Security Now Episode 899 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte / Steve Gibson (00:00:01):
It's time for Security Now. Steve Gibson is here with a potpourri of security stories: the end of a famous caller ID spoofing service, taken over by the feds; a funny little scam involving misplaced decimal points; a web server from the dark ages that's unfortunately still being widely used; and when a passkey is not really a passkey. It's all coming up next on Security Now. Podcasts you love from people you trust.

... (00:00:38):

This is TWiT.

This is Security Now with Steve Gibson, Episode 899, recorded Tuesday, November 29th, 2022: Freebie Bots and Evil Cameras. This episode of Security Now is brought to you by Kolide. Kolide is an endpoint security solution that uses the most powerful untapped resource in IT: end users. Visit to learn more and activate a free 14-day trial today, no credit card required. And by PlexTrac, the premier cybersecurity reporting and collaboration platform. With PlexTrac, you'll streamline the full workflow from testing to reporting to remediation. Visit plex to claim your free month of the PlexTrac platform today. And by NordLayer. NordLayer is a secure network access solution for your business. Join more than 7,000 fully protected organizations by going to to get your first month free when purchasing an annual subscription. It's time for Security Now, the show where we cover your security and privacy online with the hero of the hour.

Mr. Steve Gibson. Hello, Steve. This is the podcast which just has a boring start every week because everything works. We're not spending half an hour trying to get stuff on screen or the lighting right. You just don't see that part. <Laugh> No, in the old days we did that all the time, didn't we? Yeah. I mean, with different hosts and juggling things and all that. But it is easier to do a one-on-one podcast than the thing you're doing with anybody else. You saw the rocky start of our previous program. Yeah. And it's generally like half an hour before things settle. Yeah, I know. It's a little weird. Yeah. <Laugh> It gets a little weird. I know, I know. Speaking of which, yes, this is episode 899.

Oh, dear. Oh, I know. And this is the birthday episode. For those who don't know, Leo is celebrating number 66. Look at that, Route 66. For those who don't have video, he just held up an old sign that won't mean anything to anyone much younger than us. Kookie, Kookie, lend me your comb. That's all I have to say. So, yes. This was one of those weeks where nothing really stood out, but a lot of interesting things happened. So I grabbed two of the items we're talking about as the title, basically taking from the typical naming of your other podcasts, Leo, where you think, okay, what do we talk about? Let's come up with something about that. So this is Freebie Bots and Evil Cameras for 899, and during this podcast we're gonna answer a few questions.

What happens when you run a caller ID spoofing service? Or when you mislist underpriced online goods, or click on a phishing link for a cryptocurrency exchange, or consider working for an underworld hacking group? <laugh> Oh, no, this is a great podcast. Or use a web server from the Dark Ages in your IoT device? This is not all one story. These are multiple stories. Oh, yes, yes, yes, yes. Good. Otherwise that would be one really confusing story. Yes. Or rattle your sabers while attempting to sell closed network systems to your enemies, or decide whether or not to suspend your Twitter ad buys, or log into Carnival Cruises with a passkey? Yes. Or use hardware to sign your code? This week's podcast answers all of those questions and more. Now, that's a tease.

You are. Absolutely. Now, finally, after 899 episodes, conforming to the TWiT way. It only took 17 years, my friend. We were heading your way and you headed our way, so we've met. And then we're gonna defrag a zebra. Oh wait, you'll see this. That is our Picture of the Week, and a good one. That's right. Our show today is brought to you by Kolide. I love this idea, and I think you will too. Kolide is user-centered, cross-platform endpoint security for teams that Slack. But let me explain what that all means. See, Kolide came along at a time when all of us, every security professional, every IT person, are dealing with this idea that work is forever now gonna be hybrid. Some people are gonna be in the office, some people are at home, on the road, all over the place, which means endpoint security has gotten much more complex.

Of course, we live in an era of BYOD, which means not only do we have to manage our own estate, but we've got this shadow IT to worry about. And I think the tendency of a lot of security professionals is to lock it down. Whether communicated explicitly or implicitly, the message is: the users are your enemy, and you have to wrangle them to make sure they don't do anything bad. You know, treat every device like Fort Knox, put crazy glue in the USB ports, that kind of thing. Here's the problem with that, and you might already be sensing there's a problem with that. Old-school device management tools like MDMs force these disruptive agents onto employees' devices. They slow performance. Employees know they no longer have any privacy, right? They're being spied upon.

They know it, they feel it; they're the enemy. So by doing it this way, IT admins and end users are now kind of pushing one against the other. And that creates its own security problem, because what do users do? They've got their own laptops, they've got their own phones, they turn to shadow IT just to do their jobs, just to protect their privacy, just to get performance. It's just not working. You probably already know this, right? It's not the ideal situation. Kolide has a better way, and I think this is really clever. Instead of forcing changes on users, Kolide sends them security recommendations via Slack DMs. Kolide will automatically notify your team when devices are insecure and give them step-by-step instructions on how to solve the problem. For instance, an employee saves their private SSH key in a publicly viewable folder.

This is obviously a bad idea. You know this; the employee doesn't, or maybe isn't thinking about it. Kolide automatically, via Slack, sends them a DM saying, hey, this is why this is a problem, here's what's happening, and here's how to fix it. And the employee fixes it, and suddenly they're on the team. Because it turns out employees want your company to succeed. They want to be secure, they want to be private, they want it to work. So Kolide is actually helping them, giving them step-by-step instructions on how to solve the problem, educating them about company policies, and helping you build a culture in which everyone contributes to security because everyone understands how and why to do it. Now, as an IT admin, you'll love Kolide because it provides a single dashboard that lets you monitor the security of the entire fleet, whether Mac, Windows, or Linux. It's completely cross-platform.

You can see at a glance which employees, for instance, have their disks encrypted, or are up to date with their patches, or are using a password manager, and more importantly, which ones aren't, making it easy to prove compliance to your auditors, your customers, your leadership. Getting employees to do the right thing cuz it's the right thing: now they know. So that's Kolide. Again, user-centered, cross-platform endpoint security for teams in Slack. You can meet your compliance goals by putting users first, and I want you to try it. Go to, K-O-L-I-D-E dot com slash securitynow, to find out how. If you follow that link, they're gonna hook you up with a goody bag, including these great Kolide t-shirts. They've got beer coasters; see, on the other side. I love this one. There are several of them, but this is the one I like.

