Security Unlocked

Share

All Your Pa$$w0rd Are Belong to Us

Ep. 12

Special Edition! 

We’ve been told for years how important passwords are, taught how to make them stronger and longer and better, and we frantically tear up our home or office when we can’t find that sticky note where we wrote them down. Life feels like it comes to a screeching halt when we’ve lost our passwords, but… what would life be like if we didn’t need them? Can your passwords truly become a thing of the past? Sounds a bit unnerving, but we can promise you, it’s always security first here at Microsoft.  

 

On this special edition episode of the Security Unlocked podcast, hosts Nic Fillingham and Natalia Godyla explore the journey of becoming passwordless with Alex Weinert, Director of Identity Security at Microsoft, as he explains why your passwords don’t matter and how going passwordless can protect you from attackers.


In This Episode, You Will Learn:    

• The risks that are being mitigated through passwordless authentication 

• Where the challenges lie within using passwordless authentication 

• The functions of Windows Hello, Microsoft Authenticator and FIDO tokens 

• How ML is used in these technologies 


Some Questions We Ask:   

• What does passwordless mean? 

• What are some common misconceptions or risks? 

• Where are customers on their journey to going passwordless? 

•What is the end goal for passwordless authentication? 


Resources:

Alex’s Blog Post 

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984 

 

Alex’s LinkedIn 

https://www.linkedin.com/in/alexweinert/ 

  

Nic’s LinkedIn  

https://www.linkedin.com/in/nicfill/  

  

Natalia’s LinkedIn  

https://www.linkedin.com/in/nataliagodyla/  

  

Microsoft Security Blog:   

https://www.microsoft.com/security/blog/ 


Related:

Security Unlocked: CISO Series with Bret Arsenault

https://SecurityUnlockedCISOSeries.com


Transcript

(Full transcript can be found at https://aka.ms/SecurityUnlockedEp12)


Nic Fillingham:

Hello, and welcome to Security Unlocked, a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft security engineering and operations teams. I am Nic Fillingham.


Natalia Godyla:

And I am Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science.


Nic Fillingham:

And profile some of the fascinating people working on artificial intelligence in Microsoft Security. If you enjoy the podcast, have a request for a topic you'd like covered or have some feedback on how we can make the podcast better ...


Natalia Godyla:

Please contact us at securityunlocked@microsoft.com or via Microsoft Security on Twitter. We'd love to hear from you. Hi Nic, how's it going? Welcome to Episode 12 and welcome to three months of podcasting.


Nic Fillingham:

Yeah. Thanks Italia. This episode marks the, us passing the, the three-month mark, which is pretty cool, of Natalia and I being professional podcasters. I've actually put that on my LinkedIn profile now. So I think that makes it, uh, that makes it official. And I see you, we're obviously an audio only podcast, but as part of the recording, we have our cameras on. I can see Natalia that you appear to have embraced outward, which we, we talked about in the last episode. And you now appear to be in a small cave-like environment.


Natalia Godyla:

It does feel like a-


Nic Fillingham:

(laughs).


Natalia Godyla:

... cave-like environment. I can tell you that. I did transform my closet into my podcast studio. So it was a whole project this weekend. It's swanky, but I can tell you, there are some drawbacks. It is about 3,000 degrees in here.


Nic Fillingham:

(laughs).


Natalia Godyla:

I did not plan for that this podcast episode. So I'm, I'm dying a bit.


Nic Fillingham:

You're in the right place, though, if you decide like, "I'm not appropriately dressed for the temperature." You, you're actually in the perfect place to make that-


Natalia Godyla:

Yes, I, I mean-


Nic Fillingham:

... make that change.


Natalia Godyla:

... theoretically, yes. The other hazard of my current setup is getting locked in the closet, which has happened already. I did have to email for help.


Nic Fillingham:

(laughs). Who did you email?


Natalia Godyla:

So I emailed my partner who proceeded to Instagram, a picture of my email. It's just me in all capital letters asking him to get me out of the closet. So I'm glad that posting a picture to Instagram was of high priority in that circumstance.


Nic Fillingham:

Your partner was like literally feet away, right? Just, just drywall and framing away from you.


Natalia Godyla:

Yes, but I, I did an amazing job with my podcast studio. These blankets are intense.


Nic Fillingham:

Yeah. So like, were you banging on the window and the door and all that stuff? And he just couldn't hear you because the, the soundproofing was so phenomenal?


Natalia Godyla:

There was no knocking. Immediately, emails.


Nic Fillingham:

You were not, not even gonna to try, not even gonna try and knock. 'Cause I know, I know that I've done such a great job of deadening all sound. The only thing I can do is send a, an all caps email (laughing) subject.


Natalia Godyla:

The only option. This is all for our audience.


Nic Fillingham:

You know what? We had to, because our guests were coming on with better and better microphones, including the person you're gonna, you're gonna hear from today, Alex Weinert, who has a recording studio in his home basement. And he and I geeked out on bass guitars. But that, that wasn't the, the goal of the conversation. The goal of the conversation, um, was to talk about passwords.


Nic Fillingham:

And in fact, this conversation with Alex was so, was so awesome that we couldn't really edit it down. We've decided to do a special episode, which we haven't, we haven't done this before. Natalia, you're grieving away. Is there music coming through your headphones? What's going on?


Natalia Godyla:

No. I'm that interested in what you're saying, Nic.


Nic Fillingham:

(laughs).


Natalia Godyla:

I'm just grooving along with it.


Nic Fillingham:

L-, Natalia is literally like bopping away. I c-, I, she's bopping away to invisible music. Well, you, you take it from here. Tell us about the, uh-


Natalia Godyla:

(laughs).


Nic Fillingham:

You're obviously very excited. Tell us about the conversation we (laughing) had with Weinert.


Natalia Godyla:

Yeah. So we had a special episode with Alex, as you were saying. We talked about the future of passwords or perhaps the lack of future for passwords. So the inherent risks in continuing to use passwords is ... And some of the risks also with, uh, SMS, which I found really fascinating, the, the concept of it being out of bound, out-of-band and potentially then being intercepted.


Natalia Godyla:

Um, and then we just really dove into the reality of passwordless. What is the science behind building some of these password technologies? How real is it? How many customers are using it? So it was great to s-, get that substantive approach to passwordless, something that we keep hearing as a buzz term.


Nic Fillingham:

Yeah. This is a great episode to listen to after you, uh, get through Episode 8, which was with, uh, Maria Maria Puertas Calvo from the Identity team who talked about how that group utilizes artificial intelligence and machine learning. And then after we spoke with Maria, I think we might have been, we might have stopped recording at that point.


Nic Fillingham:

That Maria recommended that we then sort of move that conversation forward by getting on the phone or, or Teams as it is, uh, and chat with Alex to talk about passwords and the future, the history, the past, the, the good, the bad, the ugly of passwords. So it's a great conversation. We hope you enjoy it. On with the pod?


Natalia Godyla:

On with the pod.


Nic Fillingham:

Welcome to the Security Unlocked Podcast, Alex Weinert.


Alex Weinert:

Hey, how are you? Nice to be here.


Nic Fillingham:

Thank you so much for joining us, Alex, um, from your, uh, from your home recording studio, which we might, might touch on a little bit later. It looks, it looks pretty awesome. Alex, we normally ask people to first of all, sort of introduced themselves, and, and talk about their role. We will get to that, but I think I just want to sort of set the stage here. You are probably best known to our audience.


Nic Fillingham:

So let me know if you think it's fair to say you're best known to our, our audience as the, the author of the, All Your Passwords Belong to Us. Did I get that right? Or Your Passwords Don't Matter. You have some great blog posts, which really talk about the fact that passwords are bad. Don't use password. Is, is, is-


Alex Weinert:

Yeah, Your Password Doesn't Matter as a blog, that kind of took off. And then in my, in my, my non-blogging time, I'm the director of Identity Security for Microsoft.


Nic Fillingham:

Got it. And what does that look like? Like what, what does your team do? Sort of, what does, what does the day-to-day sort of look like for you, Alex? If there is-


Alex Weinert:

(laughs).


Nic Fillingham:

... if there is a, a standard day.


Alex Weinert:

Day-to-day. Um, I often joke that, um, I have a calendar that tells me what I'm, you know, I think I'm going to do on a given day. And then we have-


Natalia Godyla:

(laughs).


Alex Weinert:

... you know, various actors that, uh, change that agenda rapidly, uh, at times. First of all, you know, I think you, you spoke to Maria Puertas earlier. She's on the team. She's, uh, an amazing part of that group. And, and basically there are a set of functions that we do. We do internal security. So this is kind of thinking about, you know, how do we do secrets, um, management?


Alex Weinert:

And how do we set up our environment for dev ops, you know, security and, you know, pipeline security and operational security and all that kind of thing? And just making sure that the core of our identity system stays safe. And then, uh, we have an incident response team, which is sort of ... It would be nice to say the pointy end of the spear, but it's more like the windshield that catches the bugs, right?


Alex Weinert:

Like they, they deal with all the nasties that come in and, and try to hurt our customers or hurt Microsoft, uh, or customers via Microsoft. So that's another major function. And then what's cool is that this is where the sort of a flywheel starts, which is the things we learn from those investigations and those incidents go into Maria's team, right? And then Maria's team develops the refined, like data science that tells us, how prevalent is the pattern?


