10.12.21

Citation/Atlas ‘Security’ Exam is a Total Farce, But It’s Still Good for Entertainment Purposes

Posted in Deception, Microsoft, Security, Windows at 7:38 pm by Dr. Roy Schestowitz

Summary: What are people being taught about so-called ‘security’? Might that explain so many security breaches? (Poor training, wrong assumptions)

OVER the years I saw criticisms of school or classroom indoctrination about copyrights. They’re basically teaching/pushing a bunch of lies to young children in an effort to “educate” them about “copyright law” (sounds reasonable on the surface… until one actually checks what these pupils are being told).

“It’s supposed to sound sophisticated, but the net gain for security is laughable.”For ISO compliance purposes, sometimes I’m required to take and pass some online “training” courses. Some of these are ridiculously bad, so I end up taking screenshots.

This post is about fake security mindset — a concept explained here several times earlier this year. It’s supposed to sound sophisticated, but the net gain for security is laughable. Complexity does not beget security (usually the opposite is true; simplicity is auditable). Basically, it boils down to what’s sometimes known as "security theatre", owing to a ‘fake security’ cargo cult of “phones” or “apps” and “clown computing” (i.e. giving all your access credentials to some other company, along with highly sensitive data).

During my latest “training” I stumbled upon about 40 examples of amusing errors and silliness (it’s all over the place, sometimes with repetition for extra effect or ‘good’ measure), but to keep things more concise and digestable I took screenshots and annotated them a little, just as I did last year with edX [1, 2], in effect shilling for the Linux Foundation in the guise of “training”. Where does one draw the line between courses and marketing, revisionism, and even outright lies?

“Basically, it boils down to what’s sometimes known as “security theatre”, owing to a ‘fake security’ cargo cult of “phones” or “apps” and “clown computing” (i.e. giving all your access credentials to some other company, along with highly sensitive data).”Below I present just a small sample. Almost at random I narrowed it down to just a dozen rather unique examples (there are many more similar instances of these). Surely, a more exhaustive list would take a lot of time to prepare while the clock is running. At the end, one is required to lie or say what they expect you to say in order to pass the test (which I did). To be fair, the questions aren’t as terrible as the supposed ‘training’, as they don’t mention brand names there or promote outrageous fallacies.

Without further ado, let’s begin.

Does that mean what they think it means? Yes! They can! Like, every person? If you already labeled them that, what does that mean? 'Good' ones?

It doesn’t take a genius to see what’s happening here and why it’s shallow. Infantile questions like, ARE CRIMINALS A THREAT? It’s like a colouring book quiz with heroes and villains. They present actual adults with such questions. We’ll come back to it later when it comes to “exam time”.

They don't need to target you, they can target the software you use, e.g. Microsoft Windows

Notice how, just like Microsoft, they’re looking to blame computer users or “criminals” (or some nations like China or Russia). Anything to divert liability away from rogue software companies that write shoddy code, hide the defects, and code back doors for the NSA et al.

Let’s move on.

Apple or Microsoft

Wait, I’m confused.

You mean Microsoft

As if it’s the user’s fault that Microsoft cannot secure its own systems…

Surveillance devices with back doors are some of the least secure ways to maintain access to things

Yes, let’s all use ‘phones’ to manage critical servers… with “apps”.

Back doors of vendors and governments not even mentioned

Missing part?

With back-doored encryption of the aforementioned brands?

No mention of “weakened” (i.e. fake) encryption.

Microsoft promotion (niche player)

Why are they ignoring bigger players like Facebook and Twitter? Brand promoting? Wait, there’s more right after that…

What if I don't use (back-doored) Windows?

It’s 2021 and they still think everyone uses Windows. Guess what… Windows market share is less than a third.

But should I use Windows at all?

Windows again.

OK, questions time. First in the test:

The simplistic children's villain narrative

So let me guess… “criminals” are the threat. Who would have guessed?

Did I learn something from this course? Absolutely nothing. But I got some giggles. Many millions of people are constantly subjected to this kind of propaganda, which sometimes seems more like marketing than actual education.

Firefox 93 Disables Triple DES and Doesn’t Mention NSA Backdoors. Windows 11 Continues Degrading VPNs With It If They Use the Native APIs.

Posted in Microsoft, Security, Windows at 6:23 am by Guest Editorial Team

Guest post by Ryan, reprinted with permission from the original

Summary: Firefox 93 has finally disabled the NSA-backdoored and weak Triple DES encryption when you connect to “secure” websites.

