Security Now Episode 916 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for security. Now. Steve Gibson is here. There's lots to talk about. An amazing amount of bug bounties paid by Zoom over the years. Steve gives them high praise. We'll talk about Pound to own. They just had it at Canec West in Vancouver, and a big winner this year. Amazing winner this year. And we'll talk about 144,000 malicious packages published on open source software registries. That and a, a stinging rant against Microsoft. All coming up next on Security Now.
... (00:00:40):
Podcasts you love. From people you trust. This. Is TWiT.
Leo Laporte / Steve Gibson (00:00:43):
This is Security Now with Steve Gibson. Episode 916, recorded Tuesday, March 28th, 2023. Microsoft's Email Extortion. Security now is brought to you by Lookout. Whether on a device or in the cloud, your business data is always on the move. Minimize risk, increase visibility, and ensure compliance with lookouts Unified platform. Visit lookout.com today. And by Kolide, Kolide is a device trust solution that ensures that if a device isn't secure, it can't access your apps, it's zero trust For Okta, visit kolide.com/securitynow book a demo today
(00:01:39):
And by Melissa, more than 10,000 clients worldwide in retail education, healthcare, insurance, finance, and government. Rely on Melissa for full spectrum data quality and ID verification software. Make sure your customer contact data is up to date. Get started today with 1000 records clean for free at melissa.com/twit. It's time for security. Now, the show we cover the latest in security, privacy computers, science fiction, vitamins, whatever it is Steve wants to talk about. I'm Game. Steve Gibson is here, our host. Hello, Steve Yole. I This is our sendoff for you. Yes. Gonna be missing you for what, I guess three episodes. Four. Yeah. I think t's gonna take over next week. And I, I can't remember. Jason Will is in Costa Rica right now, but when he gets back, he'll, he'll come back in. It's a mishk of people hosting the show, but it's a really, Steve show you, you are All that matters on this show.
(00:02:42):
Well in this week's grab bag collection, we wonder what happened and who cleaned up during last week's Elite 2023 proto own competition. What happens when inadvertently exposes their own private S S H R S A key Are all DDoS for higher sites legitimate? And is and is legitimate actually <laugh> a word we could even apply to DDoS for higher sites. Just how bad has the malicious open source registry package problem become? And how is it that Russia's presidential staff are still using iPhones after its rocky start in the limelight? How has Zoom's security been faring these past few years? And what benefits can be derived from the sum of two sine waves along a logarithmic curve? What new feature is Microsoft exploring for their already rather feature encumbered, shall we say, web browser? And in one of my blessedly rare rants, we're going to learn what new revenue harvesting Measure <laugh> Microsoft has just announced, which will, which to me seems deeply ethically wrong.
(00:04:09):
Mm. Today's podcast is titled Microsoft's Email Extortion. Oh, boy. Yeah. Well, I look forward to the answers to all those questions, and yet another ridiculous picture of the week coming up in a moment. Ah, yes. But first, I do wanna welcome a brand new sponsor to our show. Lookout. Lookout. Let me tell you about Lookout. Business, as you know, has changed forever. Thanks. I guess probably to the pandemic, but boundaries to where we work, even how we work, have completely disappeared. Your data nowadays as a company is always on the move. Whether on a device in the cloud, across networks, down at the local you know, Starbucks, that's great for your workforce. They love it. But it's a challenge as you probably already know. For IT security just ask Glass Pass Lookout <laugh>. Mm-Hmm. <affirmative> Lookout helps you control your data and free your workforce.
(00:05:15):
With Lookout, you'll gain complete visibility into all your data so you can minimize risk from internal and external threats. You can ensure compliance. That's a couple of things you need to do, isn't it? By seamlessly securing hybrid work, your organization no longer has to sacrifice productivity for security. And Lookout makes it security a lot simpler, working with multiple point solutions and legacy tools in today's environment, that's just too complex. You need a simple one-stop shop for everything. With its single, unified platform Lookout reduces it complexity, giving you more time to focus on whatever comes your way. Good data protection shouldn't be a a cage. It's a, a springboard letting you and your organization bound toward a future of your making. Visit lookout.com today to learn how to safeguard data, secure hybrid work, and reduce it complexity. Lookouts a name you need to know, data protection from endpoint to cloud to your happy place.
(00:06:17):
L W O K o ut.com, lookout.com. We thank 'em so much for their support of security now and I hope you will go pay 'em a visit and as a wave of thanking them for being here on the show. Now, Steve, it's time for the picture of the week. The, the weekly photo conundrum, <laugh>. So for those who tho those who are not looking, imagine, did you have a, a tall wall, very tall, and for some reason you have a need to get to the top of it occasionally. So what do you do? Well, you, you run a staircase. Yeah. Up the side of the wall. Yeah. Because, you know, then you could climb the stairs to get to the top of the wall. But now you have a problem because you decide you don't want everybody to be able to climb to the top of the wall.
(00:07:17):
You only want some people to do. So what do you do? You put a gate with a, you know, a lock so that only people who have a key to the lock are able to open the gate and then climb to the top of the wall. But here's the problem. In this instance, what we see is this gate that, like, that extends across the stairs, is on the third stair up. So, like, you know, you go up three steps up and there's a gate. Well, okay, now, <laugh>. Now there is nothing to keep you from swinging you around the outside of the gate, cuz since the gate's open on one end, right? It's again, on one side of the gate, it's against the wall, as are the steps going up the side of the wall. But you could just, you know, like step around the gate because it's, it's open to the air on the other side, and they've have placed it conveniently.
(00:08:17):
There's a conveniently placed handrail on the other side. For those who do manage to swing around the <laugh>, the gate, we wouldn't want you basically ignoring it anyway, the, the, if the, the picture's wonderful because you just think in fact, I gave, I gave it the caption. Well, that'll stop 'em because you know, it won't <laugh>. And look, and, and again, this is one of those situations where a lot of time and industry and thought went into this. Now, the good news is on this gate, unlike some of the other gates we've seen, the bars of the gate are vertical rather than horizontal. We have encountered in the past gates where they made horizontal bars creating a ladder out of the gate. So yes, you could, if you didn't wanna swing around the side and the bars were horizontal, you could just, you know, use it like a ladder in order to climb over.
(00:09:13):
But in fact, in that case, you could just probably go up to the top of the wall from the top of the gate. But anyway, once again, thank you to our Twitter followers who <laugh> are now understanding what sort of picture to send me to make history. Because yeah, we're getting a lot of great pictures from our listeners. Okay. It's just amazing how many poorly designed facilities there are out there. I'm expecting as I wander around ancient Europe, Rome, yeah. Barcelona. I might find a few of these and I will send them right along. Please have your camera ready, Leo, because as shall you know, they are a constant source of entertainment. I'll, I'll get Lisa and take a picture. Me ASC sending one of these <laugh>, it, it, it does, it does bring, you know, make one wonder about humanity a little bit.
(00:10:03):
It's like, well, maybe we should be <laugh>. We should be taken over by the ais that might actually be intelligent. Okay, so speaking of making history syn active SIVs name first came up, well, actually we've talked about them way in the past, but they also came up last week when the firm grim was asked to double check and verify the result of SIVs forensic reverse engineering of DJ's drone controlling software. Since Zak's report could have been seen as highly inflammatory, depending upon how much one believes that we actually have any true security to start with it appeared that Grim was brought in to obtain, you know, the classic second opinion. And as we know from last week's topic, they concurred with everything that's syn active found. Okay? So if we didn't already know that inactive clearly knows their stuff, their breathtaking performance during last week's three day annual poem to own hacking contest held in Vancouver, Canada would stand as testimony to that.