Alex Weinert:

How do we, you know, build detections into the product? How do we intercept those attacks and apply it in the product, so that we can keep them from ever hurting our customers? And then there's a set of teams that are kind of oriented around that signal that, that Maria's team produces. There's a signals intelligence team, which essentially packages that, so that customers can see it.


Alex Weinert:

There's the prevention team, which is basically about stopping fraud in the system and doing things in an automated way. So like one thing not a lot of people know is that we block, uh, something like 80 million attacks a day that customers never even know about, but we're able to see them. And, and so defending the system and defending customers from fraud, from account takeover attempts, that sort of thing.


Alex Weinert:

It's something that we do in an automated way on that team. So, um, the configuration by admins as to what credentials are allowed in the organization, and then the combination of that information with usage information and security information to decide, what's the right challenge sequence to show to a customer at a given time? That's, that's another team.


Alex Weinert:

And then finally, we have a team that is all about empowering end users. So we sort of jokingly call it the, like the karate school, right? Like it's, how do I teach my end users to defend themselves in a world where there's a lot of hostile activities? So the authenticator, which has the password manager feature.


Alex Weinert:

So that, that feature is part of that team, as well as things like self-service password reset and other, you know, the, the sign-ins logs that you can go look at and tell us whether you think the recent sign-in was fraudulent. And then all of that actually goes back into Maria's team and feeds that information to tune the algorithm.


Alex Weinert:

So when people, either administrators or users tell that they see something that we didn't notice, or that we got it wrong, that actually goes back in to make us more accurate. So that's kind of the flywheel, right? We go from incidents of bad things happening through data science and then ultimately out to the customer and to the end user and then right back into data science. And then, you know, by, by doing this, we're able to continuously train our systems.


Nic Fillingham:

Just for sort of scale, number of, of customers or, or number of sort of identities? I do-, I'm not sure what the right metric is here, but sort of we're talking in the hundreds of millions or are we in the billions category?


Alex Weinert:

Oh no. (laughs). No, like 40 billion log-in events a day, 170-


Nic Fillingham:

Wow.


Alex Weinert:

... terabytes of data, data generated per day. Yeah.


Nic Fillingham:

Wow, and, and, and the number of humans on the planet that are utilizing this, how's, ha-, how do we, how do we measure that? We measure that in the hundreds of millions as well?


Alex Weinert:

Mmm, billions.


Nic Fillingham:

In the billions.


Alex Weinert:

Yeah.


Nic Fillingham:

Wow. Okay. So these are bi-, pretty big numbers.


Alex Weinert:

Yeah.


Natalia Godyla:

(laughs).


Alex Weinert:

Yeah. (laughing). Relatively large numbers. Yeah.


Nic Fillingham:

Awesome. Thank you for that context there. So the, the, the, the topic that we sort of really wanted to start with here was, was passwordless. And, and we'll jump into that in just a sec, but I actually want to start with the fundamental of, you know, there's a lot of ... You know passwordless is, is, is sort of a newish term. It's sort of a buzz term. It's, it's being thrown around.


Nic Fillingham:

Can you define for us ... It may sound like a very simple question, but what is passwordless? What da-, what does it mean and what does it mean to us?


Alex Weinert:

Yeah. I mean conceptually, it is exactly what it sounds like, which is passwordless is when you authenticate yourself into a system without ever typing a password. The blog you mentioned earlier, you know, Your Password Doesn't Matter, it kind of goes into all the ways that, you know, short of using a password manager, it's basically impossible to have a, uh, a password that isn't in some way crackable.


Alex Weinert:

Um, so multi-factor authentication becomes a mandate, right? Like you have to have a second. If you're using a password basis, and you have to have something else. But the thing about it is that given how easy passwords are to crack, multi-factor auth reverts back to single factor auth pretty quickly in a world where your password gets guessed, right?


Alex Weinert:

So if your password gets guessed and you don't notice it, or you don't do anything about it, then you're now relying on a single factor, because the original factor is compromised, right? So the challenge we said is, you know, how do we get into a multi-factor authentication system where no password is present and actually try to not make that, you know, more challenging, but actually lower the usability bar? Like make it easier to use, right?


Alex Weinert:

And so what we looked at, uh, sort of in the initial way was Windows Hello, right? So in Windows Hello, you know, once you set up a device as your own, you can like literally just look at the camera and sign in, or you can touch the fingerprint reader and sign in. And the reason for that is that you have a biometric, right? Plus the device possession, and the device possession is hard mound.


Alex Weinert:

And so, you know, that model, like you think about that as FIDO is the same thing, except for it just takes ... It, it gives you more portability of the device you're using. So, you know, your, your FIDO tokens are, uh, you know, like on a USB form factor or in your phone PhoneFactor.


Alex Weinert:

And that allows you to then go from computer to computer and have that same, very strong authenticated experience on devices you haven't been on. And then the last one is the phone app, right? And the, the authenticator app is a way of doing passwordless, because we hard-bind into your phone. And then, again, there's some sort of, uh, secret. In the case of the phones, mostly it's Device Unlock.


Alex Weinert:

So it's, there's a, either pin or biometric unlock, right? So you're still doing two factors, but you're never having to interact with a password. So you don't forget your password. You don't write your password down. You don't pick a stupid password that ... Oh, I'm sorry. I, you don't pick a easily guessable password.


Nic Fillingham:

(laughs).


Alex Weinert:

Um, but I mean, seriously, password 1, 2, 3, come on. And by the way, the most common passwords in use are still things like 1, 2, 3, 4, 5, 6 and "I love you," and like, uh, things that are, you know, QWERTY I, uh, UIP, which is just about running your finger along the keyboard. It's like, so clearly people want less effort to go into their authentication rituals, right?


Alex Weinert:

So we're trying to figure out how to lower that effort bans, at the same time, make it stronger. The thing that is kind of unique, I think, in ... When we say passwordless right now in, in our authentication systems, we're talking about the authenticator application, Windows Hello and FIDO tokens. But I think we can extend that over time. FIDO gives us a nice framework, nice standards-based framework for extending that over time.


Alex Weinert:

There's an underlying thing that happens, which is really important. And I wrote about this in All Your Creds Are Belong To Us, which if you're old, like me, and you play old video games, you recognize the reference. Um, and, uh, and in All Your Credits Belo-, Are Belong To Us, we talked about something called verifier impersonation resistant. And that's sort of a heady technical term maybe.


Alex Weinert:

But what it basically means is that you can't put a machine in the middle of the ritual and trick the user, right? So one of the big problems we have with like tools like Modlishka is that Modlishka, um, does a pretty good job of exactly replicating the UI that the user's expecting to see. So the only thing that's protecting them in that case is that they ignore the ... If they ignore the cert warning, right?


Alex Weinert:

If they're not paying close attention to the URL they're going to, and that's really ... Unfortunately, most users aren't gonna to either get it, or they'll just literally bypass the warnings. So, um-


Nic Fillingham:

S-, sorry. What is, what is Modlishka? That's, uh, identity [crosstalk 00:14:07]?


Alex Weinert:

So Modlishka is a, is a red team ... It's like a pen testing tool.


Nic Fillingham:

All right, yes.


Alex Weinert:

And, and you can download it from GitHub, right? Like you can go search for it and download it. And what it does is it effectively, you point it at the server you're trying to intercept, request for. You're, so you're trying to machine in the middle, the request between the client and the, the legitimate server. And so this is actually ... We'll, we'll go super geeky for just a second.


Alex Weinert:

'Cause this is actually really an important aspect of passwordless that I think most people don't quite get. So basically what happens is when we have a, a situation where like you type in a password, and then you get, uh, an OTP code on your phone. The problem with that is that the communication is out-of-band, which means that the server is gonna say ...


Alex Weinert:

You know, they're gonna send or transmit a message to your phone and saying, "Hey, please approve this." Or, "Please," you know, "re-key this number." And then the user needs to key that number back in. If the user is tricked to going to, into a machine that is impersonating the identity provider, so if it's impersonating like Azure AD, that impersonalization is facilitated by a tool called Modlishka or other tools like it, that actually scrape all the UI code off of the original server and then replay it on their local server.


Alex Weinert:

So that's what Modlishka is doing is it's like replaying everything forward. So from a user perspective, this isn't like a hacky, lousy old version of the UI that doesn't look right. It's, it's going to look exactly right. It's going to behave in exactly the same way as the, as the code on the original server. So for a user interacting with that, they're like, "Well, this must be the real thing."


Alex Weinert:

The server will notice the anomaly. Like our server will notice the anomalies saying, "Hey, I don't think I've seen you on that machine before. So I'll challenge you for MFA." The problem is now the request for the MFA challenge is played forward to the user. And if we have an out-of-band authentication mechanism like SMS, the challenge now goes directly to that user's phone.


Alex Weinert:

Well, the user thinks they're interacting with us. So then they just key in the code that they got on their phone, right into the, the machine in the middle. The machine in the middle turns around and plays it back to us. We see that as an authentication pass, and then we would issue a token to that machine in the middle. And so that's how it's called OTP phishing. This is how like MFA bypass OTP phishing happens.


Alex Weinert:

So it's a slightly more sophisticated attack. The difference between that and password is that, uh, a pass should only attack is that if I have your password and there's no other protections, I can go anywhere I want and get new sessions. Whereas in this world, I have to trick you into giving me a session on one machine. And I've only got that session for as long as that token lasts, right?


