All posts by Eitan Caspi

WhatsApp group for information and cyber security news

Hello everyone,

I opened a WhatsApp group where I regularly post information / cyber security news and sometimes other interesting things in this field.

Most of the links are to content in English, but sometimes also in to content in Hebrew.

You are hereby invited to join the group, and invite more people, using the link below.

The group’s description:

Hello everyone, My name is Eitan Caspi.

In this group I will share information security news and updates from around the world, including interesting content that is not necessarily news (such as technical articles, thoughts about the field, and so on), mainly in English and a little in Hebrew.

Group members are invited to invite relevant people to join. Let’s have fun!

Link to join the group – https://chat.whatsapp.com/Lxt5DYAomRGKbwfLrt5iiW

My LinkedIn Profile – https://www.linkedin.com/in/eitancaspi/

My Consulting firm – https://vsec.co.il/

My Information Security Blog – https://fudie.net/

My initiative to end default passwords, “Default is a FAULT!” – https://defaultisafault.com/

Microsoft, you have a problem

Recently (some will say – for many years by now) Microsoft is being criticized for its Information Security capabilities, as that it is slow to do the move from on-premises products security to also, in addition, a cloud provider security, which is, in my opinion, even harder.

This is my recent incident about it:

I recently accepted an email from one of Microsoft’s sub domains.

I use a commercial cloud email security service to protect my email traffic, and this system stopped this email from entering because the sub domain did not have any SPF record, so my email security service stopped this email as a possible email impersonating to be from Microsoft).

This sub domain still doesn’t have an SPF record, as I write this.

It is not a big security issue, but I know that if I was in charge of this online asset and I had such an issue – I will be glad if someone would alert me about it, so I tried to find a way to report this to Microsoft, but I did not find any explicit content directing where to report online security issues, so I opened a case at MSRC (Microsoft Security Response Center)

I am aware it is not a vulnerability but a missing security measure that MS better fix and I had no better place to report this to MS.

This is the response I got as my report was set by the MSRC analyst to a status of “This closed as a non-MSRC case.” (the bold text was highlighted by me):


Hello,

Thank you for contacting the Microsoft Security Response Center (MSRC). We appreciate the time taken to submit this assessment.

Upon investigation we have determined that this does not meet the definition of a security vulnerability.

The website you reported does not contain a MX record, which indicates we do not use the domain to send email messages.  In which case SPF/DMARC records are not considered required and would not meet the bar for security servicing.

As such, this thread is being closed and no longer monitored. We apologize for any inconvenience this may have caused.

If you believe this to be a misunderstanding of the report, submit a new report at https://aka.ms/secure-at

Please include:

Relevant information previously provided in your initial report
Detailed steps required to consistently reproduce the issue
Short explanation on how an attacker could use the information to exploit another user remotely
Proof-of-concept (POC), such as a video recording, crash reports, screenshots, or relevant code samples

For more information on what qualifies as a security vulnerability please see the following:
Definition of a Security Vulnerability: https://www.microsoft.com/msrc/definition-of-a-security-vulnerability

We thank you again for taking the time to submit this report!

Regards,

<name of the analyst>
MSRC

This is sad for at least two reasons:

  1. The core claim of the analyst is simply not true, technically – ” The website you reported does not contain a MX record, which indicates we do not use the domain to send email messages.  In which case SPF/DMARC records are not considered required and would not meet the bar for security servicing.”.
    MX record is for accepting emails. It can be absent and still it is possible to send emails from the relevant sub domain. Email sending and receiving works independently of each other.
    Hence, the core claim to block my report was based on mistaken or unknowledgeable information.
  2. I know it is not a vulnerability, but I guess MS should be happy to get any information that let it know it is missing a basic security measure, even if it is regarding an online attribute of it, not of a software product vulnerability

If Microsoft put at its MSRC frontline an analyst with such level of understanding how email works – then Microsoft really, really, have a problem.

And no, I will not open a new case at MSRC to prove them wrong. I will just go on with my life and Microsoft will need to live with the consequences of how it operates.

I will not make the extra mile effort when MS doesn’t even do the basics.

Law enforcement bodies ask social media to open end-to-end encryption (E2EE) for them

Interesting. Does these almost same-time publications are a coincidence? I tend to doubt it.
 
Both law enforcement bodies in Europe and Australia publicly turn to the private market, with focus on Social Media, asking it to ease its end-to-end encryption (E2EE), so law enforcement can read relevant data, for law enforcement reasons.
 
In my view this can mostly one of two:
1. Law enforcement has a real problem here
2. Law enforcement has the ability to overcome end-to-end encryption (E2EE) so they use these publications to pretend to be helpless against it, hence building the criminals/enemies confident that these platforms are safe for them, so they will act freely in them and so the law enforcement bodies will be able to spy on them
 
If it is the first reason – then I think it looks like we are escalating towards a clash.
 
News article
“Police Chiefs Call for Solutions to Access Encrypted Data in Serious Crime Cases”
 
The Europol post about it
 
The declaration (PDF file)
 
News article
“The director general of Australia’s lead intelligence agency and the commissioner of its Federal Police yesterday both called for social networks to offer more assistance to help their investigators work on cases involving terrorism, child exploitation, and racist nationalism.”