Ok this is late. We could claim that in this lockdown world we had no idea what day it was, and that would be a great excuse. The dog ate my homework etc etc. None of these are the reason.
We have been following the fascinating interactions in the American courts between the hiding-in-plain-sight purveyor of hacking applications, NSO Group (whose best seller was used to hack a human rights lawyer’s phone in the Gulf), and Facebook, the owners of the leaky-as-Henry’s-bucket WhatsApp.
For those not familiar with the case, NSO Group makes a product called Pegasus, which they sell to Nation States. It is used to hack mobile phones - mostly via WhatsApp. Facebook has sued the Israeli outfit, who initially two-fingered them and did not show up to court. About as arrogant as you can get, unless you have some dirt on someone or friends in high places eh? This week, Facebook and independent researchers claim to have proof that European and American servers were used by the NSO Group, bringing the matter into jurisdiction.
We all know that they have done it, they advertise that they can do it, and they have been caught with their pants down. The interesting thing is with a Government that despises Zuck and loves all things Tel Aviv, especially security outfits, how will this play out?
Anyhow that is by-the-by. Whilst our in-house bloodhound was on this last week, we heard a rumour that another Israeli outfit, CyberArk (it was them, honestly chief, they were never phoned by a friend) had, being very good citizens, discovered and responsibly disclosed a vulnerability in Microsoft Teams. Bravo.
This particular vulnerability meant that by sending a GIF that was fetched by Teams, the attacker, having first compromised two Microsoft domains to fetch malicious content, could deploy malware on a fellow Teams participant's machine.
So it is really two issues: Microsoft had two misconfigured domains which could be compromised, and Teams content in the form of animated GIFs could be used to deliver malicious content and be an attack vector. This was announced today.
As regular readers of this seemingly irregular blog will know, we have been talking about the security of collaboration applications, especially the Zoom/Houseparty issues, and suggested that Teams was pretty secure, as far as we are aware. So, is it?
This vulnerability, trumpeted by the security press in Bold (they would do flashing Magenta if they could), is quite serious, but requires the parties to be having a Teams conversation and makes assumptions about the hackability of the DNS servers. To our mind it is highly hypothetical. Serious, but not as useful as the CyberArk people will tell you (solution, obviously buy more CyberArk). It is also patched.
What is interesting, and we will see how this plays out, is not the scrutiny of collaboration apps at this very difficult time; it is the way it is being shamelessly used to rubbish technology and sow the seeds of fear, uncertainty and doubt, which, surely, should be a tool that is removed from Sales and Marketing, perhaps replaced with best practice and support?
The question ‘How many other Zero days are being stashed around the place, Israel included?’ should be considered. Probably loads, the market for them is very shady.
If you are using Teams, we wouldn’t worry too much.
Onwards. In last week’s (ok, the week before, yes yes) missive, we were discussing the Hows, Whys and Whats of the proposed UK Government tracking app, and said:
Moving on to the dystopia bit. Given the above (summary: WTAF?), why would you invest in this unless you had a mate in a software business or a grander plan? Just saying.
Just yesterday, the amazing journalist Carole Cadwalladr tweeted this:
Now we know she is a little bit of a conspiracist, and this will no doubt go legal, but ‘mate in the software business’? High score!
It turns out that this story is murkier than a Murk record being played at 5AM in Turnmills, and that was pretty murky.
Here’s hoping you are all well. Incidentally, the baby on the cover of Nirvana’s album Nevermind which has the track Smells Like Teen Spirit on it, is now 29.
This blog updated at 1900 BST 27/04/20 as follows.
Last week we talked about the Google and Apple plan and shared a piece of reporting to illustrate the capability of Google in this space. It was just announced that The NHS/UK Government (advised by GCHQ) are not going to use this tech and are going it alone with a 'centralised model'. This means that any developed application will be built, controlled and managed by The Governments of the UK and USA, presumably using Palantir tech, selected with no apparent oversight or governance. See 'grander plan' above. This is not good.