Security Now Episode 867 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for security. Now, Steve Gibson is here. There is another Chrome, zero day it's third of the year, but that's nothing compared to Microsoft's 128 patch Fest. Last Tuesday, Steve takes a look at some of them, including 47 critical vulnerabilities. And one will take a look at in greater detail. The RPC R E plus. Yes. Another problem with WordPress plugins. It's all coming up next on security now podcasts you love
... (00:00:30):
From people you trust.
... (00:00:33):
This
... (00:00:34):
Is TWiT.
Leo Laporte (00:00:36):
This is security. Now is Steve Gibson. Episode 867 recorded Tuesday, April 19th, 2022, a critical windows, R P C R C E. Security. Now is brought to you by JumpCloud, your complete platform for identity access and device management. Work smarter, not harder by securing SSO MDM, MFA and more from one plane of glass fully evaluate JumpCloud for free today at cloud.jumpcloud.com/securitynow And help your organization move to a modern secure hybrid work model. And by Thinkst Canary. Detect attackers on your network while avoiding irritating, false alarms. The alerts that matter for 10% off on a 60 day money back guarantee, go to canary.tools/twit and enter the code TWiT in the, how did you hear about us box. And by Zentry Security. Remote work is here to stay XRY security. Zero trust private access solution is a modern loud hosted alternative to a VPN. Enhance your security posture today.
Leo Laporte / Steve Gibson (00:01:48):
Try trusted access with a 30 day free trial by visiting zentrysecurity.com/twit. It's time for security. Now the show where we protect you, your loved ones, your privacy online with this guy right here, Steve Gibson. It's a Tuesday. It must be Stevie G. Hi Steve. Yes, indeed. In fact, this is a, this is the third Tuesday of the month, which makes it the patch Tuesday retrospective edition L and boy it's. We have really, in fact, there was one that was so bad that it became the title of the podcast. We're gonna examine Chrome's third, zero day of the year followed by, as I said, as you led me into Microsoft's massive 128 patch Fest last week. And, and we note that we don't even bother counting the windows zero days. Yes, it's a big deal that it's Chrome's third windows, eh, why bother counting?
Leo Laporte / Steve Gibson (00:02:53):
They had two this month alone and that was amid the 47 critical vulnerabilities that were patched. One of them being so worrisome that it captured this week's podcast title, which will cover at the end before we conclude. But we also have more WordPress add on troubles, the return of a longstanding problem in, and everybody knows this term, Apache Strutz, which of course gave Equifax of some serious heartburn back in 2017. We've got some interesting commentary about the current hackability status of the United States nuclear arsenal. Oh, which of course is sort of an issue now that Putin's been rattling his saber I wanna share a bit of closing the loop feedback with our listeners and give everyone a bit of a snapshot into the recent work on spin, right. Which I haven't mentioned for a few weeks then we're gonna wrap by taking a close look at the one flaw out of the hundred and 28 that Microsoft just patched last week that truly has the entire security industry now on pins and needles, because it enables a zero click internet worm.
Leo Laporte / Steve Gibson (00:04:17):
Whoa, that's not good. That's that it'll ruin your day that'll that'll or some people days. Yeah. That we do have a fun picture of the week as always. Okay. We're gonna get to all of that in a moment, but first a word from our sponsor for this portion of security now, and a new sponsor, we wanna welcome JumpCloud to our microphones jump cyber security. Of course, that's the topic of the day on this show. And it's a key issue. That's top of mind for every organization. In fact many continue to spend a large portion of their it budget every year to buy more complicated cyber security tools and to higher, expensive, hard to find staff to integrate and run those tools. But it doesn't have to be that way. Good security does not mean more complicated security finding the right solution to solve your specific needs without burdening your overworked it and security staff.
Leo Laporte / Steve Gibson (00:05:15):
You know, that's critical to your success and JumpCloud can help. That's why JumpCloud is recognized by I G two is a leader in five count. 'em Five categories. It's a top five security vendor. You can read the 1000 plus positive reviews on G two and find out why more than 150,000 organizations use JumpCloud today. I already see people in our chat room saying, oh yeah, we use JumpCloud. It's mark choice. They help you build a strong cybersecurity foundation by doing the basics, right? You can reduce 98% of the issues that lead to cyber incidents by just doing a few things. Well, multifactor authentication, applying least privilege access, patching your systems. You know, these, if you listen to the show, protecting data using Annie malware, and you can do all of that from JumpCloud in the form of a single platform, a single pane of glass, which means you're reducing it sprawl.
Leo Laporte / Steve Gibson (00:06:15):
That's a actually a very real problem. Complexity leads to greater cyber risk because it can lead to brittle systems, misconfigured security. We've seen this happen, alert fatigue. Oh yeah. Another one, another one, another one or other challenges having to do with some sort of piecemeal solution a, a bunch of different solutions, many different vendors. Jump cloud reduces the administrative overhead and reduces complexity. So you can do more with the resources you have turn on zero trust. For instance, today's reality. Working anywhere means device and user identity and access management is absolutely critical. Granting secure access without JumpCloud can be a painful multi year process that requires a variety of identity, SSO and other capabilities for vendors to implement. Nope, not with JumpCloud. It's seamless with JumpCloud to provision and grant access only to what each employee needs from a single integrated platform.
Leo Laporte / Steve Gibson (00:07:12):
You love the ability to enable hybrid work without risking and reducing your posture. The past few years obviously have accelerated remote work, but as employees begin to return to offices in 2022, it administrators now face the increased demand for a hybrid work solution. We see it here. I see we see it everywhere. Jump cloud makes it easy for administrators to securely manage users, devices, and access wherever those users are, wherever those devices are. So I want you to try JumpCloud. You can fully evaluate it for free right now. Go to cloud dot JumpCloud.com/security. Now cloud dot JumpCloud.com/security. Now help your organization move to a modern secure hybrid grid work model. You owe it to yourself to at least take a look at this, a free, full evaluation at cloud.jumpcloud.com/security. Now we thank JumpCloud for supporting the work we do here and the work you do there.
Leo Laporte / Steve Gibson (00:08:14):
Jump cloud.jumpcloud.com/security. Now picture of the week time, Steve, wonder if.cloud is a top level domain. I think that would, I feel like there is sense. That's a good question. Yeah. Then they could be cloud.jumpcloud.cloud. That's a few too many clouds, right? I'm ready for the picture of the week. I was saying to you before looking at picture the week that I, I was, I, I was, this made me ask myself if I like physical humor because you know, one of the things I got the biggest kick out of, one of our like legendary pictures of the week was that ground wire stuck into a pale of dirt. I know, you know, you love this is like it it's grounded. And then, and then the other favorite, one of mine was when the hardware store had bolt cutters, which it was securing against theft by looping a completely bolt cutter, a bowl cut, you know security cable through the bolt cutters.
Leo Laporte / Steve Gibson (00:09:21):
It's like you know, the bolt cutters are designed to cut the cable that you're using to hold them. So I don't know thing, I don't think that works anyway. This one is sort of another, we have like the third one here. This is like, it looks like an old school, like industrial control panel with like big indicator lights. And it's got those, those labels that are like, you know, like where engraved, where the top plastic layer of the label is white, but it's on a black plastic backing. So when you like engrave it, the black shows through. So like, you know, they can't fade. They're like, you know, made forever and it looks, so it looks like it's Soviet era technology is what you see. Yeah. Okay, perfect. Yes. Yes. And, and the, the controls are these big, like clunk switches that you would like turn left or right.
Leo Laporte / Steve Gibson (00:10:17):
You know, rotate left or right. In order to like engage the, the, the, the dump of the bad fluids or whatever out of some, you know, turn the pumps on. And then the whole, and the lights dim a little bit. Cause I was like satisfy chunk when you turn anyway, somebody, somebody wanted to make absolutely sure that one of these pristine knobs would never be twisted. So, so they took a, a big CRE, is that a Crescent wrench or a plumber's wrench, pipe wrench, pipe wrench. And it looks like it's been around for a while. Cause it's really rusty. I know. I love that. That, yeah. And so, so I kind of completes the picture. And so they, they first, you know, screwed this wrench down onto the handle of this twisty knob. So like, so that it was like not gonna move anymore.
Leo Laporte / Steve Gibson (00:11:15):
Then they, they, they took a piece of metal, metal kinda sheet metal, strapping tape, I guess, but, but metal strapping tape and bent it over the, the handle of this wrench and then screwed it to the front of the panel. And, you know, as I'm looking at this, I'm thinking, could you not have opened up the panel and jumped across that switch if you wanted it to always be on or disconnected it if you wanted it to always be off. But apparently that was beyond these people who decided instead we're gonna, we're gonna like screw a permanent wrench onto the outside of this and, and then fix it to the panel with some she sheet metal strapping tape. It's like, okay, well, it did make for a great picture of the week. So it's really bizarre. And somebody just tweeted it to me in the last couple days.
