By Scott Hamilton
Senior Expert Emerging Technologies
On March 2 Microsoft announced that there wee known vulernabilities in Exchange Server. This is the leading calendar and email server software used by a large majority of global companies. Microsoft admitted that it was aware of the vulnerability going back nearly ten years, and have known that a Chinese hacker group has been exploiting the known vulnerability since January.
The Chinese group dubbed Hafnium has gained information from defense contractors, schools, hospitals and other U.S. Entities according to a blog post by Microsoft Vice-president Tom Burt. Microsoft believes the hack will lead to additional network security software spending and adopting cloud-based email instead of running services in house.
Here is where he problem comes in, guess what Microsoft uses to run their cloud based email services, Microsoft Exchange Server. The vulernablity exists in Hotmail, and outlook.com the same as on in house Exchange server platforms.
This hack is one that will stand out in history as one of the top cybersecurity events of the world. This lead one to ask, what are we supposed to do to ensure that we are safe online. The first recommendation is to make a shift to Open Source software. There are replacements for a majority of the tools you use every day available for free from large groups of developers with a focus on security and privacy.
I need to remind you that there is a large difference between free software and open source software. Free software, also known as freeware is proprietary software given to you for free, usually in exchange for your data or privacy. Open source software is free, but you also have the option of reading, modifying and sharing the underlying source code that makes the fee tool work. This means that you can have full control over what the software is allowed to do on your computer.
I realize that it is not possible for most of you to read computer source code and understand if there are risks with the software, but that’s part of the beauty of open source. There are on average 10,000 developers on the larger projects and thousands on the smaller projects. They all use and rely on the software they develop and like myself, want to keep their private data secure.
The last major security issue in the open source Linux software was over a decade ago related to security key generation where a seemingly insignificant code change caused the key generation algorithm to generate the same set of around 1000 random keys, making it possible to easily guess a user’s key to login as the user, but this only worked if the system used key based authentication which was fairly uncommon. The error was introduced on a Tuesday, recognized Wednesday morning and a patch was available before then close of business that day.
It is clear big tech companies are not concerned with your safety and security when they admit to knowing about a security flaw for over ten years and doing nothing to resolve it.
Until next week stay safe and learn something new.