A security company CEO has some harsh words for Microsoft and the security it relies on for its Azure cloud platform. Microsoft itself warns that Russian hackers are using Microsoft Teams to target a small number of organizations in an effort to get login credentials. And the FBI finds that the FBI was partly responsible for illegal activity.
Welcome to Tech Stuff, a production from iHeartRadio. Hey there, and welcome to Tech Stuff. I'm your host, Jonathan Strickland. I'm an executive producer with iHeartRadio and how the tech are you? It's time for the tech news for Thursday, August third, twenty twenty three. Over in the UK, the Competition and Markets Authority or CMA has re-entered negotiations with Microsoft regarding the long-awaited acquisition of Activision Blizzard. Now, you might recall that there were a lot of regulators around the world who initially resisted this deal, but over time most of them came around to giving the acquisition the green light after the companies had made multiple assurances that they weren't going to freeze out competitors like Sony from having access to stuff like Call of Duty, specifically that franchise. Here in the United States, a judge denied the Federal Trade Commission's attempt to secure an injunction against this deal, and then the FTC subsequently withdrew its case, but it could still file that case again in the future, so that's not necessarily over here in the US. But right now, the one remaining hurdle for these two companies is in the UK. Microsoft has committed to a ten-year licensing arrangement with Sony regarding the Call of Duty franchise in an effort to remove concerns about this arrangement. The CMA is seeking comment from companies and individuals, leaving open the option to respond to the CMA until the end of the day tomorrow. It's unknown if the CMA will reverse its decision, but if it does, that would be the first time the CMA has done so since Brexit. According to the Financial Times, the CMA has until August twenty-ninth to rule on this matter, so by the end of this month we should know if this acquisition can move forward or not, at least until the FTC makes its next move. 
Dan Goodin over at Ars Technica has a great piece about how Microsoft is reeling after security experts have blasted the company's security practices, or lack thereof, for its cloud-based products like Azure. In case you're not familiar with Azure, or Asure if you prefer, it's Microsoft's cloud platform and it lets customers use Microsoft's cloud services to develop apps and that kind of thing. So it's similar in many ways to Amazon Web Services or Google Cloud or countless other cloud platforms. Anyway, Goodin quotes Amit Yoran, the CEO of internet security firm Tenable, who called Microsoft quote unquote grossly irresponsible, which doesn't seem to be mincing many words. You know, the complaints aren't unfounded. Earlier this year, Chinese-backed hacker groups penetrated Microsoft's systems and stole boatloads of emails from Microsoft customers who were using Azure. And there are open questions as to how that actually happened, because it would have meant the hackers somehow gained access to what should have been a heavily protected encryption key. Yoran took to a LinkedIn post and sent a very lengthy description of how Microsoft is continuing to fail its customers. In his opinion, while the company initially claims to have fixed the security issue, Yoran says that his team was able to gain access to quote, authentication secrets to a bank end quote. Yeah. All that definitely doesn't sound like things were fixed. In cybersecurity terms, this is very bad for Microsoft and also for its customers. Heck, it's also bad for cloud computing in general, because the promise of cloud computing is that a company can benefit from some other company's investment in computing and storage capabilities. Right? There's no need for you to build out your own server farm and databases, or to heavily invest in compute power if instead, you can offload those responsibilities onto a cloud-based product that you purchase or subscribe to. 
But that only works if customers are confident that the system is secure and that the provider will respond quickly and sufficiently to any vulnerabilities in the system. Failing to do that essentially boils down to a breach of trust. Microsoft reps have said that the threat of sophisticated attacks makes cybersecurity more challenging than ever, which is undoubtedly true, but Microsoft's critics say this doesn't excuse the company's response to this particular breach and how that's been handled so far. In other Microsoft hacking news, the company warns that a Russian-backed hacking group is trying to steal login credentials at various specific organizations by sending fraudulent Microsoft Teams messages while posing as IT support, which is of course an age-old trick, right? We call it social engineering. It's where you convince someone to hand over the keys to a system, and it's one of the most effective tools in hackers' arsenals because it's usually way easier to trick someone into being an unwitting accomplice to giving you access to a system than it is to brute force your way into a system. Anyway, Microsoft says the attacks are quote unquote highly targeted, with the hackers sending messages to people working at less than forty unique global organizations. Fewer than forty. This isn't a wide phishing net. In other words, this isn't like just trying to see what you can catch. This is more like spear phishing, where you have specifically identified the targets you're interested in. Now, the name of this hacking group is APT twenty nine, but it's better known as Midnight Blizzard, and US authorities say this group has links to Russia's intelligence service. So if you use Microsoft Teams and you happen to work for one of these unnamed organizations, I don't know which ones specifically were being targeted, but presumably a lot of them are like government agencies and things of that nature, and high profile tech companies, that sort of stuff. 