Leo Laporte / Steve Gibson (00:12:14):
So thank you very much for that. And to our, the rest of our listen audience, you now know where my funny bone is. It is in, you know, a, a pale of dirt that has a ground wire stuck into it, which, you know, that's classic and the, you know, similar ilk. I also love those water flow ones where like the wa the pipe is broken, but somehow the water is, is going through the air into a hole that someone cut in the pipe in order to get the mission to be accomplished anyway. Okay. So on our zero day, watch last Thursday, Chrome received an emergency update, bringing desktop Chrome to version one hundred.zero 48 96, 1 27. And that's for windows, Mac, and Linux desktop chromes. The exploit is once again, a type confusion flaw, which we've talked about in, in detailed before. So I won't go into it again.
Leo Laporte / Steve Gibson (00:13:14):
Also found in Chrome's V8 script processing engine and this one was found by Google's own threat analysis group, but it's a zero day because they found it in use somebody. And I, and I love it when their description says, this could do this, or could do that. Well, you think because someone was actually using it to do exactly that. So, yes, it's not that it, if exploited, it could do this, it's like, well, we, we watched it doing that and were embarrassed. We're sorry that that's the case, but, you know, update Chrome. Anyway, this is the third this year. It's the second of the it's the second type confusion flaw. And the first one was a use after free in Chrome's animation support and as usual users of chromium based browsers, the other ones, right? Edge, brave opera, and, and Vivaldi will be getting updates, probably have, hopefully already, since this thing, would've been able to be leveraged against any chrom based browser.
Leo Laporte / Steve Gibson (00:14:26):
And Leo, I've heard you several times lament this monoculture that the browser monoculture that we're slipping into. And then here's another like, perfect example is you, you, the bad guys see that everybody now except safari and Firefox are, are gonna be victims to a single flaw if they can find it, which of course is the, the, the liability on the good news is when you fix one, you fix it for all the others. But on the other hand, they were all vulnerable in the first place. So still browser mono culture is a bad place to be. Anyway, Google never tells us more about this because why would they that, that they say that they're not gonna talk about it until everybody's been well patched. And then by then no one cares. So they don't talk about it. So basically never. Okay. this is the, the official name of the week after patch.
Leo Laporte / Steve Gibson (00:15:28):
Tuesday has become follow up Tuesday because in this case we get to talk about what happened and this one won't disappoint users of windows received a total of one hundred and twenty eight one. This is like, I think it was since 2020 was the, the, the previous month that had this number of problems fixed all at once 128 fixes for known security vulnerabilities, pretty much everywhere desktop and server defender, office exchange, server, visual studio, prince Pooler, windows, DNS server, had a bunch we'll talk about and, you know, V everything. So, yeah, pretty much, you know, if you're gonna have 128 fixes, at least they're well distributed of the 128 bugs, which were addressed 10 were rated critical with a few even earning that rare 9.8 CVSs, which frankly it is fortunately rare for windows. We don't actually see a lot of nine point eights in windows.
Leo Laporte / Steve Gibson (00:16:39):
This time we got a couple we'll get back to those in a moment a whopping 115 of the others. So we had 10 that were critical hundred and 15, others were poor and the final three were considered to be moderate. As I mentioned, two, we got a pair of zero days, one that's known to be actively exploited in the wild so that we gotta call a real zero day. And then what MI, but Microsoft calls a zero day, because even though it had, hasn't been seen in use, somebody talked about it and that upset them it's been publicly disclosed. So the spread of these problems break down as follows. There are a total of 47 remote code execution vulnerabilities. Okay. Just take that in for a second 47 remote code execution vulnerabilities that they have fixed and the same number of elevation of privileged vulnerabilities, also 47.
Leo Laporte / Steve Gibson (00:17:47):
And remember, lest anyone thought that troubles with prince Pooler were all behind us, 15 of those 47 privileged escalation or elevation vulnerabilities were found in prince Pooler. There were also 13 information, disclosure problems fixed nine denial of service and three spoofing vulnerabilities. And aside from all that edge also separately had 26 flaws fixed, you know, and Chrome hasn't had that many. So this, you know, as we know, Microsoft is kind of trying to edgey the Chrome core sounds like, or looks like maybe they're having some problems doing that securely. The flaw that's being actively exploited. That is the true zero day is an elevation of privileged vulnerability occurring in the windows common log file system. And that one, even though it's the zero day is not one of the 9.8, it's a 7.8. And it was interestingly found and reported both by the NSA, the USS national security agency, and some researchers at CrowdStrike.
Leo Laporte / Steve Gibson (00:19:03):
So everybody, or several people saw that in use and said Microsoft a little problem over in the windows common log file system. Now the other zero day, which has been publicly disclosed, but is not known to be under active exploitation. Most likely because it's difficult to leverage is also a PED escalation. This one occurs in the windows user profile service, where actually we've been seeing some problem recently since its successful exploitation requires an attacker. They said to win a race condition where timing is critical. That's probably explains its somewhat lower CVSs of 7.0. And probably also why, although it's been talked about publicly, it hasn't as far as we know, been used, probably cuz it's tricky to somehow, you know, win that race condition. However, there are two biggies among the crop, both coming in with, as I said, rare for windows CVS S's of 9.8, the least worrisome of the two is in windows network file system and the other 9.8 or that has the security industry.
Leo Laporte / Steve Gibson (00:20:17):
As I said at the top of the show a bit on edge is a remote code execution flaw in the often exposed windows, remote procedure call runtime library. That's the RPC of this podcast's title, remote procedure call other RCE flaws Reno remote code execution flaws were fixed in windows server, windows, SMB and Microsoft dynamics 365 DNS Microsoft's DNS server. We touched on this in a, a couple podcasts ago, so that suggests that people have been looking at it more recently. And as we have seen, it's often the case that when attention gets turned to a specific item in Microsoft's repertoire, lots of problems get found there. Well, that's the case here again, the well known security researcher, the Yuki Chen focused on N S since Microsoft credited Yuki with discovering and responsibly disclosing a total of 18 previously unknown problems in their DNS server, one being an information disclosure flaw, but the other 17 being remote code execution.
Leo Laporte / Steve Gibson (00:21:48):
And that's again, 17 remote code execution flaws in their DNS server coming to light. Now we don't know how long they've been there. It's just astonishing to me anyway. I mentioned that Yuki was well known and apparently especially soda Microsoft last summer, he tweeted made number one this year. He said, thanks to at Ms. Ft, secure response and the bounty team congrats to all researchers on the list. He said, I personally know some researchers who reported nice bugs, but are not on the list this year hat tipped to their great work too. So that was gracious of, of Yuki. And we haven't shown this for a while. We did several times before this is MSS, you know, the Microsoft resource security response center, 2021, basically their MVP, their most valuable security researchers list. In this case, it's the top 58 Yuki is number one.
Leo Laporte / Steve Gibson (00:23:05):
And then there's just, you know, 57 others. So anyway, think it's cool that Microsoft has given them recognition. There was an, an interesting story that didn't didn't have enough meat in it to make the podcast, but it was that Microsoft had increased the bounty for some of their products, some of their 365 things. So anyway that's Tuesday and we will be getting to this most worrisome of all RCE in the in the remote procedure call runtime library by the end of the show. Okay. So WordPress, once again is in the cross hairs and it's not surprising there are just a constant barrage of problems with their plugins and WordPress is, is so highly used on the internet that the vulnerabilities matter there, a site named and a service named plugin vulnerabilities. I don't think that was wisely named my, if I were to tell my trademark guy that I want to call a site plugin vulnerabilities, he would say, no, that's, that's a bad idea.
Leo Laporte / Steve Gibson (00:24:26):
You probably can't actually trademark that. Cuz it's just not unique enough. Anyway, they explain or they explain themselves as a service to protect your site against vulnerabilities and WordPress plugins. And as we'll see, not only will that keep them busy, but what's happened is we've seen sort of a, a sub-industry get created from from third party services that are all jumping in to, to perform that function there. This plugin vulnerabilities site and service most recent posting from last week is titled five plus million installed WordPress plugin Elementor contains authenticated, remote code execution, paras, RCE, vulnerability. They wrote late last week, third party data we monitor showed what was possibly a hacker probing for usage of a WordPress plugin named Elementor, which has more than 5 million active installs according to WordPress. And this, this hacker probing for the file slash WP hyphen content slash plugins, hyphen Elementor hyphen read me dot text. So that makes sense if that directory were world readable. And I guess it sounds like it is if they thought that they were gonna get it, that would, that would allow somebody to the contents of read me dot text, if they were able to do that, that would tell them that that site was had the element or plugin installed and then they would do whatever it was. They were gonna do.
