lowest review, they wrote, the board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.

Deprioritized. To drive the rapid cultural change that is needed within Microsoft. The board believes, believes and I love the fact that here's the government telling you know there's directly focusing on the company's security culture and developing and sharing publicly a plan with specific timelines to make fundamental security-focused reforms across the company and its full suite of products. The board recommends that Microsoft's CEO hold senior officers accountable for delivery against this plan. In the meantime, Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources. In other words, if you don't have enough people available to fix your security, why don't you just hold off on all those new improvements that you were planning and get your security house in order first? How would that be? Because you know national security and billions of dollars in contracts that we keep providing to you and rolling over year after year after year.

1:25:27 - Leo Laporte
How about fixing?

1:25:29 - Steve Gibson
Yeah, how about fixing some things?

1:25:30 - Leo Laporte
Yeah.

1:25:31 - Steve Gibson
That's right. Okay, Leo, let's take our last break. Okay, then I want to look back at mainframe computing and why where we are is like where we were then. Oh, that's interesting.

1:25:45 - Leo Laporte
A little bit of history to tie into the present. I like it. First word from our sponsor, the fine folks at DeleteMe. In fact, on Sunday you might have heard it on Ask the Tech Guys we had a fellow who works with law enforcement call us and sing the praises of DeleteMe. DeleteMe really works. We use it. He used it. He was very happy with it.

If you've ever searched for your name online and if you don't have to, I wouldn't, because you will be, I mean, shocked by the amount of information that comes out. I mean personal stuff: your address, your phone number, how much money you make, your relatives, photos, et cetera, et cetera. Maintaining your privacy isn't just a personal concern. It's a family affair. With DeleteMe's family plans, you can ensure that everyone in the family feels safe online. DeleteMe helps reduce risk from identity theft, cybersecurity threats, harassment and more. In fact, we got it for Lisa when people started impersonating her in text messages to her direct reports, trying to get them to buy Amazon gift cards and send them along. Now our employees are smart enough not to be fooled, but what scared us is the fact that they knew Lisa's name. They knew her phone number, they knew her direct reports. They knew their phone numbers. It's a cybersecurity issue and this stuff is all online.

Who's the culprit? Data brokers. Until Congress gets off its duff and makes comprehensive privacy laws, we're going to have to deal with the fact that there are companies legally out there who buy and sell your information to bad guys, to foreign governments, to anybody. And who's giving them that information? Your ISP, companies you do business with. That's why you need DeleteMe to fight back. They will find and remove your information from hundreds of data brokers because they're experts. They know not only the names of the current data brokers, but they know every day there's new data brokers. It's a good business. In fact, if you're thinking of a new business might want to consider being a data broker. Lots of money to be made. DeleteMe keeps track and will get that stuff down and then will come back and keep looking, because the other problem and it's really sad is that, yes, they're required to allow you. They have a form. All of them do. Please take my information down, but that doesn't stop them from tomorrow starting to start your dossier over again, and, believe me, it doesn't take long to build it. You can, if you want to do it with your family, you can assign a unique data sheet to each family member, tailored to them. You have to be an adult to set this up. With easy-to-use controls, account owners can manage privacy settings for the whole family. Get them started right.

DeleteMe will continue to scan and remove your information regularly. We're talking addresses, photos, emails, relatives, phone numbers, social media, property value and on and on and on. In our case, it was our org chart. Basically, they were able to put together. Protect yourself, reclaim your privacy. Visit joindeleteme.com/twit. If you use the offer code TWiT, you're going to get 20% off. That's joindeleteme.com/twit. The offer code TWiT will get you 20% off. If you get a chance, if you didn't see it, watch Ask the Tech Guys from a couple of days ago, because this guy was great. He was a caller, you see the guy in shades, he works in law enforcement and he said I had to do this and it worked. Unsolicited testimonial. joindeleteme.com/twit. Use the offer code TWiT for 20% off. Now let us conclude our journey down the highway of insecure operating systems with Steve Gibson.

1:29:37 - Steve Gibson
One of the earliest breakthroughs in computing was the introduction of a concept that came to be called timesharing. Yes, back then, mainframe computers were incredibly expensive to purchase and operate. A single machine installation was planned years in advance, electrical power and cooling was plumbed, large rooms were set aside and these machines had their own staff and managers. The bean counters who occupied the upper floors quickly realized that their costs were the same, whether or not the monstrously expensive machine in the basement was busily working for them or sitting idle. So the question soon became how do we keep this massive investment of ours busy? And the answer was time sharing. Time sharing meant that a great many people could share the machine's time. This worked because most people spent most of their time staring at the screen of their time-sharing terminal, reading what had just been displayed, deciding what to do next and then slowly punching out the next command they wished to issue. If it had been just one person, the mainframe would have been bored to death. But the bean counters perked right up when they learned that their machine in the basement could keep thousands of their employees, literally everyone in the building, busily poking away at their keyboards and never waiting long for their next screen of data to be presented. Most of the company's thousands of employees never visited the basement. They weren't allowed to. Security was high because too much was at stake. All of the company's jewels had been concentrated into a single small region and those who had privileged access wore white coats and prominently displayed ID tags. To most of the rest of the company, these tenders of the machine did not appear to speak English, and what exactly they did down there in the basement was shrouded in rumor and mystery, with some not appearing to emerge for days on end.