(00:11:16):
Through the years of this podcast, we've been tracking these honed own competitions, both because they're a lot of fun, and because it never hurts to have an occasional reality check to remind us that whenever skilled hackers take aim at some technology, pretty much it seems any technology which everyone believes to be secure, that belief is quickly proven to be merely wishful thinking. There are three pro to own hacking contests that take place throughout the year. One is dedicated to smartphones and IOT devices, and we recently covered some of the results from that one. Another is dedicated to industrial equipment, which we also recently talked about. And the third is last week's Canec West event. That's dedicated to, well, probably more interesting to most of us desktops, servers, and smart cars. This competition is widely regarded as the now as the premier most prestigious of all the hacking contests.
(00:12:22):
And this was not syn active's first to own win since they took the title two years ago after the competition in 2021. Okay? So during the multi-category three day event, the inactive team successfully demonstrated first a he heap overflow vulnerability and an out of bounds right error in a Bluetooth chip set. And this is what's interesting is that, you know, we were talking about a couple weeks ago about the bass band modem in the, that the, the, the bugs that Google found four of them being the worst possible where no user action. The, this was in a Samsung bass band cellular modem chip. And how that that little chip was able to result in a complete compromise of the phone. Well, here we have a Bluetooth chip that allows you to take over a Tesla. So this is an outbounds right error in a Bluetooth chip set, which allowed them to break into Tesla's infotainment system.
(00:13:37):
And from there they were able to gain root access to the rest of the car. That bit of wizardry netted them a cool, get this quarter million dollars and PO to owns first ever tier two award, which is the designation, the contest organizers reserve for particularly impactful vulnerabilities and exploits. They also demonstrated an attack, secondly known as T O C T O U, that that's a, an abbreviation in the industry, which stands for time of check, time of use. The last fancy term for this, like the original term, is a race condition. That's what we always used to call it. Now it's a talk to T O C T O U. Okay? so a race condition where there is a times critical sequence of events that can be used in some manner to slip past a systems defenses like you query for some status, then you do something that the designers didn't anticipate rather than waiting for the answer.
(00:14:47):
For example, in this instance, they pulled off an attack on Tesla's gateway energy management system. They showed how they could then among other things, open the front trunk or side door of a Tesla Model three, while the car was in motion that less than two minute attack earned the researchers a new Tesla Model three talk about POed to own, but they won't wanna drive it because <laugh>, it's dangerous. Yeah, be sure you have your seatbelt on and, you know, and like tie down the front hood. And they also got a cash reward of a hundred thousand dollars. Next, they pulled off a three bug chain against Oracle's virtual, or yeah, Oracle's virtual box with a host elevation of privilege to earn themselves $80,000. Compounding that to their rapidly growing winnings, they used another T O C T O U bug to escalate their privileges on Mac Os earning $40,000.
(00:15:56):
By leveraging an incorrect pointer scaling, they were able to elevate their privileges on Ubuntu's desktop Linux to win $30,000. And finally they leveraged a use after free flaw against Windows 11 for another $30,000. Wow. They made out like Bandits, yay, really cleaned up. Overall, they took home more than half a million dollars, nice $530,000 and a shiny new Tesla model three, which earned them the largest award ever raked in Wow. By any one contestant in PO to own's history. And it's, it's a good competition. Star Labs, which was the runner up, took home 195,000, which was not bad either. So that's a contest to pay attention to. And what's interesting, of course, is remember that, that China pulled their hackers out of PO to own. So, you know, maybe things would be different if China's hackers, which have proved themselves to be extremely skillful many years in a row if they'd been there.
(00:17:03):
But that's their, you know, China's keeping them home. Now. okay, here, the, the, the moral of the story for GitHub is mistakes happen. We were just talking about the benefit of having GitHub repositories continuously scanned for any inadvertent leakage of secret data. You know, it's like keys, which should never be published. So it was interesting that this just happened to GitHub themselves, causing them to rotate their primary S S H R S A key. Here's what GitHub explained, they said at approximately 500 U T C on March 24th, out of an abundance of caution, we replaced our RSA SS H host Key used to secure git operations for github.com. We did this to protect our users from any chance of an adversary impersonating GitHub or dropping on their GI operations over SS h This key does not grant access to GitHub's infrastructure or customer data.
(00:18:17):
This change only impacts GI operations over SS h using RSA web traffic to github.com and htd P s GI operations are not affected. So they, to clarify, they said only GitHub dot com's, rsa RSA SS H Key was replaced. No change is required for elliptic curve DSA or ED 2 5 5 19 users. So then they explain a little bit more. They said, this week we discovered that GitHub dot com's rsa, SSH private key was briefly exposed in a public GitHub repository. They don't ever tell us like how that happened, but certainly they dug into it and figured it out. They said, we immediately acted to contain the exposure and began investigating to understand the root cause and impact. We have now completed the key replacement, and users will see the change propagate over the next 30 minutes. Some users may have noticed that the new key was briefly present, beginning around two 30 U T C during preparations for this change.
(00:19:32):
They probably like quick, you know, quickly made sure that it would work. And then they, they pulled it back and got ready and then, then got ready to, to do the whole stage. So they said, please note that this issue was not the result of a compromise of any GitHub systems or customer information. Instead, the exposure was the result of what we to be an inadvertent publishing of private information. We have no reason to believe that the exposed key was abused and took this action out of an abundance of caution. So anyway just sort of a, a, you know a reminder that even somebody is taking every precaution who's being safe mistakes happen. And so all you can do is say, whoops, and then look at what the consequences of those are and fix 'em, which they promptly did. So I titled this DDoS for Higher or not, and I love this idea.
(00:20:34):
It, it just makes so much sense to me. The UK's National Crime Agency says its agents have created several fake DDoS for higher services that are up and running today. You know, so these are, they look legitimate right from the outside. So they're on the dark web, you can get to them through onion routing with some funky U R L that gets passed around among hackers. So now, okay, so such a site. So, so for the, for the National Crime Agency to create a fake DDoS for hire service, the point is they're trying to catch people, right, who are wanting to hire these DDoS for hire services. But they, they actually have a dual purpose. They can catch those in the act of attempting to hire DDoSs as well as frightening away others when the nature of the STING operation is revealed.
(00:21:36):
And that's what caught my attention. And I, I thought was so clever to serve that second agenda. The National Crime Agency chose last week to reveal one of its previously popular fake DDoS sites by replacing the site's previous homepage with a splash screen announcing the chilling truth. And I've got this screen in the show notes. It says, this site was created and controlled by the National Crime Agency. This looks so fake, this looks completely fake. They really could have done a better job making this realistic. Well <laugh>, doesn't it? I mean, this looks, I mean, operation Power off Yeah, <laugh>, come on, man. And they've, this is like from the eighties. They have the Euro pole seal and you know, the, the, the, the, the and, and A SEAL for the N C A. But, but, but so what they're wanting to do is the, the, this says the National Crime Agency collaborated under Operation Power off to target users of criminal DDoS services.
(00:22:47):
Ddoss attacks are illegal in the majority of countries. The National Crime Agency has collected substantial data from those who have accessed our domain. We will share this data with international law enforcement for action individuals in the UK who engaged with this site will be contacted by law enforcement. The National Crime Agency has been and will run more services like this site. Operation Power Off has already resulted in the arrest of numerous individuals and continues to ensure that users are being held accountable for their criminal activity. So, so, so the, the point of this second phase is, you know, imagine you're a MIS grant who's wants to, you know, who's annoyed with somebody else and wants to dedos them. So you go to this, to this site that, you know, you may know of, maybe you've used it in the past, and now you're greeted with the news that this was a sting.
(00:23:50):
The whole thing was a sting. So, so what that does is it chills the entire enterprise of DDoS for hire A as L Now, you know, cuz certainly that the word will spread through the underground, that that law enforcement is erecting fake, you know, sting DDoS for higher sight, and how would you know? So anyway, I just think that's a, a, a clever, you know, repurposing of, of the, the concept runner for a while. Collect lots of names and then flip the, flip the, the thing around to show people that, well, maybe you shouldn't be using DDoS for hire because, you know, we are running many of these and you don't know which other ones you may be inclined to, to hire are actually ours. And then we're gonna get you. Okay. So I saw a statistic that was somewhat sobering. We've been looking at the new challenges facing online open source repositories, which are increasingly being poisoned by a flood of malicious package uploads.
