Archive for March 5, 2023

Microsoft Is Adding iMessage To Windows 11…. With Limitations

Posted in Commentary on March 5, 2023 by itnerd

Microsoft “is adding iPhone support to its Phone Link app on Windows 11” according to a blog post from Microsoft. Typically, iMessage has been a locked-down environment that non-Apple devices are unable to use because Apple doesn’t play nice with others. But there are limitations:

Once the guided installation completes and your iPhone is paired to your PC and the right permissions given, Phone Link will deliver basic iOS support for calls, messages, and contacts. This means you will be notified directly through your Windows notifications. Phone Link does not support replying to group messages or sending media in messages.

That’s not exactly great. But the fact that there is any level of support for iMessage on a non-Apple device is something. At present, a small group of people who are part of the Windows Insider program has access to this feature, which to be clear is a beta, though that group may expand. But the key thing to think about is what Apple is going to do to stop this. You have to imagine that people at Apple Park can’t be happy about this, and will do everything they can to break this support long before it hits the streets for the general public. That way, Apple users have to stay in Apple’s really pretty, but really restrictive walled garden.

LastPass Was Hacked Again Because An Employee Didn’t Do A Software Update

Posted in Commentary on March 5, 2023 by itnerd

Frequent readers of this blog know that I always advocate installing the latest software updates for your operating system and applications as soon as possible. That’s because threat actors will often look at software updates and reverse engineer the flaws that they fix so that they can go after those who didn’t install those updates. Or the updates may fix an issue that threat actors are exploiting right now. Either way, I strongly believe that you can’t go wrong installing software updates. So in short, what I’m saying is that you increase your chances of getting pwned by not installing software updates. And since a lot of us work from home, your employer could get pwned as well.

And apparently, that is what happened to LastPass according to PC Magazine when they got pwned in August:

This week, LastPass revealed the hacker pulled off the breach by installing malware on an employee’s home computer, enabling them to capture keystrokes on the machine. But one lingering question was how the malware was delivered. 

At the time, LastPass said only that the hacker exploited “a vulnerable third-party media software package,” without naming the vendor or the exact flaw. That led many to wonder if the hacker had abused a currently unknown vulnerability, which could put many other users in harm’s way. 

PCMag has since learned the hacker targeted the Plex Media Server software to load the malware on the LastPass employee’s home computer. But interestingly, the exploited flaw was nothing new. According to Plex, the vulnerability is nearly three years old and was patched long ago.

Plex told PCMag the vulnerability is CVE-2020-5741, which the company publicly disclosed to users in May 2020. “An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” the company said back then.

“At the time, as noted in that post, an updated version of the Plex Media Server was made available to all (7-MAY-2020),” a spokesperson for Plex said. “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago.”   

So the employee didn’t stay up to date in terms of their Plex install, and now the employee and the employer have been pwned. If I were the employer, in this case LastPass, I’d not only be mad, I would fire the person. Because while LastPass was not at fault here, trust in the company is non-existent because of the previous instances of being pwned by threat actors combined with this. And this employee is at least partially at fault for that, because what is clear here is that this did not need to happen.

And it also makes the perfect argument for employer-supplied laptops if people work from home. Those laptops of course need to be locked down so employees cannot install anything that they want, and they have to be encrypted to protect sensitive data, preferably using self-encrypting drives, which are commonplace today. And multi-factor authentication needs to be present as well so that it is extremely hard for a threat actor to break into the laptop and steal data. Because if you control the platforms that your employees use, and you make them as tough to hack as possible, it’s less likely that bad things will happen to you.