I've painted this picture of the past because it's interesting that it's a close approximation of what has gradually and organically re-evolved today, mostly of its own accord. Part of it is upside down because instead of computing being done in the basement, today it's being done in the clouds. But we have a very similar concentration of value into a small, high security, tightly controlled area to which few people have access, and the concept of resource sharing exists pervasively. Thanks to the miracle of the global Internet, the networking wires that interconnect the servers are literally being shared by everyone in the world and the use of virtual machine technology, which shares physical processor resources among a great many more virtual processors, is the essence of time sharing. No single virtual machine needs to or can keep a high power cluster of processor cores completely busy, so a much larger number of virtual machines can simultaneously share that single powerful resource with many others.

This move to the cloud does not feel like yet another phase. This feels like an inevitable evolution. Noted that Dante Stella had been quoted saying many switched to Exchange Online or Microsoft 365 to get away from on-premises servers. I think this represents an inevitable evolution because, just as happened in the past era of mainframe computing, the computational resource we were able to create far outstripped the needs of the typical user. Today's processors are so powerful that most PC users today are only using a small fraction of their system's capabilities. When this is scaled up to an enterprise of 10,000 employees, the wasted resources are astonishing, since most people today are, just as they were 50 years ago, staring at a screen, taking the time to figure out what it says, then poking away at their keyboard to indicate what they want to do next.

We've returned to the mainframe era and what we're sharing are cloud-based resources, and I'll just note that the recent evolution of interactive cloud-based AI models represents another example where sharing a single massive resource among many users is vastly more economical than giving each user their own instance. And even though local mini models can be used, thanks to our astonishing computing power, the best models will be continuously training, which requires massive connectivity and a far greater level of processing. Okay, so how did Microsoft get into trouble? There's that old observation, which I've heard isn't actually true, but it makes for a great example nevertheless, that if you toss a frog into a pot of boiling water, it will immediately jump out, but if the frog is placed in the cold water and the temperature is slowly increased, it won't notice the change. What this report makes clear is that the world has awoken to just how utterly dependent we have become upon computing in the cloud. It happened so gradually, so incrementally and slowly, with one day following after the next, with one company after another deciding that the economics of moving their communications infrastructure into the cloud made the most sense, that, just as with the apocryphal frog, we've arrived at a position where the security of our cloud computing can no longer be considered an afterthought and it can no longer be taken for granted. I initially skipped past the opening statement.

From nation, and indeed to much of the world. Numerous companies, government agencies and even some entire countries rely on this infrastructure to run their critical operations, such as providing essential services to customers and citizens. Driven by productivity, efficiency and cost benefits, adoption of these services has skyrocketed over the past decade and in some cases, they have become as indispensable as electricity. As a result, cloud service providers (CSPs) have become custodians of nearly unimaginable amounts of data. Everything from Americans' personal information to communications of US diplomats and other senior government officials, as well as commercial trade secrets and intellectual property, now resides in the geographically distributed data centers that comprise what the world now calls the cloud. The cloud creates enormous efficiencies and benefits, but precisely because of its ubiquity it is now a high-value target for a broad range of adversaries, including nation-state threat actors. An actor that can compromise a CSP can quickly position itself to compromise the data or networks of that CSP's customers. In effect, the CSPs have become one of our most important critical infrastructure industries. As a result, these companies must invest in and prioritize security consistent with this new normal for the protection of their customers and our most critical economic and security interests.

So, getting back to your comment, Leo, what will all this mean to Microsoft and what will it mean to us? I have no idea, and neither does anyone else. For one thing, big changes take time. What Microsoft's rhetoric promises is a major reorganization of their corporate priorities. They're saying this because it has become clear to everyone that a major reorganization of their corporate priorities is exactly what will be needed.