(00:25:00):
These fall under the umbrella of supply chain attacks. The developer security firm sync spelled S N Y K says that it recorded more than 6,800 malicious libraries uploaded on the N P M and PII portals since just the start of this year. So not yet three months, 6,800 individual specific malicious libraries. The number that caught my eye was that sink said that this recent batch brings the grand total of specifically identified malicious packages to more than 144,000 published to open source software registries, you know, published and identified, found and removed over the past several years since unfortunately, this growing problem was identified. I mean, it's it's good that it was identified. It's unfortunate. It's unfortunate that it's a growing problem and wow. You know, it's not clear how we're gonna solve this problem. Okay, so Russian, the, the Russian news publication commerce reports that the Kremlins security team has instructed Russia's entire presidential staff to discontinue all use of iPhones by April 1st.
(00:26:35):
April Fool's Day commerce reports that employees were told to get an Android device either from a Chinese vendor, not surprisingly, since China's now Russia's friend, increasingly so, or one running Ross telecom's Aurora Os, and I love this, the Kremlin officials cited security considerations as being behind their decision, claiming that iPhones were more susceptible to hacking an espionage by Western experts compared to other smartphones. Huh? Okay, well that doesn't correspond to anything we know, but it is certainly another of the recent examples that we've looked at here. In an environment of increasing mistrust and hostility, it really doesn't make any sense for anyone to be using a closed device sourced from an entity on the other side of the dispute. And Apple's iPhones are certainly far more closed than Android devices. So yeah, if Russia is planning a long-term split from the West, then discontinuing all use of Western Source Tech is, you know, the only sane long-term strategy.
(00:27:57):
In our industry's apparently eternal quest to rid ourselves of mistakes made in the creation of software. One of the more effective strategies that's been found is the idea of paying good guys to find and report those flaws before bad guys can find them and use them against us. Thus, bug bounty programs have become a mainstay. The covid driven work from, you know, the, the whole work from home, boom, quickly put a lesser known video conferencing system zoom on the map. But as we know, not everything went well from the start. As we've seen time and time again, many more bugs exist than are known. So Zoom's pre celebrity confidence in its own software was quickly shaken when bad guys began looking more closely at it than ever before and discovered all sorts of ways that its benefits could be subverted. As we covered at the time, this came as quite a shock to Zoom's management and they did stumble a little bit out of the gate, but to their credit, they quickly hired some experienced right thinking true security experts and the establishment of a functioning bug bounty program was near the top of their list.
(00:29:23):
Okay, so we're now several years downstream. How's that been going? Here's how Roy Davis Zoom's Security Manager described this effort in a blog posting last week, Roy wrote Insecurity, it's all who gets there first. We race to identify bugs and issues before the bad guys do. So we tap the Ethical hacking community to help us get ahead. We source this help through our Zoom Bug Bounty program, which lets us connect and engage security researchers that help us proactively mitigate risk and create a safer environment for our customers. And we've accomplished a lot as a community in the past year. Here's a look. He says, we test our infrastructure every day at Zoom, but we know we're not immune to Edge case vulnerabilities. So we call in backup. The ethical hacker community can sometimes detect bugs that may only be discovered in certain circumstances. That's why our Bug Bounty program forces on recruiting skilled effective researchers.
(00:30:36):
In 2022, we sent additional invitations to researchers to join our Hacker One program with a focus on attracting active security talent. We also like to go beyond our program to find talent. So we tapped into the community via industry events like H 1 7 0 2, which I'll get, I'll talk about it in a second, which was Hacker One event, H one standing for Hacker one. He wrote, these researchers work hard to help us, so we strive to celebrate a successful report to su to to celebrate successful report submissions accordingly, in the fiscal year 2023, and I don't know how their fiscal calendars aligned, but presumably it just closed. He says, we awarded, and this number surprised me, 3.9 million in bug bounties to hundreds of researchers, and over 7 million to date since the program began. So, props to Zoom, he said, beyond identifying vulnerabilities outside researchers support has helped us make other forms of progress.
(00:31:52):
At Zoom, we used these reports to demonstrate items that needed attention, flag root level causes for issues, create better cross-functional alignment, and find potential threats before they become a problem. As a result, our time to resolution for Bug Bounty reports has significantly improved over the past two years. At the start of this year, we restructured our team and developed updates for the program for fiscal year 24. We evaluated the researchers currently in our program to make sure everyone is active and contributing. We wanna put the right foot forward in the new year, and that all starts by working with high caliber effective researchers. Zoom's Bug Bounty program is also implementing a brand new vulnerability impact scoring system to help researchers do their best work. Yet, while we will continue to use the industry standard common vulnerability scoring system C V S S to score reports, we're evolving our program to add a companion scoring system called the Vulnerability Impact Scoring System, v i s s that analyzes 13 different aspects of impact for each vulnerability reported as they relate to Zoom infrastructure, technology, and security of customer data.
(00:33:17):
With the implementation of V I S S Bug Bounty can focus more on measuring responsibly demonstrated impact rather than the theoretical possibility of exploitation. So then he finishes with the road ahead. As the Zoom Bug Bounty program has grown over the past year, we're continuing to evolve and mature our pro our processes, bug Bounty awards and testing scope. We're very excited to see the impact of our new scoring system and all the good our researchers can do in 2023. If you're interested in helping to make Zoom more secure, email your hacker one profile name to Bug bounty@zoom.us or visit the Zoom careers page to review the open positions within the trust and security team. Happy hacking. So I am very impressed. You know, that's a, I mean, the large number is good, right? It means yes. Yeah. Yes. They're finding and, and they're being actively proactive.
(00:34:23):
Yeah. You know, thi thi this is what being proactive about security looks like. You know, you know, yes, we all know since, you know, we chronicled those early failures that they made that Zoom was initially caught flatfooted when their platform took off. But today, zoom security team is actively not passively managing their bug bounty program. And I think that's clearly making a big difference. You know, not only are they clearly paying well for, for bugs that are being found, so, and they're willing to shell out so far $7 million, but they're not just passively listed over at Hacker One and claiming for the sake of a bullet point on the presentation slide that Oh yes, we offer bug bounties you No, they're, they're serious about tightening up their platform and, you know I it was Alex Stamos that they hired, or, or they, or they brought in as a consultant as I recall, right?
(00:35:21):
Yeah, yeah. Oh, but not just that. I mean, they really did. They bought a crypto company that I used and I was unhappy with it. They bought it. But some of the best cryptographers in the world are now working there. I mean, they, they did a, the right thing. I think sometimes, you know, you hear these numbers like, oh, look at all the flaws that were found. And I think it makes people think, oh, my must be insecure software. But really that's a good thing to find the flaws and fix them. Everything has flaws, right? I mean, not, not of course spin, right? But everything else <laugh> has flaws. Okay? So, yes. So what we keep seeing, we, we see example after example where something looks great until you look at it more closely. And yeah. And that's what it takes.
(00:36:12):
As soon as you start scrutinizing it, as soon as you know anybody, a good guy or a bad guy starts scrutinizing it, you're gonna find problems. So, yes, they're, they're saying that they, they have paid out for hundreds of bug bounties, but tho that those are hundreds of fewer bugs Yeah. That are there. Now, I think a lot of companies would be reluctant to say those numbers cuz they would assume people are gonna say, wow, you really have, you know, your products is like Swiss cheese, right? And, and, and the point is, it once was and now it's not, is way less. So. Yeah. Yeah. So, you know, you know, it, it is by examining those things. So the, this other cool thing that, that, that H one hyphen 7 0 2 event that Roy referred to that was a multi-day hacker, one event held in Las Vegas, Nevada last August.