It's got Pinocchios with their noses going out, and then "honest security" with a Pinocchio without his nose out. It's just a great t-shirt. Feels nice too. There are the Kolide stickers for your laptops. We put 'em on our refrigerator at work, things like that. And all that just for trying a free trial, no credit card needed. K-O-L-I-D-E dot com slash securitynow. User endpoint security done right. Kolide, thank you for supporting Security Now. Steve appreciates that, and I appreciate it, and you as a listener support us when you go to that address so that they know you saw it here: Now, I feel like this is almost a dad joke, this Picture of the Week. Well, I think we've used it before; it looks familiar to me. But if so, it's kind of fun.

Anyway, so for those who are not seeing our video stream, the caption on this, and it's really good, says "I defragged my zebra." And what we have is what looks like a horse with the front half black and the rear half white. It's obviously different. Yeah. All of the in-use clusters got pushed to one end, and the free space is on the other. Anyway, it's just very clever. I love it. So it kind of is talking about defragging. You don't really do that anymore, right? In most modern operating systems that's handled. Correct. Well, actually, the argument that Microsoft has always made, although this is not really as true, is that there was no need to defrag NTFS file systems.

It was clear that over time, FAT32 file systems became fragmented. And as we were saying before we got on the air, I was posing rhetorically the question: how many user-centuries of time were lost watching, with us just staring at the defrag screen? Yeah, yeah. While the little squares jumped around. It was just wonderful. And I mean, it served no constructive purpose whatsoever, but we loved it. Really. It was fun. Maybe it was a way for a geek to have a timeout. It was meditative. Exactly. Yeah. But not necessarily anymore. That's right. Well, okay, so Windows says that it defrags automatically in the background. Yeah. Which may be the case. The one place it can be useful is for data recovery. If your files have been defragmented and you somehow lose, in some catastrophe, the entire meta-structure of your file system, and you really desperately have to have some file back.

But basically, if you've lost all of the metadata, there's no directory hierarchy, no directories, anything. Somewhere out on your drive is a blob of space that a file occupies. And if it's contiguous, if it has been defragmented, you can find it, right? I mean, it's there in whole. But if it itself is scattered all over the place and it was dependent upon the file system's pointer structure in order to reconstruct that file on the fly, you're really not gonna be in such great shape. But in the old days, the reason we of course defragmented was that seek times were so long that if pieces of a file were scattered physically around the drive, the drive's head would have to go jumping back and forth, in and out on different tracks, grabbing little pieces of the file in order to get the whole thing.

If the file was defragmented, the head would just go to the beginning and maybe tick over sequentially a few tracks, depending upon how large the file was. So it was less wear and tear on the drive cuz it wasn't having to jump all over the place just to get one file read. And it was a lot faster because you weren't embedding all these seeks in the middle of a file read. Of course, there's zero seek time on SSDs. Right. And so that's what changed. When we went to solid state, suddenly all of that head seeking disappeared, and it made no difference in terms of performance. Although Microsoft quite cleverly, I think, instead of defragging SSDs, if you issue the defrag command, cuz you still have a defrag, I believe you still have defrag...

Yeah. Microsoft says, yeah, well, we'll just trim the SSD. It's a way to invoke trim. And so Allyn Malventano always said you should still be defragging, because you're now trimming your SSDs. Although I think modern SSDs do trim as well in the background. That's kind of necessary to keep the speed up. Yeah, well, it's actually an OS-level thing, because the SSD has no knowledge. Oh, it doesn't know the data. Oh, right. But it could be in the controller; I thought it maybe was in the controller. No, no, it's gotta be in the OS. Okay. So the idea is that the drive itself has no knowledge of the file system. It's file system agnostic, but all of the operating systems now, Linux does it and Windows does it. In fact, it came up relative to SpinRite recently, because if you were to do a write level, which is level three or four in SpinRite

6.1, that leads the drive, the SSD, to believe that its entire space is now in use. Because when you write to something, it basically flags that area as in use. So what you can then do is, under Windows, there is a way to say, please trim this drive. And under Linux it sort of does it more easily, but you're also able to force it. And so that is one sort of power-user tip that we'll be getting to at some point with SpinRite: once you do something on an SSD that writes to the whole thing, you then need to put it back into the operating system to let the OS say, okay, calm down here, <laugh> these are the areas that are actually in active use, and all the rest of this...

No, that's just completely free. And the point is, it's hard drive garbage collection. We've been talking about memory garbage collection. It's hard drive garbage collection. Yes. Yeah. Okay. So I asked the question at the beginning of the show: what happens if you run a commercial caller ID spoofing site? Well, your site turns into the top of this podcast. It's on the second page here. Yes. And anybody who's interested can go there now. I went there yesterday; I presume it hasn't changed. The domain name is, I-S-P-O-O-F dot C-C. And what you get is a big page that says this website has been seized, and the various emblems of global law enforcement. And it says, "This domain has been seized by the Federal Bureau of Investigation and the United States Secret Service in accordance with" blah, blah, blah, blah, blah.

Anyway, then we've got Europol and London City Police and Cyber Police and, you know, everybody's involved. Wow. Yeah. So, okay, get a load of this interesting bit of happening. Europol and law enforcement agencies from several countries, including the FBI, have seized the servers and websites of iSpoof, which was a service that allowed users to make calls and send SMS messages using spoofed identities. And Leo, if you were curious, actually I have a link on the page below to the Web Archive's Wayback Machine of iSpoof from before it was seized. And it's quite interesting. Anyway, so the service launched in December of 2020 and advertised itself as a way for users to protect their phone numbers and identities online. But Europol said that iSpoof was widely abused, yeah, no kidding, for fraud, because it allowed cybercrime gangs to pose as banks and other financial organizations. An investigation into iSpoof

began in 2021 after Dutch police identified the service during one of its fraud investigations. The Dutch police said they linked the service to a web host in Almere, where they deployed a wiretap that allowed them to map the site's reach and learn the identities of its registered users and administrators. Officials said iSpoof had more than, get this, 59,000 registered users before it was taken down just earlier this month. UK Metropolitan Police said that 142 suspects were detained throughout the month of November. So they did a big sting operation globally, with more than a hundred individuals detained in the UK alone, including iSpoof's administrators. Europol said iSpoof was being used to place more than 1 million spoofed calls each month, that administrators made more than 3.7 million euros, and that the service has been linked to fraud and losses of more than 115 million euros worldwide.

