Microsoft Teams is not quite the Team Player we thought

The folks at CyberArk uncovered a new vulnerability in Microsoft Teams. In Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams, they investigate a serious security hole in Teams that could threaten your organization and provide access to confidential information. Fortunately, Microsoft has, in theory, patched this vulnerability thanks to locking down any vulnerable Microsoft Teams servers.

This is a startling development considering how I’ve had to defend Zoom with respect to its long-ago patched UNC Path vulnerability. Now, we find out that by intercepting the traffic during the sending of images like a Gif, an attacker can subvert a computer’s security, intercept a victims access tokens, and impersonate the victim to begin a social engineering attack.

The basic process is the attacker can use Fiddler to intercept a benign image being transmitted. Since the image is transmitted via its URI, the attacker can modify the packet that transmits the benign URI and change the source domain to come from a compromised Microsoft Teams server.

Next, the attacker needs to intercept traffic to the compromised Microsoft Teams servers. Once the victim loads the image in his Teams viewer, the victim’s computer transmits his authentication tokens to the compromised server and thus the attacker has the users credentials.

The main solution is to lock down any vulnerable servers in the Microsoft Teams subnet. However, it is interesting that Teams uses a REST API with JWT. This is a very common authentication method and one used by OAuth Authentication. I have developed a number of software components that use JWT from OAuth and use those tokens to make connections to various web services I typically use, like meetup and Google Drive.

Microsoft Teams uses two JWT. First, the user gets an authentication token, and with that, the user can get the session token called skypetoken_asm. Both tokens are required by the Microsoft REST API to communicate with the server. The interesting thing, though, is that the second token is called Skype Token. A few years ago Microsoft bought Skype. At the time, people speculated why and of course with Microsoft Teams, I thought it might be leverage Microsoft with its own video conferencing platform. The question was, was Microsoft Teams based on Skype? It looks like at least in part, the answer is yes.

Below, you can watch a video of how this attack might actually work.

Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams | CyberArk

So, be careful what video conferencing system you use. Clearly, Zoom isn’t perfect, but neither is Microsoft, and neither is Google likely to be. There is no reason to pick on any of them. All three are working hard to patch vulnerabilities as soon as they’re found. Just, try to keep your software up to date. And that’s my latest deep dive into Video Conferencing security. If you like what you’ve read, I’m available and eager for hire.

Join Me Today to see #CO2Fre in Cyberspace

I’m excited to show off #CO2Fre to all of you today on Zoom. My friend Charles Gerena has organized an exciting event where I will be lecturing on the advantages of EV ownership and my love for cruising on a cloud.

I love showing off #CO2Fre for Drive Electric Week and I love working with Charles. Each year, Charles organizes an EV Event in Richmond during the main session of the General Assembly of Virginia and 2020 was no exception. I was down there on Tuesday, 14 January showing of #CO2Fre to everyone who cared to stop by.

I was very happy to give a ride to Delegate Joshua G. Cole that day. He is someone we’ve been following for years, hoping to see him in office. I was so happy when he was finally, fairly elected to represent Fredericksburg. VA. He’s also a great singer!

2020 RVA Drive Electric Day in Richmond
On Tuesday, 14 January, 2020, I was back in Richmond to show off #CO2Fre to the various staff, Lobbyists, and of course, when opportunity arose, Delegates and Senators. 2020 was no exception and this year I gave a ride to none other than Del. Joshua Cole from Fredericksburg! He’s someone we have been fighting to get into office for years and it was so great to see him on his first year serving us as Delegate!

I was so happy to give Joshua a ride in #CO2Fre that day. That day was bright and sunny and although this day has started out with dreary rain, I’m hoping to have better weather when I show you around #CO2Fre and show you what #CO2Fre can do!

Join us on meetup and follow our Facebook event for updates and a video of our event, to be posted after we finish.

I look forward to cruising on a cloud with y’all, today.

Electric Cars from near and far

At today’s EVA/DC meeting, we used Zoom to connect with our fellow Electric Car enthusiasts both news and old. I’ve been part of the EVA/DC for ten years and there have been many friends I’ve made through my time there. It was great seeing so many longtime friends once again thanks to the EVA/DC Zoom chat.

