The miserable mess that is Microsoft Recall

Last week Microsoft announced a new feature that is a major security sinkhole called Recall. It is a miserable mess, and makes Windows more vulnerable to attack. Sadly, it will be operating by default unless you get out your secret decoder ring and lock it up behind some group policies.

Why is Recall so bad? It combines the features of a keylogger and an infostealer and puts them inside the Windows OS. It automatically takes frequent screenshots of what you are doing, and stores them on your hard drive. This data is stored in a searchable database, so you can rewind what you are doing to a specific point in time. This includes all your passwords, if they are displayed on screen. Kevin Beaumont wrote that Recall fundamentally undermines your security and introduces immense new risks.

It didn’t take long after the announcement at Build, Microsoft’s annual developer conference, for the UK ICO, its privacy agency, to open an inquiry. Yes, hackers would need to gain access to your device and figure out the encryption of the data, but these aren’t big hills to climb. “Something could go wrong very quickly,” said one security researcher. 

Eva Galperin, director of cybersecurity with the Electronic Frontier Foundation, said Recall will “be a gift for domestic abusers,” given that a partner would have physical PC access and perhaps login details too. She said the database of screenshots would be a tempting target for hackers.

Bh187 Total Recall GIF - Bh187 Total Recall Arnie GIFsMicrosoft will start selling its own line of AI-enabled laptops later this summer that will include Recall. Sometimes total recall goes awry, as fans of the original Arnold movie (or Philip Dick short story) might remember. It’s too bad that this is one journey from sci fi to reality that we could do without.  Here is how to disable it.

CSOonline: Third-party software supply chain threats continue to plague CISOs

The latest software library compromise of an obscure but popular file compression algorithm called XZ Utils shows how critical these third-party components can be in keeping enterprises safe and secure. The supply chain issue is now forever baked into the way modern software is written and revised. Apps are refined daily or even hourly with new code which makes it more of a challenge for security software to identify and fix any coding errors quickly. It means old, more manual error-checking methods are doomed to fall behind and let vulnerabilities slip through.

These library compromises represent a new front for security managers, especially since they combine three separate trends: a rise in third-party supply-chain attacks, hiding malware inside the complexity of open-source software tools, and using third-party libraries as another potential exploit vector of generative AI software models and tools. I unpack these issues for my latest post for CSOonline here.

CSOonline: Microsoft Azure’s Russinovich sheds light on key generative AI threats

Generative AI-based threats operate over a huge landscape, and CISOs must look at it from a variety of perspectives, said Microsoft Azure CTO Mark Russinovich during Microsoft Build conference this week in Seattle. “We take a multidisciplinary approach when it comes to AI security, and so should you,” Russinovich said of the rising issue confronting CISOs today. I cover his talk, which was quite illuminating, about AI-based threats here for CSOonline.

 

A new week and new threats to worry about

This week I saw two stories that sent a chill up my spine. They indicate that cybersecurity is an ever-evolving universe where exploits continue to find new ground, and defenders have to look carefully and remain ever-vigilant. Let’s take a look.

The first one sounds almost comical: two UC Santa Cruz students figured out how to get their clothes cleaned at their dorms’ laundry room for free. But behind the stick-it-to-the-man college prank lies a more sobering tale. The students were able to analyze the data security posture of the laundry vendor and find a combination of weak programs to run endless wash-and-dry cycles almost surgically. The vendor wasn’t some small-time operator either: they run a network of a million machines at hotels and campuses installed around the world. But despite this footprint, they have miserable application security. To wit, there is no way for anyone to report any vulnerabilities, either online or via phone.  The company’s mobile app, used to pay to activate a specific machine, has no authentication mechanisms and so the students were able to top off their accounts without spending any actual money. The APIs used by their apps don’t verify the users, so the students could issue commands to the washers and dryers, commands that were easily discovered with the company’s own documentation.

The students were responsible, although they did “top off” their accounts to the tune of a million dollars, just to make a point. The only thing the laundry vendor did do was zero these accounts out but didn’t fix any of the other flaws. Nor did the company reach out to them or work with them (or any actual security researcher, at least according to what I read), again showing a complete cluelessness.