Alex Weinert:

So it's a somewhat more limited attack, but it's still a very serious attack. And it's, it's a way to bypass e-, existing multifactor auth methods. So one of the really important things that's built into things like Windows Flow and, you know, FIDO and, and our passwordless methods is that we are looking at the, at the point where you issue the credential, at the point where we say, "Hey, that FIDO token can be used to sign into Azure Active Directory," for example, right?


Alex Weinert:

The credential is actually looking at the certificate of the machine that it's, it's taking a credential for. And built into the FIDO standard is this, this idea that you would never give the user an option to sign in to something that they haven't signed into before. So it won't ... The token itself will never even present the UI to the user to offer that token, because it'll say, "Nope, this is not a server that I've ever interacted with legitimately before. So I'm just not willing to give you a cred for it."


Alex Weinert:

So it defeats the machine in the middle of the attack, which is a really important and cool thing that it does. So that thing where you look at the credentials of the service that's asking for the credentials, that's called verifier impersonalization resistance. So that was super nerdy, but it's a really important aspect of this thing, which is that we have a cryptographic relationship between the token that's being used to sign in and the service that it's being used to sign into.


Alex Weinert:

That's two-way. The trust is both ways. So the, the token has to trust the service too. So if you try to impersonate that service as a machine in the middle, your host, like you're not going to ... It's not going to work. And that's a really cool thing about passwordless. So not only is it, you know, you're not going to write down the password, you're not going to choose to use the guest password, all the other issues with passwords.


Alex Weinert:

It also bypasses many of the vulnerabilities of existing multifactor auth that is out-of-band in nature.


Natalia Godyla:

So you've outlined a number of risks that we're trying to mitigate through passwordless. Uh, just thinking about it from the other side, wh-, what are the risks that are still inherent and passwordless? What are, what are some common misconceptions on what it can solve? What should people be continuously aware of even after they've implemented passwordless, other identity technologies that need to be paired with it?


Alex Weinert:

That's a great question. Um, I think that for those of us who've been around the identity industry and the security side for a long time, uh, the, the thing that we probably worry the most about is, uh, what happened around smart cards, right? And so smart cards ended up being a very secure mechanism that was very niche-y in nature. And the reason for that was that there were serious usability issues and, and manageability issues at the, at the organizational level.


Alex Weinert:

So for example, if you lose a smart card, you know, you leave your smart card at home, you come to work without it, how do you go to that person, authenticate for the day? And it turns out you need a way to manufacture a new smart card. And that is, uh, an expensive process. And you need to physically get somebody down to a desk and, and issue and all that sort of thing.


Alex Weinert:

So the form factor, specifically the fact that we had to embed credentials using specialized hardware was kind of a big deal in, in those days. And so, as we went into the new generation of passwordless technologies, we wanted to get the security benefits of, of the, sort of the old PIV and smart card model. But we wanted to do it in a way that we could get great usability as well.


Alex Weinert:

And so the major things that I think we worry about are actually on that usability spectrum. Like if I have a really strong credential ... Le-, let's, let's first back up. Let's talk about passwords. How many places will give you a password reset based on knowing your mother's maiden name or your last address?


Natalia Godyla:

(laughs).


Alex Weinert:

Right? Why would we have-


Natalia Godyla:

Sounds familiar.


Alex Weinert:

... such a weak mechanism to, to recover a password? And the answer is because passwords are so intrinsically weak that a weak mechanism in some senses is like a rational response. But when we get to a place where we have like a FIDO token, which is a cryptographically, you know, like ha-, hardware-based cryptography, and it's awesome, right? Do we still want to use your mother's maiden name as a way to recover the credential?


Alex Weinert:

And so recovery becomes one of the brass ring things that we need to go make sure we get right. So issuance recovery, all the things that are about getting you started. Now, for organizations that can use phones, like this is a great way to go for a lot of organizations, if you're allowed to use your mobile phone in the organization. So you can use the authenticator app.


Alex Weinert:

We've done a ton of work to have essentially the ability to generate a temporary credential issuance code as a help desk, and then have somebody simply point their phone to the screen and get their new credential. And so some of that, we've like massively lowered the cost and the effort involved for an organization to manage these things.


Alex Weinert:

But then there's organizations where you're not allowed to use a phone, right? They're either, because you're in a secure environment where phones aren't allowed, you're on a retail floor, or there are union or governmental regulations that prevent requiring, or allowing a customer ... Um, I'm sorry, a user to use their personal devices. Right?


Alex Weinert:

So then you have this whole issue around, okay, so now you've got hardware. And, so what happens if somebody has a two-hour commute to work, gets there and realizes that they left their, you know, FIDO token on their other key chain, right? Like what happens if, you know, you're borrowing the car or your car is in the shop, whatever?


Alex Weinert:

So the thing that is of concern when you go into these really strong credentials is that you have to have a pair-wise, really strong, you know, lost, forgot recovery and issuance flow. Like we've had the basic login to windows with a FIDO token working for, I think, a couple of years now, right? Like that's not where the energy is going right now. The energy is going in the usability piece.


Alex Weinert:

Like how do I get to a place where you can go order a FIDO token from your favorite online retailer, have it show up in your house, you know, via Speed Delivery? Right? So one of the scenarios we talk about is if I'm traveling and I get robbed, right? Like, and I need to get into my machine, what do I do? Right? So I can order one of these things, retail off the shelf.


Alex Weinert:

I can interact remotely with my help desk. And then I can actually reprovision the strong credential from right there on my, my laptop, you know, in my hotel room, right? Like that ... And I realize this is, you know, the pre-COVID version of this, but it's in fact more relevant now. I've hired, I think, you know, something like 10 people onto my team since March. Not one of those people has had physical contact with anyone from the corporation, and they're all doing strong credentialing. Right?


Alex Weinert:

And so that, that bootstrapping process is really important to get right, especially now. That's where the real challenges are. I don't think that there's a significant argument to be made for, for the security side of this at all. Like the security here is as good as it gets, short of ... I mean, we're certainly just as good as it gets, right?


Alex Weinert:

You, you could add other rituals, like manager approvals and that sort of thing. Well, you can do that now. From a credentialing perspective, you don't get much better than a cryptographically strong device where the crypto's being done in hardware and you're validating everything all the way down the chain. The people that worked on FIDO2 did a good job, right? They, they nailed the security promise.


Alex Weinert:

What we're trying to nail now as the usability promise. And even that on the mainstream line isn't that hard, but when you get into the, "Oops, I," you know, "I washed my FIDO token in the laundry today," right? Like that becomes more of a problem. And so how do you reestablish trust? That's a place where we're putting a lot of investment. And I think that that will be the make or break for, for strong credentials.


Alex Weinert:

The thing about passwords that, as much as I would like to see them eradicated from usage, the thing about them is, you know, there's essentially an infinite key space. They're super easy to reissue. The user can self-reissue. Like there's a bunch of ease of use stuff around passwords, until you forget that, and that's a whole different problem.


Alex Weinert:

When you, once you get to a really strong credential, you have to kind of match up the ease of use piece. And that's a big investment.


Natalia Godyla:

So where are customers on their journey to passwordless? We're at a point where we're improving what we already have. And so, like you said, we're focusing on usability. Are our customers actively using these methodologies? Is there one that is preferred over others? What does that look like for people?


Alex Weinert:

In broad strokes, adoption of Windows Hello is terrific. Like we have many, many, many customers that their primary sign-in mechanism every single day, as you open your laptop and you get to work. And there's a cryptographically strong handshake happening there, but you don't as a user, think very much about it. You can use a pin, face print, thumbprint. I use a pin ...


Alex Weinert:

Confession time, uh, because I'm on this crazy deck here, and my, all my scanner, all my actual computing hardware is way over on the side. So the pin is an easy way to do it from the keyboard. But if you were using a, a, like a face scanner, which is built into most laptops, the camera will work in same way that you would look at your phone to unlock it. Then you're just signed in and you don't think about it. And that's a really great user experience.


Alex Weinert:

And that's actually the experience you're used to on your mobile devices. It's the experience customers are used to on their, on their Windows devices. Then the next place that we see really good traction in, you know, here, it's tens of millions is in the authenticator app, right? So the authenticator app is a very popular option for people to use. It's on the phone. So you want to sign in.


Alex Weinert:

You gotta, you know ... Thing flashes on your phone, it says, "Please approve." And then you push the number, you know, that matches the screen. And that I think has driven a lot of adoption of the authenticator app. So the authenticator app is the second most popular. And then with FIDO, I'd say people are dipping their toes in the water. Like organizations are getting serious.


Alex Weinert:

people that wear a lot of tinfoil hats like me, you know, the overall Net/Wall or mission full hats, right? Um, are, are deep into the FIDO experience. And so I sign in every day, uh, using FIDO because I, I know the, you know, the security promise behind it is just outstanding. So m-, my personal accounts, I don't have passwords that I know on any of my personal accounts. I intentionally put random, random strings into all of my password fields as-, and then destroy the strings, so I don't have a copy. All of my sign-ins every single day are passwordless.


Natalia Godyla:

So you mentioned that, uh, the scenario in which you find out that there has been something suspicious in your account and you respond to the request. But ultimately there's something in the technology identifying something as suspicious. How does that work? Are we using machine learning for that use case? Uh, uh, how do we use it across all of the technologies that you've described?