The UK police said they plan to notify all UK users who received spoofed calls made through iSpoof, which is nice of them. So anyway, as I said, I was curious to see what the site looked like before the global takedown, which displayed that site seizure page above. So I turned to the Internet Archive's Wayback Machine, and what I found was just sort of head-shaking. The top of the site's very modern-looking homepage, which sort of has a floating iPhone there on the right, proclaims "Protect your privacy with custom Caller ID." And it says you can show any phone number you wish on call display, essentially faking your caller ID. And then down in their features, they said, get the ability to change what someone sees on their caller ID display.

"When they receive a phone call from you, they'll never know it was you. You can pick any number you want before you call. Your opposite will be thinking you're someone else. It's easy and works on every phone worldwide!" <laugh> So, yeah. You could imagine that all kinds of bad people with ill intent would be abusing this thing. I mean, like ex-boyfriends or stalkers or spouses or whomever, whose calls you are not accepting, would just figure out whose call you were accepting and then spoof it in order to get you to answer the phone. It's awful. Anyway, we've talked a lot about how insecure all of this is. What is it, SS7, the current Signaling System 7, is still allowing this to go on. I finally gave up and disconnected.

Actually, I had three: I had a fax line and two landlines. Because all I was ever getting was junk calls. It was awful. So for me, the most disturbing thing about this story is that the site was up and running for nearly two years before it was brought down. That was a ton of damage to be done. And you can imagine how the word of mouth of this spread among the world's shadier types as this thing was allowed to continue. So, for what it's worth, I hope there are not alternative sites that are already up and going. I would be surprised, frankly, if there weren't. I should have done a Google and looked around. It didn't occur to me until just now. But still, it's just sad that it took that long to get this down.

And you know, we are hearing about the encryption and the tightening of the inter-carrier communications. It's one thing for a carrier to be secure within itself, but it's the gap between carriers where we need security, and they're just not in a hurry. We have to make them do this, and so far that hasn't happened. Okay. What is a freebie bot, you ask? A new class of bot has been identified, and this one does something that would be difficult to predict, but once you hear what it does, you think, huh, is that illegal? Last Tuesday, the anti-bot research and security provider Kasada, whom we've spoken of before, shared the results of their latest threat intelligence, which detailed the growing prevalence of so-called freebie bots. Freebie bots automatically scan and scrape retail websites, searching for mispriced goods and services and purchasing these discoveries at scale before the error is found and fixed.

Kasada, get a load of this, Kasada's research has found more than 250 retail companies recently being targeted by freebie bots, with over 7 million messages being sent monthly within freebie communities. <Laugh> Okay, now, just to be... But this isn't illegal, is it? No. Well, this is capitalism, baby. You screw up. <laugh> So just to be clear, these are not furry communities, these are freebie communities. Nor are they Furby communities, but that's something else. <Laugh> Members within one popular freebie community used freebie bots to purchase nearly 100,000 products in a single month with a combined retail value of $3.4 million. But Kasada's research revealed that due to significant underpricing, the total purchase cost of the goods for the freebie bot users was $882. This allowed some individuals to realize a monthly profit of over $100,000. Top items purchased using freebie bots during this period of time included off-brand sleeveless halter-neck mini dresses, get this, Apple MacBook Air laptops, and deep-cleansing facial masks.

It's an interesting Venn diagram. That's right. <Laugh> What's your overlapping customer matrix? Many pricing errors were the result of a decimal point misplacement, granting discounts as large as 99%. Using the speed and scale of a bot attack to rapidly purchase as much stock of these erroneously priced goods as possible, actors then turn around and resell the goods at the price they should have been, reaping a large profit. So you can see how this could happen, right? Someone keying in a new item's retail listing gets into the habit of entering a decimal point before the last two digits of the price. But then they encounter a price formatted as a whole integer number of dollars without any cents, and without thinking, they place a decimal point before the last two digits, thus inadvertently reducing the listing's price by a factor of 100.

It turns out that at scale, across the entire Internet, these mistakes happen enough to have spawned the creation of a new class of bot: automated retail-mistake-finding bots, which will instantly purchase as much of something that's been mispriced as they're able to. So human ingenuity knows no bounds. I suppose that while this might not be technically illegal, it certainly is unethical and dishonorable. Is it? Is it? Well, no, I mean, I'm buying at the listed price. <laugh> You know, when the MacBook Air is offered for 50 bucks, not my problem. Something's wrong there. It's not my problem. That's a good deal. I'll take it. <Laugh> How many could I have? I guess it depends. If this is happening to your local Goodwill store, that's terrible, and that's probably more likely where it is. Apple probably never makes a mistake like this cuz they have good software. But still, you're right, it's probably taking advantage of people who can't afford it, small retailers.

Yeah, yeah. I mean, Apple's never gonna misprice things on Apple's guarded site. I have seen oddly priced things on Amazon. You probably get there too late. Sure, every time. Yeah. Where it's just like, what? That can't be right. And I mean, it's for a left-handed screwdriver, so I don't need one, but still, I'm the kind of guy, and I know you are too, that probably would go, that's a mistake, I'm not gonna take advantage of that. So maybe it is unethical. I wouldn't do that. But still, it depends, I guess, on the size of the company. The problem is, as I said, once you hear the idea, no one is surprised. Oh, it happens all the time. Yeah, yeah. Well, no, I mean that a bot has been created. Oh yeah.

To go scan, oh yeah, for these mistakes in real time. Absolutely. And buy up the inventory. Wow. Okay. We have the anatomy of a real-time cryptocurrency heist. The group PIXM Security, whose business is to protect end users from credential fraud, recently blogged about the details of an attack group they've been monitoring, and the lengths this group will and does go to to circumvent one of the newer protections, the deliberate authorized-device protections we're beginning to see more and more, where if you go use a new device, you log in from somewhere you haven't logged in before, there's like, whoa, we haven't seen this device before, so we're gonna jump you through some extra hoops. So, okay. What's interesting here, and I think you're gonna find this really interesting, Leo, is their report in detail of what's behind a true real-life phishing exploit.

So, okay, and just to give you a hint: scammers will use in-browser chat to initiate a remote desktop session on a victim's device, approve their own device as valid to access the user's account, then drain the cryptocurrency from their wallet or wallets. So, okay, here are the details behind this. When PIXM's threat research team first started tracking the group, they were only targeting Coinbase, right, like the premier exchange. Then over the past month, the group has increased their coverage, as the bad guys have, to add support, if you call it that, for MetaMask and KuCoin, K-U-C-O-I-N, in addition to Coinbase. So now, for the spoofed domains, they're the typical slightly misspelled, in this case, subdomains of So that's the hub of where they are.