In their blog post, Mozilla imply that all that’s wrong with it is that it’s obsolete and seen better days, however, the US National Security Agency was involved and weakened the entire scheme to the point where they could easily break it, but thought that nobody else could for a while.

Flash forward to today, and Triple DES can be easily attacked using many known weaknesses and, if you know the terrible security track record of the OpenSSL project, they dropped it by default (and you’d have to turn it back on) in 2016.

What’s amusing, is that Microsoft and their pet lap dogs over at the Linux (Destroying) Foundation, which has little to do with Linux anymore and more to do with producing mountains of whitepapers using indecipherable buzzwords, technobabble, and treknobabble that would probably make Laura Callahan blush, got together with other companies and poured money into OpenSSL. Lots of money.

And the result of this money is…….. that we’re still stuck with a bloated train wreck that has a lot of obsolete code and security issues.

Some GNU/Linux distros tried switching to LibreSSL, but that turned out to be an even bigger disaster in some ways because the OpenBSD people consider the Apache 2 license to be “non-Free” because it doesn’t allow patent trolls to give you a program and then sue you for using it, and since OpenSSL is now under that license, it means they can’t just pull code from it, and pretty much all hope of remaining API/ABI compatible or something close to it went out the window.

“Still, just one of the many lingering security problems regarding Triple DES is that the Windows 10 and now, “11” operating systems continue to use it despite it being known for years to be bugdoored by NSA and vulnerable to known attacks and providing weak security, if you use the built-in implementation of IKEv2 to connect to a virtual private network.”And although OpenSSL is a crucial component of every Windows OS out there, anything that goes wrong with it is a “Linux bug” in the media. That’s not an accident. It’s a deliberate red herring.

Still, just one of the many lingering security problems regarding Triple DES is that the Windows 10 and now, “11” operating systems continue to use it despite it being known for years to be bugdoored by NSA and vulnerable to known attacks and providing weak security, if you use the built-in implementation of IKEv2 to connect to a virtual private network. This is one reason why no decent VPN company will touch Windows’ included VPN services and usually bundle OpenVPN or, now, Wireguard.

Microsoft is still out there pretending to give a shit about security, when this is happening. Windows “11” has been a complete disaster of performance-killing bugs, especially for gamers and people who use the AMD Ryzen CPU platform, and that’s assuming folks can even get it to install in the first place.

Internally, Windows rots away and continues its ride into the sunset as a legacy platform, which oddly can now be used by only 15-20% of all PCs out there. Meaning, there’s never been a better time to get away from it.

Yes, that’s right, while the overwhelming majority of PCs out there can install GNU/Linux distributions, Microsoft has deliberately made most of them “incompatible” with a blacklist, or slowed them down with “bugs” so that users go “Welp, time to buy new stuff again!”.

“Microsoft usually sabotages their older products so that people holding out on them or trying to use them on newer computers to forestall having to deal with the latest bloat, bugs, backdoors, and other bullshit give up and throw in the towel.”There’s about to be a fire sale of cheap used computers that will run GNU/Linux fine. Many people fall for this old chestnut every few years and never learn.

Microsoft usually sabotages their older products so that people holding out on them or trying to use them on newer computers to forestall having to deal with the latest bloat, bugs, backdoors, and other bullshit give up and throw in the towel.

They talk about “new silicon” (CPUs) “being designed” for their latest OS, but people were installing Windows 7 on Skylake stuff that came with Windows 10, and the only thing that got in the way was Microsoft disabling Windows Update at a certain point if you did.

This goes way back, I’m told, to at least Windows 95.

Hey, Nathan Lineback would probably know. He was doing just about anything to keep Windows 95 trucking along, including figuring out how to use USB thumb drives on it and getting Seamonkey 2.0 to work. Which is oddly dedicated to a Microsoft OS from decades past (for a guy who otherwise seems to hate everything they’ve done), but oh well.

They are easily one of the most dishonest and disreputable companies on the planet. Why, oh why, do people insist on using this?

10.02.21

Microsoft Secure Boot and Intel VMD Pointless on GNU/Linux and Lenovo’s Documentation Recommends That You Turn Them Off

Posted in Deception, GNU/Linux, Hardware, Microsoft, Security at 2:32 pm by Guest Editorial Team

Guest post by Ryan, reprinted with permission from the original

Secure Boot is Microsoft trash that was designed to paper over some of the reputation of Windows as a malware plaything.

The problem is that Secure Boot doesn’t actually work. uEFI firmware has been so horrendously bad from its inception that there’s always a Secure Boot escape.