Alex Weinert:

Yeah. So back in the beginning of my journey with this team in, I guess it was 2013, we were struggling with the fact that we would, um, go through this process where we would figure out a new attacker signal and we would update our algorithms. And that would take a certain amount of time. And then we would test and we would package and we would deploy to servers all over the world and the fix would go live and the attackers would be disrupted for about a day.


Alex Weinert:

And then they would adopt to our new algorithms and we had to start over. So we were on like a sort of six-week cycle, you know, to get changes made. And then they were on a sort of a two-day cycle to respond to the changes. And so we were on, you know, what, I think a lot of people who have a long background in defender technology know, which is that it can feel like a treadmill.


Alex Weinert:

Like you, you take a step, that you take a step and then you're right back where you started. And so we made a bet on adaptive defenses, on adaptive technology for defenses. And that was a really hard bet. I mean, it diverted a bunch of resources and stressed a lot of people out and it went on ... You know, we had a lot of false starts. We've talked to other f-, friends in the industry who, you know, started and abandoned their efforts in this area, because it, it can be frustrating.


Alex Weinert:

But we got to a place where we could beat our static heuristic algorithms with our machine learning algorithms. And at the time, we looked at like 30 different features. A feature is just an aspect of a log-in, right? Like some ... It could be your IP address. It could be your browser, you know, your agent string, whatever, but we'd look at these things.


Alex Weinert:

And we looked at like 30 and we would say, "All right, given this combination of factors, what's the probability that this thing is going to be a good log-in or a bad log-in?" When you get into data science, you, you're working with two things. There's precision, which is the number of times, if I say it's bad, how often is it r-, is it really bad? And precision is really important, because it's, it gets into how many times do you artificially challenge a user?


Alex Weinert:

And that results in user friction and like bad experiences and help desk calls and costs. And people will turn off security technology that gets in their way. And this is an unfortunate truth, right? Like if you put technology in front of your users, that frustrates them. Even though it's the, doing the right thing from a security perspective, the organization will turn it off, because productivity is the higher order bread for every organization.


Alex Weinert:

And so every CSO knows this and has to live with a sort of balance, right? So one of the things that we have to do as security professionals is we have to put experiences in front of people that actually enhance their experience to the extent possible, or at least minimally disruptive. So precision is the thing that we look at for that when we match the precision of our then best algorithm, which was at around 17%.


Alex Weinert:

Which means that eight out of 10, roughly eight out of 10 challenges that went to users were unnecessary, right? We were, you're throwing MFA challenges that users are blocking them incorrectly, eight out of 10 times. When we match that with our la-, machine learning stuff, when the machine learning got as smart as our current static algorithms, we started blending the two together and then the machine kept on getting better and better and better.


Alex Weinert:

And over the close of about four or five years, it got up to, north of 85% precision. On the enterprise side, you're given some flexibility. You can say, essentially, "Hey, I'm more risk sensitive," or "I'm less risk sensitive." And so you can tune that precision. But the other side of the equation that moves is recall. Right? And so recall is how much of the bad traffic are you actually catching? Right?


Alex Weinert:

So I can get precision to a hundred percent if I simply never challenge, right? If I basically never ever challenge, then I will never bother a good user. And I can say, "Yeah, yeah, yeah, I have nothing wrong," but the problem is I'm also catching no attackers. And in that world, um, I want the best possible recall. Or I could simply challenge everyone, and I can get a hundred percent recall, right? I can bother every good user and everybody. I'll get all the bad users.


Alex Weinert:

So you, the, the thing that's super tricky in this space is turning that dial to the right place. And so machine learning has done huge amounts for us in that space. So we just recently had an algorithm that was static. And when I say static, I mean that is not machine learning, right? Is traditional heuristic algorithm, that detected a, a, an attack called password spray.


Alex Weinert:

And our password spray algorithm was about 98% precise, which means that, like, if we said it was a bad user, it was a bad user, you know. 98% probability. We were able to double the recall of that by applying machine learning to it. Like we took the supervised machine learning technology and applied it. And after a brief training period, we released it and we hit, doubled the recall without moving precision at all. Right?


Alex Weinert:

So that's fantastic. Right? Our precision stayed high and we doubled the amount of bad actors we're, we're catching. And one of the things about recalls, you never know the, the total number, right? 'Cause you don't know what you don't know, unless you're in, in like a thing where you can ...


Alex Weinert:

There are machine learning environments that you'll see if you go to like conferences, which are all like, "Okay, I had temperatures of cats and temperatures of dogs. And my machine learning algorithm is training." And in a world where you're like in a constrained dataset fine, but attacker's whole job is to be invisible. Their whole job is to, to defeat the machine learning system.


Alex Weinert:

So when we look at a r-, like doubling of recall, that's a significant step to do that without moving precision at all. And, uh, the team was able to do that. That particular system looks at over 200 aspects of every log-in. And then you're, it uses the machine learning algorithms to, to figure that out. But the most important thing about it is that it will, without our investment, without significant investment, continue to get better.


Alex Weinert:

And of all the things machine learning did for the team and for the defenses of customers, I think the most important is that it freed up innovation cycles. Like the humans were able to go back to really innovating on, how do we find new attacks? How do we defeat these attackers, w-, while the system continues to do the things that we used to do manually? Which is, "Oh, look, a new parameter. Let's tweak the parameter and propagate it." That's now happening for us automatically. So we can go off and invest in innovation.


Nic Fillingham:

I just want to maybe get some clarity on, on one little piece there. So I use the authenticator app myself. Obviously, you know, I'm a Microsoft employee, so I, I have to use that for my, my job, but I also use it personally for, for personal services. Every now and then, I do get a ping on the authenticator app that doesn't appear to be from something that I've initiated. It's rare, but it does happen.


Nic Fillingham:

Can you ... This is a slight digression here, but like what's, what's happening there? Is it always a sort of a malicious act happening on the other side of the, of the coin and the fact that I'm ignoring them, obviously, because I don't initiate it? Is that good? Am I doing the right thing? And is that actually helping the model get better? What, w-, what, what happens in those sort of, I guess, false positives? Is that what it's called?


Alex Weinert:

Yeah. Well, so that's not necessarily a false positive. I mean, I'm not sure I would call it a false positive. So let me tell you about the, the things that will cause that. The two things that will cause that are an attacker has tried to log in. If you're getting a, you know, the, the three codes presented thing, and, and you have a account that's set up for passwordless, and they might've just typed in your username and they're trying to sign in, obviously you should never hit approve on a request that you don't know where it came from. Right?


Nic Fillingham:

Right, yes.


Alex Weinert:

I'd like to be very clear. The other possibility is that you have legacy software that is like, you've, you've left a client running somewhere. And this was the cause for a lot of, um, multifactor authentication and things that don't get answered. Because we have blocks in the system, like you have to complete your phone number entry or whatever, that, that require that before you take that next step.


Alex Weinert:

But if you have software that is like, "I'm gonna try to log in," and that trips a, a multi-factor authentication challenge, then that can be the other thing that happens sometimes. That's pro-, the primary two. Um, we're, we're doing a bunch of work right now and I, I won't get super specific, but I'll say we're doing a bunch of work to make it hard or nearly impossible to approve a malicious attempt at logging in.


Alex Weinert:

And so, you know, we have ... The wonderful thing about the authenticator app is in some sense, like our systems, we can adopt it very rapidly, and we can adapt the UX for it very rapidly. So the team's putting a bunch of energy right now into this question of, how do we tune the authenticator, so that users don't do accidental approvals and they don't, you know, respond to those, those kinds of challenges?


Alex Weinert:

But yeah, the majority of those will be caused by either an attacker who has your username and password, and is tripping the, you know, the last step of the authentication or, uh, an old application that doesn't know that it's triggering MFA.


Nic Fillingham:

Got it. And so me, me ignoring that, though, am I actually helping? Is there some other step that I should take to say like, "Oh, I don't think I actually requested this?" Like, how do I actually help the machine learning models get better to reduce the times that, that I would see those challenges when I don't request them?


Alex Weinert:

You can review in, uh, My Sign-ins. You can review that either on the web or on your phone. And then you can indicate that a given log-in request was, or wasn't. You know, they can also help you understand whether your, uh, password is compromised. So for example, if you see someone who got through the password challenge, but got stopped at your MFA challenge and it's coming from a country you've never been to and on a device you would never use, right?


Alex Weinert:

You click, "This wasn't me," and then we will actually step you step by step, how to re-secure your account. And so this is an important part of our security apparatuses to, you know, get the user involved, and we can walk them through re securing their accounts at that point. So that's kind of the best thing to do. If you're getting challenges, you're not expecting, go look at your sign-in logs and, and then react, you know, if you see something out of, out of whack.


Nic Fillingham:

That's great advice. Thank you. And I want to touch on one, one other thing that you said. So is the end goal for passwordless that there are no passwords anywhere, or is it simply that a password may exist, but the end user basically never enters it? Is that, is the end goal that on my, my identity, my account, my user entity-


Alex Weinert:

No.


Nic Fillingham:

... there is no actual password in any shape or form associated with that, and instead it is things like a FIDO key or some other authentication mechanism? Or is it simply that the password does exist, the user just never, never has to enter it?


