The Scammers Are Warning Me

Some days you can’t make this stuff up.

A relatively easy way to get around spam/phishing filters is to send phishing emails from a legitimate source. Google Groups — real mailing lists run by Google — have become a popular option recently. On the surface the messages look like an email from the Geek Squad or similar, even though they are actually phishing emails.

To send someone an email from a Google Group you need to add them to the mailing list first, and this is where the new, accidental warnings come in: Google emails me when I get added to a phishing group:

This is a legit email, basically just letting me know that I’ve been signed up for a mailing list. But, of course, Geek Squad is NOT using Google Groups to send me emails; the scammer abduasah[at]gmail.com is.

The next email from this group will be a renewal notice “from” the Geek Squad asking me to call to cancel a service I don’t have…
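One way to catch this pattern before the “renewal notice” lands: look at the headers rather than the branding. The following is an added example, not code from this post, that flags a message whose From display name claims a brand while the sending domain is not one of that brand’s, and records whether mailing-list headers show it was relayed through a group. The header names, the brand-to-domain map, and both sample messages are assumptions I constructed for the example; check them against your own mail flow.

```python
"""Header triage for the 'brand name in the From, delivered via Google Groups' lure.

Added example (not from the post): flags a message whose From display name
claims a brand but whose sending domain is not one of that brand's, and
notes whether mailing-list headers show it was relayed through a group.
"""
import email
from email import policy
from email.utils import parseaddr

# Headers typically added to Google Groups deliveries (assumption: confirm
# against your own samples, header sets vary by list configuration).
GROUP_HEADERS = ("List-Id", "Mailing-list", "X-Google-Group-Id")

# Illustrative brand -> legitimate sending domains map (constructed; a real
# deployment would maintain this list per brand it cares about).
BRAND_DOMAINS = {
    "geek squad": {"geeksquad.com", "bestbuy.com"},
    "best buy": {"bestbuy.com"},
}


def triage(raw: bytes) -> dict:
    """Return a verdict plus the evidence used to reach it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    list_headers = [h for h in GROUP_HEADERS if msg.get(h) is not None]

    # A brand named in the display name whose domain is not the brand's own.
    impersonated = [
        brand for brand, legit in BRAND_DOMAINS.items()
        if brand in display.lower() and sender_domain not in legit
    ]

    if impersonated and list_headers:
        verdict = "suspicious-group-impersonation"
    elif impersonated:
        verdict = "suspicious-brand-mismatch"
    else:
        verdict = "ok"

    return {
        "verdict": verdict,
        "display_name": display,
        "sender_domain": sender_domain,
        "list_headers": list_headers,
        "impersonated": impersonated,
    }


# Constructed samples: a renewal-notice lure relayed through a group, and a
# genuine mailing from the brand's own domain. Addresses are placeholders.
PHISH = b"""From: "Geek Squad Billing" <scammer-example@gmail.com>
To: victim@example.net
Subject: Your Geek Squad protection plan renewal
List-Id: <renewals.googlegroups.com>
Mailing-list: list renewals@googlegroups.com; contact renewals+owners@googlegroups.com

Call us now to cancel.
"""

LEGIT = b"""From: "Geek Squad" <news@geeksquad.com>
To: victim@example.net
Subject: Tips for protecting your devices

Hello.
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(triage(sample))
```

The point of the verdict split is that list headers alone are not evidence (plenty of legitimate groups exist); the signal is a brand claim in the display name that the sending domain cannot back up, and the group relay is what explains why the filter let it through.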

What Made the Lahaina Fires So Destructive? “The truth is that I believe that God was angry”

The Washington Post published a relatively short article with analysis of the fire based on video, along with showing some of those videos.

I recommend you read the article but here is the short version:

  1. There are three major land parcels that run north to south on the west side of Lahaina.
  2. None of the three landowners took significant responsibility for keeping the land free of the grasses that created a tinder box.
  3. The fire was started by a downed power line; the Maui fire department said they had contained it in the morning.
  4. But by the afternoon things had dried out and the fire restarted.
  5. The direction of the wind ensured that the fire actually warmed up and dried out the fuel further down its path. Combined with all of that grass, and eventually hitting areas of the town not built to withstand fire, it all went to hell.

But the most interesting part of the story is the absolute denial of responsibility of any of the landowners. I’m sure that there will be more blame to go around, but this is ridiculous.

Developer Peter Martin, who was reached by phone, told The Post that the invasive grass was a “red herring” to divert attention from the government’s water resource regulations, which he said were so restrictive that they prevented farming or development of the land he owns. “The truth is that I believe that God was angry,” Martin said, that these lands were not being used “as God intended.”

(Large parcel land owner)

Good lord.

“We have managed our lands in an effort to heal the ʻāina (land) and create a thriving resource for our lāhui (community),” said Sterling Wong, a spokesperson for the Kamehameha Schools.

(Large parcel land owner)

Yes, well, it’s cauterized now.

The state’s Department of Land and Natural Resources (DLNR) told The Post it has tried to mitigate fire risk with limited resources, including applying for federal grants to create fire breaks and reduce invasive species across state and private lands in West Maui.

(Large parcel land owner)

The only honest response: perhaps an acceptance of responsibility, but at least not a straightforward denial.

Large land ownership by parcel near Lahaina. By the Washington Post

More stories will come out and there will be more blame to go around (unless God takes responsibility): these parties should still take responsibility for their own inaction. People burned to death over this inaction.

Post-Webinar Thoughts on Huntress’ M365 MDR

Edit 2024-02-12: I am going to leave this post up, but at this point you really ought to find some newer and more relevant information.

All edits on 2023-10-10.

Edit: it’s definitely a SOC.

Some initial analysis on their newly announced product:

An MDR/SOC solution for 365 is very attractive right now, if I knew that it worked, but I don’t: Huntress didn’t provide any objective data that their protection works.

Huntress never fails to put on an engaging marketing event: that includes their ability to dig into technical details of attacks, and narratives, instead of a focus on their service or tool.

Kyle also didn’t inspire a lot of confidence that their MDR is fully baked. To dig in for a moment: I really don’t understand how they can possibly have 486 incidents across 730k users[1]; that seems impossibly low. With about 2m events per day that is 0.000162 events per day. I went back to re-listen and this is what they said: “[we] went back and checked these numbers right before we went live.”

I also don’t understand how it is different than RocketCyber (Edit: the Huntress tool is a SOC.). I wish I had dug into that. That matters quite a bit: RC’s SOC is more proactive in remediation across a much wider range of tools.[2] It’s not clear why Huntress’ SOC would be any better, and it could be worse. RC is also a quasi-SIEM, which Huntress clearly is not.

Some of the things that were missing are important. They can’t block any logins. They don’t support geo-fencing (and unreasonably dump on the idea). MFA isn’t in the reports.

Their response appears to be limited:

Question: What are some remediation steps that Huntress can take in M365?

Answer: A Huntress analyst can disable and lock an account without partner intervention. We can also provide an assisted remediation to remove malicious inbox rules. We also provide manual remediation steps beyond that to kick out threat actors.

Is this MDR or quasi-MDR? (Edit: it’s definitely a SOC.)

To sum it up: I’m not sure how this is different from any other SOC, except for its brand name and narrow focus.

Edit: this last line was 100% accurate.

  1. In the comments Huntress (Josh) said, “730K *identities* includes a lot more than users!” but the slide clearly said “monitored users”.

     Edit: I later verified this number with Huntress directly. They defended it as accurate and appropriate, i.e., they caught most or all stuff. ↩︎
  2. Edit: After RC’s most recent webinar I don’t know that it is more proactive. It does work with more tools. ↩︎

Huntress MDR for Microsoft 365

Edit: it’s definitely a SOC.

This post is from the live webinar put on by Huntress on August 30th, 2023. The style is half product, half attack stories, similar to the endpoint marketing.

About This Article

None of this is confidential, a point Huntress (Rich) made explicitly during the webinar. Quotes are best effort; I’m typing them up as they go, so they might not be exact. Some quotes have been cleaned up for grammar and spelling. Finally, the post isn’t chronological; I ordered things so that they fit into an understandable narrative.

Panelists: Nadya Duke Boone, Josh Lambert (Sr. Project Manager), Chris Bisnett (CTO and Founder), Kyle Hanslovan (CEO). 400+ attendees.

Early access pricing, good through end of September. Lock in price for 2 years.

An interesting tidbit, Huntress is a fully remote company. I assume that they bring this up to demonstrate why they are in a unique place to create MDR for 365.

“We’re providing real fucking value.”

Kyle Hanslovan

Kyle and Chris think that there is not another product that does something like this. Chris: “I feel like we’re pretty big, but there has to be some other MSSPs consuming a lot of data.”

Overview

This is like Huntress for M365 instead of for endpoints: it is a “fully managed” MDR tool. It looks at events inside M365 and flags them for human review at the Huntress SOC. Remediations can be taken from there, either by the SOC or the MSP.

Those are the two primary selling points: it’s managed, and there is a human looking at it.

It is clearly a competitor to SaaS Alerts and probably RocketCyber as well. I don’t see why most MSPs would use more than one of these three. (It isn’t clear where Augmentt fits in.)

You can skip to the questions and get the gist of the rest of it.

“Why did we build this?”

“We’re gonna go where the hackers go.”

Kyle: “If you wait [to launch a product] until you [have everything perfect] you waited too long… this was our approach to endpoints.”

Is this an MVP? “This is a Huntress-ready product… remember that V in MVP… a product that will take care of your ass.”

Chris: When we [originally] started, Huntress noticed that everyone had antivirus but it wasn’t preventing attacks. Context helped solve that, files that weren’t clearly malicious in the temp directories, etc. [I.e., this is the same idea]

History of Huntress product development:

Kyle: “You can see what we built and released in 2015 isn’t anything like what we’re offering in 2023”

Kyle: [Even] Microsoft is experiencing their own issues. [See post/tweet to the right here]

Hacker tradecraft is changing, shift towards identity theft.

“The tradecraft is still really immature.”

[I think Kyle said that they started going after mid-market and enterprise? not sure]

Huntress even went to Blackhat — sounds like to go after enterprise customers.

Product Demo

Chris: “We really believe in building for the future.”

Use CSP to add tenants. A second account is required to implement. An Exchange license is needed for a smooth implementation, to handle inbox rules and “a tighter integration.”

The CSP account needs… basically permissions to everything.

“We require a bunch of roles. You can see the exact roles we need via our KB:”

https://support.huntress.io/hc/en-us/categories/19906075516051-Huntress-Managed-Detection-and-Response-for-Microsoft-365

Huntress pulls all of your tenants in CSP and lets you map them to Huntress customers. You can only integrate a single CSP at a time.

You can MFA report across all users.

What is Huntress Seeing?

Kyle: “When you build an early product, you don’t always see what you were expecting.”

“This is a fully managed MDR product.” The third incident would not have been captured without humans looking at it. “Managed teams and managed security can really be a win.”

Event Data

730,000 users monitored already, 486 incidents reported. [That seems really, really low to me]

Sample Incident — Huntress Says This Was Real

Attacker gets in

Chris says this was happening over ExpressVPN

Foothold established

Attacker able to regain access [until Huntress kicks them out]

Second Incident Example – Weird Rules

RSS inbox rules are created, but the login “travel” is all over the place, and the client changes from Windows to macOS

Third Incident – Shadow Workflows

Huntress has even seen attackers create their own MFA inside M365.
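The second incident (odd RSS rules) and the remediation answers later in the Q&A (“remove malicious inbox rules”, “detect and report existing malicious inbox rules”) both come down to the same triage: which inbox rules look like an attacker hiding or exfiltrating mail. The following is an added example, not Huntress code, that scores rules in the shape returned by the Microsoft Graph messageRule resource (the field names used, displayName, isEnabled, conditions and actions, are my assumption about that shape); the tenant domains, folder ids, keyword list and sample rules are all constructed for the example.

```python
"""Triage Microsoft 365 inbox rules for the patterns attackers leave behind.

Added example, not Huntress code. Input is a list of rule objects in the
shape returned by the Microsoft Graph messageRule resource (assumed fields:
displayName, isEnabled, conditions, actions). All sample data is constructed.
"""

# Keywords that, combined with hiding or deleting mail, suggest someone is
# covering tracks (heuristic list, constructed for the example).
SENSITIVE_WORDS = ("password", "invoice", "payment", "wire", "security", "mfa")

# Folders users rarely open; a rule shovelling mail into them is a classic hideout.
HIDEOUT_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history")


def recipient_domains(recipients):
    """Pull the domain out of Graph recipient objects ({'emailAddress': {'address': ...}})."""
    domains = set()
    for r in recipients or []:
        addr = (r.get("emailAddress") or {}).get("address", "")
        if "@" in addr:
            domains.add(addr.rpartition("@")[2].lower())
    return domains


def triage_rule(rule, tenant_domains, folder_names):
    """Return the reasons this rule deserves analyst attention (empty list = clean)."""
    reasons = []
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    name = (rule.get("displayName") or "").strip()

    # 1. Mail leaving the tenant via forward/redirect.
    outbound = set()
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        outbound |= recipient_domains(actions.get(key))
    external = sorted(d for d in outbound if d not in tenant_domains)
    if external:
        reasons.append(f"forwards/redirects to external domain(s): {external}")

    # 2. Hiding evidence: delete, mark as read, or park mail in a hideout folder.
    hides = []
    if actions.get("delete") or actions.get("permanentDelete"):
        hides.append("delete")
    if actions.get("markAsRead"):
        hides.append("markAsRead")
    target = folder_names.get(actions.get("moveToFolder", ""), "")
    if target.lower() in HIDEOUT_FOLDERS:
        hides.append(f"moveToFolder={target}")
        reasons.append(f"moves matching mail into rarely viewed folder {target!r}")

    # 3. Keyword conditions on sensitive topics make the hiding purposeful.
    words = [w.lower() for w in (conditions.get("subjectContains") or [])
             + (conditions.get("bodyContains") or [])]
    sensitive = [w for w in words if any(s in w for s in SENSITIVE_WORDS)]
    if hides and sensitive:
        reasons.append(f"hides ({', '.join(hides)}) mail matching {sensitive}")
    elif hides and external:
        reasons.append(f"hides ({', '.join(hides)}) the forwarded copy")

    # 4. Throwaway names ('.', '..', '') are common on attacker-created rules.
    if rule.get("isEnabled", True) and len(name) <= 2:
        reasons.append(f"near-empty rule name {name!r}")

    return reasons


def triage_rules(rules, tenant_domains, folder_names):
    """Map rule display name -> reasons, for flagged rules only."""
    findings = {}
    for rule in rules:
        reasons = triage_rule(rule, tenant_domains, folder_names)
        if reasons:
            findings[rule.get("displayName", "")] = reasons
    return findings


# Constructed sample: one benign rule, one exfiltration rule, one hideout rule.
TENANT_DOMAINS = {"contoso-example.com"}
FOLDER_NAMES = {"FOLDER-ID-1": "Newsletters", "FOLDER-ID-2": "RSS Feeds"}  # placeholder ids
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor-example.com"}}]},
     "actions": {"moveToFolder": "FOLDER-ID-1"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker-example.org"}}],
                 "markAsRead": True}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"bodyContains": ["password reset", "security alert"]},
     "actions": {"moveToFolder": "FOLDER-ID-2", "markAsRead": True}},
]

if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE_RULES, TENANT_DOMAINS, FOLDER_NAMES).items():
        print(name or "<unnamed>", "->", reasons)
```

Note that the “Newsletters” rule moves mail to a folder too; what separates it from “Cleanup” is the destination folder and the keywords, which is why the scoring looks at the combination of condition and action rather than at any single field.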

Roadmap

Uses Microsoft Graph to pull in data. On a per-user basis, expects that to change this year [so per user licenses aren’t needed?]

Chris: Other products that came before us use polling and try to see what changed between polls, that has its own limitations, it doesn’t scale.

Chris: This is MDR today, but we’re going in a direction for Managed Microsoft 365. You’ll see us adding configuration among other things.

Kyle: The Three Best AVs

[Kyle takes a brief left turn here]

These change up, management is key: S1, Defender and the high-end version of CrowdStrike. “I’d say Huntress managing Microsoft Defender will crush it all day… you’re not going to get a better offer. [A number of] our partners run Huntress and S1 side-by-side [so you can do that].”

James: “…we definitely can be used in tandem with SentinelOne, however there is a lot of crossover between us, we definitely should chat, I’d get in touch with your Channel Account Manager to help with that decision further”

M365 Licensing

No topic had more questions than what licensing is required. Currently, P1 is required per user. This is expected to change in September with a change in how Microsoft handles logging and licensing.

How does this compare to SaaS Alerts?

Huntress doesn’t pull any punches here, which is appreciated.

So, is a product like SaaS Alerts a competitor? If I am about to sign a multiyear contract with SA or Huntress, do I need or want both?

SaaS Alerts would be a competitor to MDR for Microsoft 365 – if you’d like some information on how we differ to help you decide which to use, please do reach out to your Channel Account Manager

Can Huntress MDR for 365 work with tools like SaaS Alerts?

We do not currently have an integration planned with SaaS Alerts. [There is no reason that they would, this is clearly a competing product at the core.]

Are there any other selling points as far as differences between you guys and SaaS Alerts?

Everybody is looking at the same data! We think the human element between you and those alerts is REALLY REALLY important!

Do you plan on having recommended conditional access policies, similar to SaaS Alerts? Also we’re finding DNS filtering being important does Huntress recommend any products on this or may have something in the pipeline?

“This is definitely on the roadmap. Stay tuned, we should get to talking about this soon.” [Unclear if this is about SaaS Alerts or DNS filtering]

What Isn’t On The Roadmap

  • Email filtering
  • …other products… Chris Bisnett says that for other products, “you can expect a similar path,” but I didn’t hear him give us any specific answers.
  • Email analysis: “We do not analyze email content with this product”
  • DLP

Questions

Pricing & Billing Questions

Is Pax8 on the roadmap?

If we went through Pax8, it would be 20% more expensive than buying direct to make up for the margin they charge us to sell through Pax8. Even though we love the Pax8 team, our partners have given us the feedback that paying 20% more isn’t worth the benefit of consolidated billing Pax8 provides.

Kyle Hanslovan

How much?

No real answer: “[W]e currently have Early Adopter pricing available. If you have a Huntress account manager already, reach out to them for more details.”

Will the pricing information and documentation be sent to us after this meeting?

It won’t be sent as part of the webinar follow-up email, but it also isn’t a secret! Feel free to reach out to feedback, sales, or your account manager for more info.

Is there an NFR program for internal use?

Yes

What is a billed user? An M365 user with any M365 license, or only licenses with email? Unlicensed users? Shared mailboxes?

“We do our very best to ONLY bill you for actual user identities. It’s a little more difficult to discern that with something on the order of 3000 different license types out there. If you see a license type listed as “billable” that you think shouldn’t be, you can always reach out to Support to get some clarification.”

Feature Questions

Can you push MFA and verify that it’s enforced?

“We do not currently make config changes to your Microsoft tenants.”

Is there a push button baseline config that automatically gets activated upon turning this on?

“Not yet! Stay tuned.” [But see the previous question]

If MDR has been connected after a breach, will this still show detection, etc. after the fact?

We will detect and report existing malicious inbox rules after you enable the integration.

I use MS365 without email, in other words email carrier is a different company. Would MDR work in this case?

Yes

MDR Response Questions

How far behind real-time does huntress detect and report an event?

We’re at the mercy of Microsoft here but generally a few minutes

Could you filter based on IP address registration? Example: If the IP used to log in is from a known VPN host then it is blocked.

We do not block logins. If an analyst believes that a login is coming from a malicious actor (via a compromised IP), they can lock out the account

Does Huntress/can Huntress block accounts that are found to be compromised? / What are some remediation steps that Huntress can take in M365?

A Huntress analyst can disable and lock an account without partner intervention. We can also provide an assisted remediation to remove malicious inbox rules. We also provide manual remediation steps beyond that to kick out threat actors.

Can Huntress Geofence M365 logins?

Not at present

Kyle and Josh both pile on that geofencing provides limited value.

Will Huntress flag [not block] a suspicious login if it comes from a “legitimate” (Proton, etc.) VPN service?

Potentially. If our SOC analysts deem that the legit VPN is being used maliciously, they will issue a report

I see that you guys are detecting events, does a ticket get generated for intervention with the MSP’s ticketing system or does this have automated responses?

We have integrations into some of the most common MSP ticketing tools out there, some of our remediation steps can/will have a ‘One Click’ button to remediate issues without the need of additional steps

Technical “How Does this Work” and Compliance Questions

Can we connect to GCC High tenant?

“…we currently don’t have GCC High tenant support…”

Is this GDPR compliant?

No, we do not have the ability to segment our data in that way. We do our best to comply with as much of GDPR as we can.

How long are logs kept?

2 weeks. [It sounds like they don’t want to be a SIEM. Not sure how they can export to partners without excessive egress bandwidth costs.]

Huntress Gets Push Notifications?

“Correct, we leverage a webhook so Microsoft pushes us data.”
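The webhook answer, together with the earlier roadmap note that the product pulls data via Microsoft Graph, describes Graph change notifications: Graph POSTs to a URL you register. Two things matter for anyone receiving them, and the following added example (my code, not Huntress’s) shows both. First, when a subscription is created Graph sends a request carrying a validationToken query parameter and expects it echoed back with HTTP 200; second, every later notification carries the clientState secret you supplied when subscribing, and that value is the only authenticity check on the push itself, so anything that does not match must be dropped. The request and response plumbing is modelled as plain function arguments so it runs offline, and the payloads, subscription ids and secret are constructed.

```python
"""Receiving Microsoft Graph change notifications safely.

Added example (not Huntress code). Graph's subscription flow is: (1) on
subscription creation Graph POSTs to your URL with a validationToken query
parameter and expects it echoed back as text/plain with HTTP 200; (2) each
later POST carries a JSON body {"value": [notifications]} and expects a 202,
and every notification's clientState must equal the secret supplied when
subscribing. Request/response plumbing is modelled as plain arguments so this
runs offline; all sample payloads are constructed.
"""
import hmac


def handle_graph_webhook(query, body, expected_client_state):
    """Return (http_status, response_text, accepted_notifications)."""
    token = query.get("validationToken")
    if token is not None:
        # Validation handshake: echo the token back, process nothing.
        return 200, token, []

    accepted = []
    for n in (body or {}).get("value", []):
        supplied = str(n.get("clientState", ""))
        # Constant-time compare; a mismatch means the POST did not come from
        # our subscription, so the notification is ignored rather than acted on.
        if not hmac.compare_digest(supplied, expected_client_state):
            continue
        accepted.append(n)

    # Always 202: Graph retries on non-2xx responses and may eventually drop
    # the subscription. Real work on the accepted items happens asynchronously,
    # and the 'resource' path is what you then fetch from Graph (the notification
    # itself carries no message content).
    return 202, "", accepted


# Constructed samples: the value set at subscription time, a validation
# request, and a batch with one genuine and one mismatched notification.
CLIENT_STATE = "constructed-secret-0123"

VALIDATION_QUERY = {"validationToken": "Validation: Testing client application reachability"}

NOTIFICATION_BODY = {"value": [
    {"subscriptionId": "00000000-0000-0000-0000-000000000001",
     "clientState": CLIENT_STATE,
     "changeType": "created",
     "resource": "users/{placeholder-user-id}/messages/{placeholder-message-id}"},
    {"subscriptionId": "00000000-0000-0000-0000-000000000002",
     "clientState": "wrong-secret",
     "changeType": "created",
     "resource": "users/{placeholder-user-id}/messages/{placeholder-message-id}"},
]}

if __name__ == "__main__":
    print(handle_graph_webhook(VALIDATION_QUERY, None, CLIENT_STATE))
    print(handle_graph_webhook({}, NOTIFICATION_BODY, CLIENT_STATE))
```

The two-week log retention mentioned above follows naturally from this design: a push receiver only ever holds what it has been sent since the subscription was created, which is also why existing malicious rules have to be detected by a separate scan after the integration is enabled rather than by waiting for notifications.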

Does this use CPV AppConsent API to configure CSP customer permissions on GDAP agreements, or is it a per-tenant permission acceptance?

“MDR for Microsoft 365 can do both :)”

Are you scraping/streaming Microsoft Defender for Office 365 and Microsoft Advisor recommendations as part of the MDR?

Not yet. We are ingesting events directly from the Azure logs

Other Questions

Are you guys seeing any weird reporting based on users using personal VPN services?

“We’re seeing a shit ton of personal VPN and odd nonsense when examining at scale.”

I currently use Datto for email protection and backup. Will Huntress play nice with that?

We shouldn’t interfere with any service you have for email filtering, backup, etc. We do not alter the contents of emails or look at email contents at all.

NSFW on Bing Homepage Images

Microsoft Bing is returning some NSFW images on the Images tab by default with filters on:

Screenshot of Bing Images showing a woman in a transparent dress with a visible butt.
Screenshot of Bing Images showing a woman in a transparent wedding dress with visible breasts
Screenshot of Bing Images showing a woman in a dress upside down, without pants, clearly revealing her genitals.

These are from Bing Images, no search criteria, from an InPrivate window. The results are the same from multiple IP addresses. I assume that this has something to do with their integrations into OpenAI & ChatGPT.

Even the more innocuous results are… something else:

Screenshot of Bing Images showing a woman in a dress with a V neck. The image itself is not risqué, but Bing suggests that the user click roughly where her right breast is to do a visual search.

While the image itself is relatively tame it is from a Pinterest board dedicated to transparent dresses. And the default “search inside this image” includes a suggestion that you search from the bottom of the V-Neck.

These results aren’t buried deep, you don’t need to go looking, two of these are literally on the top row:

It actually gets tamer as you go further down, it appears that this is pulling from images marked “inspiring” in some way or another, especially from the number of wedding dresses that are shown (inspirations) further down the page.

It isn’t surprising that AI would surface these; if you “grew up” on the internet you know how much of the geeky-male culture has always pushed the envelope (4chan anyone?) and openly let fetishes come out, at least under pseudonyms.

(You might notice that there aren’t any NSFW images of men, clearly reflects internet culture)

So, it isn’t shocking that an AI would bring this sort of thing up, just that Microsoft didn’t put in some basic filters.

Bing has long been known for being more willing to serve up NSFW, but I’ve never seen something like this: where it does so by default.

Edit

I wanted a way to replicate this beyond an Incognito window and a different IP address, so I used webpagetest.org to run a test that captured screenshots from a browser in EC2. The initial test (14 hours after the original post) showed at least one of the same images, if not all of them:

Screenshot from WebPageTest.org of Bing images, showing NSFW photos from a completely neutral location.

You can see one of the tests here. I can’t scroll in the test, so viewing anything below the fold isn’t possible.