Microsoft introduced the Windows RT (ARM, not the standard x86 instruction set CPU) devices, based on Windows 8, and there was a Secure Boot escape almost immediately. It was necessary to escape Secure Boot were there to be any other operating systems for these devices, because there was no option to turn it off. Something that may be coming with new “Windows 11” PCs, since Secure Boot is required or else Windows will refuse to load.

“Sometime they lose billions of dollars and quietly write it down.”Someone got Grub (the bootloader program commonly used with GNU/Linux) to work on the Surface RT, but GNU/Linux was never ported to these things due to lack of interest at the time. Nobody bought the product and it was just another Microsoft FAIL. They have many of them, like Windows Phone. Sometime they lose billions of dollars and quietly write it down.

GNU/Linux has never had a big malware problem. Microsoft pays the “tech media” to imply otherwise, but it always turns out to be a bald-faced lie. More propaganda. More Microsoft bullshit!

In these churnalism articles, EVERYTHING with an open source license inevitably becomes “Linux”, even if it has the same problem on Windows. Even if it’s a part of Windows (like OpenSSL is). In some cases, when they refer to “Linux malware”, they mean malware that runs on Windows if you use the fake Linux (virtual machine with bad performance) in Windows, called WSL/WSL2.

And frankly, I’m getting sick and damned tired of Microsoft paying for this crap to be typed up and then Googlebombing Linux as part of their most recent smear campaign.

In South Park, Mr. Garrison, as a stand in for Donald Trump, defined something called DARVO, wherein the bully denies their bad behavior, then goes on the attack by reversing the victim and offender.

““Get The Facts”, “GPL is Communism”, and “Linux is a cancer”, never stopped. They just changed the signaling.”It’s hard to come up with a better description of what Microsoft has been doing for the past two decades. “Get The Facts”, “GPL is Communism”, and “Linux is a cancer”, never stopped. They just changed the signaling.

And of course, it’s easier to try to imply that GNU/Linux has problems than it is to fix your own Windows mess.

In the past 20 years, GNU/Linux has had fewer viruses and worms than you can count on your fingers which were even worth mentioning. None of them “just happened”, either. You had to defy GNU/Linux best practices of getting signed packages from your distribution or other trusted source, and grab random unsigned software from some internet site and jam it in somehow.

Grabbing random things from the Internet and hoping for the best is how most software gets installed on Windows.

In fact, according to most antivirus companies, Windows gets that in under a typical hour.

They don’t even try to keep up with detection patterns for most specific threats because they can’t. So, antivirus on Windows becomes mostly a guessing game except for the very most prevalent threats.

And when this happens, many threats are missed.

“Grabbing random things from the Internet and hoping for the best is how most software gets installed on Windows.”That’s why you hear about Ransomware attacks that mean no gasoline on the eastern seaboard of America or how a poultry plant can’t process chickens. The media, bribed by Microsoft money, never mentions Windows.

Windows Security is so godawful that they add tons and tons of fake security bullet points that are trivially bypassed and probably don’t do much except break legitimate applications that are just too old to anticipate them, or need to write somewhere and aren’t automatically allowed to.

Did you enable Controlled Folder Access to “protect against Ransomware” and now LibreOffice can’t save your documents?

Congratulations. Even though there are 4 ways to use the Windows system to evade this protection, and malware authors will do it, your LibreOffice broke.

“Disable Secure Boot and turn off Intel VMD.”What’s more telling is that Lenovo’s documentation on how to install GNU/Linux recommends changing uEFI (BIOS) settings.

Specifically, they tell you to do what I did when I changed over to Debian 11 GNU/Linux on this PC.

Disable Secure Boot and turn off Intel VMD. (VMD was previously called RST. Which is pointless under Linux, hides the storage from Linux and makes it impossible for you to install and use GNU/Linux until you figure out that this is why.)

Here’s some images from their PDF for installing Ubuntu on several of their notebooks.

Ubuntu setup
Ubuntu setup manual

VMD
VMD

Secure boot
‘Secure’ boot

Secure Boot is a bandaid for Windows.

Lenovo knows it. They support GNU/Linux on some of their models and probably don’t want their customers calling in when something like this inevitably happens again.

The uEFI key revocation problem struck me a while back when I had been running Kubuntu on my Lenovo Yoga 900-ISK2 (older laptop) and then went to boot Fedora. Ubuntu had “updated the dbx” and ended up revoking Microsoft’s permission (yes, you heard this right) for Fedora to run on MY LAPTOP.