I will let you spin up the various morals from this story. I was impressed with the level of professionalism that the students demonstrated, and would imagine that they will have no problem getting infosec jobs and will do well once they have to leave the halls of academia and have to start paying for their own laundry operations.

Let’s move on to the second story, about how your Wifi router can be used as another means of surveillance. Brian Krebs broke this one, based on research from two University of Maryland computer scientists. They discovered a way to de-anonymize the locations of Wifi routers based on the network communications of Apple and Google products that connect to them. The problem lies in the design of Wifi positioning systems that are seeking more precise geo-locations: think Apple AirTags and other GPS applications that are tracking your movements. Attackers could leverage these processes to figure out specific movements of people, even people that haven’t given any permission to be tracked and are just moving about the world. Someone with a portable travel router, for example, is ripe for this exploit. The research paper posits three situations that demonstrate what you can learn from this analysis, such as tracking the movements of Gazans after 10/7, the victims of the Maui wildfires last summer, or people involved on both sides of the war in Ukraine.

As they wrote in their paper, “This work identifies the potential for harm to befall owners of Wifi routers. The threat applies even to users that do not own devices for which the Wifi positioning systems are designed — individuals who own no Apple products, for instance, can have their router listed merely by having their Apple devices come within Wifi transmission range.”

For privacy-concerned folks, one solution is to append “_nomap” to the SSID name of your Wifi router, which will prevent Apple and Google from using its location data.

CSOonline: It is finally time to get rid of NTLM across your enterprise networks

It is finally time to remove all traces of an ancient protocol that is a security sinkhole: NTLM. You may not recognize it, and you may not even know that it is in active use across your networks. But the time has come for its complete eradication. The path won’t be easy, to be sure.

The acronym is somewhat of a misnomer: it stands for Windows New Technology LAN Manager and goes back to Microsoft’s original network server operating system that first appeared in 1993.

NTLM harks back to another era of connectivity: when networks were only local connections to file and print servers. Back then, the internet was still far from a commercial product and the web was still largely contained as an experimental Swiss project. That local focus would come to haunt security managers in the coming decades.

In this analysis for CSOonline, I recount its troubled history, what Microsoft is trying to do to rid it completely from the networking landscape, and what enterprise IT managers can do to seek out and eliminate it once and for all. It will not be a smooth ride to be sure.

I remember Myst

I have long been a fan of quirky museums and collections, and heard last week about the Museum of Play, based in Rochester NY. They recently awarded their latest round of “hall of fame” computer video games, and on this year’s list is Myst. This 30+ year old game was a significant moment in its day and a big hit back as I wrote on a blog from 2012. It sold more than six million copies and raised the bar from crude graphics and beeping computer generated noises that were found in many of the early games from that era. After hearing about the news, I wanted to dust off my software and try to take it for another spin (which is what I did back in 2012), but alas, I didn’t have the right vintage of OS and drivers to make it work.

Myst gets a fully modern update in this realtime 3D Masterpiece Edition - PolygonAs I wrote back then in my blog, I observed that Myst’s graphics were not anything like more modern games. Its genius was giving equal weight to both graphics and audio, and while I was clicking about its landscape, I left the sounds of the ocean lapping up against the rocky island playing while I was working, and it was very soothing. The museum says it was slow paced and contemplative but inspired wonder. I concur.

Myst was not a first-person-shooter, but a game that involved solving puzzles, puzzles that had very inscrutable clues that were easy to miss at first glance. It easily got frustrating, and I often found myself going back over ground that I thought I had covered, only to find another hidden puzzle that unlocked a new landscape. Eventually, I bough a cheater book to get to the end of the game, thereby sealing my fate as a forever-novice gamer.

Myst came along at a time when PCs were just getting CD-ROMs installed: I remember buying this add-on package from Soundblaster because those early computers didn’t have any audio support either. And figuring out that puzzle of drivers, OS updates, and rooting around inside my computer to connect everything up was my first foray into building the kind of computer that we now take for granted where sound and optical media (and writable multi-speed ones at that) are part of the package.

