This is a startling development considering how I’ve had to defend Zoom with respect to its long-ago patched UNC path vulnerability. Now, we find out that by intercepting the traffic during the sending of images like a GIF, an attacker can subvert a computer’s security, intercept a victim’s access tokens, and impersonate the victim to begin a social engineering attack.
The basic process is this: the attacker uses Fiddler to intercept a benign image as it is transmitted. Since the image is transmitted by its URI, the attacker can modify the packet that carries the benign URI and change the source domain so that the image appears to come from a compromised Microsoft Teams server.
Next, the attacker needs to intercept traffic to the compromised Microsoft Teams servers. Once the victim loads the image in his Teams viewer, the victim’s computer transmits his authentication tokens to the compromised server, and thus the attacker has the user’s credentials.
The main solution is to lock down any vulnerable servers in the Microsoft Teams subnet. However, it is interesting that Teams uses a REST API with JWTs (JSON Web Tokens). This is a very common authentication method and one used in OAuth authentication. I have developed a number of software components that use JWTs from OAuth and use those tokens to make connections to various web services I typically use, like Meetup and Google Drive.
Microsoft Teams uses two JWTs. First, the user gets an authentication token, and with that, the user can get the session token called skypetoken_asm. Both tokens are required by the Microsoft REST API to communicate with the server. The interesting thing, though, is that the second token is called the Skype Token. A few years ago Microsoft bought Skype. At the time, people speculated why, and of course with Microsoft Teams, I thought it might be to give Microsoft leverage with its own video conferencing platform. The question was, was Microsoft Teams based on Skype? It looks like, at least in part, the answer is yes.
Below, you can watch a video of how this attack might actually work.
So, be careful what video conferencing system you use. Clearly, Zoom isn’t perfect, but neither is Microsoft, and neither is Google likely to be. There is no reason to pick on any of them. All three are working hard to patch vulnerabilities as soon as they’re found. Just try to keep your software up to date. And that’s my latest deep dive into video conferencing security. If you like what you’ve read, I’m available and eager for hire.
From about 2020-03-23T14:30:00Z (10:30 am, Monday) to about 2020-03-23T23:30:00Z (7:30 pm, Monday), Google was redirecting all my email and either bouncing it or deleting it.
Let me repeat: Google deleted or bounced my email for Nine Hours, as part of the setup for a paid Google Apps account. The setup for these accounts is a bit weird. They require you to create a new Google entity with your own company URL. Fortunately, I have multiple domains I own and maintain, including this one, TimeHorse.com.
I probably should have used my writing group domain, RestonWriters.org. After all, the whole reason I wanted to get a paid Google account is because Meetup was moving to online-only meetings, following the outbreak of SARS-CoV-2, and I needed a tool that allowed for video conferencing.
Skype was a non-starter. For one thing, it’s great for person-to-person communications, but for group chats, it has this annoying habit of muting everyone except the current speaker and you have to wait until that speaker stops to get a word in edgewise. My understanding is WhatsApp has the same problem.
Meetup actually suggested using Google Hangouts or Zoom. I happen to like Zoom. I use it for my regular NPVIC Grassroots strategy meetings and for Toastmasters and it’s always worked great. Zoom does support up to a hundred participants, both free and Pro. The only problem is, each of those Zoom sessions is either limited to the free forty-minute block or uses an up-to-24-hour Zoom Pro account. Since most of my Meetups are at least an hour, breaking a meeting up into forty-minute chunks would be tedious. And, at $14.99 a month, the professional account is well out of my price range.
Just before the first week of Virtual meetings began, my writing colleagues and I, including Elizabeth Hayes, who runs The Hourlings, tested both free Zoom and Google Hangout. Despite being limited to ten people, we decided on Google Hangout and I mapped it to our official Virtual Meeting URL.
Ten people worked fine for Reston Writers and for the Saturday Morning Review. The Saturday Morning Review actually worked out quite well because Meetup, despite suggesting we move to a virtual platform, still won’t let you delete the venue from your event and mark it as virtual, which, when editing events can cause some confusion. But when the Library cancelled all our events, I just deleted them all from the Meetup Calendar, and recreated them with no Venue and just announced them as occurring in Cyberspace.
Stay with me folks, I’m getting to the email…
As Sunday approached, I knew ten participants wouldn’t be enough. Google Hangout would be fine for Bewie Bevy of Brainy Books and Saturday Morning Review, and likely The Science Book Club, as they all usually have fewer than ten participants for each meeting. The Hourlings, on the other hand, often had twelve, and sometimes as many as sixteen!
I knew Zoom was $14.99 a month, but I read that Google Apps accounts could up the number of participants to twenty-five. Unfortunately my 2TB Google Drive account didn’t qualify. I had to get a Google Apps account.
And that’s where my troubles began.
At first, I could only sign up for the $12 per month account, even though I’d read it could be had for $6. Since the setup has a fortnight trial period, I didn’t worry about the financial discrepancy. I set up the account with my business email address for TimeHorse, LLC. I associated it with that email, it connected to my Gandi registrar, and my account was ready to go. I created a Google Hangout and assigned it to the Virtual Meeting URL, hoping it would allow twenty-five. The plan was to use it with the Hourlings to verify that fact.
It failed! We still could only get ten people into the meetup despite it being a paid account.
Unfortunately, since Monday I’ve been on Weather and Safety Leave from work because my Telework agreement was revoked, but that’s a story for another day as this post is long as it is! However, it did allow me to speak to Google and they suggested I try Google Meet. Meet was included with all Google App paid accounts, and it would allow for up to a hundred people and could be as long as I needed. Also, I could downgrade to the $6 per month account and I would still be able to use it. I thus downgraded.
We tried it with Reston Writers Review and it worked wonderfully. We had up to twelve connections simultaneously! But I’m getting ahead of myself.
At around 10:30 am, that Monday, after chatting with Google, I was examining my Google Apps account more closely. It was telling me I had one last step I needed to complete: integrate my email with Gmail.
That’s when my troubles began. You see, what this innocuous, turn-key step says it does is set up GMail for your company. What it actually does is obliterate all the MX Records (email routing information) in the DNS (Internet routing information) Zone File (routing configuration file) on Gandi and replace them with MX Records that point to Google. The setup wizard doesn’t actually tell you this, and I’m totally oblivious.
At current writing, I have 188 forwarded email addresses set up on Gandi with their MX servers. One of those is my business email, the one Google took over, which is my Google Apps login. That’s the email Google set up as the official email address used in GMail. Once the GMail setup goes through, I send an email from the GMail interface to my personal email address on the timehorse.com domain.
It never arrives. All day long, I watch my email and, strangely, nothing arrives after 10:30 in the morning. I refresh and refresh, and it’s still nothing. Where have all my emails gone?
It’s not until I’m setting up for Reston Writers that I decide to contact Google about this. I’m crazy-busy setting up the Google Meet, opening up the pieces we’d be reviewing on my computer, and, simultaneously, chatting with Google, trying to figure out why I’m not receiving any email.
Eventually, Google Tech Support starts talking about MX Records and a chill runs down my spine. As you probably gathered by now, I am well versed in DNS records and Zone File manipulation. I even have a Python script which updates my DNS A Record when the IP Address for this server changes.
With trepidation, I logged into my Gandi account and saw the damage. Google had modified my Zone file and added a bunch of strange new MX Records pointing to Google. They had nuked all my Gandi email forwards, since they’d redirected all email traffic to Google. As Google only had one account registered on the domain, timehorse.com, namely my business email address, every other email address I possessed was either being deleted or bounced by Google!
Fortunately, Gandi’s Email Forwarding page provides a warning when the Zone file doesn’t point to their email server, listing the correct MX Record settings to use Gandi as the mail hosting server. I quickly commented out the Google MX Records and pasted in the Gandi MX Records around 7:30 pm, in the middle of my Reston Writers meeting.
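A small drift check for the kind of silent MX change described above, as an added example and not the author’s own script: it parses a constructed BIND-style zone snippet and reports MX hosts that do not belong to the expected mail provider, as well as expected hosts that have disappeared. The zone contents and all host names are assumed for illustration.

```python
import re

# Constructed sample zone, roughly what the post describes after the Gmail
# wizard ran: the registrar's MX records commented out and Google's added.
# Host names are assumed for illustration, not taken from the author's zone.
SAMPLE_ZONE = """\
$ORIGIN timehorse.com.
@ 10800 IN A 192.0.2.10
; @ 10800 IN MX 10 spool.mail.gandi.net.
; @ 10800 IN MX 50 fb.mail.gandi.net.
@ 3600 IN MX 1 aspmx.l.google.com.
@ 3600 IN MX 5 alt1.aspmx.l.google.com.
www 10800 IN CNAME timehorse.com.
"""

# MX hosts the domain owner expects (assumed registrar mail hosts).
EXPECTED_MX = {"spool.mail.gandi.net", "fb.mail.gandi.net"}

# owner, optional TTL, optional class, then MX <priority> <host>
MX_LINE = re.compile(r"^\S*\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(\d+)\s+(\S+)", re.I)


def parse_mx(zone_text):
    """Return sorted (priority, host) pairs for every active MX record.
    Lines starting with ';' are zone-file comments, so a record the owner
    has commented out is not counted as active."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".").lower()))
    return sorted(records)


def check_mx(zone_text, expected=EXPECTED_MX):
    """Report MX hosts that should not be there ('unexpected') and expected
    hosts that are gone ('missing'); both empty means mail still routes
    where the owner intended."""
    active = {host for _, host in parse_mx(zone_text)}
    return {"unexpected": sorted(active - set(expected)),
            "missing": sorted(set(expected) - active)}


if __name__ == "__main__":
    drift = check_mx(SAMPLE_ZONE)
    if drift["unexpected"] or drift["missing"]:
        print("MX drift detected:", drift)
```

Run against a live zone export on a schedule, a non-empty result is the alert the author would have wanted at 10:30 am rather than at 7:30 pm.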
Needless to say, I was miffed that I could not give my full attention to my writers during our weekly writing get-together. But it’s good I finally did figure out the disastrous actions committed by Google after only nine hours, and not a day or more.
I may never know what was contained in those nine hours of lost emails. I suppose there is one blessing, though. I get too much email already and still have dozens of unread messages I’m desperately trying to catch up on. One Covidapolis, novel-length email after another from every business under the sun. STFU companies, you’re all doing the same thing and I don’t like reading the same message again, and again, and again! You have a plan, that’s all I need to know!
Maybe Google was doing me a favor?
In the end, I was able to solve the problem because I got skills and I’m available for hire!