I would recommend against responding to weird requests from IT, especially if they're asking you to share multi-factor authentication information. That should be a dead giveaway every single time if someone's asking you to share some multi-factor authentication stuff, like they're like, hey, I need to log into your account, can you give me the six-digit, you know, number so I can access and authenticate? Obviously your answer should be no every single time, no, no, no, no no. But you know again, it's a trick that works. So Microsoft has raised the flag on that one. Speaking of Russia, a court in Moscow has fined Apple four hundred thousand rubles, which is, let me do the quick calculation here, around two hundred and seventy dollars. And the reason is Russia says that Apple failed to delete what the court was calling inaccurate content, specifically about the ongoing quote unquote special military operation in Ukraine. Apple, which by the way, stopped all product sales in Russia more than a year ago after Russia first invaded Ukraine, has not commented on this fine. I mean, two hundred and seventy dollars, that's not even enough money to even read as a thing to Apple, that's nothing. And really it's another example of how Russian institutions are trying to define the narrative on Russia's war on Ukraine and anyone who doesn't toe the line in that they're trying to punish. Although four hundred thousand rubles, I mean, I just, like, why would you even bother? Anyway, Apple joins Wikimedia as one of the companies that the Russians have declared are in violation for disseminating incorrect information. TorrentFreak dot com reports that Putin's government in Russia is trying to lock down internet within the country even more than it already has. A new law that will go into effect later this year will make it illegal for any Russian Internet platform to allow someone to sign up for their services if that person is using a foreign email system. 
For example, if someone has a Gmail email account, they cannot use that email account to sign up for one of these Russian internet platforms. It would be against the law. Further, these platforms will not be allowed to offer services to customers until those customers go through a verification process to prove their identities first. Now, obviously that means that anything the customers then access or post or whatever is linked directly to them. There's no anonymity here. They have a trail that leads right back to them, assuming that it is the person who created the account who's actually using the account. So that's a real big concern too. Right? It's like a form of government tracking. As I have talked about in previous episodes of this show, Russia has also cracked down on virtual private networks or VPN services within Russia. Like all outside VPN services have had real problems working within Russia because Russia wanted to crack down on that. Internally, some of the VPN services that were originating out of Russia chose to just shut down operations in the country because the only way they are allowed to operate within the country is to also agree to certain criteria with Russia's government. Those are the only VPN services that are allowed to operate within Russia. So that brings into question if the Russian government can demand that a VPN service within Russia must share its logs that show what customers were doing on the VPN, which kind of defeats at least one of the purposes of using a VPN in the first place. Right? Like, a lot of the reason to use a VPN is to kind of make sure that snoops don't see what you're doing. Like it may be that you know you need to handle some sensitive information, or maybe you're a whistleblower, or maybe you're a journalist or whatever, and so you don't want to be tracked down. That's obviously a big danger to you and your work. 
But if the government can come to the VPN and demand, hey, you've got to hand over all your logs and show us who was accessing what, then the VPN doesn't really serve its purpose anyway. Russian law also makes it illegal to talk about using VPNs and other methods like Tor in an effort to circumvent Russian controls. So not only are they limiting things, you can't even talk about the possibility of using tools to get around these controls because that in itself is illegal. So yeah, really cracking down over there. Okay, I've got a bunch of other news items we're going to cover today. Let's take a quick break to thank our sponsors. We're back, and now for some "the left hand doesn't know what the right hand is doing" news. The Washington Post reports that the FBI has actually discovered who was at least partly responsible for directing a contractor to purchase a spy tool from the Israeli company NSO. Now you might remember NSO is the company that was behind Pegasus. That was a tool that could turn a targeted iOS device like an iPhone into an espionage gadget. You could activate the microphone on the phone and listen in on conversations that were happening within the room. You could activate the camera, you could look through the phone's information. Like, it really was an incredibly dangerous espionage tool that NSO sold to lots of different customers. Anyway, back in April, the New York Times found that a contractor had bought and used a tool from NSO and had done so on behalf of a US government agency, though it wasn't known which agency it was, just that this contractor had purchased this from NSO. However, the Biden administration had put NSO on a blacklist saying no US government office or company or anything like that should purchase products from NSO. So the White House directed the FBI to track down who the heck authorized a contractor to purchase this tool from the NSO, and the FBI says it was the FBI. Sad trombone. 