(00:37:04):
And Zoom was one of two corporate sponsors of the live hacking event on the 4th of August, during which more than 100 security professionals, about 70 of them were in person and 40 were virtual from a 29 countries hacked, hacked the Zoom web and desktop client, the APIs zoom's marketplace apps, and any of the binaries that Zoom distributes five individual awards were distributed. And overall, zoom paid roughly $480,000 in bounties in that one day. They said that they feel this is a reflection of the importance of this industry best practice, meaning paying bounties for responsibly reported bug discoveries. You know, they have come a long way from where they started when they first popped onto our radar. And back then it was in less than stellar fashion. So today I say Bravo zoom, I, I I really think they're doing, you know, you know, this is the way to do it.
(00:38:05):
That, you know, they understood that if they wanted to hold onto their position as like su this suddenly popular telecon, you know, video teleconferencing system, they needed to fix their, their security you know, just hadn't been looked at that closely. And Leo, I'm gonna look more closely at right, that cup I have in front of me. Look at that water, it looks good, right? Mm mm Well, it gives me a moment to say hello to one of our great sponsors. Kolide collide is a device trust solution that ensures that unsecured devices, unsecured devices can access your apps. You know, I mean, we all talk a lot about zero trust architectures, but most, most identity providers really are focused on, do we know this person? Not whether he's logging in with an insecure device. If you're an Okta user, this is some good news.
(00:39:07):
Kolide can get your entire fleet to 100% compliance because it's patching this big hole in, in zero trust architectures device compliance. Your identity provider only lets known devices in, right? That's good, right? But just cuz a device is known doesn't mean it's secure. And again, a lesson learned by some pretty big companies plenty of the devices in your fleet have probably shouldn't be trusted. Maybe they're running on out of date OS versions, or maybe they have unencrypted credentials lying around. Maybe they're using an old version of Plex that hasn't been patched in three years. If a device isn't compliant or it's not running the collide agent at all, it, it just can't log in. It can't access the organization's SaaS, apps or other resources. The device user cannot log into your company's cloud apps at until they've fixed the problem on their end. It's that simple.
(00:40:02):
And it's great cuz it's not a burden on your IT team. The end user does it, which is, has several benefits. Yeah, it, it all flows your IT team, but also teaches the user about security. And in enrolls that makes them part of your team instead of the enemy. For example, the device will be blocked if an employee doesn't have an up-to-date browser. You know, that happens, right? Using end user remediation helps drive your fleet to a hundred percent compliance without overwhelming your IT team collide gives 'em a message, Hey, you can't log in yet. Your browser is is a, is outta date. Here's how you update it. User updates. It probably just closes it and reopens it, right? And boom, you're good to go. Now you can log in without collide it. Teams really don't have a good way to solve these compliance issues or stop insecure devices from logging in.
(00:40:55):
And this is a major hole because you know, these devices, they've been home, they've been operating on a home network, they've been kind of out in the wild, really. And you're gonna bring them back into the network. You wanna make sure they're locked down with collide, you can set and enforce compliance across your entire fleet. And here's another great thing about KA collide. It's completely cross-platform, Mac, windows, and Lennox. And it's unique because Kolide makes device compliance part of the authentication process. When the user logs in with Okta collide alerts them to compliance issues, says, whoa, stop prevents unsecured devices from logging in and then walks them through the process of getting it secure. Again, it's security you can feel good about because Kolide puts transparency and respect for users at the center of their product. So for you, collide means fewer support tickets, less work, but for your users it means less frustration.
(00:41:53):
And for everybody, most importantly, a hundred percent fleet compliance, K o l i d e collide.com/security. Now visit him to learn more to book a demo K O L I d e.com/security. Now, thank you for supporting Steve's work collide. We appreciate it. You support Steve too. When you, you know, you go to that site, make sure you use that full url. So they see the security now part and they know you saw it here. Kolide.Com/Securitynow. Okay, Steve on Vigo. So I knew it Uhoh. Now that's not as I K N E W I T it's n U I T, which in French means nighttime, Nui, Nuit, Nui and noi. Okay, <laugh> the Knight. You say noi it's an acronym in this case for near ultrasound inau audible Trojan. Oh boy, that doesn't sound good. Uhhuh <laugh> not, not good. That sound good?
(00:42:57):
And so, yes, some clever researchers are again going to entertain us with their out-of-the-box thinking. Researchers from the University of Texas at San Antonio and the University of Colorado at Colorado Springs recently published a paper for presentation, or I should say submitted because it's not published yet. Submitted a paper for presentation during the upcoming use Nick's security 2023 conference being held in April next month. It demonstrates a novel inaudible voice, Trojan attack, which exploits vulnerabilities of smart device microphones and voice assistance. You know, like Siri, Google Assistant, Alexa, Cortana, and so on. The researchers used their near ultrasound inaudible Trojan, n u i t, to attack different types of smart ices bridging from smartphones to smart home devices or sometimes just within the smart ho the, the, the smartphone itself. The results of their demonstrations show that N U I T is effective in maliciously controlling the voice interfaces of popular tech products.
(00:44:16):
And that those tech products which are currently on the market oh, are vulnerable. Oh, this is really bad. It's not good. It takes advantage of the fact that digital assistants use microphones, which accurately pick sounds that are inaudible to the human ear. N U I t plays sounds in the near ultrasound frequency range from 16 to 20 kilohertz, which enables it to give voice commands to both close and more remote smart devices. Yeah, cuz that travels really well, that high, high F frequency stuff. It does. Wow. Now their research demonstrated that N U I T style near ultrasound commands can be embedded pretty much anywhere an attacker could direct. And the demos they've got, like you just play a YouTube and, and your phone lights up and does something. Ugh, this, it's terrible. Horrible. It's freaky. So an attacker could direct a victim to click a link to a website that would play some audio or a YouTube video that would then play the inaudible voice commands.
(00:45:22):
The researchers demonstrated that N u UIs also work when playing from one phone, which controls another over Zoom calls, playing, playing on a phone to control a smart speaker or another iot device, or even embedded into files that have background music. And it'll still work through that. Once they've, once they have unauthorized access to a device, hackers can said inaudible action commands to reduce a device's volume and prevent the voice assistance response from being heard by the user before proceeding with further attacks. Okay. So I was unable to find their full research paper online. And the use next conference, as I mentioned, isn't until next month. So some puzzles remain in some summary coverage published by their universities. They, they're quoted saying that to wage a successful attack against voice assistant devices, the length of malicious commands must be shorter than 0.77 seconds. Oh, that's pretty quick.
(00:46:33):
So that, yeah, so, so three quarters of a second, but we don't know why that's the case until their form, their formal paper is published. They did add that the vulnerability is created due to the non-linearity of the microphone design, which the manufacturer would need, they said to address. And the researcher said that out of the 17 smart devices, they tested Apple Siri devices alone needed to capture and reuse. That is replay their user's voice. While other voice assistant devices were activated by using any voice or a robot voice, they also pointed out that the attack could be surreptitious because it was possible to silence Siri response since iPhones maintain separate volumes for Siri and Nons Siri output. And of course, as, as anyone knows who's been around voice assistance they, you know, the u users of voice assistance experience odd triggering events, right?
(00:47:40):
Where the, you know, where it didn't appear that the system was being addressed when it suddenly woke up and said, you know, Hey boss, what do you want? So, you know, we know that these are the results of their microphones hearing and responding to a much wider range of frequencies than, than than humans do. And constantly listening for, for that, that, that trigger. So there's still a lot that we don't know about the mechanism of the attack, but there is an interesting opportunity for a bit of science and math conjecture here. There was the comment made that the attack is due to non-linearities in the operation of these microphones. And that provided the clue for me, that almost certainly means that the instantaneous response to air pressure sound waves is not linear. Now, if the response was non-linear, at normal operating volume, the result would be unacceptable distortion.