“Moreover, with the mess that uEFI and Secure Boot have been over the last decade plus, why would I enable this antifeature when all it will cause is more problems for me?”So, it was at that point I disabled Secure Boot, which the Fedora Wiki said to do for the time being, as well as resetting the Secure Boot system in the BIOS, although I never turned it on again for obvious reasons. Why exactly, the hell, should Microsoft have any say over what I do with my laptop, which doesn’t even run their OS, ever?

Moreover, with the mess that uEFI and Secure Boot have been over the last decade plus, why would I enable this antifeature when all it will cause is more problems for me?

This is another reason why dual booting with Windows is unwise and you should just let GNU/Linux completely take over the PC. Not only does Windows ultimately end up hosing Grub and causing both systems to fail, but these key revocations can be pushed by Windows Update with total disregard for whether GNU/Linux will boot up again.

It’s bad enough that this Microsoft/Intel trash, uEFI, completely screwed up the relative simplicity of installing and using operating systems that the “Legacy BIOS” provided for, but it didn’t even improve anything.

Right before uEFI became common, I bought the best computer I could afford at the time, a quad core Phenom II based system, with a Legacy BIOS, expecting early uEFI to be a disaster, and it was.

“And even years later, there are killer pokes when operating systems use uEFI interfaces, and it’s becoming apparent that this situation is uEFI Groundhog Day. It’s always going to be broken.”Right off the bat, many OEMs permanently walled off the native interface and had it expose itself to the OS in (Legacy) BIOS mode because they knew their own native uEFI interfaces were too bad to trust, and the BIOS CSM sort of acted like a condom to filter what the OS was doing with the firmware, to prevent a “killer poke” that left the computer unusable.

And even years later, there are killer pokes when operating systems use uEFI interfaces, and it’s becoming apparent that this situation is uEFI Groundhog Day. It’s always going to be broken.

Ubuntu introduced the intel-spi driver in one release (I think it was an LTS, but don’t quote me.), and inadvertently caused the Yoga 900-ISK2’s settings to become read-only as soon as the pointless (to most people) driver was loaded. At the time, I was spared because it was part of the -staging tree for known bad drivers and ones that are not high enough quality to merge yet, and Fedora wasn’t building it. Many people booted Ubuntu after the new kernel went out and had to figure out how to fix their firmware after just booting the OS up even once!

“This is touted by people like Linux saboteur Matthew Garrett, who implemented Security Theater Boot in Linux as if it were an improvement.”Plus, there were/are still numerous cases where operating systems use a native uEFI interface as documented and the computer never boots again.

This is touted by people like Linux saboteur Matthew Garrett, who implemented Security Theater Boot in Linux as if it were an improvement.

It’s an improvement if we rewrite the dictionary to say that a convicted software monopolist that hates Linux and wants you to have problems with it, who sponsored Garrett indirectly to put it in the kernel, and succeeded, has improved the situation. I think my computer potentially not booting because of this rat’s nest is not an improvement, but what do I know, right?

“They don’t get any pushback ever since they started using their money to corrupt many organizations including the Linux Foundation.”Regardless, I think Lenovo’s advice of just shutting it off…. Look, you’re probably only going to hear me say this once or twice in my life. Listen to Lenovo!

All I can say is that the Free Software Foundation must be truly hopeless if it mostly gives awards to treacherous scumbags these days, and this is at least the second major incident. The first was when they gave Miguel de Icaza one for implementing the patent mess called Microsoft .NET Runtime on Linux. His company was bought by Microsoft as a golden parachute after Novell (his former employer, a Microsoft collaborator) went under.

In closing…

I’d like to summarize that this is a small taste of the bad behavior that continues at Microsoft. They don’t get any pushback ever since they started using their money to corrupt many organizations including the Linux Foundation.

Linus Torvalds has been put on mute even though he used to say things about Microsoft and Intel in particular that were not family-friendly.

Is there really any hope for the future of the x86 PC or are people who want their computing to work going to have to abandon it entirely in the era of Windows Vista 11?

Comments welcome.

10.01.21

With Microsoft, Security Breaches Are Presumed

Posted in Deception, Microsoft, Security at 10:18 am by Dr. Roy Schestowitz

Video download link | md5sum 90baecb5d2c9d010cbd33c5e9a387984

They migrated to Azure for 'security'Summary: A video about the current media coverage about Azure being inherently bad when it comes to security

LAST night we republished an article from a Microsoft whistleblower who had seen from the inside how insecure Azure really is. Nothing has improved since then and days ago it made the news, highlighting a longstanding issue that Microsoft refuses to address. Microsoft’s own clients complained about it years ago.