Some on Facebook complained that using Zoom for the EVA/DC meetings was insecure. But, as I’m literally a professional white hat hacker, I knew all too well the early and unfounded FUD against Zoom and what it is and is not appropriate for, and how it’s improved. Though I’ve written about it at length, the short answer is: secure enough for EVA/DC, not secure enough for COMSEC TS/NOFORN. Nobody is talking about issues of national security, so please, come join us on Zoom!

My good friend and fellow Eclipse enthusiast, Scott Wilson, shared with us an invitation to the Drive Electric Earth Day event with Plug-In America. The Drive Electric Earth Day Tribute: EVs Making a Difference will occur on 22 April, at 14:00 EDT / 11:00 PDT. You can RSVP here. I should put a disclaimer here that I have asked to be nominated for Plug-In America’s Drive Electric Awards this year, but to be honest, I don’t think anyone nominated me so no worries about a conflict of interest.

Then my longtime friend Eric Cardwell in Tennessee showed us his burgeoning Drive Electric Tennessee page and his new logo. Of course, we wish him well and hope when he’s got it set up to maybe attend one of his meeting on Zoom. Your logo’s looking sharp, my friend!

But the pièce de résistance has to be seeing my longtime friend and first Smart Electric Drive (Smart ED) owner in the US, LTC Mindy Kimball. She shared with us this classic clip from Dan Rather Reports.

Brava Mindy! Was wonderful seeing you again and getting a glimpse of this blast from the past. And you know, though it’s not exactly the same Smart ED owner, her current Smart ED is now driven by the young man in the videos. Look how far we’ve come!

Finally, I would be remiss if I didn’t invite all of you to join me this Saturday on Secure Zoom where I will be presenting #CO2Fre. Please, come cruise the cloud with me.

An Electric Ford Model T?

My good friend Charles Gerena is organizing a special Zoom event on Meetup where we get to meet the owner of a Ford Model T. Now, if you know anything about the old Ford cars, their engines were only built for about 25,000 miles. After that, you’d have to rebuild the engine, replacing worn parts from a very limited supply, and build it back up again for the next 25,000 miles. As I do almost 25,000 a year in #CO2Fre, that’s not much driving for me at all.

So, why, you may ask, am I promoting a Model T Meetup? Simply put, this is no ordinary Model T—this Model T has been electrified! Today, we are going to learn how the owner converted his classic Model T into an electric car, complete with batteries and electric motor. I hope you can join us!

1914 Model T Hack
Electric Cars aren’t always OEM, sometimes they’re converted. Here in Virginia, someone has converted a Ford Model T into an electric car!

Although I’ll not be cruising on my cloud to get there, hope to see you today at 14:00 EDT!

Meetup Online: It’s Okay to Zoom

As an Internet Security professional, I have heard some folks expressing dismay over various security issues in the Zoom video conferencing package and the MatterMost chat services. I may do a piece on MatterMost at a later date, but for now I want to focus on Zoom because Zoom is what Meetup is suggesting as one of their preferred video conferencing platforms. (The other, Google Hangouts, is limited to ten people and thus isn’t practical for a number of the meetups I run.)

The thing is, many of the earlier security issues which plagued Zoom at the beginning of the recent surge in online meetings have been solved. Tom’s Hardware wrote a very insightful analysis of these issues in a recent article by Paul Wagenseil, Zoom privacy and security issues: Here’s everything that’s wrong (so far).

Most of the issues covered have already been patched, such as UNC password theft under Microsoft Windows. This was a rather insidious security flaw but fortunately the folks at Zoom stepped up to the plate and patched.

iOS profiling also seems to be fixed. Since I do a lot of my Zoom conferencing, with the National Popular Vote Interstate Compact grassroots coalition, on the iPhone, this has been a great relief. Now, though, I do most of my meetup Zoom conferences on my laptop.