(00:48:47):
That's what we call distortion. But the non-linearity is likely to be extreme at very low volume levels where that non-linearity doesn't matter. Anytime you have a non-linear response, the addition of two inputs along that non-linear response curve is wonderfully turned into multiplication. And although this may initially be counterintuitive, you know, this is the principle of log rhythms and it's the way a slide rule, which adds linear lengths is able to produce multiplication. The scales of a slide rule are log rhythmically, non-linear. So when you're adding linear links on a slide rule, you're performing multiplication. This means that if we had two sine waves at very low volume, their summation by the device's microphone, having a non-linear response at low volume would have the effect of multiplying their values in real time instead of adding So next they they multiply instead of adding. Yeah, exactly. Yeah.
(00:50:05):
So next we add one of my favorite trigonometric identities. Don't we all have a favorite trigonometric identity, which states that the product of two sine waves is equal to the sum and the, the, the sum and difference of their frequencies. And Leo, you have your amateur radio operator's license. I do. So you know of this as hetero dining. Mm. In radio Hedin is the way a radio's local oscillator is able to bring a radio frequency signal down into audible frequency range. What we hear is the difference between the two frequencies, neither of which are audible. And that's exactly what's happening here in this attack. The researchers are generating a pair of near ultrasonic frequencies whose difference is the voice signal that they're using to control other devices. We don't hear anything but the microphones in these devices, which are always straining to hear our commands believe that they're hearing our voice because inaudible sine waves are being made to heterodyne.
(00:51:19):
Wow, that's quite clever. Yeah, yeah, yeah. And of course, a problem because now, you know, au regular audio stuff, you know, audio material from wherever could be containing commands that we can't hear. Hmm. So, and they, their demonstrations are, are really chilling. So anyway, I'll keep my eye out for the paper when is published next month, and if it's, if there's anything more, we'll we'll loop back to it. Okay. So the news is that Microsoft has started testing a cryptocurrency wallet, <laugh>, which they're planning to build into their let's just say increasingly versatile edge browser. Wow. I know <laugh>, I, I, I I loved ours. Technical take on this. Their headline read. Microsoft is testing a built-in cryptocurrency wallet for the edge browser <laugh>, and then it had the Subed Crypto Wallet would join coupon's, cash back and buy now pay later add-ons.
(00:52:36):
<Laugh> <laugh>. Yet in the show notes, I have two screenshots whi which ours showed. So Andrew Cunningham is ours. Technic is a senior technology reporter whose take on this is, I think, spot on. So here's how Andrew explained and characterized this new find. He wrote, Microsoft appears to be te to be testing a built-in cryptocurrency wallet for edge, according to screenshots pulled from a beta build of the browser. The feature which the screenshots say is strictly for internal testing, was unearthed by Twitter user. And their handle is at the book is closed, who has a history of digging up present, but disabled features in everything from new Windows 11 builds to ancient windows Vista betas. He says, this is one of many money and shopping related features, but Microsoft has bolted on bolted onto Edge since it was reborn as a chromium based browser a few years ago.
(00:53:47):
In late 2021, the company faced backlash after adding a buy now pay later short term financing feature to Edge as an edge user. The first thing I do, he writes in a new Windows install, is disable the, the endless coupon code, price comparison and cash back popups generated by shopping in Microsoft Edge. And then he says, in Perens, many settings automatically sync between edge browsers. When you sign in with a Microsoft account, the default search engine and all of these shopping add-ons need to be changed manually every time. Meaning they, they're deliberately, apparently not synchronizing. He says, according to the screenshots, the crypto wallet is quote, embedded in edge, making it easy to use without installing any extension. And it can handle multiple types of cryptocurrency. It will also record transactions and the value of your individual currencies as they fluctuate. An explore tab offers news stories relevant to cryptocurrency and an assets tab will let you sta <laugh> will let you stare lovingly at your NFTs, which is all you can do with them.
(00:55:10):
So good. Yeah. Good. I'm glad. Exactly. Yeah. The wallet, the wallet is quote noncustodial also called self custodial, meaning that you have sole ownership of and responsibility for the passwords and recovery keys that allow access to your funds. Microsoft won't be able to back in to let you back in if you lose your credentials. Good. That's how it should be. Whether, yep, whether you find these kinds of add-ons useful, annoying, or predatory is a matter of perspective. Given the prevalence of crypto scams, there may be some value in having a trustworthy, he has in quotes, built in option that doesn't require the installation of dodgy third party extensions. But the feature could also encourage casually interested users to begin exploring the world of cryptocurrency, which is, again, rife with scams. It's also yet another example of Microsoft building a not strictly browsing related feature into its web browser.
(00:56:17):
Many of these features can be disabled and competing browsers like Chrome and Firefox all attempt to add value and earn money by building in access to new niche features and third party services. But Microsoft's moves can still have an outsize impact that deserves extra scrutiny edges. And installed by Edge is an installed by default non-removable component of every Windows 10 and Windows 11 pc. And Leo, I'm endlessly listening and entertained by you and Paul talking on Windows Weekly about, you know, it, it's refusal to go away and, and Lori, my wife is like, honey, how, what, what is, why is being keep coming? Oh God, I know. Anyway, he says, and the operating system pushes you to switch to edge with some regularity. And once in edge the browser pushes you to use Bing and other Microsoft services. So he finishes Microsoft may not ship the crypto wallet to Edge users.
(00:57:20):
The company regularly tests features in edge windows and has other software that never end up making it into the general release versions. We've contacted Microsoft for more information and we'll update if we receive a response. So now, I don't know, not long ago I tried to use Bing. I had become annoyed with Chrome because I noticed that every time I opened it, the fan on my little Intel Nu <laugh> would spin up to dissipate the heat that Chrome was for some reason causing my, the whole system to produce. You know, and this was with no tabs loaded, just Chrome itself, and suddenly up, yo, spin up the propellers, we gotta cool this puppy off. You know? So Chrome had become bloatware and I didn't know whether Bing might be any better, but I I did need left side tabs. So Bing's built in support of that feature drew me in.
(00:58:19):
I figured that, you know, Bing, first and foremost a chromium based browser, I'd at least get good compatibility. But then I found as I was using it that some webpages would not open or display in Bing. So back to Firefox, I went where I am once again, completely happy. So if Microsoft decides to embed a cryptocurrency wallet in Bing, you know, I do hope it works better than their email solutions have, which we'll be talking about next. Oh boy. So that we don't, so that we don't break my rant in a in half. Let's, let's, we'll do an, let's tell our about why we're here and then Oh boy, <laugh>, the rant is on the way, baby. Yeah, God, at least it's not a faux rant, it's real. We had a caller on Ask the tech guy on Sunday whose computer without his approval upgraded to Windows 11 and all turned on some sort of weird security mode that he could only install stuff from the store.
(00:59:17):
So he couldn't install Chrome or Firefox, or, it just drives me nuts. It just drives me nuts. Well, they're, we're, we will shortly see another example of them throwing their weight around. Yeah. They're, you know, I mean, it almost, it almost makes sense that this is where they would've gone, right? Is when they're, when you're that big and you need to keep your shareholders happy, you, you just take advantage of Yeah. The fact that you, your, your users no longer have a choice. Cory, Dr. Rowe calls it eating your seed corn. You know, at some point, yes, in the company, you, you know, you just start, you know, devouring, <laugh>, everything for profit security Now is brought to you by Melissa. Thankfully, Melissa is not in that period. Melissa is very customer focused, very focused on helping you get business done with authentication.