Alex Weinert:

Yeah. Well, so we should be clear with that. I think th-, there are, you know, there are systems that still run FORTRAN. There are systems that still run COBOL. Like-


Nic Fillingham:

(laughs).


Alex Weinert:

... VAX assembly systems are still out there. Like you're going to have, you're going to have a long tail of technology that is highly coupled to passwords for a very long time. And, and so some passwords will still exist in the environment. Our, our goal is, uh, as we get users into their sort of daily ritual, that that does not involve a password.


Alex Weinert:

If you have a password you don't know that is also cryptographically strong, so it's, you know, it's completely, what's called entropic, which means that it's a string that doesn't have any patterns in it at all and it's totally random, then that, and not having a password at all are about the same thing. Right? Which is why I've essentially rendered my accounts passwordless without actually like having a system underneath it that deletes that thing from the environment.


Alex Weinert:

So yes, the goal, I think long-term ... And I, um, say two things here. First of all, the goal here long-term is absolutely the eradication of what is the weakest possible link in s-, in cybersecurity. And we have moved on from the world where I might want to do the, you know, Tom Hanks, Meg Ryan, you know. You've got mail thing. Like that, that's one bar. And now we're talking about like national infrastructure and like global economies and healthcare, and, you know, like lives on the line who are behind these passwords. Right?


Alex Weinert:

So we, we have to realize that we've kind of shifted our, our security mandate in a pretty substantial way when we're betting the world's infrastructure on the integrity of logins. And so to say it's okay to have like QWERTY I, uh, UIOP as your password, if your password is guarding something like whether the trains run in Europe or whether, you know, lights come on in Minnesota in the winter, right?


Alex Weinert:

Whether the heaters can come on, like, these are bigger deals than somebody like intercepting a personal mail from the days of bulletin boards. Right? So I think we have to, we have to say, we, we have a mandate to get past the password. So I believe very strongly that yes, our goal here is to find ways that are, that, that are in line with our expectations, for security, for the kinds of systems we're securing now.


Alex Weinert:

The second thing I will say is that, okay, so it's a long tail. The mitigation for passwords is MFA, right? The mitigation is multifactor auth. And as much as I would say your best bet for multi-factor auth today is probably the, the ma-, the authenticator app where you're doing cryptographic communications and, you know, you have all sorts of other hardening, any multi-factor auth at all of any kind dramatically reduces your risk of compromise, like really dramatically, like more than 99.9%.


Alex Weinert:

So when we go look at the body of compromised logins that we have, we'd say, "All right, here's all log-ins that we definitively said these were bad, right? These were cases where an attacker got in," only one in 10,000 of those will be a non or will be an MFA'd account. Okay? So that, that's how like radical this is. So if I go look at all my compromised accounts, all the compromise that happens in the system, only one in 10,000 of those will have MFA.


Nic Fillingham:

And therefore, if you have MFA-enabled, you are protecting yourself from ...


Alex Weinert:

Vastly, vastly. Right? Like, and even targeted accounts, targeted attacks very often are defeated by conventional MFA. Because as much as we would rather ... Like when we, if you look at something like the radio intercept stuff I write about in the Hang Up The Phone blog, we should be clear that like that radio intercept stuff is, um, it requires proximity in most cases. SS7 doesn't, but the other ones do.


Alex Weinert:

So if I want to intercept your cell communications, I need to get close enough to you to do it. So I have to get, you know, physically close. Well, a lot of attacks are taking place from around the world. Right? And so it's, it's hard to get close to somebody. So once I have MFA, that requires proximity, I'm going to like, "Meh, I'll give it up." You know? So as long as you're, you're not blind approving things, um, and your phone provider isn't giving away your account, right? Which is an issue. You are probably okay, you know.


Alex Weinert:

And you were certainly a whole lot better off in not using MFA at all. So I think we have to think of this as tiers. Like password-only is the worst. Password p-, plus MFA is, with, with phones is the next. It's much, much, much better. Right? And then we would say password plus MFA with non-phone mechanisms is the one after that. And then we would go from there to say, "Okay, let's go passwordless with, you know, pho-, with the phone authenticator.


Alex Weinert:

And to be clear, I'm talking about an application, not the, not SMS, right? Or Windows Hello or FIDO. Like now you're into the brass ring neighborhood. You're like, you're doing as good as you can possibly do.


Natalia Godyla:

Understandably, Alex, we still have a lot of work with securing the institutions and enterprises. As you said, uh, organizations like utilities still need to adopt passwordless, but what's next after passwordless? Let's say everyone goes passwordless. What is the remit for your team? What are you going to focus on?


Alex Weinert:

On my tie, uh-


Natalia Godyla:

(laughs).


Alex Weinert:

(laughs).


Nic Fillingham:

More, more bass guitars. More, uh, more music recording?


Alex Weinert:

Yeah. More bass guitars in a warmer climate. Yeah. The, um ... No, I think ... So there are a couple of inevitable places that attackers will be forced to move, um, once, once we get to secure authentication for users. So if everyone was using ... Let's be very clear. If everyone was using MFA, we would see a big surge in, uh, MFA phishing. Right? We'd see more, uh, Modlishka style attacks, like I talked about before.


Alex Weinert:

Um, if we get everybody to FIDO and we say, "Okay, now it's impossible to forge a token," then what we have to look at is token theft, which is where an attacker is trying to get into your box as a system, as system memory, lift the token out and take it somewhere else. Um, so for that reason, we're investing very heavily in proof of possession token binding, and, uh, trying to make that an impossible thing to do.


Alex Weinert:

So I think that the key things here, as we, as we think forward become things that are less user-centric in nature. Like we ha-, once we get users using the right kind of credentials, then we shift into the underlying systems to really harden against, you know, malware attacks, token theft attacks, um, and other things that are very nuanced and, and require a conversation between all the components to get right.


Natalia Godyla:

Thank you. Thank you for that look-ahead and for joining us on the podcast today, Alex.


Alex Weinert:

Thanks a lot. It was really fun.


Nic Fillingham:

I'm gonna go change my password from QWERTYUIOP on my Hotmail account. That's probably out of date now.


Alex Weinert:

Right. And add MFA while you're on it. Well, your, your Hotmail account has MFA, but (laughs).


Nic Fillingham:

Perfect. Thanks Alex. We'd love to see you again on a future episode of Security Unlocked.


Alex Weinert:

All right. And we'll have to talk bases again some other time.


Nic Fillingham:

Definitely. Thank you.


Alex Weinert:

(laughing), all right, see you.


Natalia Godyla:

Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.


Nic Fillingham:

And don't forget to tweet us, @msftsecurity, or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe ...


Natalia Godyla:

Stay secure.

More Episodes

6/2/2021

Pearls of Wisdom in the Security Signals Report

Ep. 30
It’s our 30thepisode! And in keeping with the traditional anniversary gift guide, the 30thanniversary means a gift of pearls.Sofrom us to you, dear listener, we’ve got an episode with somepearlsofwisdom!On today’s episode, hostsNic FillinghamandNataliaGodylabringback returning champion,Nazmus Sakib, to take us through the newSecurity Signals Report. Sakib walks us through why the reportwasdoneand then helps us understand the findings and what they mean for security.In This Episode You Will Learn:How pervasive firmware is in our everyday livesWhy many people were vulnerable to firmware attacksHow companies are spending the money they allocate towards digitalprotectionSome Questions We Ask:What was the hypothesis going into the Security Signals Report?How do we protect ourselves from vulnerabilities that don’t exist yet?Wereany of the findings from the report unexpected?ResourcesNazmusSakib’sLinkedIn:https://www.linkedin.com/in/nazmus-sakib-5aa8a6123/Security Signals Report:https://www.microsoft.com/security/blog/2021/03/30/new-security-signals-study-shows-firmware-attacks-on-the-rise-heres-how-microsoft-is-working-to-help-eliminate-this-entire-class-of-threats/Nic Fillingham’sLinkedIn:https://www.linkedin.com/in/nicfill/NataliaGodyla’sLinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog:https://www.microsoft.com/security/blog/Related:Security Unlocked: CISO Series with Bret Arsenaulthttps://SecurityUnlockedCISOSeries.com
5/26/2021

Securing Hybrid Work: Venki Krishnababu, lululemon

Ep. 29
On this week’s Security Unlocked we’re featuring for the second and finaltime,a special crossover episode of our sister-podcast, Security Unlocked: CISO Series with Bret Arsenault.Lululemon has been on the forefront of athleisure wear since its founding in 1998,but while many of its customers look atitexclusively as a fashionbrand,ata deeper level thisfashion empire is bolstered by a well thought out and maintained digital infrastructure that relies on ahard workingteam to run it.On today’s episode, Microsoft CISO Bret Arsenault sits down with VenkiKrishnababu, SVP of Global Technology Services at Lululemon.Theydiscuss the waysin whichtechnology plays into the brand, how Venkileada seamless transition into the remote work caused by the pandemic, and how he’s using the experiences of the past year to influence future growth in the company.In This Episode You Will Learn:Why Venkifeels sopassionatelyabout leading withempathyWhy Venki saw moving to remote work as only the tip of the iceberg; and how he handled whatlaidbelow.Specific tools and practices that haveleadto Venki’ssuccessSome Questions We Ask:What is the biggest lesson learned during the pandemic?How doesone facilitate effective management during this time?Howdoes Lululemonviewthe future of in-person versus remote work?Resources:VenkiKrishnababu’sLinkedIn:https://www.linkedin.com/in/vkrishnababu/Brett Arsenault’s LinkedIn:https://www.linkedin.com/in/bret-arsenault-97593b60/Nic Fillingham’sLinkedIn:https://www.linkedin.com/in/nicfill/NataliaGodyla’sLinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog:https://www.microsoft.com/security/blog/Related:Security Unlocked: CISO Series with Bret Arsenaulthttps://SecurityUnlockedCISOSeries.com
5/19/2021

Contact Us; Phish You!