Leo Laporte / Steve Gibson (00:26:22):
The guys at plugin vulnerability said we couldn't find any recent disclosed vulner abilities that should explain that. So we started doing our standard checks. We do in a situation where a hacker may be exploiting an unfixed vulnerability in a plugin. What we immediately found was that the plugin isn't handling basic security correctly shock. I know they said, he said, as we found many functionalities where capabilities checks were missing, where they shouldn't be while some of those were not to users that shouldn't have access, we found at least one that is, and the functionality accessible leads to one of the most serious types of vulnerabilities, remote code execution. That means that malicious code provided by the attacker can be run by the website they wrote. In this instance, it is possible that the vulnerability might be exploitable by someone not logged into WordPress, but it can easily be exploited by anyone logged into WordPress who has access to the WordPress admin dashboard, unless another plug restricts access to the admin dashboard.
Leo Laporte / Steve Gibson (00:27:46):
That would mean anyone logged into WordPress would have access. The vulnerability was introduced in the plugin in version 3.6 0.0, which was released on March 22nd. So that's interesting that about over a month ago or rather not, yeah, just about exactly a month ago. And they said, according to WordPress's latest stats, 30.3% of users of the Elementor plugin are now on version 3.6 point something. So that's it there interesting sta by itself. So that says that a month after a, the 3.6 0.0 was published one month later, only 30.3% of users of that plugin using 3.6 point something, meaning that first of all, 70% that had not upgraded hadn't had avoided vulnerability as a consequence of that. But unfortunately, in this case, because the vulnerability was introduced with 3.6 0.0 and we don't know when it was removed, then actually we'll, we're gonna find out in a minute, but at, you know, 30% of users were vulnerable and apparently some bad guy perhaps knew that and was poking around the internet trying to find victims.
Leo Laporte / Steve Gibson (00:29:22):
Anyway, they conclude based on what we, what we saw in our very limb, it a checking we would recommend not using this plugin until it has had a thorough security review, meaning that overall they were not impressed with the, with the design of the plugin that they found. They said, and all issues are addressed that it has five plus million installs and hasn't been properly secured should be very concerning. They wrote it certainly isn't for a lack of money at the developer as they raised 15 million in 2020. It also, it also isn't for, or a lack of reason to be concerned. As two years ago, it was claimed a zero day vulnerability in the paid version of the plugin was being exploited. So their English was a little spotty, but, you know, they appear to be legitimate security concern. Although having said that a as I dug deeper, more deeply into this I became a little, I guess their, their background became a little more questionable.
Leo Laporte / Steve Gibson (00:30:35):
They posted snippets of code, which demonstrated and detailed the vulnerability. And apparently this disclosure or their disclosure was made deliberately and irresponsibly over a dispute with the WordPress plugin forum moderators. It seems that these plugin vulnerabilities guys have long been unhappy with the way WordPress manage the reporting of security vulnerabilities and reading between the lines. It sounds as though WordPress downplays in their, in their opinion, WordPress downplays, vulnerability reports, which annoys these guys. And it sounds like there's been sort of a back and forth clash of egos, a different firm known as patch stack in the same business as, as the plugin vulnerability guys, that is another one of these companies in the addon WordPress, we're going to try to keep you safe business wrote. They said the widely popular WordPress website be older plugin Elementor, which has over 5 million active installations has recently released version 3.6 0.3, which contains an important security fix.
Leo Laporte / Steve Gibson (00:31:58):
So that tells us that 0.0 0.1 and 0.2, we're not fixed. Point three was, they said this vulnerability allows an authenticated user regardless of their authorization to upload arbitrary files to the site. The arbitrary file upload vulnerability could allow some to take over the entire site or perform remote code execution, please update immediately exclamation point. Then they added that patch stack pro and business users. And this is, you know, them promoting their service patch stack pro and business users have re have received a virtual patch to be pro to be protected from this vulnerability and the previous group. You know, the, the, the plugin vulnerabilities guys who had their bruised egos also produce what they call a WordPress firewall to autonomously protect their are subscribers from this danger when it's been configured to do so in this case to limit the types of files, which can be uploaded because it's by allowing you to upload something that you're then able to execute that the, the attacker is able to cause it to get executed, thus running their code on your site.
Leo Laporte / Steve Gibson (00:33:16):
So word is undeniable vulnerability. I mean, undeniable popularity, excuse me, their undeniable popularity coupled with a constant stream of problems, mostly created by insecure and poorly written WordPress plugins has, as I said, spawned an in of addon WordPress protectors in the past, we've often referred to the firm word fence where a lot of these vulnerabilities were found and reported always responsibly. Those are good guys and their businesses protecting the sites that, that, that are their subscribers until the add-in has been patched. So they're as proactive as they can be. And of course, we just talked about plug-in vulnerabilities and patch stack. There are many others. I saw a list of about 30 recently. And although it was obviously self-serving recall that it was as patch stack who, and we cited them a month ago released a research white paper, observing that last year saw a 150% increase in reported WordPress vulnerabilities compared to the previous year 2020 with the alarming news that 29% of the critical flaws in WordPress never received a security update.
Leo Laporte / Steve Gibson (00:34:47):
You know, they've, they've their plugins that have their developers have wa have wandered away from yet later, a critical flaw is found and it never gets fixed. They also observed comfortingly that only 0.58%. So what about one in 200 problems were found in the word press core with the rest being in themes and plugins written by anyone else and typically offered without review. They also noted that almost all of the problems, 91.38% of the flaws were found in free plugins, whereas paid slash premium WordPress add-ons only accounted for 8.62% of the total. So the, the takeaway walk away advice is stick with the most bare bones, WordPress installation possible because the WordPress core is solid. If you want more, take your time, look around, find the most reputable source of WordPress add-ons that you can, which probably means you have to pay for it, but you're paying for some security.
Leo Laporte / Steve Gibson (00:36:10):
That's probably worthwhile. And, and in making this trade off, except that as all, we, there will be a trade off between security and ease of use. You just need to decide where you want your site to sit along that tradeoff and Leo, I'm gonna get some water while you tell us that's a trade off of a kind, you get water. I get ad seems talk about Apache struts, which is, is a interesting problem. I like to talk about this and you know about it because we've talked about forever. Oh, yes. I'm just holding up my Canary here. This is a a honey pot. It doesn't look like a honey pot just looks like a little black device sitting on my desk, but let me tell you it looks like a honey pot to me, to the bad guy. This Canary looks like something valuable.
Leo Laporte / Steve Gibson (00:37:08):
In my case, I've connected this up to make it look like, and it's very easy to do this. There's a, there's a webpage. You just go into your Canary console and you can say, oh, I want you to be a skated device or a NAS server or a Linux box or a windows server. And you can light it up like a Christmas tree with all kinds of, you know services turned on, including RPC, if you want. That could probably be a good one to turn on, right. Say, oh yeah. I'm windows seven. Running RRP. Yeah. Oh yeah. In my case, this is a, a NA it has a Mac address of a Sonology NA when you go and hit it, you log in, it's got the login page indistinguishable from Sonology. There's a difference though. It isn't a Sonology NA, and as soon as somebody tries to log into it, I'm gonna get an alert that lets me know.
Leo Laporte / Steve Gibson (00:37:56):
And that's the whole point of these things can areas. If there's anything we've learned from the last couple of years, companies need to be prepared, not just at the perimeter, but for a bad guy to be in the network, an advanced, persistent threat, wandering your network, looking at all your security, maybe even ex trading information as they have done now from Envidia and Samsung. So many companies, of course, Sony was the poster child for this it's. If unfortunately, it's often companies find out that there was somebody in the network way too late. They've spent millions on perimeter protection. Somebody got in and they didn't know about it. In fact, on average, it takes 191 days for a company to find out there's been a data breach. Not if you have these little devils, these little canaries on your network. These were designed by, by guys who have spent the last two decades training companies and militaries, governments, how to break into networks, they're experts.
Leo Laporte / Steve Gibson (00:39:04):
And it's that knowledge that they used to to build the Canary. You'll find canaries deployed all over the world. It's really one of the best tools against data breaches. It's not perimeter protection. It's detection of a bad guy already in the network. You, and if they're in you, you wanna know you could do a whole bunch of things with this, besides say, you know, it's a server or whatever. You can enroll it in active directory, say it's a file server or file share. You can create many infinite number of document with this. They call 'em Canary tokens. They look like PDFs or Excel spreadsheets or word documents, scatter them around the network. If somebody tries to open them, they phone the Canary here and it phones home. And I tell you, you will love the way Canary reports. There's an attack to you.
Leo Laporte / Steve Gibson (00:39:53):
Basically. You'll love it, cuz it's how you want it. Whether you want you know, Canary gives you a console. It supports syslog. They have an API, it supports slack. You get a slack message, an SMS message, an email, basically any way that you want and you won't get a lot of, you know, spurious reports or false positives. In fact, I love this. I haven't heard from, I can area in months. It's been a long time, but that's a good feeling. That means there's no one on the network cuz this thing doesn't look vulnerable. It looks valuable. That's the whole idea. Think of it as trip wires on your network, invisible trip wires that an attacker can't help, but set off. I just think this is such a great idea. I think you should take a look at a Canary. Let me give you an idea of the cost.