Well, at least we can take the sound features for granted —  we seem to be moving away from having DVD drives as standard equipment in the name of streaming and having ultra-thin laptops and tablets. It also came at a time when color monitors were very new to the Mac world and graphics cards came with very little additional memory. This meant that the ability to do full-motion high-resolution video was still far off. Now we have graphic processors that have more horsepower than the CPUs in the same machine, and companies like Nvidia and AMD are finding new markets in providing the GPUs for doing machine learning and AI processing.

And software such as Photoshop and QuickTime were very much v1.0, barely able to keep up with the demands by the game’s two brothers who created it. Creating the three-dimensional images wasn’t easy: rendering took hours per image, because of software and hardware limitations.

And it especially wasn’t easy because the internet hadn’t yet taken off: the Myst dev team had to resort to “tire net” — meaning driving around the latest builds on removable media that were probably all of a 100MB in capacity and delivering them to various team members.

The Miller brothers would also star as actors in the video segments that a player would uncover in the game itself.

Myst was also ahead of its time when it came to non-linear storytelling: we have since had various feature films that are so constructed, such as Sin City in 2005 and Pulp Fiction, just to name a few of them. Rand Miller in a long interview with Ars done a few years ago speaks about how real life is all about embedding stories, and Myst was the first time that a game used this technique to make it more realistic and compelling. It was as if the made-up world was talking back to you, the gamer, directly. Again, now we take this situation very much for granted in modern games.

So I am glad after all these years that Myst is receiving some recognition, even if it is in a quirky Rochester museum, and even if all of my aging PCs can’t run it because they are n’t old enough. But if this essay has piqued your interest and you want to run Myst for yourself, act now and offer to pay the Fedex delivery and it could be yours. I will pick one reader to get the 3-CD package of Myst and its successor games — if you have a vintage machine that is old enough to run it.

The battlefield smartphone: a progress report

Thaddeus Grugq’s latest newsletter opines on the role of the smartphone in how warfare is reported on by the media, calling it a revolution in military media relations. Things have certainly changed since battlefield reporters began reporting on wars: events are posted in near-real-time, with streaming color video transmitted via social media networks, shrinking the distance from the war zone to the reporter and viewed around the world. “The information environment is truly beyond the control of the military,” he writes.

This is perhaps the ultimate in media disintermediation. There are no gatekeepers, everyone with a smartphone and a You Tube channel is now a “citizen journalist” with a ready-made audience.

It isn’t just for the reporters: there are benefits for smartphone-toting warfighters as well. There have been plenty of articles that have documented how soldiers have exploited smartphones over the past several years, including this one that documents what is going on in Israel. It enables the troops to better communicate with their families, something that I am personally familiar with my Israeli son-in-law, who has been deployed several times since the war began. When he was deployed in Gaza, his regular phone didn’t work, so it was always stressful. But when he was deployed in Israel, he was in touch with us, which seemed surreal. Even foxholes now have Wifi.

And of course smartphones and citizen journalists aren’t restricted to the war zone either, such as coverage of the riots during the Ferguson summer of 2014 and this spring’s college encampments. Some of that reporting was better than the mainstream media, to be sure. That link explores the concept of citizen journalists that I wrote during that summer.

But we have crossed a Rubicon of sorts with the Israeli government literally shuttering Al Jazeera’s Jerusalem studios this week. My daughter, who has been living there for many years, and I disagree on this action (she is in favor of the shutdown, I think the network should be allowed to continue to broadcast). Imagine if Biden were to shutter Newsmax. Or if police raided a newspaper in Kansas. (Wait, that did happen last year.)  For many years, I watched the early morning news coverage from Al Jazeera English’s programming. It was mostly fair. I haven’t seen much since the war began last October, and I am not sure how I would react to hearing misinformation being broadcast now.

The record of independent journalism in the Israel-Hamas war is a difficult one, because no one can really do research. But imagine if nearly 100 journalists were killed by the US in one of our recently wars — that is the current tally of who has been killed in Gaza and the West Bank, according to the CPJ. None of these people were engaged in any military capacity, at least according to their documentation. And Israel has also blocked any journalists from entering Gaza, making matters more difficult.