I want to conclude our look at this by sharing the report of Microsoft's actions once the State Department's big yellow taxi honked its horn, indeed noting that there was a problem. I want to share it because it reads like a detective novel, which I know our listeners will enjoy, and because, while it's part of the same scathing report, it paints Microsoft in a good light and shows what this behemoth is capable of doing when it wants to or maybe needs to. The report wrote, though the alerts showed activity that could have been considered normal and indeed, State had seen false positive big yellow taxi detections in the past, State investigated these incidents and ultimately determined that the alert indicated malicious activity. State triaged the alert as a moderate level event and on Friday, June 16th, 2023, so you know, coming up on a year ago, a month from now, its security team contacted Microsoft.

Microsoft opened and conducted an investigation of its own and, over the next 10 days, ultimately confirmed that Storm 0558 had gained entry to certain user emails through State's Outlook web access. Concurrently, Microsoft expanded its investigation to identify the 21 additional impacted organizations and 503 related users impacted by the attack, and worked to identify and notify impacted US government agencies. Microsoft initially assumed that Storm had gained access to State Department accounts through traditional threat vectors, such as compromised devices or stolen credentials. However, on June 26th, 10 days after the initial alert, Microsoft discovered that the threat actor had used OWA, that's Outlook Web Access, to access emails directly using tokens that authenticated Storm as valid users. Such tokens should only come from Microsoft's identity system, yet these had not. Moreover, tokens used by the threat actor had been digitally signed with a Microsoft Services Account (MSA) cryptographic key that Microsoft had issued in 2026.

In 2026. This particular MSA key should only have been able to sign tokens that worked in consumer OWA, not enterprise Exchange Online, and this 2016 MSA key was originally intended to be retired in March of 2021, but its removal was delayed due to unforeseen challenges associated with hardening the consumer key systems, whatever that means. This was the moment that Microsoft realized it had major overlapping problems. First, someone was using a Microsoft signing key to issue their own tokens. Second, the 2016 MSA key in question was no longer supposed to be signing new tokens. And third, someone was using these consumer key signed tokens to gain access to enterprise email accounts. According to Microsoft, this discovery triggered an all-hands-on-deck investigation by Microsoft that ran overnight. Oh my God, Leo, somebody lost some sleep over this.

1:43:54 - Leo Laporte
Well, maybe not. Maybe they just ran it overnight and went to bed.

1:43:59 - Steve Gibson
Oh, that's possible, you're right. It ran overnight, from June 26th into June 27th 2023, focusing on the 2016 MSA key that had issued the token, as well as the access token itself. By the end of that day, Microsoft had high confidence that the threat actor was able to forge tokens using a stolen consumer signing key. Microsoft then escalated this intrusion internally, assigning it the highest urgency level and coordinating its investigation across multiple company teams. As a result, Microsoft developed 46 hypotheses to investigate, including some scenarios as wide-ranging as the adversary possessing a theoretical quantum computing capability to break public key cryptography, or an insider who stole the key during its creation. Microsoft then assigned teams for each of the 46 hypotheses to try to prove how the theft occurred.

1:45:21 - Leo Laporte
How interesting.

1:45:23 - Steve Gibson
Yeah, what an approach. Prove it could no longer occur in the same way now and to prove Microsoft would detect it if it happened again. Nine months after the discovery of the intrusion, Microsoft says that its investigation into these hypotheses remains ongoing. Another way of phrasing this would be Microsoft still has no idea exactly how this happened. They know what, but not in detail exactly how. The report continues: Microsoft began notifying potentially impacted organizations and individuals on or about June 19th and July 4th respectively. As detailed below, this effort had varying degrees of success. Ultimately, Microsoft determined that Storm 0558 used an acquired MSA consumer token signing key to forge tokens to access Microsoft Exchange Online accounts for 22 enterprise organizations, as well as 503 related personal accounts worldwide. Of the 503 personal accounts reported by Microsoft, at least 391 were in the US and included those of former government officials, while others were linked to Western Europe, Asia Pacific, Latin America and Middle Eastern countries and associated victim organizations.

Microsoft found no sign of an intrusion into its identity system and, as of the conclusion of this review, has not been able to determine how Storm 0558 had obtained the 2016 MSA key. It did find a flaw in the token validation logic used by Exchange Online that could allow a consumer key to access enterprise Exchange accounts if those Exchange accounts were not coded to reject a consumer key. By June 27, 2023, Microsoft believed it had identified the technique used to access victim accounts and rapidly cleared related caching data in various downstream Microsoft systems to invalidate all credentials derived from the stolen key. Microsoft believed that this mitigation was effective as it almost immediately observed Storm beginning to use phishing to try to regain access to the email boxes it had previously compromised. However, by the conclusion of this review, Microsoft was still unable to demonstrate to the board that it knew how Storm 0558 had obtained the 2016 MSA key.