“Nothing says it better like Microsoft’s own words. When it talks honestly.”The video above concerns this whole matter and some broader issues, knowing that Microsoft does not actually care about the security of Azure ‘tenants’ (that’s what they are; they pay rents to be controlled and even neglected by Microsoft). Nothing says it better like Microsoft’s own words. When it talks honestly.

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

09.30.21

[Meme] Azure Security

Posted in Deception, Microsoft, Security at 6:13 pm by Dr. Roy Schestowitz

Trump Facepalm: Azure is the most secure thing ever; when it's not, this isn't our fault

Summary: Remember that when it's too embarrassing and impossible to fix, then it is a feature, not a bug

Microsoft Whistleblower and Clients Warned, More Than 2 Years Ago in Fact, About the Current Azure Mess (But Microsoft Ignored Those Warnings, Buried Facts)

Posted in Deception, Microsoft, Security at 5:33 pm by Guest Editorial Team

This article is reproduced with a foreword about how Microsoft’s staff were forewarned (and ignored the warnings). As usual, when it comes to Azure, Microsoft just ignores security-related issues because security is not an actual goal. We saw that again very recently. “Covered this a few years ago,” Mitchel Lewis told us, citing new reports such as this one.

New Azure Active Directory password brute-forcing flaw has no fix | Ars Technica

This is in the news now

“My article from two years ago,” he added, already cautioned about it. We reproduce it below in full with permission from Mitchel Lewis.


How Azure AD Could Be Vulnerable to Brute-Force and DOS Attacks

Azure walking

MICROSOFT’S Azure AD is the de facto gatekeeper of Microsoft cloud solutions such as Azure, Office 365, and Enterprise Mobility. As an integral component of their cloud ecosystem, it is serving roughly 12.8 million organizations, 950+ million users worldwide, and 90% of Fortune 500 companies on a growing annual basis. Given such a resume, one might presume that Azure Active Directory is secure, but is it?

Microsoft Azure AD

Source: https://www.microsoft.com/en-us/microsoft-365/blog/2017/11/13/how-organizations-are-connecting-their-on-premises-identities-to-azure-ad/

Despite Microsoft itself proclaiming “Assume Breach” as the guiding principle of their security strategy, if you were to tell me a week ago that Azure or Office 365 was vulnerable to rudimentary attacks and that it could not be considered secure, then I probably would have even laughed you out of the room. But when a client of ours recently had several of their Office 365 mailboxes compromised by a simple brute-force attack, I was given no alternative but to question the integrity of Azure AD as a whole instead of attributing the breach to the services merely leveraging it and what I found wasn’t reassuring.

After a simple “Office 365 brute force” search on google and without even having to write a line of code, I found that I was late to the party and that Office 365 is indeed susceptible to brute force and password spray attacks via remote Powershell (RPS). It was further discovered that these vulnerabilities are actively being exploited on a broad scale while remaining incredibly difficult to detect during or after the fact. Skyhigh Networks named this sort of attack “Knock Knock” and went so far as estimating that as many as 50% of all tenants are actively being attacked at any given time. Even worse, it seems as if there is no way to correct this within Azure AD without consequently rendering yourself open to denial of service (DOS) attacks.

PowerShell bruce-force

Source: https://cssi.us/office-365-brute-force-powershell/

In fact, this sort of attack is so prevalent that it happens to be one of the biggest threats to cloud tenant security at Microsoft according to Mark Russonivich (CTO of Azure) and is among several reasons that Microsoft itself advises their customers to enable multi-factor authentication (MFA) for all users and implement advanced threat intelligence available only to E5 subscription levels or greater; basically requiring companies to give Microsoft more money to secure their own solutions. But MFA also doesn’t impede hackers from cracking passwords or protect businesses from a DOS attack nor does it help those that are unaware of its necessity as many tenants are at present.

Exchange and PowerShell
Source: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps

Further, since RPS does not work with deferred authentication (DAP) and MFA, partners consisting of consultants, managed services and support providers also cannot use their partner credentials to connect to the tenants of their clients via RPS for advanced administration and scripting. Even though they can easily manage their clients via a browser-based admin center with MFA, they often have to resort to creating admin accounts within Office 365 tenant itself instead, but others do it simply for ease of access to the admin console or for when they are not the Partner On Record. These accounts are precisely what many of these attacks are targeting, often unbeknownst to admins, and Deloitte’s breach is a perfect example of such a scenario.

Unfortunately, these accounts are often stripped of MFA security to make them more convenient and accessible for the multitude of support and operations staff to use while working for various companies offering support services and they seldom expire or change upon company exit. By default in Office 365 and on top of being vulnerable to being cracked and breached, the password expiration policy is further set to a 730-day expiration and further disabled, rendering accounts vulnerable to a prolonged breach at that. Needless to say, they are ripe for attack and this exact scenario is what enabled a hacker to have unabridged administrative access to Deloitte’s Exchange Online tenant for 6+ months.

