HPR4379: Mapping Municipalities' Digital Dependencies

This show has been flagged as Clean by the host.

In this episode, I discuss my ongoing project aimed at mapping the dependencies municipalities have on major third-party digital services, particularly focusing on Microsoft and Google , given their dominance in the market.

The aim of this research isn't about debating the quality of these products—it's assumed that with thousands of employees, these services meet most quality expectations. Instead, the focus is on the critical implications of widespread dependency and potential risks related to service interruptions or supply chain attacks.

Why is this important?

• Supply Chain Attacks : High dependency means higher vulnerability to targeted disruptions.
• Business Continuity : Significant risks were illustrated by incidents such as the CrowdStrike outage in July 2024 , which forced Brussels Airport back to pencil-and-paper operations temporarily.

My Research Approach:

Primarily, I analyze the DNS MX records of municipalities:

• MX records typically reveal if mail services are hosted on Microsoft (Office 365/Exchange Online) or Google (Workspace).
• A high probability that using these providers for email also means municipalities likely depend on the respective cloud office suite (e.g., Word/Excel/SharePoint or Docs/Sheets/Drive).

Preliminary Observations:

• Belgium, Finland, Netherlands : Over 70% of municipalities rely heavily on Microsoft mail services, a significant warning sign of dependency.
• Germany, Hungary : Fewer than 5% of municipalities use Microsoft or Google explicitly via MX records, though caution is necessary. Here’s why:

Challenges Identified:

• Local MS Exchange Servers : Municipally hosted local installations aren't externally identifiable via MX records.
• Mail Proxies : Some municipalities use mail proxy services (spam/phishing filters) obscuring the actual mail service used behind proxy domains.

Techniques Tested:

• SPF Records : Often reveal the underlying email service, though they may contain outdated information, lowering reliability.
• Telnet EHLO Commands : Municipalities commonly obscure their SMTP headers, limiting usefulness.
• Cloud Provider IP-Ranges : Investigating if mail servers run on Google, Amazon, or Azure infrastructure. Even if identified, this alone doesn't clarify if proprietary or replaceable services are used.
• TXT Records : Occasionally contain subscription keys or mail-related settings (e.g., MS subscriptions, Mailjet), but again, could be historical remnants.

Unfortunately, none of these get to show me all of the third party services.

Community Call:

I'm reaching out to listeners and the broader community for ideas or techniques on reliably fingerprinting the actual digital service providers behind mail servers. Specifically:

• How to accurately determine if servers run Microsoft or Google services ?
• Any ideas to detect deployments of Nextcloud or similar open-source alternatives?

Resources:

• Project Webpage : jurgen.gaeremyn.be/map.html
• Source Code : gitlab.com/jurgeng/mxcheck

I'm looking forward to all your suggestions in the comments!