And so it'll be like or something like that. The group employs working, effective second-factor relay interception. When a user is spoofed into going to a lookalike site, regardless of the credentials the user enters, whether they're legitimate or not, since the spoofing site cannot determine that initially, the user will be moved to a two-step verification page after clicking login, where, depending upon the platform in question, they'll get what they're expecting, which is either being prompted for a second-factor code, or their phone number is prompted for and then used to receive a two-factor code. The criminal group will first attempt to relay the credentials they've been given and second-factor codes to the legitimate login portal which is associated with the platform they're spoofing. Once the user clicks verify, they will be presented with a message, no matter what happens, telling them unauthorized activity has occurred on their account.

Well, <laugh> it turns out it's true, actually, but this is the bad guys trying to reel them in further. As with the original Coinbase attack this group started with, this will initiate a chat window to keep the user on the phish page in the event the two-factor code should fail, which of course the bad guys don't know yet, cuz they'll get prompted for that after they attempt to log in. And should the threat actor need to start a remote desktop session with the victim to continue with this attack, PIXM wrote that in their experience, regardless of whether the victim enters legitimate credentials or not, the group will chat with the victim to keep them in contact should they need to resend a code or proceed to the second phase of the attack.

The criminal gang's willingness to do this significantly increases, I'm sad to say, end-user engagement, and their belief that they're talking to the real guys, right? Because there's someone there. For the majority of the attacks which this group carries out, they engage in direct interaction with the user. Their spoofed login and verification portals will by default return a login error, as I mentioned, regardless of the actual standing of the user's account on the actual exchange and the wallet. Of course, this process is intended to initiate a chat session with a member of the criminal group posing as a customer support representative from the exchange. The criminals will use this interface to attempt to access the user's account if their initial credential relay failed or if it might have time-expired, right? Because we know that these one-time passwords are only limited to 30 seconds and then they change, so it may have expired.

If so, they'll prompt the user for their username, password, and second-factor authentication code again, directly in the chat window. The criminal will then take this directly to a browser on their machine and again try to access the user's account. Should this also fail, for any number of reasons, the most common of which is that the device the attacker is using to access the victim's account or wallet is not, as I mentioned before, an authorized device in the user's profile, which probably means an unknown IP or it doesn't have a persistent cookie which the user's browser would have. Even if they've said, I don't want to remain logged in, they would still have a session cookie. Separately, they'd have a persistent cookie which says this browser has logged in in the past. In that case, the attacker will proceed to phase three with the victim.

The group uses Tawk, T-A-W-K, the chat plugin, on all the sites, and each with the same customer support representative named Veronica. So be wary if Veronica is talking to you. If the previous efforts have not succeeded in giving the criminal group access to the victim's wallet, they'll instruct the victim to download the TeamViewer remote access control app. They instruct the victim that this is to help them diagnose the issue with their account directly on the user's machine. Once the victim has installed TeamViewer on their device and entered the code provided by the group, right, to initiate the session, the criminal now has full control of this poor user's device and will guide them through the steps required to authorize their device, that is, their own machine wherever they are, to the victim's account and hijack their session.

The criminal has the user navigate to the email inbox associated with the crypto exchange or wallet account. They'll instruct the user to log into their account on the exchange or wallet site. While the user's logging in, the attacker, who has control of the victim's device, will enter a random character while the victim is entering their password, right, like interject a character midstream, which will force it to fail. The attacker will then click into the TeamViewer chat box with the victim's knowledge and ask them to enter their password again, which is of course sending the password now to the criminal in plain text. When the user re-authenticates, the attacker will simultaneously log into the user's account on their own device, which will prompt a new-device confirmation link to be sent to the user. The criminal then takes over the user's desktop session and sends themself, via the TeamViewer chat feature, the device confirmation link.

They can now use this link to validate their own device to access the user's account. The final draining of the user's cryptocurrency funds will then be initiated during any of the previous attack phases, as soon as the bad guys have access to the wallet. It's of course only contingent upon the attacker finally being able to successfully authenticate to the victim's account from their own machine, being recognized as an authenticated machine, if it hasn't already been. And of course, once the criminal is in the victim's account, they'll immediately begin transferring the cryptocurrency held in any of the victim's wallets to their own. And they keep the victim engaged and waiting as they steal their funds in the background on their own machine, in the event that the service they're draining funds from might require some sort of email or additional phone confirmation of the funds transfer.

If that's the case, the attacker will assure the victim that this is normal and expected activity related to their account restoration. Once all the funds have been sent from the victim to the criminal's wallet, they end the communication with the victim, having emptied the target's wallet. So that should give everyone a sense for how much effort bad guys in some sort of, you know, big cyber farm, you know, cryptocurrency exchange farm, are willing to expend to phish people who have cryptocurrency and relieve them of that burden. Wow, <laugh> amazing. I wonder if they'll move on now that crypto's gotten less and less valuable. I don't know. It's nicely anonymous. It's a great thing to steal because, yes, it's hard to track. And yes, and toward the end of the podcast, I'm gonna talk briefly about my own experience with having an open web server where anyone is able to create an account.

Yikes, Leo, the internet has become a sewer, and I know from my experience in trying to prevent that, that there are, and in fact from talking to some of the anti-forum-spam people who I struck up a dialogue with, that there are rooms full of people sitting at screens and keyboards who do nothing but that all day long. And there are different rooms full of similar people who do nothing but respond to phishing cryptocurrency link clicks, and then perpetrate all of this, draining people individually of their cryptocurrency. So, you know, it costs, I mean, if they're willing to do that to create an account against all odds on a web forum, they are certainly willing to do something not that much more in order to get a hold of someone's cryptocurrency wallet that may have a bunch of money in it. Unbelievable.

Okay. Let's take a break. Yes. And I'm gonna sip on some water. Yes. And we're gonna tell everybody why we're here. Why, why? I ask you why, why <laugh>? Why are we here? I'll tell you. We're here for you, Steve. There's no question about that. But while you're listening to the show, we like to throw in mentions of some of our fine advertisers, because they're almost always products that people who listen to this show might be able to use. Like PlexTrac, which is the premier cybersecurity reporting and collaboration platform, transforming the way cybersecurity gets done. Communication is essential in every bit of everything we do, right? You've gotta be able to communicate it. It's all the more true if you've got a red team and a blue team, and the red team is doing the pen testing and comes up with the problems and the issues and the things that need to be fixed, and the blue team does the remediation. Communication between the two is vital. PlexTrac makes that easier.