Azure panel

Complicating matters even further, the natural solution to this problem renders the tenant vulnerable to DOS attacks by virtue of being able to lock users out of their accounts for a fixed duration imposed by Azure AD; but this is still in preview phases. For example, by default Azure AD Smart Lockout (Preview Stage), which is still in preview, is configured to allow 10 password attempts before subjecting the account to a 60-second lockout, giving attackers a theoretical limit of 14,400 attempts per account/per day. You could decrease the threshold to 5 and increase the duration to 5 minutes protect against breaches, reducing attempts to 1,440 per day, but this would create the potential for downtime for users whenever their accounts are being attacked with brute force and password spray attacks.

More brute-force PowerShell
Source: https://cssi.us/office-365-brute-force-powershell/

However, Tyler Rusk at CSSI also called out that Microsoft doesn’t seem to throttle or limit authentication attempts made through RPS. As shown, Tyler was able to surpass the theoretical 14,400 per day limit listed in Azure AD Smart Lockout Preview without added logic, moving at a rate of 48,000 per day had he let it run for a 24 hour period or an est. 17,520,000 attempts over 365 days. However, there are obvious ways to optimize these efforts even further through via background jobs (start-job cmdlet) by essentially running attacks asynchronously instead of synchronously while optimizing for custom lockout limits, max attempts, and minimal detection. The possibilities are endless with regard to password spray attacks for obvious reasons. To be fair to Tyler and CSSI though and in my opinion, they didn’t need to leverage such measures to validate their concern.

If their lockout feature were to work though and if you were able to reduce the threat surface in the manner above, you would then have to contend with the hard countdown of the duration time. It’s immutable which means that users have to wait for it expire in order to render the account accessible again. The unlock cannot be expedited administratively at present. As such, it can just as easily result in an intentional DOS for end users if they or an unintentional DOS while running the possibility of exposing the attack; that is when/if it starts actually working. Obviously protecting from breach takes precedent over downtime, but becoming prone to DOS attacks is hardly a consolation prize.

Ned Pyle

Banned passwords nor MFA cannot protect against DOS or brute-force attacks either, only against the breach itself. In fact, when brute forcing an account protected by MFA, the MFA challenge itself can be treated as confirmation of a valid cracked username and/or password. In turn, they can then begin to try these credentials in other places which may not be protected by MFA as users and admins alike tend to keep them as similar as possible in multiple directories so that they’re easy to remember. I’ll defer to Ned Pyle of Microsoft as to whether this applies to his employer and their partners.

Summarizing matters thus far, you can brute force accounts housed in Azure AD via RPS. Obvious solutions for this such as MFA, customized password blocking, and advanced threat intelligence are either ineffective, insufficient, paywalled, and/or generate significantly more overhead in order to offset these vulnerabilities. Further, these solutions are often ignored by lazy admins, consultants, and managed services providers and many may be oblivious to this threat entirely; possibly even to breaches of their own. Deloitte has proven that this can even hit the best of them.

Windows 2000 Server

As offensive as all of this may seem though, it’s important to remember that AD was never designed to be public facing, quite the opposite. It has actually always been inherently vulnerable to brute-force, password spray, and DOS attacks by design. AD has always been designed to be implemented in conjunction with various other counter-measures in order to maintain its integrity. This includes but certainly is not limited to relying on physical security measures such as controlled entry and limiting the ability to access the domain to those that make it past physical security measures successfully; with the obvious exception of VPN users. This is nothing new.

That said, AD was never, ever, meant to be the sole source of security for IT infrastructure and is fundamentally dependent on other security measures in order to be effective. Consequently, AD becomes markedly more vulnerable when other pre-emptive methods fail or are non-existent. Put simply, such breaches should be the expectation when depending on Azure AD alone for IT security, and this sadly applies to any Office 365 tenant with its default security settings. However, understanding its limitations helps us illuminate ways to harden Azure AD and mitigate these problems just the same.

It almost goes without saying, but none of the measures necessary to patch these vulnerabilities are free to companies leveraging these services at present. Even if Microsoft were to fix this, who is to say that something else just as simplistic and embarrassing isn’t hiding around in the corner or already being used? That said, avoiding products backed by a 20-year-old security system streamlined for vendor lock-in seems like a viable solution to avoiding this problem in the first place.