Ep. 28
Threat actors arepeskyand, once again,they’reup to no good.A newmethodologyhas schemers compromising onlineformswhere userssubmittheir information like their names, email addresses,and, depending on the type of site, some queries relating totheir life.This new methodindicatesthat the attackers have figured out away around the CAPTCHA’s that have been making us all provewe’renot robotsbyidentifyingfire hydrantssince 1997.Andwhat’smore,we’renot quite surehowthey’vedone it.In this episode, hosts NataliaGodylaand Nic Fillingham sit down with Microsoftthreat analyst, Emily Hacker, to discuss what’s going on behind the scenes as Microsoft begins todigintothis new threat and sort through how best to stop it.In This Episode You Will Learn:Why this attack seems to be more effective against specificprofessionals.Why this new method of attack has a high rate ofsuccess.How to better prepare yourself for this method of attackSome Questions We Ask:What is the endgame for these attacks?What are we doing to protect againstIceIDin these attacks?Are we in need of a more advanced replacementforCAPTCHA?Resources:Emily Hacker:https://www.linkedin.com/in/emilydhacker/Investigating a Unique ‘Form’ of Email Delivery forIcedIDMalwarehttps://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/Nic Fillingham’sLinkedIn:https://www.linkedin.com/in/nicfill/NataliaGodyla’sLinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog:https://www.microsoft.com/security/blog/Related:Security Unlocked: CISO Series with Bret Arsenaulthttps://SecurityUnlockedCISOSeries.comTranscript[Full transcript can be found athttps://aka.ms/SecurityUnlockedEp26]Nic Fillingham: (00:08)Hello and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nick Fillingham.Natalia Godyla: (00:20)And I'm Natalia Godyla. In each episode we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research, and data science.Nic Fillingham: (00:30)And profile some of the fascinating people working on artificial intelligence in Microsoft Security.Natalia Godyla: (00:36)And now, let's unlock the pod.Nic Fillingham: (00:40)Hello, the internet. Hello, listeners. Welcome to episode 28 of Security Unlocked. Nic and Natalia back with you once again for a, a regular, uh, episode of the podcast. Natalia, how are you?Natalia Godyla: (00:50)Hi, Nic. I'm doing well. I'm stoked to have Emily Hacker, a threat analyst at Microsoft back on the show today.Nic Fillingham: (00:58)Yes, Emily is back on the podcast discussing a blog that she co-authored with Justin Carroll, another return champ here on the podcast, called Investigating a Unique Form of Email Delivery for IcedID Malware, the emphasis is on form was, uh, due to the sort of word play there. That's from April 9th. Natalia, TLDR, here. What's, what's Emily talking about in this blog?Natalia Godyla: (01:19)In this blog she's talking about how attackers are delivering IcedID malware through websites contact submission forms by impersonating artists who claim that the companies use their artwork illegally. It's a new take targeting the person managing the submission form.Nic Fillingham: (01:34)Yeah, it's fascinating. The attackers here don't need to go and, you know, buy or steal email lists. They don't need to spin up, uh, you know, any e- email infrastructure or get access to botnets. They're, they're really just finding websites that have a contact as form. Many do, and they are evading CAPTCHA here, and we talk about that with, with, with, uh, Emily about they're somehow getting around the, the CAPTCHA technology to try and weed out automation. But they are getting around that which sort of an interesting part of the conversation.Nic Fillingham: (02:03)Before we get into that conversation, though, a reminder to Security Unlock listeners that we have a new podcast. We just launched a new podcast in partnership with the CyberWire. It is Security Unlocked: CISO Series with Bret Arsenault. Bret Arsenault is the chief information security officer, the CISO, for Microsoft, and we've partnered with him and his team, uh, as well as the CyberWire, to create a brand new podcast series where Bret gets to chat with security and technology leaders at Microsoft as well as some of his CISO peers across the industry. Fantastic conversations into some of the biggest challenges in cyber security today, some of the strategies that these big, big organizations are, are undertaking, including Microsoft, and some practical guidance that really is gonna mirror the things that are being done by security teams here at Microsoft and are some of Microsoft's biggest customers.Nic Fillingham: (02:52)So, I urge you all to, uh, go check that one out. You can find it at the CyberWire. You can also go to www.securityunlockedcisoseries.com, and that's CISO as in C-I-S-O. CISO or CISO, if you're across the pond, securityunlockedcisoseries.com, but for now, on with the pod.Natalia Godyla: (03:12)On with the pod.Nic Fillingham: (03:18)Welcome back to the Security Unlocked Podcast. Emily Hacker, thanks for joining us.Emily Hacker: (03:22)Thank you for having me again.Nic Fillingham: (03:24)Emily, you are, uh, coming back to the podcast. You're a returning champion. Uh, this is, I think your, your second appearance and you're here-Emily Hacker: (03:30)Yes, it is.Nic Fillingham: (03:30)... on behalf of your colleague, uh, Justin Carroll, who has, has also been on multiple times. The two of you collaborated on a blog post from April the 9th, 2021, called Investigating a Unique Form-Emily Hacker: (03:43)(laughs)Nic Fillingham: (03:43)... in, uh, "Form", of email delivery for IcedID malware. The form bit is a pun, is a play on words.Emily Hacker: (03:51)Mm-hmm (affirmative).Nic Fillingham: (03:51)I- is it not?Emily Hacker: (03:53)Oh, it definitely is. Yeah.Nic Fillingham: (03:54)(laughs) I'm glad I picked up on that, which is a, you know, fascinating, uh, campaign that you've uncovered, the two of you uncovered and you wrote about it on the blog post. Before we jump into that, quick recap, please, if you could just reintroduce yourself to the audience. Uh, what, what do you do? What's your day-to-day look like? Who do you work with?Emily Hacker: (04:09)Yeah, definitely. So, I am a threat intelligence analyst, and I'm on the Threat Intelligence Global Engagement and Response team here at Microsoft. And, I am specifically focused on mostly email-based threats, and, as you mentioned on this blog I collaborate with my coworker, Justin Carroll, who is more specifically focused on end-point threats, which is why we collaborated on this particular blog and the particular investigation, because it has both aspects. So, I spend a lot of my time investigating both credential phishing, but also malicious emails that are delivering malware, such as the ones in this case. And also business email, compromise type scam emails.Nic Fillingham: (04:48)Got it. And so readers of the Microsoft Security Blog, listeners of Security Unlocked Podcast will know that on a regular basis, your team, and then other, uh, threat intelligence teams from across Microsoft, will publish their findings of, of new campaigns and new techniques on the blog. And then we, we try and bring those authors onto the podcast to tell us about what they found that's what's happened in this blog. Um, the two of you uncovered a new, a unique way of attackers to deliver the IcedID malware. Can you walk us through this, this campaign and this technique that you, you both uncovered?Emily Hacker: (05:21)Yeah, definitely. So this one was really fun because as I mentioned, it evolved both email and endpoint. So this one was, as you mentioned, it was delivering IcedID. So we initially found the IcedID on the endpoint and looking at how this was getting onto various endpoints. We identified that it was coming from Outlook, which means it's coming from email. So we can't see too much in terms of the email itself from the endpoint, we can just see that it came from Outlook, but given the network connections that the affected machines were making directly after accessing Outlook, I was able to find the emails in our system that contains emails that have been submitted by user 'cause either reported to junk or reported as phish or reported as a false positive, if they think it's not a phish. And so that's where I was actually able to see the email itself and determined that there was some nefarious activity going on here.Emily Hacker: (06:20)So the emails in this case were really interesting in that they're not actually the attacker sending an email to a victim, which is what we normally see. So normally the attacker will either, you know, compromise a bunch of senders and send out emails that way, which is what we've seen a lot in a lot of other malware or they'll create their own attacker infrastructure and send emails directly that way. In this case, the attackers were abusing the contact forms on the websites. So if you are visiting a company's website and you're trying to contact them a lot of times, they're not going to just have a page where they offer up their emails or their phone numbers. And you have to fill in that form, which feels like it goes into the void sometimes. And you don't actually know who it went to in this case, the, the attackers were abusing hundreds of these contact forms, not just targeting any specific company.Emily Hacker: (07:08)And another thing that was unique about this is that for some of the affected companies that we had observed, I went and looked at their websites and their contact form does require a CAPTCHA. So it does appear that the attackers in this case have automated the filling out of these contact forms. And that they've automated a way around these CAPTCHAs, just given the, the sheer volume of these emails I'm seeing. This is a good way of doing this because for the attacker, this is a much more high fidelity method of contacting these companies because they don't have to worry about having an incorrect email address if they have gotten a list off of like Pastebin or a list, you know, they purchased a list perhaps from another criminal. Emily Hacker: (07:52)A lot of times in those cases, if they're emailing directly, there's gonna be some, some false emails in those lists that just don't get delivered. With the contact form, they're designed to be delivered. So it's gonna give the attacker a higher chance of success in terms of being delivered to a real inbox.Natalia Godyla: (08:11)And so when we, we talk about the progression of the attack, they're automating this process of submitting to these contact forms. What are they submitting in the form? What is the, and what is the end goal? So there's malware somewhere in their-Emily Hacker: (08:27)Mh-mm-hmm (affirmative).Natalia Godyla: (08:27)... response. What next?Emily Hacker: (08:29)Yeah. It's a really good question. So the emails or rather the contact form submissions themselves, they're all containing a, a lore. So the contents themselves are lore that the attacker is pretending to be a, um, artist, a photographer, and illustrator, something along those lines. There's a handful of different jobs that they're pretending to be. And they are claiming that the company that they are contacting has used an image that belongs to the artist, illustrator, photographer on their website without permission. And so the attacker is saying, "You