Leo Laporte / Steve Gibson (00:40:41):
I think it's quite affordable. Actually. You can buy one. You can buy a thousand. Some big banks might have 'em all over the place. A small business like ours might have a handful. Let's say five, just as you know one possibility that'd be 7,500 bucks for all 5, 1 7500 payment. For all five, you get the canaries, you get your hosted console, all upgrades for a year, all support for a year maintenance for a year. If you sit on it, if you hit it with a hammer, whatever, they'll send you another one. And by the way, if you're gonna buy a Canary, use the offer code TWiT in the, how did you hear about a box? And that way you're gonna get 10% off, not just for the first year, but forever, as long as you're using canaries. So that's a big, big discount.
Leo Laporte / Steve Gibson (00:41:28):
Yeah, I know you're saying, well, I don't know. Is there a try before you buy, how about a two month money back guarantee for a full refund, 60 days to try this? And then if, if for any reason you say no, it's not for me full money back refund. We know you won't, that's why they can offer that because everybody's ever tried. The Canary has great things to say. If you go to the website, canary.tools/love, you will see a page loaded with tweets all about the Canary from some of the very biggest names in security canary.tools/twit to get your discount, canary.tools, C a N a R Y like a Canary in a coal mine. Get it. That's the little Tweety burden, a cage that if there's somebody in your network, it goes, Hey, Hey canary.tools/twit. Don't forget to put TWiT. And how'd you hear about a box for 10% off for life. Honey pots are hard to set up on your own. The Canary couldn't be, look, I set it up. It couldn't be easier. Canary dot tool.
Leo Laporte / Steve Gibson (00:42:36):
And now back to Steve Reno, Steve. So when we hear the phrase Apache Strutz certainly longtime listeners to this podcast will immediately think back to the historic equi fax breach of 2017, which was the result of Equifax not having updated their Apache Strutz Java web framework for several months after a critical must patch update had been published, wired magazine's coverage of the event at the time was titled Equifax. Officially has no excuse with the subtitle, a patch that would've prevented the devastating Equifax breach had been available for months. So that, you know, as our listeners know that infamous breach con the data of 143 million users as hackers, exfiltrated the names, social security numbers, dates of births addresses. And in some cases driver's license numbers. In other words, everything you need to perpetrate identity theft, which of course was the big problem there. What wasn't mentioned at the time was that the flaw was in an historically troubled struts component and actually not only struts, but a historically troubled component known as OG N L that's the object graph, navigation language and guess what, it's a powerful interpreter.
Leo Laporte / Steve Gibson (00:44:21):
And then some O G N L is an open source expression language for Java, which simplifies the range of expressions used in the Java language among other things OGN L enables coders to more easily manipulate arrays. But as it turns out, parsing O G N L expressions based on untrusted or raw user input has long been dangerous. Okay. I got a kick out of what Wikipedia had to say, listen to this, and don't try to understand all of it. Just sort of let it wash over you. Wikipedia said OGN L began as a way to map associations between front end components and back end object using property names. As these associations gathered more features, drew Davidson created key value, coding language KV, C L Luke Blanchard, then reimplemented KV C L using a N T L R, which you know, antler and started using the name OGN L the technology was again, reimplemented using the Java compiler compiler, Java CC OGN L uses Java reflection and introspection to address the object graph of the runtime application.
Leo Laporte / Steve Gibson (00:45:56):
This allows the program to change behavior based on the state of the object graph, instead of relying on compiled time settings, it also allows changes to the object graph and, and finally, due to its ability to create or change executable code OG N L is capable of introducing critical security flaws into any framework that uses it. Yeah, we'd like to please Mo multiple Apache struts, two versions, Wikipedia rights have been vulnerable to O GNL flaws as of October, 2017. The recommended version of struts two is 2.5 0.13 users are urged to upgrade to the latest version. As older versions have documented security vulnerabilities. For example, struts two versions, 2.3 0.5 through 2.3 point 31 and 2.5 through 2.5 point 10 allow remote attackers to execute arbitrary code Atlassian confluence has been affected by an OGN L security issue that allowed arbitrary code remote execution and required all users to update in other, okay.
Leo Laporte / Steve Gibson (00:47:30):
In other words, as we've seen before, not all ideas are good and OGN L appears to be way too powerful and also particularly gifted at being bad where it's used. It appears to reek havoc back in 2020, a different OGN L injection bug, which is what all of these O GNL problems are called was assigned a CVE 20, 20 17,005 30 within tension grabbing severity rating of 9.8 back then a pair of researchers responsibly reported to the struts team, their discovery of a, what they called a double evaluation flaw in struts two versions, 2.0 0.0 all the way through 2.5 point 25. So sweeping, and, and basically from the beginning of struts two to then, which could occur under certain circumstances. The advisory for that CVE states that some of the tags attributes could perform a double evaluation. If a developer applied forced O G N L evaluation by using the percent and then curly braces syntax, and using forced OGN L evaluation on untrusted user input can lead to a remote code execution and security degradation.
Leo Laporte / Steve Gibson (00:49:13):
I guess you'd call it a security degradation if somebody's remote code was being executed on your system. Okay. So finally, although Apache had resolved that known 2020 flaw back then in the succeeding release, which was struts 2.5 point 26, since everything before that was had this problem researcher, Chris McOwen later discovered that the applied fix was incomplete. And, you know, that's what you get when these things are just this complicated. Like this is mind bogglingly crazy. So he responsibly reported to Apache that the so-called double evaluation problem could still be reproduced in struts version, which they thought they fixed 2.5 0.26 and above, which resulted in the assignment of a recent CVE. Actually it was last year, but it's just been patched. It was CVE 20 21 31, 8 0 5. So today users are advised to immediately upgrade to what is now current Strutz 2.5 0.30 or greater, and to avoid using forced O GNL evaluation in the tags attributes based on untrusted user input, because that's never gonna turn out well it's, you know, it's just not safe.
Leo Laporte / Steve Gibson (00:50:48):
And given what happened after E after Equifax apparently ignored similar advice back in 2017, I would be inclined to do whatever was necessary to stay current with stretch two, if you, or your organization or anybody, you know, or care about is using it, be sure that you're running the latest, which is now 2.5 0.30, because my sense is this is exceedingly difficult to, to to execute. This is, you know, this is not the low hanging fruit that the script kits are going to use, but if it, if it was found that a site is using a vulnerable version of struts two and you know, based on the statistics we keep seeing of, of upgrade inertia it's doubtless that some are it's then gonna take somebody who's who really understands this stuff to engineer an exploit, but it's clear it's possible. So, and, and it's obviously even hard to fix this thing.
Leo Laporte / Steve Gibson (00:51:59):
So it's, it's unfortunate that this OGN L is anywhere near struts, but, you know, it sounds like it's, it's very, very much more hour than, than probably is necessary, or that should be in there, but it is okay. Our America's nuclear systems so old that they're hackable, which is an intriguing question. And I was put in mind of my meeting back in 1984, a dear friend of mine who was incredibly non computer savvy. She was a realtor. We met when I purchased my home from her in 1984, she needed to access the realtors, MLS the multiple listing service. And she was using something at the time, which she called her modem. She just called it the modem. It was actually, I was humored to see a Texas instruments, silent 700 thermal printing terminal. And remember with those original rubber caps or cups on top, that you would press telephones handset down into after first dialing into some computer.
Leo Laporte / Steve Gibson (00:53:17):
Well, we became lifelong friends and when the internet happened, this MLS service moved online. So I set her up with a windows 95 machine windows, 95 was, you know, current at the time, then many years went by with everything working fine until someone she had over to her home was shocked that she was still reusing windows 95. I don't recall where the rest of the world was by then, probably at, on XP. So she immediately phoned to ask why her computer had been allowed to become obsolete. And I said, Judy, does it work? Which gave her pause. And she said yes. And I said, is there anything you need to do with it? That it doesn't? And she said, no. So I explained that there was a growing problem on the internet with security. People were getting their computers hacked by clicking on the wrong thing.
Leo Laporte / Steve Gibson (00:54:17):
And she said, oh yeah, that's happened to several of my friends. She said they got viruses in their computers that were sending out email to all of their friends and infecting them too. And so I said, Judy, did you receive those emails? And she said, yes. And I asked, and did you get infected too? And she said, no. And I said, that's right. And that's because your computer is too old to get in to, to get infected by modern viruses. It uses an older and original sort of code, which is in many ways better, especially for the few things you need your computer to do. You know, basically she just used what she called the Google, which she did not understand. She did not know that the Google was not the internet because that was what she addressed. She confronted the Google. So she continued to use that machine happily for many more years, until someone convinced her to buy a new one after which she pretty quickly got herself infected.