Are you ready to gain control of all your tools and data to build more actionable reports more easily, to focus on the right remediation? Are you working now to mature your security posture, but struggling to optimize efficiency and facilitate collaboration within your team? PlexTrac is the perfect solution for you. It's a powerful but simple cybersecurity platform that centralizes all your security assessments, all your pen test reports, all your audit findings and vulnerability tracking in one place. It transforms the risk management life cycle, allowing security teams to generate better reports more easily, more quickly, aggregate and visualize analytics (it's nice to have those pictures), and to collaborate on remediation in real time. How does it do this? The PlexTrac platform addresses pain points across the spectrum of security team workflows and roles. PlexTrac is second to none, for example, in managing offensive testing and reporting security findings.

You can embed, drag and drop, code samples, screenshots, videos in any finding. You can import findings from all the tools you use, you know, Nessus, Burp, all the major scanning tools. You can export to custom templates with the click of a button. Analytics and service level agreement functions help you visualize your security posture so you can quickly assess and prioritize and ensure you're tracking remediation efforts to show progress over time. It's absolutely got built-in compatibility with all the leading industry tools and frameworks, all the vulnerability scanners, pen testing as a service platforms, bug bounty tools, adversary emulation plans. And that's always a problem, cause you have all these tools, right? But they don't talk to one another. PlexTrac is the in-between. It's the glue that puts it all together easily, quickly. You can have templates, you can have automated reporting.

You've got robust integrations with Jira and ServiceNow, so you're always closing the loop on the highest priority findings. It just makes sense. It's the piece of the puzzle that's been missing. You've got all these tools; now you've got a way to synthesize, to act upon it, to remediate it promptly, but also, very important, to show the boss, the board, the C-suite, the compliance auditors, what you've done, what you're doing. Enterprise security teams use PlexTrac to streamline their pen tests and security assessments, their incident response reports and much more. PlexTrac clients report up to a 60% reduction in time spent reporting. That's the templating. You're not sitting there typing this stuff in by hand, doing it all manually. 30% increase in efficiency, and this is probably important to your boss, five x ROI in year one. All in all, PlexTrac provides a single source of truth for all stakeholders, transforming the cybersecurity management life cycle.

I really think you want this. Book a demo today to see how much time PlexTrac could save your team. Try it free for a month. But I gotta warn you, do that, you're never gonna want to give it up. See how much it will improve the effectiveness and efficiency of your security team. By the way, this is great because it's very fast to get up and running. It's easy to learn, simple. But boy, it is the lever that you want to move what you're doing ahead. Go to to claim your free month. P-L-E-X-T-R-A-C dot com slash T-W-I-T. This is a must-have tool for everybody in the security business. We thank 'em so much for supporting Security Now, and you support us too, but you gotta go to that address so they know you saw it here.

 Now back to you, Steve. So if any of our listeners are looking for something to do, the Karakurt group, with known ties to former Conti gang members and known for its hack-and-leak extortion operations, announced this week that they are recruiting people to breach networks, code malware, socially engineer people and extort companies for payments. And of course, I'm not serious about any of our listeners wanting a job there, but their <laugh> their online posting was wonderful. So, just to back up a little bit, Karakurt, K-A-R-A-K-U-R-T, Karakurt, gets its name from a type of black widow spider. It's not a ransomware gang. They don't bother with encryption. They're known for extortion and for demanding ransoms between 25,000 and as much as 13 million, payable in Bitcoin. They don't target specific sectors or industries.

They're equal opportunity, you know, <laugh>. The gang backs up their claims of stolen data using screenshots and copies of exfiltrated files as proof that they've been in someone's network, and they threaten to sell or leak the data publicly if they don't receive a payment, and they're not very patient. Karakurt typically sets a one-week deadline to pay. Until they're paid, they bully their victims by harassing their employees, business partners and customers with emails and phone calls, all aimed to pressure the company into paying the ransom. So not nice people, okay? Their site on the dark web is a Tor hidden service, so, you know, it's a .onion domain. It contains several terabytes' worth of previous victim data along with press releases naming organizations that had not paid, you know, up in terms of, you know, getting ransomed, and instructions for buying victims' data.

The site surfaced in May. The miscreants usually break into networks by either purchasing stolen login credentials, using third-party initial access brokers that we've spoken about extensively previously (you know, of course those are brokers that sell access to compromised systems), or by abusing security weaknesses in the network's infrastructure. Okay, so this brings us to their so-called great recruitment posting recently, last week, on the dark web. Since it was interesting and somewhat entertaining, I thought it would be worth sharing. Now they're Russians. But I found myself thinking, wow, okay, they're not having a translation problem into English in this instance. The posting is well translated into English. They wrote in this posting: the Karakurt team is glad to announce some news. More than a year in private mode, but now we open the great recruitment. You can join our honorable mission to make companies pay for the existing gaps in their cybersecurity and for the inaction of their IT staff.

So, our dear hack lovers, what we have for you, colon: Are you an experienced pen tester and for some reason do not want to work with ransomware operators? We can find a better place in our team. Meaning they don't do ransomware; otherwise, they're every bit as evil. Do you work for a company that you hate with all your heart? Or maybe your boss fired you but forgot to turn off your network access? You can find solace in our arms. You are a bearer of a sacred knowledge of malware coding, disassembling, exploit developing? The Karakurt team is ready to set interesting and non-trivial tasks for research, implementation of specialized software and modification of toolkits. Are you from the financial industry? Do you know how to make money on quotes of companies whose shares are in poor condition? Know how to sell data in a specific market?

We will hug you and love you more than anyone has ever loved you before. Are you from a data recovery company and know us? Let's be friends, maybe even best friends. Do you have social engineering experience? There is also a vacancy. Want to take revenge on capitalism through cyberspace? We will find you both a vacancy and a psychologist. Perhaps you're a crazy researcher. We're really waiting for you, bro. The best hacker group Karakurt is waiting for you, our dear hack lover. So the good news is that's not being seen by most people who are not visiting the dark web. And I assume if you're visiting the dark web, you're either a security researcher who is not interested or you're a bad guy who might be anyway. Now you know Karakurt has their arms wide open, ready to love you more than you've ever been loved. Okay? And speaking of job offers, over the summer <laugh> the US government held what they called a cybersecurity apprenticeship sprint. As a result of that, 7,000 apprentices were hired in official cybersecurity roles, with around a thousand of the new hires being sourced from the private sector. The sprint was launched in July by the White House and the Department of Labor as a way to boost the government's cybersecurity workforce.