So we've already seen that Microsoft has reversed its profit-motivated policy of charging its customers extra for security logging. We covered that earlier and overall, a policy of charging anything extra in return for extra security seems similarly short-sighted. Security should be baked into all underlying aspects of any cloud deliverable. It should not be possible to buy more security. It should be impossible to purchase less. Only time will reveal what lessons Microsoft learns from all this. The lesson we must all learn is that when we transfer our corporate assets to the cloud, we're also transferring the responsibility for the security of those assets to the cloud services provider. So it's important to recognize that doing so does come with some risk and that the fine print of the provider's contract holds them harmless, regardless of fault.

1:50:04 - Leo Laporte
What a world. Do you feel like Microsoft's, however, recognized the issue and made the changes they need to make, and we won't have to do this all over again?

1:50:15 - Steve Gibson
Everybody loves a project.

1:50:18 - Leo Laporte
Leo, it's like a committee. It's very similar to a committee. You know you don't want to make a decision, appoint a committee, you don't want to really solve something, create a project. Maybe 47 of them working overnight.

1:50:32 - Steve Gibson
Yeah, everybody loves a project. I mean, they need something to do. You know you could argue Windows is done. You know cloud, you know Exchange is done. Everybody, I mean, what is the refrain we hear? Leave it the F alone. Just why? So, Microsoft? Yes, put a freeze, a formal freeze, on features, because they keep breaking it, right? I mean then, how many times have we said they're never going to get rid of the bugs, because as many as they fix, they introduce new ones. Yes, with all with new features, because they're constantly adding features. Stop with the features already. How about considering security a feature? What a concept. Yeah, good point.

1:51:29 - Leo Laporte
Good point. This is why you listen to Security Now, right, every Tuesday, 1.30 Pacific, 4.30 Eastern, 20.30 UTC, to get the deets, the update, the straight talk. That's the really most important thing, without fear or favor. So many other places on the net you can get information, but there's always this undercurrent of like, well, you know, who's paying for this. With Steve, you know this is. Steve says what he thinks and is extraordinarily trustworthy, and I love that about this show. I'm glad you're here, glad you like it too.

If you want to support Security Now, join the club. That's the best way to keep us doing this and everything else we do at TWiT. Advertiser support is not enough. It's become less and less. Frankly, we need more members in the club. Seven bucks a month. You're joining a community of really smart, interesting people. That's a great thing. You can meet them in the Discord. You get ad-free versions of this show and all the other shows we do. You get special stuff we don't put out anywhere else. But most of all, you're supporting honest reporting about the world we live in today, without fear or favor, and I think that's an important standard to hold in this world where everybody seems to have something going on. Steve is at grc.com. That's where you'll get SpinRite. This is his only, by the way, the only, the only thing he has, the only, uh, his only bread and butter winner, the world's finest maintenance and recovery and speed up utility for mass storage.

1:53:09 - Steve Gibson
Performance recovery, data recovery and performance recovery.

1:53:13 - Leo Laporte
Yeah, 6.1's out. You can get it now, right now, at GRC.com. There's a great forum there. Somebody was saying, well, I don't want to be on Twitter, how do I get a hold of Steve? The forums are great. There's also a feedback form, GRC.com/feedback, but his Twitter DMs are open to all at SGgrc on X.com and I expect to have an announcement for about email next week.

1:53:36 - Steve Gibson
Oh, that's great's great, that's good to know. Good, it's almost running.

1:53:42 - Leo Laporte
I've got a plan.

1:53:43 - Steve Gibson
Ball. I've been having so much fun coding. There's nothing I love. Leo, coding is great isn't it?

1:53:49 - Leo Laporte
I know, I know. If everything were as straightforward, clean, result-focused as coding, life would be a lot easier for us nerds. Anyway, GRC.com. We have his show also, uh, at our site, twit.tv/sn, um, and, of course, best thing to do is subscribe, find it in your favorite podcast player, audio or video, and that way you'll just get it every week automatically. Okay, Steve, good show, great subject. You getting a new?

1:54:25 - Steve Gibson
iPad no.

1:54:26 - Leo Laporte
No, you don't need one.

1:54:27 - Steve Gibson
No, the ones I've got are fine, you know they work. I mean they're a little slow and so you know, maybe, but I'm not in a big hurry.

1:54:39 - Leo Laporte
Watch tomorrow MacBreak Weekly. We swapped with TWiG today, we did This Week in Google to cover Google IO. Tomorrow, MacBreak Weekly is at the Google IO time, 2 pm Pacific, 5 pm Eastern, 2100 UTC. Jason Snell will be on with the new iPad and Micah and I might have our new iPads by then. If we do. They're supposed to come tomorrow sometime. If we do, we'll do an unboxing and we'll show them off. We'll at least have one to show off. Thank you, Steve. See you all later. Thanks for joining us on Security Now. See you next week, bye.