Let’s look at the coverage of the college protests. We saw the furniture barricades at Hamilton Hall on Columbia’s campus: is that a peaceful protest? Did the police act responsibly? With all the live streams, including some from the police bodycams, it is hard to say. Now imagine having very limited access to what is going on (which some colleges are trying to do). For all the real-time streaming, the fog of war becomes very thick indeed.

I wrote after the Ferguson riots, that if we are going to be a shining example of a working democracy, we need a strong and independent press that can document police abuses. Otherwise, we are no better than the countries we criticize for trumped up charges and wrongly arresting people. The same is true for wartime journalism.

CSOonline: An update on IAM

Comedian Colin Quinn says identity is a big thing. “Your id is who the government says you are. Your personality is the people who know you think you are, your reputation is the people who don’t know you think you are, your social media profile is who you think you are, and your browser history is who you really are.”

While my writing about identity management isn’t going to make the comedy circuit, I  recently updated my explainer piece for CSOonline. Identity is even more important these days, as enterprises move into more cloudy and virtual infrastructures, federate apps with their partners and customers, and try to protect themselves against supply-chain attacks that can tie them in knots for weeks and months.  And thanks to poor multi-factor implementations, more sophisticated phishing methods, more automated credential stuffing techniques and numerous legacy IAM systems that haven’t been updated, bad actors can often find easy entries with minimal effort into corporate systems to ply their exploits.

IAM needs to be a well-integrated fabric or mesh of architectures and processes that connect everything together into a coherent whole that can protect the entire digital surface of an enterprise. This fabric uses adaptive risk assessments to authenticate and connects both people and machines and uses information collected from continuous threat detection and operations visibility. My post explains how to get to this state, and some things that enterprise IT managers need to consider in their evaluations.

Managing your identity theft protection

World Password Day is Thursday, I know all of my readers are gearing up major parties to celebrate. What, you don’t know about this day in flackery?  Read on.

I know my inbox runneth over with WPD PR pitches. Perhaps you have already planned your day, such as noting yet another account of yours that has been breached? Another chance to reuse that password from 1992? Time to get another password manager other than Lastpass? Or perhaps just have a cupcake decorated with ones and zeros? (Image credit: Google’s Gemini)

Here is how I am celebrating. I am actually reviewing the two free identity protection services that I have been granted, thanks to two recent and massive data breaches. One is from the credit bureau Experian, the other from a company called IdentityDefense.com. Normally, these outfits charge anywhere from $10 to $30 a month, and in the past I have not been motivated to use these, or any other service. Here is the problem: being a privacy paranoid person, I don’t want to give out any of my numbers. Yet to sign up for these services, you have to lay it all out there: SSN, birth date, previous addresses, drivers license, phone numbers and so forth.

Some things you might want to know: my wife and I have had spurious credit card charges over the years — one just recently where someone kept trying to charge a rideshare in San Francisco repeatedly. And I think her credit is still frozen (although I don’t recall when we got it or if we actually unfroze it).

The dashboard for IdentityDefense looks like this:

You’ll notice that it shows you a bunch of dark web alerts (where a bunch of passwords have been collected after a breach by some baddie), my credit score (nice), and a bunch of other stuff. The alerts all date from when I initiated the service last month and haven’t been updated. Some of these alerts are less than meaningful, such as the breach of Xss.js that was found in May of 2018 or the one called Combolist_bundles_solenya from December of 2017. I have no idea what these were, and if actually wanted to change my password, where to go about doing so. On some of the other dark web listings, the breach id’ed an actual website where I didn’t ever have an account. So right away, you can see that this information isn’t very helpful.

One thing that IdentityDefense does have is a way to file online credit freezes for the three credit agencies. You could probably find the web pages for these on your own, but still, it is nice to have this all here in one place.

Let’s look at the Experian ID works dashboard. It is less than useful:

This is because almost everything that you want to know about will require a lot of clicking around, For example, you see the “CreditLock” panel — that is slightly more than a freeze, because you can lock and unlock it in real time, and of course this is just for Experian. When you find your way to the dark web alert report, you will also see a lot of useless data, such as an email address for me that I have never used, although attached to my actual phone number. One alert had both the right phone and email for a breach from Apollo.io in July 2018, never heard of them, and when I tried to reset my password on their site, it claimed no one with that email has an account.