Okay? I mentioned a web server from the dark ages. The security firm Recorded Future found that a Chinese advanced persistent threat actor had leveraged a vulnerability in an IoT device to gain access to an electrical grid operator in India. And in a report last week, Microsoft said that they had identified the entry point for the attack. It was a tiny, somewhat obscure web server known as Boa. It's And actually, I was surprised that there was a three-letter .org. Those are rare. And it's only due to the fact that it's been around for a long time. Boa, which is said to be widely used across the IoT and ICS, that's industrial control system, space. Okay, as we all know, it can be very handy to have a nice, simple and tight little web server, you know, so tiny that it could even be considered a component.

Although Boa is written for Unix-like operating systems, it doesn't use the traditional Unix fork-and-spawn approach of creating multiple instances of itself to handle individual incoming connections. I didn't study Boa long enough to determine whether it's multi-threaded, thus spawning a new thread for each request. It might be purely serializing. Since the Unix Berkeley sockets TCP/IP stack supports a queue of waiting connections, Boa might simply accept one connection after another using a single thread of execution. That would indeed make it quite lean. And apparently Boa is also quite fast. Of course, you get that, until you overload it, by an HTTP server that is so simple. Okay? All of that is okay. But here's the problem. It's not that Boa was first written and released 27 years ago in 1995. That's fine. The problem is that the last attention its source code received was 17 years ago, back in February of 2005.

And looking through Boa's development history, I noticed the website. Yes, my friend <laugh>, it looks very, that makes mine look modern. It's very, not, last updated February 2005, uh-huh. And it's, you know, I couldn't pull it up cuz it's not HTTPS. I had to just, oh, no, no. Nor is the web server, Leo. Yeah, uh-huh. Okay. So if you click on news, that first link there, click on, and then if you scroll down to the 2002 Developers Conference. Oh yeah, the big Boa Developers Conference. Who could forget that? Well, yeah. In fact, I have a picture of the developer conference attendees' party in the show notes. I noted with some interest it was just two of them. On October 4th of 2002, the Boa Developers Conference was held. The official minutes of the event noted: Larry and one of his sons stayed at John's house October 4th and 5th, 2002. While the reasons were unrelated to Boa development, and in fact Larry and John spent only a few hours discussing Boa, computers and the free world, it seemed appropriate to refer to the event as a developers' conference. <Laugh> Here is a picture. What's the team here? Yeah, the entire team in one location. Here is a picture of Larry and John at John's house. Left to right, John, Larry.

Now, oh my goodness, this web server is in an IoT device that's being used by the grid operators of, what was it that I said? Israel? India. India, India. Right. So, you know, well the price was right, I guess. Oh, it certainly was <laugh>. I have no doubt that these two have their hearts in the right place, if they're still beating, if they're around. Yeah. But a web server they wrote 27 years ago and last tweaked 17 years ago, which has no support for secure connections, is currently in use, and apparently widely so, cuz it's apparently very popular, among other places, in the operation of an electrical grid operator in India. Lord only knows where else this Boa constrictor might be lurking. <Laugh> There are a lot. I mean, you know, there are a lot of mini specialty web servers.

That's a simple thing. Yeah. It takes an afternoon to write one these days. Yeah. But wow. Why they chose this one is baffling. Well, it's tiny, right? Yeah. So it's like, well, we're gonna put it in ROM, who's got the smallest server? Oh, look, Boa. Oh, and you didn't pick, bring up their logo page on that site, Leo, it's pretty good. These are, if you want to put a logo on your homepage when you've used the Boa constrictor server in order to serve your pages, you can pick from any of these <laugh>. I wanna put this on my website just for fun. <Laugh> Powered by Boa, the high performance, when you feel the need for speed. I like the one with the colored scales. Oh yeah, that's good. That's nice. Yeah. That'd look good on my site <laugh>.

Oh, anyway, unfortunately IoT devices on the net are powered by Boa. And there was, Microsoft didn't specify the way in, but China found a way in, and it's not surprising. I did a search on their errata page for null, and I found lots of null pointer problems in the past. So presumably not all of them. But good news, it's Y2K compliant. Yes. Yes. Your concerns from 22 years ago about Y2K have been addressed. Larry and John did it by phone. They did. They decided not to have a developers' conference for that, because. And there actually is, they go on at some length on their explanation page about Y2K. And while the underlying OS may have a problem with it, at least their code doesn't. Yeah. So rest assured, if your clock is set wrong, you'll be okay. I noticed they copied their Y2K statement from the Apache Project <laugh>.

So I guess they were aware of their little web server out there. No, yeah. No need to reinvent the wheel. No, that's right. Unfortunately, they didn't copy their TLS support from Apache, so they don't have any. Wow. Wow. Okay. So, the dilemma of closed-source Chinese networking products. I dislike the idea, and I know you do too, Leo, of banning foreign companies from selling their products to whomever wants to purchase them. And the idea that networking and surveillance cameras of Chinese origin might incorporate designed-in Trojan capability, it does seem a little bit far-fetched to me. Presumably such cameras are not phoning home to China, but are networked locally, so the first instant that unexplained data was caught transiting the wire there would be hell to pay. But at the same time, we cannot prove the negative, right? We have no way of proving that there isn't any backdoor Trojan capability present in Chinese networking and surveillance cameras.

So I suppose that the recent actions from the US and the UK are understandable. Last Friday, November 25th, both the US and UK governments banned the use of Chinese networking and surveillance equipment, citing national security related fears as the grounds for their decisions. The US Federal Trade Commission has banned the import and sale of networking and video surveillance equipment from Chinese companies Dahua, Hikvision, Huawei and ZTE, and I know that at least Dahua and Hikvision are state-owned companies. And we talked about Hikvision not long ago with regard to some badness that they were caught with. So in the UK, the parliament has instructed government departments to cease the development of security cameras, I'm sorry, the deployment of security cameras, from Chinese companies on sensitive sites such as government buildings and military bases. British officials said the Chinese-made security cameras should not be connected to core networks, and that government departments should also consider removing and replacing existing equipment even before scheduled upgrades.