The decrypting of streams at the Zoom servers and re-encrypting them as they go out to the far-end client is at first blush worrisome, but that in part is necessary for folks recording their zoom sessions and though it puts a vulnerability at the level of Zoom staff, one hopes Zoom is careful with whom it employs. But it must be said, nothing I do on Zoom is something I would be embarrassed about were it to leak. I nonetheless want to do everything in my power to make sure it stays secure and I’m happy to hear Zoom is looking into closing this security flaw.

The auto-download for Macintosh is worrisome but again I am happy to say this practice is also ending as it is a backdoor that Zoom can use to allow third party software onto ones Mac. Zoom also has ceased allowing team profiles to share email addresses, though this is not a feature I’m using for any of my Zoom conferences.

As for recording leaking onto the Internet or folks joining your conference uninvited (Zoom Bombing) or war drive scanning Zoom to find your conference, all of these can be solved by user diligence. It’s important to be mindful of who you let into a conference, and don’t let just anyone have access to your recordings. For my Writing Groups, only myself, the account owner, and the persons being reviewed will ever have access to the recordings, and if the reviewed doesn’t need the recordings, we will delete them.

Also, as of this morning, 5 April 2020, at 0:00 UTC, Zoom now requires passwords on all new Zoom events. Thus, even with a Zoom ID scan, you won’t be able to get into the meeting without the password and although the URL can encode the password in an obfuscated way, simply scanning Zoom IDs will not get you into the conferences. And even if you did, I’d still have to approve you. I won’t.

Zoom
The Zoom Logo

Overall, I’m quite happy with Zoom and hope to use it all through Covidapolis. Overall, I give it this Security Engineers line of approval. And please note, I am available for hire if you like what you see!

I Am Irate

Google ate me email

From about 2020-03-23T14:30:00Z (10:30 am, Monday) to about 2020-03-23T23:30:00Z (7:30 pm, Monday), Google was redirecting all my email and either bouncing it or deleting it.

I Am Irate
Too angry for words!

Let me repeat, google deleted or bounced my email for Nine Hours, as a part of the setup of my setup for a paid Google Apps account. The setup for these accounts are a bit weird. They require you to create a new google entity with your own company URL. Fortunately, I have multiple domains I own and maintain, including this one, TimeHorse.com.

I probably should have used my writing group domain, RestonWriters.org. After all, the whole reason I wanted to get a paid Google account is because Meetup was moving to Online-Only meetings, following the outbreak of SARS-COV-2, and I needed a tool that allowed for video conferencing.

Skype was a non-starter. For one thing, it’s great for person-to-person communications, but for group chats, it has this annoying habit of muting everyone except the current speaker and you have to wait until that speaker stops to get a word in edgewise. My understanding is WhatsApp has the same problem.

Meetup actually suggested using Google Hangouts or Zoom. I happen to like Zoom. I use it for my regular NPVIC Grassroots strategy meetings and for Toastmasters and it’s always worked great. Zoom does support up to a hundred participants, both free and Pro. The only problem is, each of those Zoom sessions are either limited to the free forty-minute block or are using an up-to-24-hour Zoom Pro Account. Since most of my Meetups are at least an hour, breaking meeting up into forty-minute chunks would be tedious. And, at $14.99 a month, the professional account is well out of my price range.

Just before the first week of Virtual meetings began, my writing colleagues and I, including Elizabeth Hayes, who runs The Hourlings, tested both free Zoom and Google Hangout. Despite being limited to ten people, we decided on Google Hangout and I mapped it to our official Virtual Meeting URL.

Ten people worked fine for Reston Writers and for the Saturday Morning Review. The Saturday Morning Review actually worked out quite well because Meetup, despite suggesting we move to a virtual platform, still won’t let you delete the venue from your event and mark it as virtual, which, when editing events can cause some confusion. But when the Library cancelled all our events, I just deleted them all from the Meetup Calendar, and recreated them with no Venue and just announced them as occurring in Cyberspace.

Stay with me folks, I’m getting to the email…

As Sunday approached, I new ten participants wouldn’t be enough. Google Hangout would be fine for Bewie Bevy of Brainy Books and Saturday Morning Review, and likely The Science Book Club, as they all usually have fewer than ten participants for each meeting. The Hourlings, on the other hand, often had twelve, and sometimes as many as sixteen!