Leo Laporte / Steve Gibson (00:55:29):
And I sort of felt a little responsible for that because I had never needed to like lecture her on safe computing. She, she had no antibodies. She exactly, she had never been exposed. I had exactly that thought Leo. Exactly. Okay. So that brings us to really interesting piece that ran in the record last week that I wanted to share some parts from, it was intriguing to me. And I think it will be intriguing to our listeners because it was interesting to see how much of the general philosophy of complexity and security and the, if it's not broke, don't fix philosophy, which we've developed on this podcast. You know, as a matter of self preservation through the years and how much of that was in quotes from this story. So to set up their piece, the record first establishes the context of the moment they wrote as the cold war drew to a close, a surprising contender emerged as the third largest nuclear power on earth Ukraine, the country was home to some 5,000 nuclear weapons placed there by Moscow.
Leo Laporte / Steve Gibson (00:56:50):
When Ukraine was still part of the Soviet union, Keve sent the weapons back to Russia in exchange for security guarantees from the us and Britain and a promise from Moscow that it would respect Ukraine's sovereignty. Ben president Vladimir Putin invaded in February, the nuclear option, which many thought had been largely removed from the table was one of the first sabers Putin chose to rattle. When he announced that Russian troops were moving into Ukraine in February, he reminded the world that not only did Russia possess nuclear weapons, but it was prepared to use them. Anyone who tries to stand in our way, he said will face consequences, such as you have never seen in your entire history.
Leo Laporte / Steve Gibson (00:57:52):
The threat raised an uncomfortable question after decades of pursuing disarmament talks and assuming nuclear confrontation was a bridge too far was the United States ready for the ultimate confrontation with Russia. And of course, nobody wants that. Okay. But, so that's interesting amid all the talks of cyber offense and defense. I have found myself wondering as I imagine our listeners may have how strong our nuclear deterrent is in the face of reportedly quite capable, foreign cyber attacking adversaries. What I'm gonna share from what the record wrote and which I've edited for the podcast speaks to exactly that they said, and I've again, I've I of edited this to make it more understandable verbally, right up until three years ago, us nuclear systems were using eight inch floppy discs in an IBM system. One computer first introduced in 1976. It was not, not connected to the internet and required spare parts, often sourced from eBay.
Leo Laporte / Steve Gibson (00:59:12):
Some analysts think America's slow walk toward modernization of its nuclear systems may turn out to have been a cany strategy because the systems are so old much like Judy's old windows, 95 machine. They are practically hackable, herb Lynn, a professor at Stanford university, an author of a new book titled cyber threats and nuclear weapons said there is a truism about computers, which is that when we have a computer it's we always want it to do more. His book looks at the risks of cyber attacks across the entire nuclear enterprise. He says, the more problem inevitably introduces vulnerability into systems and Def and defense officials have to think carefully about how to modernize. Amen, please. He said, if you'll grant the point that the more you want a computer system to do a more complex, the system is that you have to build, then you take the second step and you realize that complexity is the enemy of security. Yeah. Where have we heard that before? I think it was Admiral AMA in Battlestar gal gala, actually.
Leo Laporte / Steve Gibson (01:00:43):
Yeah. Remember that's why gala Galactico survived the attack of the signs. He still had phones with wires on them coming out of the wall. They hadn't adopted the new technology and they were the only ship in the fleet that survived. Nice. You see, couldn't be hacked. Yep. There it is. Yep. So Lynn says that this is where things start to go wrong. As, as much as it happened with the gala galactic of fleet, he said, run the probabilities. And there's a chance that one of those many complex components could be vulnerable to a hack in a way. No one had considered before the cautionary tale is stucks net. The virus in worm that found its way into the naans uranium enrichment plant in Iran in 2009 and 2010 stucks net, which appears in, in this writing to have been the brainchild of us and Israeli intelligence services was able to take control of centrifuges, used to enrich uranium gas inside the giant plant.
Leo Laporte / Steve Gibson (01:01:55):
And without anyone noticing get them to spin so fast, they broke for a long time. The cause of the centrifuge failures was a complete mystery. Scientists were fired. Officials thought they were sleeping on the job or not maintaining the systems properly. It never occurred to anyone until much later that a cyber weapon could possibly find its way into a system that was air gaped from the internet. And so closely watched stucks net had probably been in their systems a year before they even discovered it. And of course, this is a cautionary tale because its that may be sticking with eight inch F floppies was a good idea. The thinking has been, they write that America's geriatric nuclear weapon systems may actually provide an inoculation from this kind of attack. Lynn wrote many of the systems right now are so old that there's nobody or few, very few people who know how to get at them. So right now the current assessment is that the nuclear command and control system anyway is mostly robust against a cyber threat. And of course that bar is high. Wouldn't you say when you're gonna say we're robust against, you know, the nuclear command and control system being compromised. Good.
Leo Laporte / Steve Gibson (01:03:31):
Hiat Alvie a professor at the us Naval war college studies, these kinds of nuclear weapons issues. She spoke to the record in her personal capacity. She says she has a mantra when it comes to our nuclear weapons system. And I love it. If it's not broken, it doesn't need to be fixed. Alvi says the calculus is pretty simple. Why try to change something that has worked for decades, assuming you change them to upgrade them to modern te you are actually inviting more risks and potential threats and sabotage into the system. While officials have tinkered at the edges of the nuclear weapons systems, John Lauder, who used to direct the CIA's non-proliferation center says most of the systems were using are from the seventies and eighties. And I'll just remind everybody that, you know, we've been, it's like staring at the chips on motherboards, which all come from China, you know, like wondering and worrying whether that EPROM like might be more than it looks like. Or whether that, you know, the ethernet connect or could have a chip hidden, you know, inside it it's. So it's like, you know, just please leave everything alone. He said there has been a general sense from people who worked in arms control that we had put together a set of agreements that would keep peace and to bill, as a result, modernizing nuclear weapons systems seemed less important since there was a general sense that the weapons would eventually be phased out. But Ukraine, he said was a wake up call
Leo Laporte / Steve Gibson (01:05:21):
In 1979, about three years after the us nuclear weapons program adopted that state of the art at the time. IBM series one, computer William Perry, who was a top Pentagon official at the time, got a phone call the voice on the other end, identified himself as the watch officer Perry, who would later go on to be defense secretary in the Clinton administration recounted in his podcast at the brink. He said, the first thing the watch officer said to was that his computers were showing 200 nuclear missiles on the way inbound from the Soviet union, yikes to the United States. And for one horrifying moment, he said, I believed we were about to witness the end of civilization. I mean, this actually happened as Perry weighed the possibilities. He concluded. This had to be some kind of mistake. There was nothing going on in the world at the time that would've caused the Soviet union to suddenly strike Perry, asked the watch commander to find out what had gone wrong with the systems.
Leo Laporte / Steve Gibson (01:06:44):
So he could explain what happened to the president in the morning. It turns out someone had accidentally put a training tape into the computer instead of an operating one. As a result, what the computer saw was a simulation of an actual attack. It looked real because it was designed to look real Perry says that night fundamentally changed the way he thought about nuclear weapons. He came to the conclusion that simple human error could indeed lead to nuclear war. He said, quote, it has changed forever. My way of thinking about nuclear weapons up until this a false alarm, an attack by mistake, starting a new clear war by mistake was a theoretical issue until it wasn't.
Leo Laporte / Steve Gibson (01:07:48):
So there have been many questions raised and interesting movies made surrounding the question of whether a human being would be able to follow an order would chew to follow an order to turn the keys, to launch a strike. So understandably, there's a huge urge on the part of those who are given the responsibility of protecting us to remove the human factor from the loop on the basis that it introduces a wild card, an unknowable uncertainty that cannot be relied upon the good news is that there are now so very many lessons which have since been learned about the true fragility of our supposedly advanced technology that it's at least reasonable to hope that ultimate control will not be centralized. And after all, all the strength of the internet arises from its inherently and brilliantly decentralized design. You know, the, the good news is that, you know, William Perry was in the loop, got the call, did like a reality check and said, wait a minute, this, it makes no sense that this could a, that there's actually 200 inbound nos from the Soviet union.
Leo Laporte / Steve Gibson (01:09:16):
You know, let's double check our systems. So anyway it's gonna be interesting to see what happens. A little bit of, I thought interesting insight that, that, because our weapons just, you know, we, no one has believed we were gonna probably ever need these things again. You know, I'm sure they're being dusted, you know, oil is, is, you know, they're, they're, they're kept in functioning condition, but the technology has been pretty much left as it was in the seventies and eighties. And I say good because, you know, the only way, the only way it would be safe would be if, if we ourselves designed the chips and used our own foundries to make them and build systems that did it, like from this, from the sand on the beach, up to working Silicon in order to function, everything else, everything in our systems these days we get, you know, offshore and I the world has changed too much recently.
Leo Laporte / Steve Gibson (01:10:44):
Okay. A couple of bits of feedback from our listeners max fine leave. He said re E the coin base segment. That's where I was talking about the, the unsatisfying login experience or trial I had with Coinbase. I mentioned that last week, he said, Gmail also has the same login process where you enter your email and then your password on another screen. And so I thought, well, okay, they don't have to be the same screen. It's just that the entering your, your username, your email has to not provide any feedback. Okay. Many other listeners have written since then to note that this or that online service does the same thing as Coinbase. I distinctly recall Leo that once upon a time, we use Gmail as an example of this being done. Right. But sure enough, I tested Gmail. I, I went to Gmail using an, an incognito mode, so it wouldn't have any knowledge of who I already was.