US and UK bans come after both countries' intelligence agencies warned against the use of equipment from Chinese companies, cautioning that Chinese equipment could be used for digital surveillance, digital sabotage and economic espionage. Again, of course they're not wrong, but we already do lots of even dumber things, like deploying proprietary-design, closed-source voting machine technology in critical elections. You know, how do we know what those machines are doing? Both Dahua, wow, and Hikvision had already lost a large chunk of their market in the US after the US Treasury Department sanctioned the companies for providing the Chinese government with facial recognition and video tagging solutions in the government's efforts to oppress the Uyghurs. And I recall, as I mentioned, that Hikvision was on our radio, was on our radar, separately for something that they were doing maybe six months ago or so. We've talked about this a lot in the past.

I noted that it was hard to believe that Russia was still using the American-made closed-source Windows OS when hostilities between the US and Russia have been so aggravated. And it's also amazing that until now the US has been deploying Chinese-made networking gear while having absolutely no idea what's inside the box. In the past we've even discussed the existence of counterfeit Cisco networking gear. Since Cisco equipment is all manufactured in China, both the real and the clearly counterfeit equipment all comes from the same place. How do we know what the counterfeit systems are gonna do? And the burden of trust is really not symmetrical. Due to China's massive manufacturing and fabrication capability, they receive Western technology from us, and the West purchases the resulting Chinese products from the East. Thus, more trust is required from the West than is from the East.

So I suppose my point is we cannot discount such concerns as being, you know, purely hyperbolic and inflammatory. Our dependence upon our networks and digital infrastructure has slowly but surely been growing through the last several decades. So it's only natural that at some point someone at the national government level is gonna wake up one morning and pose the big "but what if" question to their staff. You know, it's that "but what if" that was the driving factor behind the recent decision to just say no to Chinese networking and video equipment, and unfortunately the protectionism that results, I think, is both sane and rational, even if you can't prove that anybody's doing anything wrong. You know, what if? And, you know, the equipment we're buying is just a black box. We plug it in and we assume it's gonna be okay, but we have no ability to prove that that's the case.

It really is a dilemma that we've gotten ourselves in. And all I can see is that over time, between countries where there are clear hostilities, we're just not gonna be able to trust equipment from each other. And, you know, I think that's what has to happen until and unless open source ultimately wins, as I argue, and I know you agree, Leo. Wow. It ultimately should. Oh, I didn't realize you were a complete fan. Oh yeah. Good. Yeah, I am too. Yeah. Yeah. I absolutely think, I think we're really learning that lesson over and over and over, frankly. Yes. Yeah. Yes. MIT recently published its rankings of national cyber defense by nation. Interestingly, at the top of the list for the best cyber defense is Australia. In second place is the Netherlands.

Third place goes to South Korea, and we here in the US, we just eke out Canada a little bit. We're in fourth place, with Canada in fifth. So those are the top five: Australia, Netherlands, South Korea, US and Canada. Then the way MIT, so they did the top 20. So the way they organized it is the top five is green. Then the middle 10 they lumped together. That's Poland, the UK, France, Japan, Switzerland, Italy, China, Germany, Spain, and Saudi Arabia, in descending order. And then the bottom five they set out separately as red. And that's, in order of descending security, Mexico, India, Brazil, Turkey, and Indonesia. So anyway, just sort of an interesting ranking. And it's interesting that Australia, you know, is solid. They got a 7.83. This was all ranked out of 10, so they got a 7.83.

The US is 7.13, so a bit of a drop. Although Indonesia at the very bottom of this 20 is 3.46, so it's possible to be doing a bad job. I just wanted to make a quick note for our listeners to be careful about Docker Hub images. It turns out that the security firm Sysdig scanned the official Docker Hub portal and identified 1,652 malicious Docker images which have been uploaded, as I said, on that official Docker Hub portal. More than a third contained crypto mining code, you know, making somebody some money if you just run that Docker image and don't pay any attention to what it's doing, while others contained hidden secret tokens that the attacker could later use as a back door into a server that was running a Docker image and exposed publicly. Other Docker images contain proxy malware or dynamic DNS tools.

So anyway, just be careful. You know, they are seductively easy to grab and deploy. They're very cool, but not everyone who's creating and making them available for everyone is doing so out of the goodness of their heart. So, a word of warning. We've been tracking zero-days for a while. I wanted to note that Google just fixed Chrome's eighth zero-day of the year, so they're doing better than they were last year. They updated Chrome to eliminate CVE-2022-4135, which, no surprise, was a heap buffer overflow. It was found and exploited in Chrome's GPU component. The vulnerability was discovered by one of Google's TAG researchers and is now history. So eight for Chrome, eight zero-days for 2022. And, you know, I imagine they'll get through the rest of the year. We'll see. CISA, the, you know, Cybersecurity Information Security Administration, is now on Mastodon, Leo. After a fake account was spotted for CISA's director Jen Easterly on Mastodon,

CISA now has an official account on the platform. The account is at the very popular server, which is turning out to be where most of the industry security researchers have been hanging out and hanging their hat. So CISAcyber is the handle, C-I-S-A-C-Y-B-E-R. They need to add a <laugh> an icon <laugh> and some verification. Yeah, they didn't, I'm not gonna follow 'em until they put a little more effort into their account. They didn't do very much. It's one of the nice things about Mastodon, by the way (1,400 people already do follow 'em), is that it's very easy to verify that you are who you say you are. All CISA has to do is put a Mastodon link in the CISA homepage. It even can be hidden. It doesn't have to be visible.

And they would be verified. But they have, very cool, so far not posted anything. They're not following anybody. They haven't put in an icon, or have they verified their links? But I'll take your word for it. They're the real, you've seen this posted at CISA's site or something, or no? I did. I picked up a news blurb about it in the InfoSec community. Yeah. So yeah, that is a good server, by the way. If you're in InfoSec, it's a good one to follow. So CISA Jen is not real, correct? That account has been suspended, but CISA, which is CISAcyber at, is apparently the real guys. I'll follow 'em. I'll let you know if they, if anything, and you're right, let's, they go the next step because, come on guys. Come on. That's sloppy.