I new Zoom was $14.99 a month, but I read that Google App accounts could up the number of participants to twenty-five. Unfortunately my 2TB Google Drive account didn’t qualify. I had to get a Google Apps account.

And that’s where my troubles began.

At first, I could only sign up for the $12 per month account, even though I’d read it could be had for $6. Since the setup has a fortnight trial period, I didn’t worry about the financial discrepancy. I set up the account with my business email address for TimeHorse, LLC. I associated it with with that email, it connected to my Gandi Registrar, and my account was ready to go. I created a Google Hangout and assigned it to the Virtual Meeting URL, hoping it would allow twenty-five. The plan was to use it with the Hourlings to verify that fact.

It failed! We still could only get ten people into the meetup despite it being a paid account.

Unfortunately, since Monday I’ve been on Weather and Safety Leave from work because my Telework agreement was revoked, but that’s a story for another day as this post is long as it is! However, it did allow me to speak to Google and they suggested I try Google Meet. Meet was included with all Google App paid accounts, and it would allow for up to a hundred people and could be as long as I needed. Also, I could downgrade to the $6 per month account and I would still be able to use it. I thus downgraded.

We tried it with Reston Writers Review and it worked wonderfully. We had up to twelve connections simultaneously! But I’m getting ahead of myself.

At around 10:30 am, that Monday, after chatting with Google, I was examining my Google Apps account more closely. It was telling me I had one last step I needed to complete: integrate me email with Gmail.

Stop
Stop, do not pass Go. You’re done!

That’s when my troubles began. You see, what this innocuous, turn-key step says it does is it says it sets up GMail for your company. What it actually does is obliterate all the MX Records (email routing information) of your DNS (Internet routing information) Zone File (routing configuration file) on Gandi and replace it with MX Records that point to Google. The setup wizard doesn’t actually tell you this and I’m totally oblivious.

At current writing, I have 188 forwarded email addresses set up on Gandi with their MX Servers. One of those is my business email, the one Google took over and is my Google Apps login. That’s the email google set up as the official email address used in GMail. Once the GMail setup goes through and I send an email from the GMail interface to my personal email address on the timehorse.com domain.

It never arrives. All day long, I watch my email and, strangely, nothing arrives after 10:30 in the morning. I refresh and refresh, and it’s still nothing. Where have all my emails gone?

It’s not until I’m setting up for Reston Writers that I decide to contact Google about this. I’m crazy-busy setting up the Google Meet, opening up the pieces we’d be reviewing on my computer, and, simultaneously, chatting with Google, trying to figure out why I’m not receiving any email.

Eventually, Google Tech Support starts talking about MX Records and a chill runs down my spine. As you probably gathered by now, I am well versed in DNS records and Zone File manipulation. I even have a Python script which updates my DNS A Record when the IP Address for this server changes.

With trepidation, I logged into my Gandi account and saw the damage. Google had modified my Zone file and added a bunch of strange new MX Records pointing to Google. They had nuked all my Gandi Email forward since they’d redirected all email traffic to google. As google only had one account registered on the domain, timehorse.com, namely my business email address, every other email address I possessed was either being deleted or bounced by google!

Fortunately, Gandi’s Email Forwarding page provides a warning when the Zone file doesn’t point to their email server, listing the correct MX Record settings to use Gandi as the mail hosting server. I quickly commented out the Google MX Records and pasted in the Gandi MX Records around 7:30 pm, in the middle of my Reston Writers meeting.

Needless to say, I was miffed that I could not give my full attention to my writers during our weekly writing gettogether. But it’s good I finally did figure out the disastrous actions committed by Google after only nine hours, and not a day or more.

I may never know what was contained in those nine hours of lost emails. I suppose there is one blessing, though. I get too much email already and still have dozens of unread messages I’m desperately trying to catch up on. One Covidapolis, novel-length email after another from every business under the sun. STFU companies, you’re all doing the same thing and I don’t like reading the same message again, and again, and again! You have a plan, that’s all I need to know!

Maybe Google was doing me a favor?

In the end, I was able to solve the problem because I got skills and I’m available for hire!