(01:00:16):
Melissa, we call 'em the address experts and they're not a new company, but they've been around since 1985 specializing in global intelligence solutions. Things like address verification, but so much more too. I mean, authentication really is the heart of what Melissa does. Digital onboarding and ID verification is a tool you probably need when you're onboarding new customers to reduce fraud. You'd like to improve customer engagement. Melissa can help you with that. And of course, peace of mind and compliance are both very big priorities. Melissa verifies the authenticity of ID documents, for example, allows customers securely to submit their identity information anytime from anywhere and on their preferred device from an easy use mobile app. And to do it with the confidence that their information is being secured and protected. Their privacy is protected. But there are things you have to do you know, authentication really is huge in so many businesses.
(01:01:21):
Four things to look for when you're considering an a digital onboarding and ID verification service. I'll give you the four in in order Id check. Okay, we were just talking about that today. Machine readable zone or M R Z and optical character recognition or OCR r technologies can instantly identify document types. Just you know, through a camera, passports, driver's licenses, other country IDs. In this step, your solution should also extract client data. Do so reliably populate data into your relevant systems, your crm, for instance, and ideally with no manual entry. Cuz manual entry is where errors get entered accurate, right? So that's Id check 0.2, the four. The second thing to think about biometrics very important these days to make sure your prospective customers, who they say they are biometric checks can use smart facial recognition and comparison algorithms to recognize a match between a selfie and an ID image.
(01:02:28):
The check should distinguish changes though. People grow beards, right? Facial hair, mustaches, makeup, hairstyle, those shouldn't get in the way. Melissa can do that too. And there should be a liveness check. That's the third point along with a biometrics check. A liveness check should be present to determine if the person behind the device they're using to onboard is, is, is alive and not just a picture of somebody. Right? Melissa can distinguish eye movement and other small changes to ensure the user's authenticity. And finally, 0.4 compliance reporting. Make sure your digital onboarding partner keeps a full audit trail and customer due diligence reports. They're critical for your business. They should be organization controlled, right? Your, you should have control of them with the ability to evaluate any time you want. Along with compliance reporting. You should be able to review and approve customer submissions with ease.
(01:03:27):
Four very important things, and you get all of them and more. With Melissa's digital onboarding and verification services, it says 1985. Melissa has specialized in global intelligence solutions. And don't worry, they're absolutely privacy focused. They undergo continuous independent security audits because they're committed to data security, privacy, and of course compliance. You need that compliance. They do too. They're SOC two compliant. Hipaa, gdpr. So, you know, your data is in the best hands. Melissa does so much for authentication, for digital onboarding, for ID verification. You need to check 'em out. They actually have so many tools now. They put together a solutions catalog you can get at melissa.com/twit to find the solution that's right for your particular needs. And it all comes down to making sure your customer contact data is accurate and up to date. In fact, you can get started right now. Test out their API with 1000 records clean for free at melissa.com/twit.
(01:04:32):
M e e L i ssa.com/twit. They've been with us for a while now and I'm constantly amazed by the breadth of their offerings. There's, there's, there's always something new to talk about. Melissa.Com/Twit. We thank him so much for supporting Steve and security now. And if you go to melissa.com/twit, they'll know you saw it here. All right. Put your rant helmet on your goggles. Also, I should, I should start out by noting that it's been quite some time since the listeners of this podcast have hurt me, really get upset about anything. It doesn't happen very often and I don't recall the last time it happened, but it, you know, it's happened before. When I dwell on this one, I'm pretty sure my blood pressure rises because I have a real problem with injustice and bullying. Someone at Microsoft has had a very bad idea. When I first encountered this yesterday, I did a double take really, I thought that I must have misunderstood what Microsoft meant, but unfortunately no, Microsoft has formally announced that they are going to begin blocking incoming email to their exchange online cloud instances, which includes all of Office 365 and outlook.com.
(01:05:50):
If that incoming email originates from other private, so-called on-premises exchange servers, which while they may be functioning just fine are nevertheless past their end of support life <laugh>, I I like, wow. What? That's right. They're saying that they're going to begin blocking incoming email from older version instances of their own exchange server software. No one who purchased Exchange Server 2007, 2010, or 2013 was told at the time, in fact, they've not been told until now that in the future the software they purchased paid for and have continued to happily use would become less useful to them because Microsoft's various online services were going to unilaterally begin refusing to accept email from those otherwise perfectly functioning servers. And yes, I use the term perfectly functioning in the context of exchange server with a bit of tongue in cheek because after all, it is exchange server, but many hundreds of thousands of instances of it are still functioning and everyone else in the world will be able to receive the email they send except for Microsoft's services because Microsoft has apparently decided to punish their previous customers and extort them for additional licensing revenue.
(01:07:32):
Now interestingly, the headline on Microsoft's own announcement doesn't quite fess up to this fully, it reads throttling and blocking email from persistently vulnerable exchange servers to exchange online, but they define the term persistently vulnerable as meaning servers that are unsupported or remain unpatched. And just wait until you hear their rationale for doing this. My breath is still a bit taken away, but I wanna repeat my summation so that you don't need to hit, rewind or replay to be sure you heard it right. <Laugh>, Microsoft is essentially saying that they're going to use their market dominance in online email services to force their previous software customers to upgrade their own instances of exchange server. By refusing to accept email sent by such servers as a means of extorting additional licensing fees from those prior customers, Microsoft is gonna effectively begin reducing the functionality of their previous exchange servers by refusing to accept their email unless and until the licenses for those exchange servers are renewed and their software is updated.
(01:08:53):
I can't think of a precedent for this in our industry. So I suppose that means this is an unprecedented action. Okay, so here's how Microsoft couched this extortion. They wrote this is Them. As we continue to enhance the security of our cloud, we are going to address the problem of sent to exchange online from Unsupported and Unpatched. Yes. Leo, you're laughing. I know. The, the problem, the problem making enough money from legacy customers. <Laugh>. Yeah. We realize there's some people that we are, we haven't squeezed yet enough. So anyway, they said we're gonna address the problem of emails sent to Exchange online from Unsupported and Unpatched Exchange servers. There are many risks associated with running unsupported or unpatched software, but by far the biggest risk is security. Especially with this exchange. Once a version of Exchange Server is no longer supported, it no longer receives security updates.
(01:10:02):
Thus, any vulnerabilities discovered after support has ended don't get fixed. Oh, the horror. There are similar risks associated with running software that is not patched for known vulnerabilities. Once a security update is released, malicious actors will reverse engineer the update to get a better understanding of how to exploit the vulnerability on unpatched servers. Okay. Yeah. As we know, all of that's true. But next comes the pivotal paragraph, the fundamental flaw in the logic upon which this entire extortion effort rests. Microsoft continues. Microsoft uses the zero trust security model for its cloud services, which requires connecting devices and servers to be provably healthy and managed. Servers that are unsupported or remain unpatched are persistently vulnerable and cannot be trusted. And therefore, email messages sent from them cannot be trusted. <Laugh>, they said persistently vulnerable servers significantly increase the risk of security breaches, malware hacking, data exfiltration, and other attacks.
(01:11:26):
Okay. So to put this into perspective, it's as if your modern iPhone would, would no longer accept text messages from iPhones that were out of date. Like, oh, you can't send text messages. You have a iPhone six. Sorry. Right. It's, we, we can't trust that anymore. We're not, we're not supporting that. I mean, in their defense is that, I mean, it could it be hacked, right? Cuz they haven't patched it and exchange servers are notoriously bad. <Laugh>. Oh, yes. In fact, I have an, an update on that too. Okay. But, but here's the problem. They, they said servers that are unsupported or remain unpatched are persistently vulnerable and cannot be trusted, therefore, exactly to your, as as your example, is the email messages sent from them, <laugh> cannot be trusted and those could be validated. I mean, they, they should just be text, right? I mean, okay.