Leo Laporte / Steve Gibson (01:11:51):
And I entered the email. Bingo Dingo lingo, gmail.com. And I never had the chance to enter a login password. Gmail immediately told me that they had no record of that account. So it appears that over the years, ease of use has prevailed even at Google over stricter, but less user friendly and less forgiven, forgiving login policies. And I guess, you know, it, it certainly is the case that not all websites should or need to set the bar at the same height. I guess I could see lot. Don't like the idea of, of Gmail having, you know, broken this login process into something which can be, can be decomposed into two separate things. What was it? It was, it was not, we, it was w I want, I wanna say WPA a D it was that it was that pro that wifi protocol where you had to enter in the eight digit code WPS and it w WPS yes, it was WPS.
Leo Laporte / Steve Gibson (01:13:05):
Yeah. An eight digit code. Well, first of all, the final digit was a check digit for the other seven. So that didn't count. You always knew what that was. And then we, what we learned was that you didn't, the, the protocol was broken such that you could separately guess the first three digits separate, or maybe it was the first four separately from the final three, plus the check digit. And of course that hugely reduce the security. The fact that, you know, it was no longer all seven, cuz you could compute the eighth, all seven had to be right. Instead you could decompose it into four and three, which reduced the strength by a factor of a thousand. Anyway it does look, I just wanted to acknowledge max and everybody else tweeted me and wrote saying Steve, you know, your favorite password manager does the same thing.
Leo Laporte / Steve Gibson (01:14:02):
And it's like, oh really? Okay, well that's too bad. Why do they do that? I don't understand besides the security issue, why ask the email first? I don't, I've never, everybody seems to do do that now. What is there some thinking, well, it, it is how they find your account, right? So they, they, you know, that's how they identify you, but I would like them to be mom about it until then ask you for your password. Right. And then say, we're sorry, we had a problem now from a customer service standpoint. Right. It's much, it's much easier if you tell the user, oh, we don't know you. Yeah, yeah, yeah. You, you have a typo in your email. Right. Then, then the user goes, oh, but the problem is that's exactly that same ease of use. Right. Makes it ease of hack, right? Yeah.
Leo Laporte / Steve Gibson (01:14:56):
Cuz you can try email addresses to you find one that they do know right now. You're halfway there. It's yeah. And if it's coin, I mean, and if it's one thing, if it's Gmail, that's not good. But if it's Coinbase, like if, or if it's your bank or like, you know, something where security really matters. Wow. Now we can fish you. Yeah. Yes, exactly. Dana J Dawson. He wrote, he said at SG GRC on SN 8 66 and today's 8 67. So that was last week. You seemed unimpressed. Yeah. With the new Ms. Windows auto update service, you think but in other SN episodes, you've imp you've I implored home router makers to include an auto update feature. Could you elaborate on this apparent contradiction on an upcoming security now episode? Yes.
Leo Laporte / Steve Gibson (01:15:51):
The issue Dana and anyone else? The issue of auto updates isn't is not settled because it's not black and white. There are pros and cons and tradeoffs and there isn't a single right answer. The biggest difference arises due to the environment being addressed. For example, a complex enterprise network has many moving pieces and it presumably has some dedicated it staff who knows who know those pieces intimately and are competent to test any changes and validate that updates are safe before they're applied throughout the entire network. Contrast that to a cute little router box, sitting alone and forgotten in a closet, which was installed by an elderly couple's grandson after they asked him how they could get wifi.
Leo Laporte / Steve Gibson (01:16:54):
If when it was installed that little router offered the option for automatically keeping itself up to date, we can hope that the grandson had the foresight to enable it. If it wasn't the default, my feeling is that given the set and forget environment, which most routers find themselves in coupled with the fact that those routers are bristling with features and run complex Linux operating systems where new problems are being found and that there's an active, there's active pressure to find and compromise these autonomous little devices for incorporation into botnets, crypto mining, and perhaps some die. You know, something more, I believe that the default setting should be to allow the router to self in the event that a critical remotely exploitable flaw is discovered and reported to its manufacturer. Yes, the option should be, there should be an option to disable it. You should be able to say, and maybe even explicitly ask the user, if you're nervous about having it on by default, this router will update itself only if it really needs to. Is that okay? Or maybe even have it be like three settings off all updates or super ultra mission, critical updates only. I don't know. But the point is it feels to me like that's the case of, of the, of, of the forgotten router in the closet and grandma and grandpa don't even know what it is. You know, it probably has socks covering up now. So it's, it's overheating.
Leo Laporte / Steve Gibson (01:18:44):
Okay. The enterprise and the router in the closet scenarios are obviously different. But with they have in common is their use of complex software, which we still haven't figured out how to get. Right. I think that the use case of auto patch that is windows auto patch is the very large middle ground. I'm unconvinced that it will make sense for any significant enterprise that employs their own. In-House it staff to turn over control of updating to this level, to Microsoft, but most small businesses do not have in-house it staff. They've got some guy who comes in when they call to fix something that broke. If Microsoft has found that their monthly updating is breaking more things than it's fixing, then having a way to detect when something has gone wrong and revert, you know, in other words, auto patch may sense and you know, auto patch sounds more appealing than windows ate.
Leo Laporte / Steve Gibson (01:19:59):
So the problem is to me, this whole thing, this auto up this auto patch thing, and we're gonna, you know, we've got four rings of, of testing. We're going to stick our toe in the water and see if, you know, if, if something breaks and, and if so, we're gonna back out and we won't go any further. This, this all feels eerily like capitulation as if somewhere inside Microsoft somewhat acknowledged that they cannot actually fix windows. So they're gonna automate it, not being fixed, but you know, I still love windows. I think it's an amazing piece of work it's in front of me right now. I think it's incredible that it works as well as it does. And I very rarely have any trouble with it, although, no, don't know if you noticed Leo in the middle of this first sponsor break, zoom just shut down.
Leo Laporte / Steve Gibson (01:20:53):
Oh, I didn't. Yeah. Oh, how funny? The win, the window disappeared. And I just like stood there with my mouth opens what it never happened before. Well, it's perfect. Not timing. It was. So I just restarted it and re-entered our connection. And there you are. It was transparent, so, okay. Every, so often my cable modem does the same thing and I just kind shrug and restart it. I think it only happened once so far during I know Leo. I don't understand how they how we survive. Really. I did, I did. I I've been silent for the last couple weeks about spin, but I thought I would share like what has been going on cuz it's kind of interesting. And I, and I ignore our listeners who are waiting for six, one will find it. Interesting. work has continued without interruption.
Leo Laporte / Steve Gibson (01:21:42):
We've just emerged from an interesting sideline where we learned some surprising things about many of our systems, one of the big changes being made in spin, right, 61 is the use. I've mentioned this many times, a very large 16 megabyte transfer buffers. The theory was that this would allow maximum performance by reducing the overhead in between many little transfers, you know, inter transfer overhead. And for SSDs, this theory has panned out big time spin right is like two or three times faster than any biases that anyone has. And often as I did mention months ago, we're like right up at the ceiling of the ma the maximum theoretical transfer rate on the wire. But this also holds for some spinning drives, which we now in the news group refer to as spinners. But it turns out out that not all spinning drives perform best when their hand is huge transfers to perform.
Leo Laporte / Steve Gibson (01:22:58):
I don't recall why I thought to look, but we were finding that some biases were outperforming spin rights, own native drivers, which I've just written, which should not have been possible. So I added technology to benchmark drives both ways using spin rights, new native hardware level drivers, and using the bios with the intention to use the bios when it was faster than spin, because speed matters. The bios has never been able to transfer in its history still can't more than 127 sectors at a time. That's just a fundamental limitation of the bio's API, but spin right can ask drives to transfer 32,768 sectors at once into a waiting 16 megabyte buffer. You know, now we got lots of Ram, so why not? Through experimentation? We discovered that some spinners would perform better when asked for 258 individual transfers of 127 sectors each rather than a single transfer of 32,768 sectors.
Leo Laporte / Steve Gibson (01:24:18):
But my code was still not keeping up with the bios. When I realized that the way I was breaking up, the large transfer into smaller transfers was introducing 258 times the inter transfer overhead. I fixed that. I redesigned my drivers to be maximally efficient when large transfers needed to be divided into smaller pieces. And then finally rights own drivers were always at least as fast as the bios and often, especially for SSDs up to several times faster. So spin right now never needs to use the bios when it's able to communicate with the drives hardware directly and spin right now, measures the speed, both ways of each drive using smaller 1 27 sector transfers. And these mega 32,768 sector transfers and remembers which one is best for that drive and adapter. So it, it that's part of the drive enum process. It basically figures out how this drive wants to be talked to and then that's what it does.
