The Axios supply chain attack used individually targeted social engineering
simonwillison.net
47 points by cmitsakis 2 days ago
As a general rule I install none of these web conferencing things on my machine. Either the browser version works fine, as Google Meet, Zoom, Teams and even WebEx all do, or this is not a meeting I need to be on.
Exactly the same. Moreover my main work machine, the one I call my "workstation", doesn't even have sound. No videos. No meetings from that one. And that's the machine to which the Yubikeys are hooked.
I've got plenty of machines, including that one shitty laptop I trust even less than the rest. Arguably the only way to operate securely is to consider that most devices in your house (and at work) are compromised and hostile, that most networks are trying to fuck you up (for example not HTTP at my home: simply none, it's not allowed) and that they're really out there to get you. And, yet, to have a setup that works.
Same things with my phones: I've got one real phone, with two apps I added to it. Country's mandatory EID app and brokerage's 2FA app. And that's it. Nothing else. Nada. Zilch. One phone, two apps. No email account. Nothing.
Then I've got another phone, with another subscription, where I've got Telegram, that app to see the targets at the shooting range (long distance shooting: there are webcams in front of targets so you can see where you hit), the home automation apps, etc. All those shitty phone apps developed by clueless devs: they go on that phone. The email? Some throwaway email account I don't care about. You can 0-day that phone: I wouldn't give a shit. And I tell people: "My name on Telegram ain't my real name" and they love it. Non-technical people: they begin to understand and they love it.
People are going to need to step up their security game big time now, for I think we're in for quite a wild ride.
I know it's bad but I'm not going to say there's not some schadenfreude seeing what happens to those who were calling others "paranoid".
I mean: we're talking about people "quickly installing software (as admin/root)" on their main machine.
The road is going to be long for it's an entire shift of mindset that's now required.
Convenience vs security: you pick. Video call vs major project compromised: you pick.
The vindictive side of me hopes the cybersecurity "rug" is pulled out from underneath all these companies (new & old) who don't appreciate craftsmanship. I don't think we need regulations, but companies need to suffer when they drop the ball.
"The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the RAT."
Oh dear.
I had a job offer interview sent to me a couple weeks ago that ended like this.
Everything was normal messaging. Back and forth. Got the invite to schedule a google meet. All looked like all the other things.
Day of meeting, click the Google Meet button in the email... redirect to a browser screen showing that Google Meet needs an update, this is the Microsoft Store.
Rush, hurry, meeting will be late!
Except it was not the Microsoft Store; it was all fake.
I wish Indeed and other job sites shared more info about these (like: a fake company signed up with a fake email from a VPN to publish this job listing that possibly infected 1,000 computers, and some are reporting X, Y or Z (ransom, whatever)).
That's the bit that scares me. I've often found myself installing software in a hurry to join a meeting on some platform that I've not previously used via my current machine.
The time pressure means I'm less likely to pay attention to what I'm installing.
IMO, rushing things never helps. If possible, I investigate external calls/meetings well in advance; in the worst case, I add a 30-minute calendar block before those (to prepare and install/update things).
As a DevOps engineer, I have seen the quote "premature optimisation is the root of all evil" play out in real life quite often. In fact, optimising one bottleneck quickly yields another one (moving the goalpost further), potentially increasing business impact if the flow is not contained properly.
Especially during incidents, _rushing_ to fix often yields more problems. I've seen people isolating/shutting down mildly misbehaving instances, causing excessive load on the remaining ones and starting a cascading failure, like dominoes falling one after another.
Which reminds me of a scene from "The Office", where Dwight goes rogue and conducts a "fire drill" by locking doors and deliberately causing smoke. Everyone panics and all hell breaks loose. This is at the beginning of the episode, maybe 5 minutes tops. I show this at the incident-management training: this is how people behave in real life. No joke.
To give a more concrete example of the moving goalpost: SWEs improve transaction processing with multi-threading, but that causes more connections/transactions to the database. Even though theoretical gains are Nx (N times, depending on threads/cores), real-life gains are 1.2x-1.3x, because database connections are getting occupied. As the next step, increasing the number of DB connections helps, maybe add another master node (the risk of deadlocks increases, but ignore that for now for the sake of argument). But then the disk IO becomes the bottleneck due to write-heavy workloads (payments domain). Then we add Redis to reduce load, and maybe some asynchronous processing. At this point complexity increases and we need to solve rare occurrences of duplicate data or race conditions because it is not a single-threaded process anymore...
I wonder if I would have been saved by my absolute disdain for installing anything Microsoft Teams-related on my computer. The web version works fine, thanks.
Up to usual Microsoft Teams standards
I don't want to pile on this poor guy, but video conferencing software in browser works, and does not require software installation.
Use the browser sandbox to protect yourself.