used my art without permission. I'm going to sue you if you don't take this down, if you wanna know what aren't talking about, click on this link and it'll show you the exact art that I'm talking about or the exact photo." What have you, all of the emails were virtually identical in terms of the content and the lore.Emily Hacker: (09:21)The attacker was using a bunch of different fake emails. So when you fill out a contact form, you have to put your email so the, the company can contact you, I guess, in reply, if they need to. And the attackers, almost every single email that I looked at had a different fake attacker email, but they did all follow a really consistent pattern in terms of the, the name, Mel and variations on that name. So they had like Melanie, I saw like Molina, like I said, there was hundreds of them. So the email would be Mel and then something relating to photography or illustration or art, just to add a little bit more credence, I think to their, to their lore. It made it look like the email address was actually associated with a real photographer. The, the attacker had no need to actually register or create any of those emails because they weren't sending from those emails. They were sending from the contact form. So it made it a lot easier for the attacker to appear legitimate without having to go through the trouble of creating legitimate emails. Emily Hacker: (10:16)And then the, um, the email itself from the recipients view would appear other than the fact that it felt fishy, at least to me, but, you know, I literally do this for a living. So maybe just everything feels fishy to me. Other than that, the email itself is going to appear totally legitimate because since it's coming through the contact form, it's not going to be from an email address. They don't recognize because a lot of times these contact forms are set up in a way where it'll send from the recipient's domain. So for example, a contact form, I don't know if this is how this works, but just as an example at Microsoft might actually send from Microsoft.com or the other large percentage of these that I saw were sent from the contact form hosting provider. So there are a lot of providers that host is kind of content for companies. And so the emails would be coming from those known email addresses and the emails themselves are gonna contain all of the expected fields, all in all. It's basically a legitimate email other than the fact that it's malicious.Nic Fillingham: (11:17)And, and just reading through the sample email that you, that you have in the blog post here, like sort of grammatically speaking it's, it reads very legitimately like, the-Emily Hacker: (11:26)Mh-mm-hmm (affirmative).Nic Fillingham: (11:27)... you know, the s- the, the grammar and the spelling is, it's colloquial, but it's, but it seems, you know, pretty legitimate. The idea of a photographer, a freelance photographer, stumbling upon their images being used without permission. You know, you hear stories of that happening. That seems to be somewhat plausible, not knowing how to contact the, the infringing organization. And then therefore going to the generic contact us form like this all, this all seems quite plausible. Emily Hacker: (11:52)And, definitely. And it's als one of those situations where even though, like I said, I do this for a living, so I read this and I was like, there's no way that's legit. But if my job was to be responsible for that email inbox, where stuff like this came in, it would be hard for me to weigh the consequences of like, is it more likely that this is like a malicious email? Or is it yeah. Is it possible that this is legit? And if I ignore it, my company is gonna get sued. Like, I feel like that kind of would give the recipient that, that weird spot of being like, "I don't want to infect the company with malware, or, you know, I don't wanna click on a phishing link if that's what this is, but also if I don't and then we get sued, is it my fault?"Emily Hacker: (12:33)I just, I, I feel for the recipient. So I, I understand why people would be clicking on this one and infecting themselves. And speaking of clicking on that is the other thing that's included in this email. So that was the last bit of this email that turns us from just being weird/legitimate, to totally malicious. All of the emails contain a link. And, um, the links themselves are also abusing legitimate infrastructure. So that's, uh, the next bit of abused, legitimate infrastructure that just adds that next bit of like believability if that's a word to this campaign.Nic Fillingham: (13:05)It is a word.Emily Hacker: (13:06)Okay, good believability. Is that the, the links, you know, we're, if you don't work insecurity, and even if you do work in security, we're all kind of trained like, "Oh, check the links, hover over the links and make sure it's going somewhere that you expect and make sure it's not going to like bad site dot bad, dot bad or something," you know, but these don't do that. All of the emails contained a sites.google.comm link. And I've looked at literally hundreds of these, and they all contain, um, a different URL, but the same sites.google.com domain. If you click on the link, when you receive the email, it'll take you actually to a legitimate Google authentication page that'll ask you to log in with your Google credentials, which again, every step along the way of this, of the email portion of this, of this attack, the attacker just took extra steps to make it seem as real as possible, or to almost like every piece of security advice. Emily Hacker: (14:01)I feel like they did that thing. So it seemed more legitimate because it's not a phishing page. It's not like a fake Google page that's stealing your credentials. It's a real where you would log in with your real Google credentials. Another thing that this does outside of just adding an air of legitimacy to the emails, it also can make it difficult for some security automation products. So a product that would be looking at emails and detonating the link to see if they're malicious and this case, it would detonate the link and it would land on, you know, a real Google authentication page. And in some cases it may not be able to authenticate. And then it would just mark these as good, because it would see what it expected to see. So, outside of just seeming legit, it also makes, you know, security products make this think it's more legit as well. But from there, the, uh, user would be redirected through a series of attacker own domains and would eventually download a zip file, which if they unzipped, they would find the IcedID payload.Emily Hacker: (15:06)So in this case, it's delivering IcedID, although this technique could be used to deliver other stuff as well, but it's not necessarily surprising that it's delivering IcedID right now, because pretty much everything I feel like I'm seeing lately as I study. And I don't think I'm alone in that there's murmurings that IcedID might be replacing Emotets now that you Emotet has been taken down in terms of being, you know, the annoyingly present malware. (laughs) So this is just one of many delivery methods that we've seen for IcedID malware lately. It's certainly in my opinion, one of the more interesting ones, because in the past, we've seen IcedID delivered a lot via email, but, um, just delivered via, you know, the normal type of malicious email if you will, with a compromised email sending with a, a zip attachment, this is much more interesting.Emily Hacker: (15:56)But in this case, if the user downloaded the payload, the payload would actually do many things. So in this case, it was looking for machine information. It was looking to see what kind of security tools were in place to see what kind of antivirus the machine was running. It was getting IP and system information. It was getting, you know, domain information and also looking to access credentials that might be stored in your browser. And on top of that, it was also dropping Cobalt Strike, which is another fun tool that we see used in every single incident lately. It feels like, um, which means that this can give attacker full control of a compromised device.Natalia Godyla: (16:38)So, what are we doing to help protect customers against IcedID? In the blog you stated that we are partnering with a couple of organizations, as well as working with Google.Emily Hacker: (16:52)Yes. So we have notified Google of this activity because it is obviously abusing some of their infrastructure in terms of the sites at Google.com. And they seem to be doing a pretty good job in terms of finding these and taking them down pretty quickly. A lot of times that I'll see new emails come in, I'll go to, you know, click on the link and see what it's doing. And the site will already be taken down, which is good. However, the thing about security is that a lot of times we were playing Catch Up or like, Whack-A-Mole, where they're always just gonna be a step ahead of us because we can't pre block everything that they're going to do. So this is still, um, something that we're also trying to keep an eye on from, from the delivery side as well. Emily Hacker: (17:34)Um, one thing to note is that since these are coming from legitimate emails that are expected is that I have seen a fair bit like, uh, a few of these, uh, actually, um, where the, the customers have their environment configured in a way where even if we mark it as phish, it still ends up delivered. So they have a, what is like a mail flow rule that might be like allow anything from our contact form, which makes sense, because they wouldn't wanna be blocking legitimate requests from co- from customers in their contact form. So with that in mind, we also wanna be looking at this from the endpoint. And so we have also written a few rules to identify the behaviors associated with the particular IcedID campaign. Emily Hacker: (18:16)And it will notify users if the, the behaviors are seen on their machine, just in case, you know, they have a mail flow rule that has allowed the email through, or just in case the attackers change their tactics in the email, and it didn't hit on our rule anymore or something, and a couple slipped through. Then we would still identify this on the endpoint and not to mention those behaviors that the rules are hitting on are before the actual IcedID payload is delivered. So if everything went wrong in the email got delivered and Google hadn't taken the site down yet, and the behavioral rule missed, then the payload itself is detected as I study by our antivirus. So there's a lot in the way of protections going in place for this campaign.Nic Fillingham: (18:55)Emily, I, I wanna be sort of pretty clear here with, with folks listening to the podcast. So, you know, you've, you've mentioned the, the sites.google.com a, a couple of times, and really, you're not, you're not saying that Google has been compromised or the infrastructure is compromised simply that these attackers have, uh, have come up with a, a, you know, pretty potentially clever way of evading some of the detections that Google, uh, undoubtedly runs to abuse their, their hosting services, but they could just evasively has been targeting OneDrive or-Emily Hacker: (19:25)Mh-mm-hmm (affirmative).Nic Fillingham: (19:25)... some other cloud storage.Emily Hacker: (19:25)That's