(01:12:20):
They're not, I I have in the show notes here, I, I wrote, this is what's commonly known as a load of crap. Oh, oh yes. That <laugh> that, yes. And I had two phrases that was the more polite of the two <laugh>. It's important that we pause here for a minute because as I said, it is upon this fundamental logical fallacy that Microsoft is hanging their entire campaign. We know that the truth is that yes, through the years Microsoft's Exchange server has had a particularly difficult relationship with security. In short, it's pretty much been an utter disaster. And, and not just for a while, you know, it's, it's inexplicable that they've had this problem. And especially when email is a trivial protocol. I mean, there's hardly anything simpler than email, but Microsoft has managed to make it deadly. On January 3rd of this year, bleeping computers headline read over 60,000 6, 0, 0, 0 0.
(01:13:29):
60,000 exchange servers vulnerable to Proxy, not Shell. And a few months earlier on October 27th, Wired's headline <laugh>, and I'm not making this up, was Your Microsoft Exchange server is a security liability. <Laugh> was their headline with a subhead, endless vulnerabilities, widespread hacking campaigns slow and technically tough patching. It's time to say goodbye to on-premise exchange. As an aside, I'll remind everyone of just how conscientious Microsoft has been about exchanges security. In that article describing the constant struggle over exchange vulnerabilities Wired wrote, they said the latest reminder of that struggle arrived earlier this week when Taiwanese security researcher Orange Si published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Si warned Microsoft about this vulnerability as early as JU June of 2021. And while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully reserve resolve the underlying security problems.
(01:14:51):
Said early SI had earlier reported a related vulnerability in exchange that was massively exploited by a group of Chinese state-sponsored hackers known as half Nam, which last year penetrated more than 30,000 targets by some counts. Yet according to the timeline described in sizes post last week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring si no fewer than four times that it would patch that bug before pushing off a full patch, before pushing off the full patch for months longer. When Microsoft finally released a fix, Cy wrote it still required manual activation and lacked any documentation for four more months. Meanwhile, another pair of actively exploited vulnerabilities in exchange that were revealed last month still remain unpatched after researchers showed that Microsoft's initial attempts to fix the flaws failed. Those vulnerabilities were just the latest in a years long pattern of security bugs in exchanges code.
(01:16:02):
And even when Microsoft does relief exchange patches, they're often not widely implemented due to the time-consuming technical process of installing them. Okay, so let's first just be really clear here, any security problems that Exchange server has are directly Microsoft's fault, right? So now they're saying that they're afraid of receiving any email that previous versions of their software might send to their current versions. It's true that the poor users of those previous versions are likely risking life and limb to continue running older and out of date versions of exchange. But that's their choice, or it used to be, and it's they who are being put in danger by running Microsoft's perennially insecure offering, not people who receive the email it sends, that's utter nonsense, but the utter nonsense upon which as I noted this entire campaign rests. So here's how Microsoft continues. They said, we've said many times that it is critical for customers to protect their exchange servers by staying current with updates and by taking other actions to further strengthen the security of their environment.
(01:17:31):
Many customers have taken action to protect their environment, but there are still many exchange servers that are out of support or significantly behind on updates. Okay? So Microsoft has coined a new term of art for which for, for which we'll be entering our industry's lexicon. They are calling what they will be employing their transport based enforcement system. They said to address this problem, which of course they've invented, we are enabling a transport based enforcement system, oh God, in Exchange online that has three primary functions, reporting, throttling and blocking. The system is designed to alert an admin about unsupported or unpatched exchange servers in their on-premises environment that need remediation, upgrading, or patching. The system also has throttling and blocking capabilities. So if a server is not remediated, mail flow from that server will be throttled delayed and eventually blocked. Wow. We don't want to delay or block legitimate email, but we do want to reduce the risk of malicious email entering exchange online by putting in place safeguards and standards for email entering our cloud service.
(01:19:01):
And then they said, we also want to get the attention of customers who have unsupported or unpatched exchange servers and encourage them to secure their on-premises environments. That's right. Encouragement is what we call it here at Microsoft when your email servers outbound mail starts being refused, not due to any misbehavior on its part, which would be your problem in any event, but only because you have chosen to continue using an older version of Exchange Server, which you paid for, whose email output we have since decided, we no longer want to accept. Oh, but if you purchase a new license, then all will be forgiven and will happily receive your email. They also explain about the actions they'll be taking about, you know, progressive amounts of delaying and, and, and, and how they'll send back an SMT four 50 message, delayed message and then e ending in an SMT five 50 error to, to the sender.
(01:20:14):
So after all this, the announcement then contains an F FAQ to clarify in q and a format what this all means. The answers to a few of the questions they ask themselves are a bit chilling. So they ask themselves, what is a persistently vulnerable exchange server? Answer any exchange server that has reached end of life, for example, exchange 2007, exchange 2010, and soon as actually next month exchange 2013 or remains unpatched for known vulnerabilities, for example, exchange 2016 and Exchange 2019. Servers that are significantly behind on security updates are considered persistently vulnerable. Is Microsoft blocking email from on-premises exchange servers to get customers to move to the cloud? No. Our goal is to help customers secure their environment where wherever they choose to run exchange, the enforcement system is designed to alert admins about security risks in their environment, right? Because their email can't get delivered anymore.
(01:21:31):
And to protect exchange on protect exchange online recipients from potentially malicious messages sent from persistently vulnerable exchange servers. Cuz you know how, how bad the email is that's sent from those old exchange servers. Okay. Why is Microsoft only taking this action against its own customers? Customers who have paid for Exchange server and Windows server licenses? Oh, we are always looking for ways to improve the security of our cloud and to help our on-premises customers stay protected. This effort helps protect our on-premises customers by alerting them <laugh> potential significant security risks in their environment well created by our software. We are initially focusing on email servers. Oh, initially focusing, we are initially focusing on email servers. We can readily identify as being persistently vulnerable, but we will block all potentially malicious mail flow that we can will Microsoft enable the transport based enforcement system for other servers and applications that send email to exchange online?
(01:22:51):
We are always looking for ways to improve the security of our cloud and to help our on-premises customers stay protected. We are initially focusing on email servers. We can readily identify as being persistently vulnerable, but we will block all potentially malicious mail flow that we can. If my exchange server build is current, but the underlying Windows operating system is out of date, will my server be affected by the enforcement system? No. The enforcement system looks only at exchange server version information, but it is just as important to keep Windows and all other applications up to date and we recommend customers do that. However, we haven't figured out how to make you do it yet. Delaying and possibly blocking emails sent to Exchange online seems harsh and could negatively affect my business. Can't Microsoft take a different approach to this? Microsoft is taking this action because of the urgent <laugh>.
(01:23:53):
That's right. We just made it up but is now it's urgent because of the urgent and increasing security risks to customers that choose to run unsupported or unpatched software. Over the last few years, we have seen a significant increase in the frequency of attacks <laugh> against Exchange servers. You bet we have done and will continue to do everything we can to protect exchange servers, but unfortunately there are a significant number of organizations that don't install updates or are far behind on updates and are therefore putting themselves their data as well as the organizations that receive e as as well as the organizations that receive email from them at risk, we can't reach out directly to admins that run vulnerable exchange servers. So we are using activity from their servers to try to get their attention. Our goal is to raise the security profile of the exchange ecosystem.
(01:25:03):
Why are you starting only with Exchange 2007 servers when Exchange 2010 is also beyond end of life and Exchange 2013 will be beyond end of life when the enforcement system is enabled. Starting with this narrow scope of Exchange server lets us safely exercise, test and tune the enforcement system before we expand its use to a broader set of servers. Additionally, as Exchange 2007 is the most out of date hybrid version, it doesn't include many of the core security features and enhancements in later. Oh, so it's less bad even though it's, you know, way older. Oh no, it's more bad. More bad. The newer ones are less bad. Restricting the most potentially vulnerable. Oh, it's the most potentially vulnerable an unsafe server version first makes sense. That's right. <Laugh>. Does this mean that my exchange online organization might not receive email sent by a third party company that runs an old or unpatched version of Exchange Server?