Azure AD

Source: https://www.microsoft.com/en-us/microsoft-365/blog/2017/11/13/how-organizations-are-connecting-their-on-premises-identities-to-azure-ad/

Before anything else, I truly think that the onus is on Microsoft to ensure that their baseline configuration for cloud accounts doesn’t expose their tenants unnecessarily. Sure, we could blame ignorant users and lazy admins, but I don’t think that this is fair given the scope of this vulnerability, which is essentially 46% of AzureAD’s user-base (password hash sync + cloud only = 46%). It is unknown how many have MFA enabled and the scope of this is ultimately an unknown both with regard to those who are vulnerable to it, actively being attacked, and/or those already breached though. But as a former tier 3 support engineer for Exchange Online at Microsoft, I can confirm that a significant amount of individuals as well as small-medium businesses are relying on Azure AD exclusively without further counter-measures and that they account for a sizable amount of Office 365’s user-base. That said, telling customers that pay you to secure their mailboxes or to disable basic auth to address this doesn’t cut it.

Microsoft has clearly acknowledged this problem, but rather than hardening their tenants from such attacks as other cloud services have, they have offered solutions only available to their high tier plans so as to capitalize on this problem rather than fixing it. As expensive as they are to migrate away from now, or sticky as they like to call it, their products are just going to become more costly to manage, vulnerable, and difficult to migrate away from over time. This is the malady of any legacy solution.

One easy way for Microsoft to mitigate such attacks is to update their RPS module to support DAP and develop other creative avenues for admins and the like to efficiently and securely manage their clients’ tenants. They should also extend their threat intelligence and advanced customizations available only to costly, high tier license subscribers to all license levels, at least until proper solutions are implemented for all tenant levels.

As an immediate mitigation step though, Microsoft could simply swap the order of authentication. Rather than requiring a password prior to doing a two-step verification on your phone, they could require the phone verification through authenticator app or a third party MFA app such as Duo as the initial means of authentication. By deferring their password in Azure AD as the second step instead of the first, they could buffer its weak password security at present and buy time to implement a proper solution. However, this only applies to users and tenants with MFA enabled and in-use.

System life span

Just as Active Directory seems to create necessity for other costly ancillary solutions, Microsoft seems to have built AzureAD to generate further necessity for more costly solutions coincidentally offered by them just the same. On top of this and if they had their way, their solution to enable MFA would also require employers to buy phones and mobile plans for two-step verification for all of their employees which can cost more on an annual basis than any of their plans.The same can be said of the costs associated with a proper MFA solution and/or an on-premises or hosted ADFS solution (if none exist) as they drastically complicate the solution as a whole while consequently inflating the ownership costs associated with it. As complexity increases, stability falters while costs skyrocket. All of which is why I recommend avoiding their solutions entirely.

stickiness-ip-microsoft

Source: https://blogs.partner.microsoft.com/mpn/create-stickiness-with-ip/

But if a company is entrenched with Microsoft products and migration is out of reach, there are options. One solution that companies can implement is ADFS which defers authentication attempts to your own domain controllers on-premise rather than Azure AD while immediately granting more granular control of password policies with Active Directory on-premise and as much protection as money can buy on the network layer. All of which can be quite costly from a licensing perspective alone, let alone the hardware, network infrastructure, and labor required to implement it all let alone the staff to maintain it. This creates a single point of failure, often on-premise, for a cloud solution unless implemented in a highly available manner though.

They can also implement an MFA solution as well but there still remains added exposure and vulnerabilities which may require further consideration. But as mentioned before, there are also added costs and MFA may not protect accounts entirely. Users tend to manually synchronize their passwords across multiple platforms for the sake of remembering it, but not all of them have the same protections, MFA or otherwise. Similar to ADFS, access to your mailbox and other apps are restricted when MFA services are degraded, also becoming a single point of failure, as shown today by Azure’s MFA outage. So if you go with an MFA solution, diversify with a 3rd party MFA provider.

Microsoft password policy

While the existence of dirsync can do little to protect against brute-force attacks, enforcing a strong password policy including a customized banned password list on premise can be mirrored in the cloud. Customers with dirsync already pay for this functionality with Active Directory on premise and can simply have it be mirrored in the accounts synced to the Azure AD forest. Although this cannot protect from brute force, password spray, or denial of service attacks, it can absolutely harden accounts against prolonged breaches.

I suppose they could also call support to complain about it and see if they’ll fix it, but you will likely be met by someone difficult to understand without experience on such matters. Or maybe they could even get a technical account manager to yell into the void or possibly even find someone with half of an ass on your behalf if you have deep enough pockets for a premier membership. While you’re at it, maybe you could upgrade your E3 plan to an E5 plan at almost double your monthly cost of E3 just to pay Microsoft to compensate for its own vulnerabilities.