There is another service that businesses use to manage their dark web and other threats that I have used from time to time from CyberSixGill.com, where I wrote a white paper for them a few years ago. That paper spoke to this situation of not having very complete information about what was breached, or how metadata on the breach wasn’t of sufficiently high-enough quality or complete enough to be actionable. I wrote that you should be able to visualize the context of the threat and figure out where you were compromised, and what you should do in the future to prevent something similar from happening. That is still very much the case.

And if you are in the market for one of these services, you can read Paul Bischoff’s hands-on review of these and other services here on Comparitech. He puts them through more rigorous testing, and recommends services depending on how much of your life you want to divulge and then protect, and how complex a financial situation you might have.

So you should know by now that when something is free, it may or may not have any value to you. That latter situation is certainly the case with these protect-after-breach situations. Far better to have stronger (long and complex) passwords that are unique and managed by a service other than LastPass (I use Zoho Vault, which is free and does have value).

And if you are still in the mood to celebrate WPD, this comment from a security nerd from 2018 is instructive: “Happy WorldPasswordDay. Or in 90 days, WorldPassword1 Day.” Last year, I wrote: “Maybe on WPD in 2024 we can finally break out the bubbly and celebrate their actual demise.” Nope, not yet, put that bottle back in the fridge.

The latest anime-based North Korean IT threat

A couple of years ago I wrote about the report that North Korean IT workers were using fake resumes to get jobs as software developers. Once ensconced, they would leverage their position to launch attacks as well as using their salaries to generate hard cash for their government handlers. But a new research report has shown this threat to be even more pernicious, with North Korean digital animators getting jobs working on major motion pictures that will be broadcast on HBO, Amazon, and other outlets.

As I mentioned in my earlier post, this is the ultimate supply chain attack, but the supply is the humans who produce the code, rather than the code itself. The new report is based on a misconfigured cloud server, showing that even North Koreans can make this common programming mistake that is made every day by nerds around the globe. The group working on this server left it wide open for a month, during which time security researchers could download the files placed on this server and figure out the workflows involved.

They learned from the incident how difficult it is for animation studios to vet whether or not their outsourced work ends up on North Korean computers and how these studios might be inadvertently employing North Korean workers. It also demonstrates how hard it can be to have effective sanctions when it comes to our interconnected world.

As you might already know, North Korea doesn’t have very many internet connections by design, because of these sanctions. Typically, an IT shop would have just a couple of connected computers with net access that is carefully monitored by the state. Looks like they need to add “search for unprotected cloud storage buckets” in their monitoring software, just like the rest of us have learned.

What makes this discovery interesting is how far down the workflow food chain these animators operate. Examining one of the images posted by the researchers, shown below, you can see two text annotations, one in Korean and one in Chinese characters. The conclusion is that this was a translation between two teams working on the project: the hidden Korean team that was a subcontractor for the Chinese team. China is often the safe-mode proxy to hide North Korean origins from Western-based businesses, and Chinese businesses that have been discovered to be these go-betweens are eventually sanctioned by our government.

The researchers found work on a half dozen different animation projects that span the globe of video programming being produced for Japanese, American, and British audiences. Some of these shows aren’t scheduled to run until later this year or next. “There is no evidence to suggest that the companies identified in the images had any knowledge that a part of their project had been subcontracted to North Korean animators. It is likely that the contracting arrangement was several steps downstream from the major producers,” they wrote.

Last October, our government updated its warnings about recognizing potential North Korean IT workers, such as tracking home addresses of the workers to freight forwarding addresses, or where language configurations in software don’t match what the worker is actually speaking. They further recommend any hiring manager do their own background checks of all subcontractors, and not trusting what the staffing vendor supplies, and verifying that any bank checks don’t originate from any money service business. They further recommend preventing any remote desktop sessions and verifying where any company computers are being sent, and for workers to hold up any physical ID cards while they are on camera and show their actual physical location.

I am sure that animation studios aren’t the only ones employing North Koreans. The human employment supply chains can snake several times around the globe, and this means all of us that hire IT — or indeed any specialized talent — need to be on guard about all the component layers.