correct. And we do see, you know, attackers abusing our own infrastructure. We've seen them abusing OneDrive, we've seen them abusing SharePoint. And at Microsoft, we have teams, including my team devoted to finding when that's occurring and remediating it. And I'm sure that Google does too. And like I said, they're doing a pretty done a good job of it. By the time I get to a lot of these sites, they're already down. But as I mentioned, security is, is a game of Whack-A-Mole. And so for, from Google point of view, I don't envy the position they're in because I've seen, like I mentioned hundreds upon hundreds of these emails and each one is a using a unique link. So they can't just outright block this from occurring because the attacker will just go and create another one.Natalia Godyla: (20:05)So I have a question that's related to our earlier discussion. You, you mentioned that they're evading the CAPTCHA. I thought that the CAPTCHA was one of the mechanisms in place to reduce spam. Emily Hacker: (20:19)Mh-mm-hmm (affirmative).Natalia Godyla: (20:19)So how is it doing that? Does this also indicate that we're coming to a point where we need to have to evolve the mechanisms on the forms to be a little bit more sophisticated than CAPTCHA?Emily Hacker: (20:33)I'm not entirely sure how the attackers are doing this because I don't know what automation they're using. So I can't see from their end, how they're evading the CAPTCHA. I can just see that some of the websites that I know that they have abused have a CAPTCHA in place. I'm not entirely sure.Nic Fillingham: (20:52)Emily is that possible do you think that one of the reasons why CAPTCHA is being invaded. And we talked earlier about how the, sort of the grammar of these mails is actually quite sophisticated. Is it possible? This is, this is a hands on keyboard manual attack? That there's actually not a lot of automation or maybe any automation. And so this is actually humans or a human going through, and they're evading CAPTCHA because they're actually humans and not an automated script?Emily Hacker: (21:17)There was another blog that was released about a similar campaign that was using the abusing of the contact forms and actually using a very similar lore with the illustrators and the, the legal Gotcha type thing and using sites.google.com. That was actually, it was very well written and it was released by Cisco Talos at the end of last year, um, at the end of 2020. So I focused a lot on the email side of this and what the emails themselves looked like and how we could stop these emails from happening. And then also what was happening upon clicks over that, like I said, we could see what was happening on the endpoint and get these to stop. Emily Hacker: (21:55)This blog actually focused a lot more on the technical aspect of what was being delivered, but also how it was being delivered. And one thing that they noted here was that they were able to see that the submissions were performed in an automated mechanism. So Cisco Talos was able to see that these are indeed automated. I suspected that they were automated based on the sheer volume, but I Talos is very good. They're very good intelligence organization. And I felt confident upon reading their blog that this was indeed automated, how it's being captured though, I still don't know.Natalia Godyla: (22:35)What's next for your research on IcedID? Does this round out your team's efforts in understanding this particular threat, or are, are you now continuing to review the emails, understand more of the attack?Emily Hacker: (22:52)So this is certainly not the end for IcedID. Through their Microsoft Security Intelligence, Twitter account. I put out my team and I put out a tweet just a couple of weeks ago, about four different IcedID campaigns that we were seeing all at the same time. I do believe this was one of them. They don't even seem related. There was one that was emails that contained, um, zip files. There was one that contained emails that contained password protected zip files that was targeting specifically Italian companies. There was this one, and then there was one that was, um, pretending to be Zoom actually. And that was even a couple of weeks ago. So there's gonna be more since then. So it's something that, like I mentioned briefly earlier, IcedID almost feels to be kind of, it feels a little bit like people are calling it like a, the next wave of replacement after Emotech are taken down. Emily Hacker: (23:43)And I don't know necessarily that that's true. I don't know that this will be the new Emotech so to speak, Emotech was Emotech And IcedID is IcedID but it does certainly feel like I've been seeing it a lot more lately. A lot of different attackers seem to be using it and therefore it's being delivered in different ways. So I think that it's gonna be one that my team is tracking for awhile, just by nature of different attackers using it, different delivery mechanisms. And it'll be, it'll be fun to see where this goes.Nic Fillingham: (24:13)What is it about this campaign or about this particular technique that makes it your Moby Dick-Emily Hacker: (24:17)(laughs) Nic Fillingham: (24:17)... if I may use the analogy.Emily Hacker: (24:20)I don't know. I've been thinking about that. And I think it has to do with the fact that it is so, like, it just feels like a low blow. I don't know. I think that's literally it like they're abusing the company's infrastructure. They're sending it to like people whose job is to make sure that their companies are okay. They're sending a fake legal threat. They're using legit Google sites. They're using a legit Google authentication, and then they're downloading IcedID. Like, can you at least have the decency, descend to crappy like unprotected zip attachment so that-Nic Fillingham: (24:49)(laughs)Emily Hacker: (24:49)... we at least know you're malicious, like, come on. It's just for some reason it, I don't know if it's just 'cause it's different or if it's because I'm thinking back to like my day before security. And I, if I saw this email as this one that I would fall for, like maybe. And so I think that there's just something about that and about the, the fact that it's making it harder to, to fully scope and to really block, because we don't want to block legitimate contact emails from being delivered to these companies. And obviously they don't want that either. So I think that's it.Nic Fillingham: (25:22)What is your guidance to customers? You know, I'm a security person working at my company and I wanna go run this query. If I run this, I feel like I'm gonna get a ton of results. What do I do from there?Emily Hacker: (25:33)That's a good question. So this is an advanced hunting query, which can be used in the Microsoft Security portal. And it's written in advanced hunting query language. So if a customer has access to that portal, they can just copy and paste and search, but you're right. It is written fairly generically to a point where if you don't have, you know, advanced hunting, you can still read this and search and whatever methodology, whatever, you know, searching capabilities you do have, you would just have to probably rewrite it. But what this one is doing the top one, 'cause I, I have two of them written here. The first one is looking specifically at the email itself. So that rejects that's written there is the, um, site.google.com.Emily Hacker: (26:16)All of the emails that we have seen associated with this have matched on that rejects. There was this morning, like I said, I was talking to a different team that was also looking into this and I'm trying to identify if she found, um, a third pattern, if she did, I will update the, um, AHQ and we have, we can post AHQ publicly on the Microsoft advanced hunting query, get hub repo, which means that customers can find them if we, if we change them later and I'll be doing that if that's the case, but point being this rejects, basically it takes the very long, full URL of this site.google.com and matches on the parts that are fairly specific to this email.Emily Hacker: (27:02)So they all contain, you know, some of them contain ID, some of them don't, but they all contain that like nine characters, they all contain view. It's just certain parts of the URL that we're seeing consistently. And that's definitely not by itself going to bubble up just the right emails, which is why have it joined on the email events there. And from there, the, I have instructed the users to replace the following query with the subject line generated by their own contacts, their own websites contact submission form. What I have in there are just a few sample subject lines. So if your website contact form generates the subject line of contact us or new submission or contact form, then those will work. But if the website con-, you know, contact form, I've seen a bunch of different subject lines. Then what this does is that it'll join the two. So that it's only gonna bubble up emails that have that sites.google.com with that specific pattern and a subject line relating to the contact form. Emily Hacker: (28:02)And given the searching that I've done, that should really narrow it down. I don't think there's going to be a ton in the way of other contact emails that are using sites.google.com that are showing up for these people. I wouldn't be surprised if this did return one email and it turned out to be a malicious email related to this campaign. But if the contact form generates its own subject line per what the user inputs on the website, then, you know, the screenshots that are in the blog may help with that, but it might be more difficult to find in that case. There's a second advanced hunting query there, which we'll find on the endpoint.Natalia Godyla: (28:37)And I know we're just about at time here, but one quick question on endpoint security. So if a customer is using Microsoft Defender for endpoint, will it identify and stop IcedID?Emily Hacker: (28:49)Yes, it will. The IcedID payload in this case, we're seeing Defender detecting it and blocking it. And that was what, one of the things I was talking about earlier is that Defender is actually doing such a good job. That it's a little bit difficult for me to see what's, uh, gonna happen next because I'm limited to, um, seeing kind of what is happening on customer boxes. And so, because our products are doing such a good job of blocking this, it means that I don't have a great view of what the attacker was going to do next because they can't, 'cause we're blocking it. So it's of mostly a win, but it's stopping me from seeing if they are planning on doing, you know, ransomware or whatever, but I'd rather not know if it means that our customers are protected from this.Nic Fillingham: (29:32)Well, Emily Hacker, thank you so much for your time. Thanks to you and Justin for, for working on this. Um, we'd love to have you back again on Security Unlocked to learn more about some of the great work you're doing.Emily Hacker: (29:41)Definitely, thank you so much for having me.Natalia Godyla: (29:47)Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode.Nic Fillingham: (29:54)And don't forget to tweet us @msftsecurity or email us at securityunlockedatmicrosoft.com, with topics you'd like to hear on a future episode. Until then, stay safe.Natalia Godyla: (30:05)Stay secure.