Microsoft: assume breach

In summary, Microsoft services built on Azure AD along with the businesses leveraging them are vulnerable to brute-force and password spray attacks which can be carried out by anyone with the capacity to run a script in RPS. Also, there isn’t an adequate means of hardening these services without incurring significant financial burden and paying for more of Microsofts services. All of which has probably been the case for as long as the ability to access tenants via RPS has been widely available to admins and ultimately why you would be wise to assume breach with Microsoft cloud solutions just as Microsoft does. Entities can absolutely mitigate these vulnerabilities, but Office 365 and Azure would cease to function as true cloud solutions while generating significantly more overhead costs in the process. All things considered though, it seems as if there is no way to harden Azure AD or the services such as Azure or Office 365 when leveraged by itself without incurring significant costs in addition to the aforementioned introduction of further complexity, points of failure, and on-premise dependencies for your cloud architecture.

By default , Azure AD is more of a security problem than a cloud. This is not to say that Azure cannot be made to be secure but it comes at a cost while sacrificing cloud resiliencies. Although they advise others to assume breach, Microsoft seems to be omitting this reality from Office 365 and Azure advertisements and such inconsistencies are indicative of this stance being more of a cop out than a tenable security strategy because of this. Rather than hardening the vulnerabilities inherent to Active Directory and Azure AD which makes them susceptible to some of the oldest tricks in the book, Microsoft seems to be attempting to capitalize on them instead while exposing those unaware to a haunting amount of risk.

Azure: need premium

09.17.21

[Meme] Microsoft Loves Linux Bug/Back Doors

Posted in GNU/Linux, Microsoft, Security, Windows at 9:38 am by Dr. Roy Schestowitz

Yesterday: Microsoft Azure and Back/Bug Doors in GNU/Linux: Fool Me Once (Shame on You) / Fool Me Twice (Shame on Me) | Trusting Microsoft With Security is a Clown Show

Dirty Things: I put my GNU/Linux VM in Azure; Wait until she finds out his 'desktop' is WSL...

In the news (when they say “Linux” they actually mean Windows):

New malware uses Windows Subsystem for Linux for stealthy attacks

Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders

Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders

Summary: Microsoft is just cementing its status as little but an NSA stooge

09.16.21

Trusting Microsoft With Security is a Clown Show

Posted in Deception, GNU/Linux, Microsoft, Security, Servers at 5:56 am by Dr. Roy Schestowitz

Video download link | md5sum 6998bd1e8c92ab9d3acfe358c787c62a

Summary: A quick and spontaneous video about this morning's post regarding a major new revelation that reaffirms a longstanding trend; Microsoft conflates national security (back doors) with security

THE subject isn’t new to us. We’ve been writing about this for well over a decade and when Ed Snowden released a stash of leaked documents our worst fears or concerns were largely confirmed. Not that the corporate media pays attention to these any longer (those are presumed “old news” even though nothing was done or said to suggest a policy change).

“The latest news will only further curtail that latter agenda, assuming corporate media will bother reporting it like it constantly badmouths “Linux”.”Microsoft is really struggling in the server space. Windows Server is being rapidly abandoned, so Microsoft is trying to swallow the GNU/Linux servers market (without success). The latest news will only further curtail that latter agenda, assuming corporate media will bother reporting it like it constantly badmouths “Linux”. Even when Microsoft is at fault

As Ryan has just put it (in IRC): “Microsoft plummeted down to nothing in the server market in the past year. Everyone took advantage of the downtime, I guess, to migrate to somehing else. It had probably been a long time coming, but when you’re in the thick of things, it can be hard to abandon something that’s plodding along and working just okay enough to get you by. The COVID mess probably did to Microsoft in a year what would have happened in five or six anyway.”

“They’ll try to avoid talking about that, which means that we should. Everyone is trying to get away and will the first chance that they get. It’s like women who were being controlled by their husband to the point that he puts their paychecks in his bank account to make sure they don’t have enough money to start over. Microsoft tries to keep its customers by playing dirty and implying they’ll be helpless if they leave.”

« Previous entries Next Page » Next Page »

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channels: Come and chat with us in real time

New to This Site? Here Are Some Introductory Resources

No

Mono

ODF

Samba logo






We support

End software patents

GPLv3

GNU project

BLAG

EFF bloggers

Comcast is Blocktastic? SavetheInternet.com



Recent Posts