(01:26:15):
Possibly. The transport based enforcement system initially applies only to email sent from Exchange 2007 servers to exchange online over an inbound connector type of on-premises. The system does not yet apply to emails sent to your organization by companies that do not use an on-premises type connector. Our goals are to reduce the risk of malicious email entering exchange online by putting in place safeguards and standards for email entering the service and to notify on-premises admins that the exchange server their organization uses needs remediating. In other words, the answer is yes to this question. If you're, if you are an organization using Exchange online, you will stop getting email from these scoff laws who have decided to continue using the software they purchased a while ago. How does Microsoft know what exchange version I'm running? Does Microsoft have access to my servers? No, Microsoft does not have any access to your on-premises servers.
(01:27:20):
The enforcement system is based on email activity, for example, when the on-premises exchange server connects to Exchange online to deliver email. Anyway, it's it's in the headers, the, the the version of exchange and the, and the service pack and, and and update level and so forth. And in in this posting they have some additional back and forth between some people who feel pretty much as I do and a Microsoft guy, but e everyone's got the sense for this. So the world is apparently full of past end of life and non updated exchange server instances that are day in and day out working perfectly well for their users who once purchased the software from Microsoft and who have felt for whatever reason no need to purchase new licenses, the servers online and working for them the way they want it to without problems.
(01:28:24):
And for whatever reason they have chosen not to upgrade their software. Is it not their choice and their right to run the software that they have purchased as long as they wish and as long as it is serving their needs? That software was not a subscription. It did not come with an expiration date. It's licenses. Clear assertion was that they would be able to use it for as long as they wished. The idea that email originating from out of date and unsupported email servers is itself inherently dangerous, is utter nonsense. There's no awareness out in the world that email from certain versions of this or that email software is known to be dangerous. We, we would know that on this podcast if that was the case. Microsoft just invented that out of thin air to suit their commercial purpose. To the extent that there is any danger, it's to the organization running such software not to those receiving its email output.
(01:29:29):
This is the shaky premise upon which Microsoft's policy rests and it doesn't hold up. But that doesn't matter because Microsoft is able to claim it and will soon begin enforcing it. Those perfectly good servers have been tirelessly working apparently without problems for many years. But now that's about to change, not because they suddenly represent any actual danger, but because Microsoft figured out how they can extort some new revenue from their old customers because most organizations will take the path of least resistance, which will be to upgrade. Microsoft surely knows that the net effect of this will be to generate additional revenue for itself. Those wayward users have fallen off the Microsoft Gravy train and is high time that they be brought back into the fold. What better way than to create a new inability for those old servers to send mail to Office 365 and outlook.com users whom Microsoft already utterly controls it's diabolically brilliant.
(01:30:49):
And so that it doesn't appear to be the bald faced revenue extortion scheme that it is couch the whole thing in their need to protect their paying customers from those evil email messages being generated by their own, presumably now highly dangerous software. And finally, it's worth noting that this is not a one-time event. No one using any Microsoft Exchange server software will ever again be able to fail to keep it updated nor to avoid the purchase of future licenses forever. Now I celebrate that idea moving forward since keeping software updated, especially Exchange Server is a good thing. And since New Licensors will be aware that they will never again have any choice other than to be paying Microsoft forever under whatever terms and conditions Microsoft may choose. The problem I have is with Microsoft's effectively unilateral revocation of the open-ended licenses they previously sold. That's a clear violation of trust and that's never gonna be okay even though it's gonna happen.
(01:32:16):
Yeah, I mean I'll have to ask Richard Campbell about this. He is a exchange server admin is abandoning exchange server for his home system. Anybody who's been using Exchange Server has been tortured long enough. Yeah. But this seems like a really unseemly way cuz you're basically breaking email, correct? You are, you are, you are saying here is a valid piece of email Yeah. With, you know, a a, a letter from your mom and it w who that has no malware on her system, but because it was sent to, to a a Office 365 or outlook.com user through an old version of Exchange Server. Yeah. They're not gonna accept the email. That's not okay. They're just gonna say, oh no, we, we we're not gonna accept the email. Yeah, I mean, it is Leo, it is so wrong. Yeah, I agree with you a hundred percent.
(01:33:14):
I'm sure Richard and my Paul will have something to say about it on Windows Weekly. I will refer them to your rant <laugh> just to prepare them <laugh> excellent points and as always, an excellent show. Thank you Steve. Steve is of course at grc.com. You can get a lot of things there, including this show. He has 16 Kilobit audio versions for the bandwidth impaired. He has transcripts you can read along as you listen or use them to search. He also has a 64 kilobit audio grc.com while you're there, pick up spin, right? His bread and butter and version 6.0 is current, but 6.1 is imminent. And that's good news because it means everybody owns six oh will actually get a upgrade of six one, which is awfully generous. And these are people who paid years ago. I, I'm proud to say than I expected, but I paid years ago for 6.0.
(01:34:08):
But I bought another copy I think last year or earlier this year just to just to kind of, you know, kind of keep 'em up to date. It's not required Steve Lana, your license forever, but si you, you'll never, you won't, you won't do what Microsoft does and say you can't check a drive with this old version of spin. Right? It's not <laugh>. That drive cannot be checked until you have a new version of spin, right? Grc.Com. We also have copies of the show at our website, 64 Kilobit audio and video at twit.tv/sn. There is a YouTube channel dedicated to security. Now, easiest way to find our YouTube channels, each show has its own channel is to go to the main one, which is youtube.com/twit. And you'll see their thumbnails for all the other shows. You can link to those or subscribe to those or whatever is you do.
(01:34:59):
And of course the easiest way to get it, subscribe in your favorite podcast player because it's, it's a podcast. There's an RSS feed and if you subscribe it just happens automatically. You'll get the newest versions the minute they're available. And if you want all 916 <laugh>, we only put 10 previous shows on our feeds. You'll have to go to the website, twit tv slash sn and you, you can download them all at your leisure. We do stream it live if you want the freshest version, if you wanna watch us do it live. The stream is live twit tv. There's audio and video streams there, and the show is right after MacBreak Weekly on Tuesdays. That time varies. It was 2:00 PM Pacific today, 5:00 PM Eastern, 2100 UTC might be a little bit earlier or later depending on how long MacBreak Weekly goes.
(01:35:48):
But you can watch both shows if you want. We stream them and we'll repeat them throughout the day and night. In fact, all about Androids coming up in just a little bit, Steve. Have a wonderful week and friend, I will not be here as you know. Yeah, three weeks at the end of next month. Yep. Three weeks the 25th I think of March of April rather. So but I'll send you, if I find Gates that are easily circumvented, I will send them too, right along to you. We need, we need foolish pictures, foolish pictures of security. I will keep my eye peeled for you. Thanks Steve. Have a great month and I'll see you next time. Hey buddy, bye-bye to you soon. Bye. Yeah, yeah, it's gonna be a long time away, <laugh>. Well, have a great trip, my friend. I know you will. I can't wait. Sounds like it's gonna be a good one. I'm excited. Talk, talk to you in four weeks. All right, thanks Steven. Hey buddy. Bye-Bye. Bye.
Mikah Sargent (01:36:43):
Oh, hey, that's a really nice iPhone you have there. You totally picked the right color. Hey, since you do use an iPhone and maybe use an iPad or an Apple Watch or an Apple tv, well you should check out iOS today. It's a show that I mic a sergeant and my co-host, Rosemary Orchard, host every Tuesday right here on the Twit Network. It covers all things iOS, tv, os, home, pod, os, watch, os, iPad os. It's all the OS that Apple has on offer and we love to give you tips and tricks about making the most of those devices, checking out great apps and services and answering your tech questions. I hope you check it out.
... (01:37:23):
Security Now.