If you think a password prevents scanning in the cloud, think again:
Microsoft cloud services are scanning for malware by peeking inside users' zip files, even when they're protected by a password, several users reported on Mastodon on Monday.
Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.
While analysis of password-protected files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password "infected."
[...] Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. One way is to extract any possible passwords from the bodies of an email or the name of the file itself. Another is by testing the file to see if it's protected with one of the passwords contained in a list.
"If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find (and feed MS detection)," he wrote.
[...] The practice illustrates the fine line online services often walk when attempting to protect end users from common threats while also respecting privacy. As Brandt notes, actively cracking a password-protected zip file feels invasive. At the same time, this practice almost surely has prevented large numbers of users from falling prey to social engineering attacks attempting to infect their computers.
One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can't be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files.
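The two points above, the password-harvesting heuristic Beaumont describes and the weakness of ZipCrypto, can be shown together in one self-contained sketch. This is an added example, not code from the article or from Microsoft (whose implementation is not public): it builds a ZipCrypto-protected archive in-process with a minimal encryptor, then harvests candidate passwords from the mail text, the attachment name and a short wordlist and tries them the way the thread describes. The mail text, file names, the wordlist entry "malware" and the inert stand-in for the EICAR string are all constructed.

```python
import io, os, re, struct, zipfile, zlib
SIGNATURE = b"<<constructed EICAR stand-in>>"   # inert marker standing in for the real EICAR test string
def _crc_step(c, v):   # one CRC-32 register step on byte c, using zlib's table (same table ZipCrypto uses)
    return zlib.crc32(bytes([c]), v ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """Traditional PKWARE 'ZipCrypto' stream cipher, the weak Windows default the article mentions."""
    def __init__(self, pwd: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in pwd:
            self._update(c)                  # the password only seeds three 32-bit key registers
    def _update(self, c):
        k = self.k
        k[0] = _crc_step(c, k[0])
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[1] >> 24, k[2])
    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k[2] | 2                # keystream byte is derived from key2 alone ...
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)                  # ... and the plaintext byte drives the registers on
        return bytes(out)

def make_zipcrypto_zip(name: bytes, data: bytes, pwd: bytes) -> bytes:
    """One stored entry with flag bit 0 set; the 12-byte prefix ends in the CRC's high byte (the check byte)."""
    crc = zlib.crc32(data)
    body = ZipCrypto(pwd).encrypt(os.urandom(11) + bytes([crc >> 24]) + data)
    lh = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, 0x21, crc, len(body), len(data), len(name), 0)
    cd = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0, 0x21, crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, 46 + len(name), 30 + len(name) + len(body), 0)
    return lh + name + body + cd + name + eocd

def candidate_passwords(mail_body: str, attachment_name: str, wordlist=("infected", "malware")):
    """Harvest candidates the way the thread describes: a password quoted in the mail text,
    the attachment's own name, then a short list of passwords commonly used for samples."""
    quoted = re.findall(r"password\s*(?:is|:)\s*['\"]?([^\s'\",.;]+)", mail_body, flags=re.I)
    stem = os.path.splitext(os.path.basename(attachment_name))[0]
    return list(dict.fromkeys(quoted + [stem] + list(wordlist)))   # dedupe, keep priority order

def scan_protected_zip(blob: bytes, passwords):
    """Try each candidate; return (password that opened the archive or None, entries holding SIGNATURE)."""
    zf = zipfile.ZipFile(io.BytesIO(blob))
    for pwd in passwords:
        try:
            hits = [i.filename for i in zf.infolist() if SIGNATURE in zf.read(i, pwd=pwd.encode())]
            return pwd, hits
        except (RuntimeError, zipfile.BadZipFile):   # bad check byte, or bad CRC after a lucky check byte
            continue
    return None, []
```

Each wrong guess is rejected by a single check byte before any content is decrypted, which is why guessing from harvested hints is cheap and why the article points to AES-256 7z archives instead.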
(Score: 5, Interesting) by Rosco P. Coltrane on Thursday May 18, @12:17AM (2 children)
If you decrypt someone else's encrypted file, you run afoul of the DMCA - 17 U.S. Code § 1201.
But somehow I'm willing to bet Microsoft will not even be charged for doing this systematically on all their patrons' files...
(Score: 3, Insightful) by Anonymous Coward on Thursday May 18, @12:57AM
(Score: 5, Insightful) by Gaaark on Thursday May 18, @01:11AM
I thought you signed all of life over to Microsoft when you clicked agree?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Funny) by DadaDoofy on Thursday May 18, @12:30AM (4 children)
What is Mastadon?
(Score: 0) by Anonymous Coward on Thursday May 18, @01:05AM
le fed-iverse [wikipedia.org]
(Score: 5, Informative) by istartedi on Thursday May 18, @03:44AM
You know how a lot of people, myself included, have been saying that Twitter should have been a protocol not a company? Mastodon is the embodiment of that.
It's still kind of rough around the edges, but it's very promising. Filters aren't perfect, but compared to Twitter they rock. I use them to filter out "rage bait" and it's a fairly happy experience. I use Twitter a lot less now. The downside is that it hasn't reached critical mass, so there are still some independent news sources, especially related to California fires that are easier to follow on Twitter. A lot of those are on WatchDuty, but that sucks on a PC.
It's interesting times in social media. Twitter was already circling the drain for me. Musk's mucking around with it helped push me to Mastodon.
Now, if I could just figure out how to follow Iran news without all the German language coming through. It looks like it's supposed to be able to filter that too, but it's either not obvious or not really capable--like I said, rough around the edges; but so far it hasn't been corrupted.
I strongly suggest giving it a shot. Because it's distributed, there isn't just one to choose. Imagine you're back in the 90s and your ISP didn't have mail servers. It's like that, so you went out looking for some other mail provider like HotMail. Each instance is its own Hotmail, but because of federation they exchange toots (their word for tweet), the way USENET servers all shared stories.
The instance I use is Universeodon [universeodon.com]
(Score: 2) by driverless on Thursday May 18, @05:10AM
It's what Vulgaris Magistralis rides around on on Sundays [youtube.com].
(Score: 2) by hendrikboom on Friday May 19, @08:28PM
It's actually spelled 'Mastodon', with a central 'o' instead of 'a'.
Here [joinmastodon.org] is some information about it [mastodon.social].
(Score: 3, Informative) by Anonymous Coward on Thursday May 18, @01:34AM
It's why anybody in the know's been using rar and 7z for basically decades now.
(Score: 2) by Reziac on Thursday May 18, @02:09AM (11 children)
....then I want a tool to recover the data from a broken .DOCX file, which is just XML in a ZIPfile.
None of the usual recovery tools worked.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 3, Insightful) by krishnoid on Thursday May 18, @05:33AM (10 children)
Probably a trivial suggestion, but did you try uploading it to Google Docs, or letting LibreOffice have a crack at it?
(Score: 4, Funny) by Reziac on Thursday May 18, @06:12AM (9 children)
LibreOffice threw it back. So did Word. Got farthest with WinRAR -- managed to extract the background graphic, that was it. PKZipFix and 7Zip didn't get that far, tho could see some filenames. Appears the ZIP header is messed up.
Also assaulted it with a hex editor, but couldn't tell what was broken.
It's a client's file ... apparently Word corrupted the document during the final save-to-disk (did not appear to be a disk error), and by the time it was noticed, the bad copy had replaced the backups. (Client did not understand how to do incrementals.) Client didn't want to pay for the commercial solutions, which one strongly suspects are just PKZipFix in a GUI wrapper. The one trial version I messed with didn't accomplish anything.
That was the day I began railing against ZIP containers as a document save format. (ODT too.) I now beat my clients with a stick until they see the merits of RTF, which at least I can hand-fix at need.
Thanks for trying, tho ... it's very frustrating. Client lost an entire finished novel, six months of work. (And I hate being defeated by mere software.)
And there is no Alkibiades to come back and save us from ourselves.
(Score: 3, Funny) by Mojibake Tengu on Thursday May 18, @09:06AM (6 children)
True writers write LaTeX in texmaker. And use mercurial. Or at least git.
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 3, Touché) by maxwell demon on Thursday May 18, @09:10AM (4 children)
LaTeX and mercurial, sure. But texmaker? No way. Either vi or Emacs.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Funny) by Mojibake Tengu on Thursday May 18, @11:03AM
Psst! Too heavy indoctrination does not apply well on beginners. While nurturing GUI-dependent digital toddlers, tread lightly...
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 3, Funny) by Reziac on Thursday May 18, @01:02PM (2 children)
Well do I remember my first (and last) encounter with Emacs...
Could not for the life of me figure out how to exit the durn thing, had somehow got it fullscreen, and wound up hitting reset to get out of it.
In my defense, I think it was also my second encounter with anything in the *NIX sphere (the first having been the Darwin PC beta... "Okay, it took two days to download on dialup, it installed, and I have a command line -- largest installed CLI in the history of computing. What do I =do= with it??")
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by HiThere on Thursday May 18, @01:59PM (1 child)
I tried EMACS 3 or 4 times. It seemed like with so many proponents there HAD to be some good aspect. I was unable to find it. Even vi is better. (Note: I started off using things like ed, or ptss, but that didn't make me prefer that interface. These days I normally use geany.)
Also, however, the original claim was that "writers" should use it. This does NOT mean programmers. Programmers are an extremely small subset of writers, and have quite different needs from most of them.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by Reziac on Thursday May 18, @02:48PM
Yeah, that was where I was with Emacs... it's such a big deal, it should be great, right?? RIGHT?!
Not a programmer but I like Kate, tho mostly use it as a Notepad replacement. Unfortunately we do not seem to even =have= a proper, dedicated RTF editor on linux. Or =any= RTF editor. (No, LibreOffice doesn't count, have you =seen= what it does to the formatting??! I can hand-write the formatting codes faster than I can clean that up.)
And everyone knows that REAL programmers do COPY CON PROGRAM.ZIP :D
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by Reziac on Thursday May 18, @12:57PM
REAL programmers do COPY CON PROGRAM.ZIP
:D
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by DannyB on Thursday May 18, @06:42PM (1 child)
Let me introduce you to Java's JAR files. Those are the Java platform-neutral executable equivalent of EXE and DLL.
They are zip files as an executable file or dynamic library format.
However, they are platform neutral: this compiled code will run on a Raspberry PI or a giant IBM mainframe with a strange processor architecture.
How often should I have my memory checked? I used to know but...
(Score: 2) by Reziac on Thursday May 18, @07:48PM
Yep, there's an advantage... have peeked inside JARs, as I do any unfamiliar file. A habit developed in the ancient DOS era, when I'd peer at everything with Vern Buerg's LIST.
RPMs too... have occasionally unpacked an RPM and run whatever directly, rather than installing it. Poor man's container; that way it doesn't touch the OS.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 4, Interesting) by ShovelOperator1 on Thursday May 18, @03:34PM (3 children)
I was sending an encrypted ZIP file to my friend, we were doing some numerical research. My mailbox is in my University's servers, his mailbox is on his, but their IT got brib^W protected by having Google's anti-virus monitoring on e-mail. So my mail got out and got bumped back because the attachment "contains malicious software".
The "malicious software" was a set of source code patches for a mechanical simulation software. In FORTRAN.
How the hell can you write malicious software in FORTRAN? It will do what? Calculate matrices starting from 0?
(Score: 1, Funny) by Anonymous Coward on Thursday May 18, @04:21PM
Upload a blank windows executable (literally nothing beside an entry point, no default library init etc, that calls ExitProcess) to virustotal or jotti and watch AVs have a meltdown over it. AVs love their false positives because it scares grandpa into renewing his subscription for it.
(Score: 2) by Reziac on Thursday May 18, @07:51PM
[remembers Fortran, mods +1 WTF??]
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by corey on Friday May 19, @07:56AM
Yeah I’ve had stuff blocked by big G. Usually 7z with AES-256 encryption. It was just my personal files, tax, etc. They don’t need to scan it, learn about me etc. Anyway I think I got around it by instead using Google Drive. But otherwise I just avoid these players. I pay for my own email these days (Posteo.de, Protonmail) and they don’t treat me like an idiot.