When an associate of mine accessed their personal email account on their work computer, they opened an email from a friend purporting to be an invitation to a holiday party, and it contained a link that it claimed was to RSVP. In fact, the link was to a malicious MSI file hosted on Cloudflare's r2.dev service. Not knowing what an MSI file was, the associate ran the file and installed an instance of ConnectWise's ScreenConnect software operated by an attacker. The attacker promptly took control of the associate's computer for a couple of minutes before the associate wisely powered the computer off. Sure, the obvious answers are that people shouldn't click on suspicious links in emails they weren't expecting, even if they come from a friend or trusted colleague, and that they really shouldn't use work computers for personal tasks and vice versa. But this incident also revealed troubling concerns about how some large companies like Cloudflare have double standards about security.
The neighbor's computer was compromised by the same attacker, who accessed their GMail account and apparently sent the phishing email as a single message with the entire contact list as Bcc recipients. This was probably a large number of contacts, and it really should have been automatically flagged by Google as potentially a spam email. A reasonable approach might be to delay sending the email until the sender confirms they really intended to Bcc a large number of people on a potentially suspicious email. The sender would then get a notification on their phone asking to confirm if they really intended to send a mass email, which they could either confirm or reject. Google is keen to push multi-factor authentication and require that users associate phone numbers with their accounts, so it seems like this might be a rational approach for outbound emails that ought to be flagged as suspicious.
But I'm more frustrated with Cloudflare, who seems to act as a gatekeeper for many websites, arbitrarily blocking browsers and locking people out of websites, especially for the dastardly crime of using a non-Chromium browser like Palemoon. The malicious file was hosted on r2.dev, which is a cloud-based object storage system. Although the actual file might not trip malware scanners because ScreenConnect has legitimate purposes, R2 storage buckets and Cloudflare's other hosting services are also often used to host malware and phishing content. This is probably because Cloudflare has a free tier and is easy to use, making them a good tool for attackers to abuse. One of the logical actions I took was to try to report the malicious content to Cloudflare so they would take it down. They encourage reporting of abuse through an online reporting form. The first time I accessed the abuse reporting form, it was blank. I reloaded the page, and Cloudflare informed me that I had been blocked from accessing their abuse reporting page. The irony here is that Cloudflare has arbitrarily blocked me for no apparent reason, as if I am malicious, preventing me from reporting actual malicious content being hosted on their platform.
The problem here is that large companies like Google and Cloudflare have positioned themselves as gatekeepers of the internet, demanding that users conform to their security standards while themselves not taking reasonable steps to prevent attacks originating from their own platforms. In the case of Google, reCaptcha is mostly security theatre, making users jump through hoops to prove they're not malicious while harvesting data that can be used for tracking users through browser fingerprinting. As for Cloudflare, they use methods like blocking browsers with low market share, supposedly in the name of blocking malicious traffic. The hypocrisy is very blatant when Cloudflare's arbitrary and opaque blocking prevents users from reporting actual malicious content hosted by Cloudflare itself. Unfortunately, this doesn't seem particularly uncommon.
It's becoming increasingly difficult not to see companies like Google and Cloudflare as bad actors. In the case of Cloudflare, I finally sent complaints to their abuse@ and noc@ email addresses, but I expect little will be done to actually address the problem. How do we demand accountability from companies that act as gatekeepers of the internet and treat ordinary users like potential criminals while doing little to prevent their own platforms from being vectors for abuse? In this case, is the best solution to complain to a government agency like the state attorney general, state that the malware may have caused harm, and that Cloudflare has made it next to impossible to get the content taken down?
(Score: 3, Informative) by Anonymous Coward on Monday January 05, @10:38AM (1 child)
As of today https://www.dshield.org/block.txt [dshield.org]
Can't seem to get it to display as preformatted text. tt, code and pre don't work.
FWIW, for the sites I take care of, WRT to hack attempts the US IP ranges have been worse than Russia and Russia has been worse than China. 🤷♂️
(Score: 2, Informative) by Anonymous Coward on Monday January 05, @10:43AM
Oh yeah, forgot to point out the GOOGLE-CLOUD-PLATFORM to back up the article claims, in case anyone thinks it's off topic.
https://dshield.org/about.html [dshield.org]
(Score: 5, Interesting) by pTamok on Monday January 05, @11:03AM (5 children)
I have long felt that email clients should have a configuration option that pops up a confirmation dialogue if the client determines that the total number of emails in the To: CC: and BCC: lists exceeds a certain number, or contains an identifiable mailing-list address, and a second confirmation dialogue if it exceeds a second number, and so on (possibly triggered by order-of-magnitude transitions).
So if you send to a single recipient - the email is sent when you request it to be sent.
If you send to more than 10 recipients and request it to be sent, a confirmation dialogue appears asking if you are sure that you want to send to more than 10 recipients, and if you confirm, only then is it sent.
If you send to more than 100 recipients and request it to be sent, a confirmation dialogue appears asking if you are sure that you want to send to more than 10 recipients, and if you confirm, then a second confirmation dialogue appears asking if you are sure that you want to send to more than 100 recipients and only if you confirm a second time is it then sent.
If you send to more than 1000 recipients and request it to be sent, a confirmation dialogue appears asking if you are sure that you want to send to more than 10 recipients, and if you confirm, then a second confirmation dialogue appears asking if you are sure that you want to send to more than 100 recipients and only if you confirm a second time does a third confirmation dialogue appear asking if you are sure that you want to send to more than 1000 recipients and only if you confirm a third time is it then sent.
Similarly, the presence of 1,2,3 or more mailing list addresses triggers the same.
Obviously, this would be really annoying for some people, so it should be optionally capable of being disabled: but for corporates it could well be forced to be mandatory by policy, with the numbers of emails triggering each level variable according to local preferences.
It would help to stop inadvertent 'Reply All' storms, but not prevent legitimate mass mailings.
When someone paid me for my time and expertise, I would also have liked a confirmation dialogue that popped up if I was sending to an email address external to the organisation. I have seen too many embarrassing situations caused by people accidentally replying to customer emails instead of forwarding them to colleagues, intending to make comments that are private to the organisation and finding those comments sent to the customer instead. A road hump for that kind of thing is useful.
People make mistakes. It is human, and is not going to change. Technology should help people to avoid making mistakes, and mitigate their effects, where possible.
(Score: 4, Interesting) by pTamok on Monday January 05, @11:13AM (2 children)
Oh - and the escalating number of dialogues is on purpose, to try and avoid the 'muscle memory' click-through to just get the email sent. Another improvement is to get the dialogue to specify how many email addresses it has counted, and only let you continue if you type in the same number as confirmation that you want to send that many messages. This is all to try and break through the automated thinking on 'Send'.
Are you sure you want to send to 124 recipients? Type 124 to confirm, or press 'Return' to cancel.
Are you sure you want to send to customerdomain.org? Type External to confirm, or press 'Return' to cancel.
Another way to stop inadvertent external emails is for the mail server to look for a text attachment that has the single word 'External' in it. If it is missing, the mail server should return the message undelivered with accompanying text along the lines of 'External delivery requested without proper 'External' tag attached' or something. This would be deeply irritating for some people, and a lifesaver for others.
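Added example (not pTamok's code, nor anything from the thread or from any mail client): a Python sketch of the escalating confirmation scheme described in the two comments above. It counts de-duplicated recipients across To:, Cc: and Bcc:, adds one prompt per order-of-magnitude threshold crossed, one per mailing-list address, and one per external domain, and then requires the typed answer (the counted number, "List", or "External") rather than a click so that muscle memory cannot get the message out. The thresholds, the mailing-list patterns and the home domain `example.org` are assumptions; the headers in the test are constructed.

```python
"""Escalating send-confirmation tiers (added example, not thread code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SendPolicy:
    # Recipient counts above which one more confirmation is required (assumed defaults)
    thresholds: tuple = (10, 100, 1000)
    # Regexes that identify a mailing-list address; site-configurable, assumed here
    list_patterns: tuple = (r"^all@", r"^everyone@", r"^staff@", r"-list@")
    # Organisation's own domain; anything else counts as external (assumed)
    home_domain: str = "example.org"


DEFAULT_POLICY = SendPolicy()


def parse_recipients(headers):
    """Return the de-duplicated, lower-cased addresses from To:, Cc: and Bcc:."""
    seen = []
    for name in ("To", "Cc", "Bcc"):
        for addr in headers.get(name, "").split(","):
            addr = addr.strip().lower()
            if addr and addr not in seen:
                seen.append(addr)
    return seen


def external_domains(recipients, home_domain):
    """Domains of recipients that are outside the home organisation."""
    return sorted({a.rsplit("@", 1)[1] for a in recipients
                   if "@" in a and not a.endswith("@" + home_domain)})


def required_confirmations(recipients, policy=DEFAULT_POLICY):
    """List of (prompt, expected typed answer), in the order the client shows them.

    125 recipients crosses the 10 and 100 thresholds, so two count prompts;
    each mailing-list address and each external domain adds its own prompt.
    """
    n = len(recipients)
    prompts = []
    for t in policy.thresholds:
        if n > t:
            prompts.append((f"Are you sure you want to send to {n} recipients "
                            f"(more than {t})? Type {n} to confirm, or press Return to cancel.",
                            str(n)))
    for a in recipients:
        if any(re.search(p, a) for p in policy.list_patterns):
            prompts.append((f"{a} looks like a mailing list. Type List to confirm.", "List"))
    for d in external_domains(recipients, policy.home_domain):
        prompts.append((f"Are you sure you want to send to {d}? Type External to confirm.",
                        "External"))
    return prompts


def send_allowed(recipients, typed_answers, policy=DEFAULT_POLICY):
    """True only if every prompt received exactly its expected answer.

    A blank answer (the user just pressed Return) cancels, as does any
    mismatch, so a reflexive click-through never releases the message.
    """
    prompts = required_confirmations(recipients, policy)
    if len(typed_answers) != len(prompts):
        return False
    return all(ans.strip() == expected
               for (_, expected), ans in zip(prompts, typed_answers))


if __name__ == "__main__":
    # Constructed headers: 124 internal recipients plus one external list address.
    hdrs = {"To": ", ".join(f"user{i}@example.org" for i in range(124)),
            "Bcc": "all@partner.com"}
    rcpts = parse_recipients(hdrs)
    for prompt, _ in required_confirmations(rcpts):
        print(prompt)
```

In a real client the prompt loop would sit between the Send button and the SMTP submission; the functions above only decide which prompts are needed and whether the typed answers satisfy them, so the policy can be forced by configuration without touching the UI.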
(Score: 5, Informative) by PiMuNu on Monday January 05, @12:42PM (1 child)
nb: thunderbird already has a pop-up if many recipients are in To or Cc field (I guess for GDPR reasons)
(Score: 2, Interesting) by pTamok on Monday January 05, @12:50PM
Excellent: as a Thunderbird user myself, I did not know this. Perhaps I have not sent to enough recipients in a single message for it to be triggered. Thank you for pointing this out.
(Score: 2) by krishnoid on Monday January 05, @04:14PM (1 child)
Ugh, that's such a normie approach. I'd go with log2 tiers :0)
(Score: 2, Interesting) by pTamok on Monday January 05, @04:24PM
Why not natural logarithms (log_e/ln)? The world is not binary.
But actually, I did briefly consider base 2, but I think being pinged at 2, 4, and 8 emails would be excessively annoying. But, as I said, the numbers to set up the additional dialogue would be configurable, so you could choose whichever natural number (ℕ) you wanted.
(Score: 4, Interesting) by Runaway1956 on Monday January 05, @01:06PM (1 child)
My network is locked down pretty tight. It's so tight, no one in the house sees advertising. Telemetry doesn't work. Phone home applications fail. Malware servers are blocked. Google collects little information, Facebook gets almost nothing except from my wife's computer, Apple gets almost nothing, Microsoft is starving for data from us. My biggest security hole is email, and we have had a go-around with that. "Please install the "inviteascammerintoyourbank.exe" now please, so we can help you recover your money!"
But, the security of my browser has to be checked everywhere I go. My network and browsers are too secure, it looks suspicious to all of the online giants.
I'm going to buy my defensive radar from Temu, just like Venezuela!
(Score: 1, Interesting) by Anonymous Coward on Tuesday January 06, @05:53AM
"Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot."
😉
After confirming the problem is Google and not me (via blacklist checks e.g. https://mxtoolbox.com/blacklists.aspx [mxtoolbox.com] ) I've switched to DDG and Startpage.
(Score: 5, Insightful) by Thexalon on Monday January 05, @01:29PM (1 child)
What the various high-profile security breaches have taught companies over the decades is that the long-term penalty for major security failures is approximately nothing.
And the simple proof of that is that Equifax is still operating as a broker of personal data, long after it thoroughly demonstrated that it should not have been trusted with any of it.
Until that changes, security concerns will not be prioritized by any for-profit company.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 2) by driverless on Monday January 05, @02:27PM
"Marjery, send this asshole the usual bedbug^H^H^H^H^Hwe-take-security-seriously letter".
(Score: 4, Interesting) by VLM on Monday January 05, @02:45PM (1 child)
The summary of the wall of text is I demand that tiny automated shell scripts become smarter than the smartest people who get scammed by frauds.
Yeah good luck with that.
Like whining about why the post office dares to deliver mail, that smart enough people can sometimes recognize as a pyramid scheme. Shouldn't the mailman with a PHD and IQ over 150 open and read all your email to make sure its safe before delivering it? Yeah .... we'll get right back to you on that.
(Score: 1) by pTamok on Monday January 05, @04:27PM
The current proposed approach is for an 'intelligent agent' to scan messages before they are sent, to check if they are suitable for sending. For some odd reason people are protesting against this.
( Yes, I know. )
(Score: 1) by Marvin on Monday January 05, @04:20PM
what are you smoking? They can do whatever they want.
(Score: 5, Interesting) by fliptop on Monday January 05, @04:30PM (2 children)
IMHO the worst of the major cloud providers are, in this order, Digital Ocean, AWS, Google, Microsoft, Cloudflare, Akamai, Alibaba, Oracle. Either Oracle doesn't have many malicious hosting customers or they keep their network locked down well b/c I rarely receive any vulnerability scans from their IPs. Of the smaller providers, off the top of my head the worst ones are FranTech, HE, The Constant Company, Ace Data Centers, and there's more I just can't think of them all.
To answer TFQ, we can't keep them accountable. All we can do as sysadmins is block the offending IPs. Twenty years ago I would send reports for particularly malicious scans but not anymore, my experience is it's pointless and a waste of time.
Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.
(Score: 5, Interesting) by Whoever on Monday January 05, @04:50PM
A couple of months ago, I noticed a particularly large number of attempts at brute-force login against our SSH servers. This particular range of IPs piqued my interest because it was assigned to a company in a small town in which I used to live about 30 years ago. I looked at the address on Google Street view and there was no company there, no office, etc. So I reported what looked like a fraudulent IP address registration to RIPE (it was in Europe). The IP addresses were actually being used in Romania. The person at RIPE appeared to be sympathetic to my report, but was unable to do anything, because the company's registration in the UK was apparently OK.
(Score: 1, Interesting) by Anonymous Coward on Tuesday January 06, @06:05AM
You've helped confirm that I was right to have blocked Digital Ocean's ASN.
Yeah I have blocks based on the Dshield top 10. I also currently run Suricata which has lots of false positives but I have a perl script that checks the Suricata EVE logs and if there are lots of different SIGs from a particular external range (using something like the Misra-Gries heavy hitters algorithm to try to keep RAM usage under control), it blocks that range.
I just hope that Suricata itself doesn't get pwned... 🤣
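Added example (not the commenter's Perl script, nor anything from Suricata): a Python version of the approach in the comment above. It reads Suricata EVE JSON lines, maps each external alert source to its /24, tracks heavy-hitter ranges with a Misra-Gries sketch so memory stays bounded at k-1 counters however many sources scan, and records the distinct signature IDs only for ranges that currently hold a counter. A range is proposed for blocking when it is both a heavy hitter and has fired at least `min_distinct_sigs` different signatures, which is what separates a scanner from a single noisy false-positive rule. The internal-network list, the thresholds, and the EVE lines (using documentation address ranges as stand-ins for external hosts) are all constructed assumptions.

```python
"""Heavy-hitter source ranges from Suricata EVE alerts (added example)."""
import ipaddress
import json

# Assumed site-internal ranges; alerts from these are never candidates for a block.
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"))


class MisraGries:
    """Misra-Gries frequency sketch holding at most k-1 counters.

    Any item seen more than n/k times in a stream of n items is guaranteed
    to still own a counter at the end, so the sketch never misses a true
    heavy hitter while using O(k) memory.
    """

    def __init__(self, k):
        self.k = k
        self.counters = {}

    def add(self, item):
        """Count one item; return the set of items evicted by this step."""
        if item in self.counters:
            self.counters[item] += 1
            return set()
        if len(self.counters) < self.k - 1:
            self.counters[item] = 1
            return set()
        evicted = set()
        for key in list(self.counters):          # all counters full: decrement every one
            self.counters[key] -= 1
            if self.counters[key] == 0:
                del self.counters[key]
                evicted.add(key)
        return evicted


def source_range(src_ip, internal=INTERNAL_NETS, prefix=24):
    """Return the /prefix containing src_ip as a string, or None if internal/invalid."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return None
    if any(addr in net for net in internal):
        return None
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def ranges_to_block(eve_lines, k=8, min_distinct_sigs=5, internal=INTERNAL_NETS):
    """Scan EVE JSON lines; return sorted external ranges that are heavy hitters
    by alert volume AND have triggered at least min_distinct_sigs distinct rules."""
    sketch = MisraGries(k)
    sigs = {}                      # range -> distinct signature ids, only for current candidates
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue               # EVE files can contain a truncated last line
        if ev.get("event_type") != "alert":
            continue               # flow/dns/http records carry no signature
        rng = source_range(ev.get("src_ip", ""), internal)
        if rng is None:
            continue
        for gone in sketch.add(rng):
            sigs.pop(gone, None)   # evicted from the sketch: forget its signatures too
        if rng in sketch.counters:
            sigs.setdefault(rng, set()).add(ev["alert"]["signature_id"])
    return sorted(r for r, s in sigs.items() if len(s) >= min_distinct_sigs)


def _alert(src, sid):
    """Build one constructed EVE alert line in the shape Suricata emits."""
    return json.dumps({"timestamp": "2026-01-05T10:38:00.000000+0000", "event_type": "alert",
                       "src_ip": src, "dest_ip": "172.16.0.10", "dest_port": 22, "proto": "TCP",
                       "alert": {"signature_id": sid, "signature": f"CONSTRUCTED sig {sid}"}})


# Constructed sample: one scanner range firing 6 different rules, one range that
# trips the same rule 8 times (looks like a false positive), two scattered hits,
# one internal host and one non-alert record.
SAMPLE_EVE = ([_alert(f"203.0.113.{i}", 2001000 + (i % 6)) for i in range(12)]
              + [_alert("198.51.100.7", 2010937)] * 8
              + [_alert("192.0.2.200", 2003000), _alert("10.0.0.5", 2003001),
                 _alert("192.0.2.201", 2003002)]
              + [json.dumps({"event_type": "flow", "src_ip": "203.0.113.9"})])

if __name__ == "__main__":
    print(ranges_to_block(SAMPLE_EVE))
```

Feeding the live eve.json through this with `k` around 8 to 16 keeps the state tiny; the result is a candidate list for whatever firewall mechanism is already in place, and the distinct-signature floor is the knob that keeps one over-broad rule from blocking a legitimate range.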
(Score: 0) by Anonymous Coward on Monday January 05, @10:03PM (1 child)
It only means, "Don't follow the example I set".
That's good advice.
(Score: 4, Funny) by pTamok on Tuesday January 06, @01:49PM
Frankly, I think my rôle in life is to act as a shining example for other people not to follow.
(Score: 0) by Anonymous Coward on Wednesday January 07, @01:57PM
It was about control. Your palemoon can block ads, your VPN hides your metadata. You are being bribed with convenience to give up your privacy and security is the excuse to assuage low information users. The company's own security practices don't matter. In the future they will be retroactively erased from the news or never reported in the first place. Total information control is the goal.
Security and "hate speech" are the #1 trojan horse.