But the FBI says they totes didn't know that the invasive surveillance they were relying upon was thanks to a tool from the NSO Group, so it's not really their fault. The contractor, Riva Networks, secured the use of a tool from NSO called Landmark. This tool allows for geotracking targets without their knowledge and was specifically used for people in Mexico, people like connected to drug cartels. Such spooky stuff. And also, the FBI says once they found out that Riva Networks had been naughty and had purchased this tool from NSO, the FBI totally terminated that contract with Riva Networks. Now I might just be a humble technology podcaster, but I find the FBI's excuses to be not fully satisfactory. Firstly, the FBI had already used Riva Networks in the past to purchase tools from NSO, including Pegasus, and this was before NSO was on the blacklist, so arguably it was kind of in the clear. But anyway, this was not an unprecedented event. FBI had worked with Riva Networks in the past, and Riva Networks had been using NSO products as part of the contract work they were doing with FBI. Secondly, I would argue whether the tool came from NSO or from Riva Networks itself or from some other developer, there are issues that are really more about what this tool does that concern me, rather than where it came from. The lack of oversight and accountability for the FBI and for its various contract partners raises some really troubling questions about the FBI's authority. I mean, part of the reason NSO Group is on the blacklist is not because of these incredibly invasive tools it makes. I mean, you would think that's the case, but that's not really why it's on the blacklist. The reason why it's on the blacklist is that the company counts among its most loyal customers some of the most dangerous dictators and authoritarians in the world, who subsequently use those tools to target people like journalists and activists. 
And it would look really, really bad if the US government said, you know what, it's okay for us to do business with them. So you could argue that optics are a really big part of why NSO is on that blacklist. However, if we were to be more generous and say, maybe the US government said no, this is a step too far, this is too invasive, the surveillance is too dangerous, there are too few checks and balances on authority and overreach. If we were to say that, well, I mean a lot of US authorities say right now that using geotracking technology doesn't technically violate the Executive Order against NSO, so no harm, no foul, if you find some other place that makes the same sort of tools. Oh, brave new world. On a different note, researchers at Technical University Berlin, along with a researcher named Oleg Drokin, demonstrated that they could exploit the infotainment system on recent Tesla vehicles to gain root access to the vehicle's systems. This would let someone activate features that normally Tesla reserves for paid customers, meaning you could activate stuff that is already available in your vehicle and you could do it for free rather than have to pay Tesla to unlock it. Things like, you know, heated seats and full self-driving, that kind of stuff. They also were able to do even more things like remove geolocation restrictions on full self-driving. They were able to transfer a driver's profile to a different Tesla vehicle using this method. However, it's not easy to do. It actually requires some electrical engineering, some soldering, you know, it's not just software. Hardware is involved too. However, if a Tesla owner has the knowledge and skill and about one hundred bucks worth of equipment, they could potentially do the same thing. They've also said that bad actors could possibly use the same method to gain access to things like data logs in a Tesla, which could include the owner's private information, or otherwise tamper with someone's vehicle. 
It would not be easy. Again, it would require physical access to the vehicle, but it is possible, and they plan to present their findings at Black Hat USA, which happens next week in Las Vegas. For what it's worth, they actually praised Tesla's security measures. They said that they're really leaders in the automotive space on that front. This week, the US finally officially banned incandescent light bulbs, and you might be thinking, I thought we already did that, but no, what we did do is announce the plan to ban incandescent light bulbs, but hadn't actually put it in action. The decision actually traces its history all the way back to two thousand and seven during George W. Bush's administration, when the White House called for a twenty-five percent improvement in efficiency for light bulbs. In twenty seventeen, Barack Obama planned on phasing out incandescent bulbs by twenty twenty. Trump reversed that decision. Biden reversed the reversal, although technically it doesn't target incandescent bulbs specifically. Rather, it says, hey, light bulbs need to be able to produce forty-five lumens, which is a measurement of brightness, per watt of electricity, and incandescent bulbs just can't do that. They max out at around fifteen lumens per watt. They are banned effectively, just not by name. Also, there are a lot of exceptions to this, like there are a lot of light bulbs that are incandescent that get an exception to this rule, like black lights, so your wicked band poster can still light up in the dark. Yay, okay. I got two article recommendations for y'all before I sign off. The first was published yesterday on Ars Technica. It was written by Jon Brodkin. The article is titled "Internet providers that won FCC grants try to escape broadband commitments." 
As the headline indicates, the story covers various ISPs that had agreed to participate in the US program to provide broadband to rural communities, but now they either want more money to do that or they just want to get out because I guess it's just too darn hard. The second article I recommend is from the Washington Post. It was written by Joseph Menn and the headline is "Hacking group plans system to encrypt social media and other apps." So we live in a world where lots of places are trying to chip away at privacy and encryption. It's not just authoritarian states like Russia. I'm looking at you, UK and also parts of the United States. Anyway, this article talks about how the hacker group called Cult of the Dead Cow is working to create encrypted alternatives to social media, and it's well worth a read. But that's it for the Tech News for Thursday, August third, twenty twenty three. I hope you are all well, and I'll talk to you again really soon. Tech Stuff is an iHeartRadio production. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.