Leo Laporte / Steve Gibson (01:25:36):
So, you know, as for the spin rights development, I know all of this is taking time. The only thing I can say is that what is emerging is gonna be a truly high functioning piece of software where something that everyone will be proud to own and use. And also it's creating a strong new foundation for spin rights future in 6.1. Yay. Yeah, that's exciting. Our PC in a RCE RCE coming up in just a sec, but first I wanna talk about Z E N T R Y zero. Trust with remote work is here to stay. I'm sorry to say for all the bosses is a said, no, you gotta come back. At least we're in hybrid in many cases, remote when the pandemic started, of course everybody went home. Everybody learned what a VPN was. Problem is VPN isn't really the answer to the zero trust conundrum.
Leo Laporte / Steve Gibson (01:26:40):
They, they were designed for a much friendlier for one of a better word landscape where the only threats you had to worry about were internet worms and protecting yourself at the perimeter was all you had to worry about, but things have definitely changed. Threat. Actors are specifically targeting remote workforces. Now with Phish attacks exploit vulnerabilities in RDP. We're gonna hear about that in just a moment. Vpns give you broad network level access. They allow EastWest propagation for authorized users, but also unauthorized ones. And that's why almost everybody is saying now we gotta move to a better model, zero trust and the best way to do iTry security. It's a perfect solution. It allows only authorized users to access applications in the cloud. In the data center. You don't need VPN. VPN's not even enough. You don't need a lot of configuration. You don't need a lot of headaches and it works with employees.
Leo Laporte / Steve Gibson (01:27:44):
Yes, but even contractors, third parties, regardless of their location, because they're only getting application level access to the apps you specify to the resources you allow based on a globally applied natural language policies defined by your it guys. Everybody's happy, dispersed workforces, get secure, streamline access, but they only get the applications they need to do their jobs. And all they need to use is a browser on their preferred device. So it's very easy for them. This is so much better than, than providing network access by a VPN. And we, you know, remember that water company where they had a VPN account still open, never changed the credentials and somebody got in and started putting poisonous chemicals in the water in effect. That's a VPN doesn't do the job had they had century security. Wouldn't have been an issue. Wouldn't have been an issue. Every connection of course is encrypted end to end that reduces the attack surface and increases your organization's security profile.
Leo Laporte / Steve Gibson (01:28:50):
But the key really is restricting access to just the apps and the resources that person needs with true strong authentication. Everyone wins. It's easier for users. They're happy. Everyone's more productive and your it can finally maybe rest a little bit, relax, enhance your security posture today. I want you to try it cuz it's very cool happens in the browser. You specify what apps they can use, what sources they can access. It's very, very powerful, but also very easy to use. XRY Z E N T R Y. XRY trusted access. Try it for 30 days free at least do yourself this favor. I think you'll be really impressed by the UI, by the simplicity of it. And, and by the basic fundamental security XRY Dory, Z E N T R Y security.com/you track for free right now. And I think you will be very, very impressed. All right. Speaking of RPCs and our CES. Yes, you're right, Leo about not letting things be exposed. This is gonna be another big lesson on, on that, along those lines. So it's CVE 20 22, 20 6,809 with a CVSs. And we'll see why of 9.8 last Tuesday when along with 127 other lesser problems. Mike, Microsoft patched this flaw in windows, remote procedure, call runtime library, DLL that's RP C R T4 dot DLL. It was unknown to anyone other than Microsoft and its independent discoverer bug hunter who is with the Chinese coun lab.
Leo Laporte / Steve Gibson (01:30:50):
He had privately and responsibly disclosed it to Microsoft. What we've learned is you can look at patches and reverse engineer them. As the implications of this freshly patch flaw began to emerge. The entire security industry started sitting up straighter in their chairs because what we have here is something rare in any, not yet patched internet exposed windows machines. We have the basis for another zero click internet worm reminiscent of 2000 three's Ms. Blast worm and the 2017 wanna cry attack. Cert cc's will. Doman tweeted that right now, 1,329,075 windows machines are publicly reachable and until patched are vulnerable and all of those machines, which remain unpatched once the discovery is made of how to exploit this vulnerability will be susceptible to full a unauthenticated remote takeover Microsoft's own page disclosing and summarizing this vulnerability categorizes it as attack vector network attack complexity, low privileges required, none user interaction, none confidentiality impact, high integrity impact, high availability, high exploitation, more likely.
Leo Laporte / Steve Gibson (01:32:45):
In other words, Microsoft is quite aware that it doesn't get any worse than this. And at this very moment everywhere, everyone. And I mean, everyone is working right now around the clock to figure out how to turn this into an active exploit security companies are trying to do it in order to build proactive defenses for their clients. They need to know what patterns to look for on the wire in order to block this. And those who know say that this is going to be very difficult to block. We don't know what that means. We also know that all of the usual suspects in North Korea in China and Russia are burning the midnight oil to design packets that they can send to any listening server to take it over remotely. We all know that when we start off with more than 1.3 million vulnerable windows machines, one week ago, they were all, all of those machines were vulnerable a month from now, somewhere between what 10% and 25% will still be vulnerable.
Leo Laporte / Steve Gibson (01:34:06):
And it will be their misfortune, a working exploit for this would be extremely valuable and it would likely fetch a high price even though a patch already exists since everyone knows that merely reduces the size of, but does not eliminate the target population. So if an exploit were developed, it would be kept quiet since anyone selling it would want it to be rare and anyone paying a high price would want to keep it for themselves or for their own selective resale. So I actually wouldn't expect to see a worm appear initially deploying this bad boy in targeted attacks makes a lot more sense. Last Wednesday, the day after last week's patches became available, optimize security people, seeing how Microsoft had characterized this and seeing its 9.8 CVSs became curious themselves about this change that Microsoft had made. And they posted a blog about the vulnerability because it's very light gonna become famous or infamous I've excerpted and edited from their blog to give everyone a sense for what Okai did they wrote.
Leo Laporte / Steve Gibson (01:35:26):
The CVE stated that the vulnerability lies within the windows RPC runtime, which is implemented in a library named RP C R DLL. This runtime library is loaded into both client and server processes utilizing the RPC protocol for communication. They said we compared versions 10.0 point 22,000 4, 3 4 unpatched from March, 2022 to 10.0 point 22000.6 13 just patched in April, 2022 to produce a list of changes in various functions. The functions processed response and process received. PDU caught our eye. The two functions are similar in nature, both process RPC packets, but one runs on the client side and the other on the server side, we went on to diff you know, as indifference to diff process received PDU and notice two code blocks that were added to the new version in the patched code. We saw that a new function was added after Q put on Q zooming in on the new function and inspecting its code.
Leo Laporte / Steve Gibson (01:37:00):
We saw that it checks for integer overflows. Namely the new function was added to verify that an integer variable remained within an expected value range after having another value added to it, diving deeper into the vulnerable code, get coalesced buffer. And by the way, that is where the problem is. We noticed that the integer overflow bug could leap to a heap buffer overflow, where data is copied onto a buffer that is too small to populate it. This in turn allows data to be written out of the buffers bounds onto the heap. When exploited properly, this primitive could lead to remote code execution. A similar new call to check for integer overflow was added to three other functions as well. The integer overflow vulnerability and the function that prevents it exists in both client side and server side execution flows. So that's what Okai did. Basically they did what anyone would start off doing what every, everybody who is trying to figure out how to exploit that is doing right now, it's only been a week.
Leo Laporte / Steve Gibson (01:38:22):
Marcus Hutchins. Our friend has posted a seven and a quarter minute video on YouTube titled exploiting windows, RPC CVE, 20 22, 26, 8 0 9 explained and APA analysis where he basically walks the P his viewers through a seven and a quarter minute tutorial on exactly what I just talked about Akamai doing. And the sands Institute has posted an hour long YouTube video titled CVE 20 22, 20 6,809, Ms. RPC vulnerability analysis in the videos description Sam's introduced. Oh, and by the way, I have links to both of those in the show notes, who, for anyone who's interested in the videos description, Sam's introduced the topic by writing on Tuesday, April 12th, Microsoft released patches for CVE 20 22, 20 6,809 reportedly a zero click exploit targeting Microsoft RPC services. At the time of the publication of this abstract, there is no proof of concept available in the wild, however, based on the rating that exploit, but based on the rating, that exploitation is more likely.
Leo Laporte / Steve Gibson (01:39:47):
We expect this won't last long. And of course I expect they're correct. I've gotten this far into the subject without having made any of ports. Part of the reason is that RPC is not constrained to any single port though. It is typically carried over several and one in particular, believe it or not. The number one culprit is SMB port 4 45, which is used for window as infamous file and printer sharing. Everyone who's been listening to this podcast for any length of time will have heard me lament many times, depending upon how long you've been listening, that Microsoft's security for their internet services has never unfortunately been or the of trust. I, I mean, come on their DNS server just, just now had 17 remote code execution of flaws repaired just last week. The troubles with their remote desktop server had been numerous and file and printer sharing has never been trustworthy.
