Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, May 31, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
Joining me for this episode is Terry Cutler, head of Montreal’s Cyology Labs.
This week we’ll discuss Microsoft’s controversial new tool to help find that website you know you went to, lessons learned from the hack of the MITRE organization and how to implement a zero-trust model.
 |
 |
 |
(The following is a transcript of the first of four topics discussed)
Howard: Ever have trouble finding a website you recently visited? Fruitlessly poured through the browser History? Last week Microsoft announced a new automatic screen capture tool called Recall to solve that. But critics say it could open a serious privacy vulnerability. Recall takes periodic screenshots on an employee’s Windows 11 computer every few seconds and stores the images there — not on Microsoft servers, not in the cloud — so the employee can use the Microsoft Copilot artificial intelligence search tool to — hopefully — find the website they remember. The data store is encrypted and so supposedly safe from being copied and cracked by a hacker. And Recall doesn’t take screenshots of anything in an open private browser window. Windows administrators will have the power to create group policies to turn Recall off. But a lot of privacy experts are worried. For one thing, if Recall takes a screenshot as an employee logs into things it will be able to capture passwords that are entered in plaintext. Terry, what do you think of this tool?
Terry: We’ve been using these investigation tools on potential customers for a long time to see which employees are wasting time and get more insights into productivity. I’m more worried about what cybercriminals can do with Recall. Things like data exfiltration: What happens if cybercriminals can breach Recall security and can access all the encrypted screenshots? There’s going to be all kinds of things in there that can be used for identity theft or extortion or even for ways to further their attacks into the network. The other thing that can happen is that they might be able to develop ransomware tactics to access the data store and potentially exfiltrate that data as well in a ransomware attack, and use that as further leverage for the customer to pay.
A lot of things that can go wrong. I know it’s an easy button [to turn Recall on] for the user, but this could turn into a nightmare, a security breach, especially around surveillance and espionage. If the attacker gained physical access to the machine or to the device it could be used to monitor user activity over time and it’d be collecting information about user habits or maybe the company’s operations or even sensitive negotiations. We don’t know what we’re going to see.
Howard: I think it’s a privacy and cybersecurity risk. Threat actors will know there’s an extra target to go after if you can get into anyone’s PC that’s using the Recall feature. Now, to be fair, at the moment, it’s limited to PCs branded Copilot + and running Windows 11 on the just-introduced Snapdragon X ARM platform. But Microsoft wants it expanded to Intel-powered PCs, AMD-powered PCs, if those companies agree. On the other hand, everything has risks, but they have to be managed properly. And, in this case, as I said, the data, the snapshots that Recall stores is going to be encrypted. But you still think that from what we know so far it’s a risk.
Terry: Yeah … Imagine if there was a big data breach a couple of years ago and you got access to the source code from Microsoft and then you got access now to Recall and could find ways to exploit that. The sky’s the limit after this. The amount of data harvesting, credential theft, maybe even remote access tools. There might be ways that cyber criminals can create tools that’ll keep them under the radar inside an environment for longer than [the average dwell time of ] 286 days. I think it’s gonna be a, it’s gonna be a mess.
Howard: On the other hand, experts note that IT and security administrators already can use behavior monitoring and analytics software, some of which includes covert still or video screen captures. And in fact is that employee PC monitoring is mandatory in some industries.
Terry: We’ve been using monitoring tools for a while now, but there’s a difference between the two. Recall stores screenshots locally on the user’s device with encryption. Whereas the monitoring solution that we [as security pros] typically use stores data on a secure server up in the cloud and it has strict access to who can see the data. Yes, Recall can offer encryption on local storage, but it may not provide significant safeguards against physical access. So if I’m able to gain access to the box could I gain access to all that stored data? Whereas in a monitoring solution, it’s all centralized. It’s got security tools in there. It may have some SIEM [a security information event management suite] to see who’s trying to access it. It’s a different ballgame.
Howard: What do you think about this argument: Crooks won’t want to be bothered with encrypted data in the Recall store when there’s so much unencrypted data on employees’ computers.
Terry: They love low-hanging fruit … They obviously prefer to target unencrypted data because it doesn’t require much effort and they can use it in extortion tactics right away. But encrypted data is going to be more sensitive and high-value data. The thing I’m worried about is that Recall could capture very sensitive information, passwords, sensitive emails, which could lead to targeted attacks. So what we [IT defenders] need is make to sure we have a proper layered security in place, because encryption is not foolproof. Make sure you have MFA turned on. Do you have things like dual MFA for the administrator’s account? Not only that you need to train the users on how to use Recall because there could be misconfiguration attacks.
(Our discussion continues on lessons learned from the MITRE cyber attack, myths surrounding zero-trust and IT asset management. To hear those parts of the conversation play the podcast)
