Opinion The calls are coming from inside the house! Lately, Outlook users have been getting their own version of this classic urban horror myth. The email system is alerting them to suspicious activity on their accounts, and helpfully providing the IP addresses responsible.
Those, it seems, belong to a shady organization called… Microsoft.
What the hell are we supposed to do with this information? Is this an error in the suspicious activity detector? Is this the result of hacking attempts via compromised Microsoft systems? Is it Microsoft bungling some sort of management task? At the time of writing, nobody knows. Microsoft hasn’t offered an explanation. That means that nobody can be sure how to react. There’s clearly something wrong, but what is the risk? If you don’t know, you don’t do much about it. Wise?
Things can go the other way. “Why is nobody writing about this?” one correspondent asked this week, going on to say they did their most sensitive work on pre-2005 technology air-gapped from the internet.
Why 2005? Because that’s roughly the date that undocumented independent processors like Intel’s Management Engine started to be widely deployed on motherboards and in CPUs. That’s quite a remarkable response to a threat that’s difficult to enumerate. It’s possible, because it does happen, that manufacturers plant secret backdoors in systems at the behest of state agencies, but are they coming for our correspondent? Are they coming for you?
No, they are not, not unless you are doing things that interest state-level agencies. And if you are, you can’t stop them with vintage computing. Talking to friends around the world and scared of supply chain compromise? You could build a worldwide network of completely unbreakable encrypted voice circuits using ZX Spectrums sourced from eBay. The Spectrum has a 1970s-vintage processor that is guaranteed not to be backdoored, with just enough horsepower to do one-time pad encryption. There’s literally nowhere for a hardware or software intercept to hide. But if your messages are important enough to an attacker, they’ll burgle, bribe or bug their way to the data before or after it’s encrypted.
This basic equation, the cost to the attacker versus the value of what they might get, is the cheapest yet most effective infosec aid on the market. There’s always a cost to an attack, whether it’s the risk of detection or being traced, or in the use of exfiltrated data giving the game away. As a defender, you need to be in the Goldilocks Zone of infosec paranoia – not too much, not too little, but just right. A sober view of your attractiveness as a target will get you there.
Applying that to the Outlook mystery helps diagnosis, even in the absence of any help from Microsoft, the curs. Pretend you’re Evil Haxxor who’s got into Microsoft’s systems. Have you done this to conduct random acts on random users, risking triggering the tripwires? Bad guys pay opportunity costs just like the rest of us. Time spent building a major compromise can’t be blown on low-value results, not while phishing and other intrusions work so much better.
Conclusion: cock-up, not criminals. And so it was. When Microsoft eventually responded, it waved the white flag of fiasco. “We’re working to resolve a configuration issue causing some customers to receive these notifications in error.”
Take another of last week’s security stories, the tired old tale of out-of-date WordPress plugins opening up millions of sites to automated attacks. Extremely low cost to le chapeau noir, who can get a script, make a coffee, and come back to a list of interesting targets who clearly don’t have much of a clue.
If you have a WordPress instance, is it worth the extra vigilance keeping up with plugin patches? You might find a better, simpler way of doing whatever it is you’re doing, or decide it’s not worth doing at all. Aerospace engineers know the safest, cheapest component to fly is the one that’s not there. You don’t need to understand plugin vulns to come to the same conclusion, just by being clear about what things cost compared to what’s on offer.
Some things can’t be helped. Should you apply security patches as soon as they’re available? Yes, of course. Everyone says so. Unless they’re broken, then you should wait a bit for others to take the pain. It’s not a winnable war, and that’s OK.
If you’re not paid to spend all your time as a security professional but have to make decisions about security, and that’s most of us, it’s a numbers game.
Think like an attacker – and their accountants – and a lot of hard decisions become easier. You won’t make all the right calls, but you’ll do a lot better than the average bear. That’s OK too. ®