Leo Laporte / Steve Gibson (01:40:56):
You cannot expose it to the internet. Everybody's heard me saying that the research, okay, despite that obviously many people have not heard me say that the research company census said 1,000,300, 4,288 hosts are running the SMB protocol as of last Wednesday of those 824,011, which is 63% of the total were positively identified by census as running a windows based operating system. Meaning that one of those 824,011 machines was vulnerable last Tuesday and census noted that they were unable to determine the OS behind approximately 28% hosts running SMB. So maybe some others were, they don't know, but they know that it least that 63%, 824,000 on 11 machines were definitely running windows. The majority of the systems running SMB are in the United States with count of 366,000 systems. And we've got a chart, a, a nice glow map of the world where they all are 360 6, China's completely dark, but I don't think that's because they don't run S and B no 366,000 systems in the us.
Leo Laporte / Steve Gibson (01:42:28):
Russia came in second place with a count of 144,620. And you can see it glowing there. Hong Kong had 70, almost 73,000 Germany had just shy of 71,000 and France had 76,659. So this is a widespread problem. Last the 13th search will Doman tweeted CVE 20 22, 20 6,809. He said, yes, blocking 4 45 at your network. Perimeter is necessary, but not sufficient to help prevent exploitation if by April, 2022, you still, and he has it in all caps have SMB exposed to the broader internet. You've got some soul searching to do now about those hosts already in side, your network.dot dot. And the day after that, sand's tweeted. Please remember port 4 45 is just one of the ports that may reach RPC on windows. MSRP C does port 1 35 or in some cases HTTP as well. And it's actually, it's a weird port on HTTP it's 5 39 or something I don't recall.
Leo Laporte / Steve Gibson (01:44:03):
And another researcher Ned pile tweeted CBE 20 22, 20 6,000 8 0 9 has nothing to do with SMB. It's an RPC V where a variety of transport can be used, like TCP 1 35 and SMB 4 45. Okay. So no matter how much you want to, no matter how much you may need to, other than a HTTP and HTTPS, and I suppose exchange server is necessary to windows services and their ports must not be exposed to the public internet. This is why site to site packet filter ring by IP and port is crucial. And it's a perfect solution when IP endpoint are fixed or even relatively fixed. And some other solutions such as a VPN SSH or port knocking needs to be used when a roaming IP must be able to obtain access. So I just wanted to say that my choice at this point would be to run a wire guard VPN from a server.
Leo Laporte / Steve Gibson (01:45:24):
We've talked about wire guard before. It's a lovely recently written state of the art. 100% free, an open source VPN, which exchanges certificates for authentication, not passwords. So it is very strong and unlike open VPN, it deliberately leaves the kitchen sink where it belongs in the kitchen. It does just one thing and it does it well. And there are clients for all platforms now. So connecting to it is no problem. Although it was originally built on Linux, windows is now officially supported, and it's a single click install. So you could run a wire guard, VPN server on any Linux, Mac, or windows machine on your network, work to which any number of roaming users could securely connect to obtain access to everything that you want them to on the inside. It's, you know, www.wireguard.com. And there's an install page that offered that asks you, which, you know, platform you wanna download the installer for.
Leo Laporte / Steve Gibson (01:46:35):
There are now somehow two set up wire guard VPN on windows pages. I've got them in the show notes also. But for those 1.3 plus million systems, which cert says were vulnerable last Tuesday, it's gonna be interesting to see what we're talking about in the next few weeks to come. This thing really looks like once somebody figures out how to take advantage of it it's gonna get loose. Before we wrap up this talk, this topic and podcast, I need to mention what others have also mentioned, which is that the threat from this unpatched RRP C R C E exploit is not only external it's bad. Yes, because it know it allows bad guys to get into your network, but there is, there is no chance that bad guys who gain entry into an enterprise's network once this thing has been weaponized will not be adding a test for this patch being present to their rule movement toolkits.
Leo Laporte / Steve Gibson (01:47:52):
Remember that many initial network penetrations are with low and limited privilege. This is why, you know, the, you know, and, and the low and limited privilege is just the operating system trying to protect itself. And this is why privilege escalation or elevation exploits are almost as highly prized as remote code execution exploits. This RP C R C will doubtless be added to all post penetration kits, because it would allow any unprivileged attacker who has, who has obtained a minimal would hold inside a network to hugely expand their reach by moving laterally to other more valuable machines while simultaneously elevating their privileges on that destination machine, probably to system level, which is where RPC typically runs. In other words, a as those tweets were reminding, this is not just about preventing external public exposure to these services. The threat from internal abuse is very real too.
Leo Laporte / Steve Gibson (01:49:02):
And so we have last Tuesday, a, an extremely rare, extremely worrisome problem that, you know, we, we just know there's no way that even in the us though that 866,000 machines are all going to be patched and the race is on now to find a way to exploit this. Everybody is able to look at the code, reverse engineer, the code, see what's gone on, and then work on figuring out how to send a packet in from the outside that will get some bad stuff done. In fact, given that it's been a week unless it's impossible to leverage this, and it seems unlikely to be impossible, unless it's impossible, it's probably been done. And we just don't know it publicly yet. Well, there you have it. The inside story of the R P C R C us. See, thank you, Steve, as always. This is why we look forward to Tuesdays, Tuesdays security nowaday you we do this show at about 1:32 PM Pacific, depending on when Mac break weekly is over, that would be four 30 to 5:00 PM Eastern time, you know, roughly 20, 30 UTC, you can watch us do a live@livedottwi.tv.
Leo Laporte / Steve Gibson (01:50:29):
You can you can, of course, if you're watching live chat live either@ircdottwi.tv, or if you're in a club TWiT, if you're a member you can do it inside the discord, always a lot of fun in there. We've been having some good conversations. In fact, we always do. That's where Stacy's book club is. Steve did an AMA, I think it point we're gonna do a VI. We gotta do a vitamin D episode in the in the club. We have the untitled Linox show. We have the GIZ fizz that's where we launch this week in space. We'll be launching, we'll announce it soon, another show in the club because the club members support it. We don't have to worry about when a show's starting out, if we can get advertisers, that kind of thing. And really it is a very important part of our operation these days.
Leo Laporte / Steve Gibson (01:51:10):
And we thank everybody. Who's a member. If you wanna join it's seven bucks a month, you get ad free versions of all the shows, the TWiT plus feed the discord. We have seven bucks a month, or you can buy a year ahead of time, which makes it a great gift as father's day coming. I think I think it might be, be a good father's day in mother's day. He's also coming gift for somebody you care about for more information corporate memberships are also available TWiT TV slash club TWiT. You can get a copy of this show directly from Steve. He has actually two unique versions, the 16 kilobit audio, which sounds terrible, but it is small. He also, he also has a 64 kilobit audio sounds a little bit better. I must say he also has transcripts, which is really great.
Leo Laporte / Steve Gibson (01:51:56):
So you can read along as you listen or search those transcripts for a part of this show or any of the 867 other shows. That's all@grc.com while you're there pick up spin, right? Yes. I know it's only version six right now, the world's best mass storage, maintenance and recovery utility, but you will get a free copy of six one when it comes out. If you buy it now and you'll get to participate in the development as we get closer and closer to the release of 6.1 and all it's shiny new features, Steve has lots of other free things there, like shield up and great reading, all sorts of stuff. Grc.Com. If you wanna leave a message for Steve, you could do it there. Grc.Com/Feedback, but probably the best way to reach out to Steve is through his Twitter account. He is SG GRC on Twitter and his DMS are open.
Leo Laporte / Steve Gibson (01:52:46):
So if you've got a picture of the week or a question or a comment or a suggestion just DM him there, twitter.com/sg GRC. We have copies of the show at our website, of course, twi.tv/sn. There's a YouTube channel with all the videos. You can also subscribe, right? That's sometimes that's the easiest thing to do. The RSV is available from that webpage, put that into your favorite podcast client, and then you'll automatically get security. Now, the minute it's available, which is a nice thing you can, and some of those clients review the show. And if you would leave us a five star review, I'm sure Steve would just be glowing with happiness. Steve, have a great week. We'll be back here next Tuesday on security. Now by you, he dad he's glowing or is that his glasses? I'm glowing.
Rod Pyle (01:53:37):
Hey, I'm rod Pyle, editor of ad Astra magazine. And each week I'm joined by taTrik Malik, the editor in chief over space.com in our new this week in space podcast, every Friday Tark. And I take a deep dive into the stories that define the new space age what's NASA up to when will Americans, once again set foot on the moon. And how about those samples in the perseverance Rover? When are those coming home? What the heck is Elon must have done now, in addition to all the latest and greatest and space exploration will take an occasional look at bits of flight history that you've probably never heard of and all with an eye towards having a good time along the way. Check us out on your favorite podcast. Catcher
... (01:54:14):
Security.
... (01:54:15):
Now.