Oh, you have to do <laugh>. Follow 'em. One person's very cool. Yeah, very. It's good that they're there. You know, has a lot of really good people on it. And I should mention that Alex Stamos, speaking of InfoSec, will be on TWiG tomorrow. Oh, cool. Yeah, he is, of course, was in charge of InfoSec at Yahoo and then at Facebook, left over the Cambridge Analytica scandal. Not his fault; he left because they weren't doing the right thing. And he is part of the Krebs Stamos Group. He's working with Chris Krebs now doing cybersecurity. So he'll be a great guest tomorrow. Yeah, Alex was first and then they added Chris, yeah, to it. Yeah, to the group. Yeah. It's really good. And in fact, he was involved with Zoom in the early, that's right, COVID-19.

He was the first person they went to when people got mad at them <laugh> for not doing it right during encryption, right, or kind of misrepresenting their encryption. He's also a professor at Stanford, so I think he will be a good guest. Yeah. Tomorrow. Yeah. I have one piece of miscellany. It's not directly security related or privacy, but everyone's talking about Twitter and its uncertain future under the reign of Elon. I stumbled upon something that I thought our listeners might find interesting, and I think you might, Leo, as I did, because it appears to contain some actual facts. This is a note written by an unnamed executive director at an unnamed business-to-business organization, but it looks authentic. I presume it's anonymous because he would prefer not to have Elon Musk retaliate against his firm. The title of his posting was, I told my team to pause our $750,000 per month.

So three quarters of a million dollars per month, Twitter ads budget last week. So here's what he wrote. He said, I've seen a lot of technical and ideological takes on Elon Twitter, and I <laugh> I got a kick outta that. I wonder whether it was a play on Tim Apple. Anyway, he said, but I wanted to share the marketing perspective. For background, I'm a director at a medium-size B2B tech company, not in financial services anymore, running a team that deploys about 80 million in ad spend per year. Twitter was eight to 10% of our media mix, and we have run cost-per-engagement, i.e., download a white paper, register for an event, et cetera, campaigns successfully since 2016. I had my team keep our Twitter campaigns live for two weeks post-takeover on the bet that efficiency would improve with fewer advertisers, and that the risks were managed and probably overblown.

I was wrong. And I think the things we saw in these last two weeks mean many more advertisers will bail on the platform in the coming weeks. And he says, parens, for non-ideological or virtue signaling reasons. So then he has four bullet points. He says, performance fell significantly. CPMs didn't drop, meaning same number of eyeballs, he said, but our engagement went way down. Maybe it's a shift in users on the platform, maybe it's ad serving related. Second point, serious brand safety issues. He said, our organic social and CS teams got dozens of screenshots of our ads next to awful content. Replies to our posts with hardcore antisemitism and adult spam remained up for days even after being flagged. Third, our entire account team at Twitter turned over multiple times in two weeks. We had multiple people, he said, an AE, an AM, an analyst, a creative specialist supporting our account, and they all vanished without so much as an email.

We finally got an email with a name for an AM, I guess that means account manager, last week, but they quit and we don't have a new one yet. And finally he said, ads UI is very buggy and login with single sign-on and two-factor authentication broken. One of my campaign managers logged in last week and found all our paused creatives from the past six years had been reactivated. Campaign changes don't save. These things cost us real money. Anyway, I thought, I wonder if they put any prices with the decimal point in the wrong place up. <Laugh>

Now that could cost you. You know, since I hadn't encountered anything as substantive as that, I thought that it was interesting to see, and I understand a bit about what's going on from the perspective of, you know, one of Twitter's advertisers who, you know, views the service dispassionately. He doesn't care one way or another who's doing what, except he dislikes the idea of their ads appearing, you know, appearing to endorse horrific content, which it's now appearing next to, or in the comments that follow an ad. You know, for him, Twitter is just either an ends to a means, wait, a means to an end <laugh> or maybe not. So his thought was that of a business person, right? Yeah. Yeah. Oh, and in a related piece, in a security newsletter I recently scanned, the statement was made: some threat intelligence companies are telling their customers that they can no longer guarantee takedowns of malicious or reputation-damaging content from Twitter, as there is nobody in Twitter's abuse team to respond to requests anymore.

Hmm. So another data point from a different direction. And for what it's worth, TweetDeck is behaving weirdly now. You know, I always go in in order to pull feedback from my, largely my DMs, although I scan the public feed, you know, the @SGgrc postings, and it was definitely not working the way it used to, and not in a way that I liked. So something is changing or has changed, and I don't know, I don't care to know <laugh> what that is. Did we do our last spot? I don't think we, we have one more if you'd like to. I think we need to pause in the, we're an hour and 11 minutes in, and I need some water <laugh>. This episode of Security Now is brought to you by NordLayer.

NordLayer safeguards your company's network and data, and it does it in a very clever, and I think a very useful, way. A lot of companies really will appreciate what NordLayer does. With a surge of ransomware attacks and employees choosing remote work, businesses have become more vulnerable than ever. That's kind of what every ad says these days. I mean, it's clearly the case, and if you're working in network security, it's tough. NordLayer is a really nice tool for all of this. It secures and protects remote workforces as well as business data, and it can help you ensure security compliance. With NordLayer, it's easy to start. It'll take less than 10 minutes to onboard your entire business onto a secure network. So that's where it starts, right? The NordLayer secure network. You can easily add new members, you can create teams, private gateways.

You can even do things like IP whitelists, allow lists, site-to-site connection. Network segmentation is possible, setting up secure network access. Right now, what I would say, if you're at all interested, go to, N-O-R-D-L-A-Y-E-R dot com slash twit. You can get one month free right now with the purchase of an annual subscription. It's easy to combine with other tools. It's hardware free. It's compatible with all major operating systems. It allows you to implement security features across all teams. We always talk about security as being layered. This is an important layer. You can add two-factor authentication, single sign-on. You can even require biometrics, threat block, smart remote access. NordLayer scales easily as you choose a plan unique to your business requirements and your rate of growth. You'll have everything centrally in one place, where you can check server usage, monitor connections to your gateways, view the activity log.

One NordLayer user said, we were looking for an easy way to securely connect our remote workforce to our infrastructure. This is it. Awesomely quick, friendly, efficient support got us up and running in no time. Another said, simple to install and operate, no funny business <laugh>, and so fast that our teams don't notice they're using it. That's pretty important too. With most modern businesses already adopting network solutions like SASE, Zero Trust, hybrid work security, NordLayer does all of that and more, built in. Don't leave your business vulnerable. Try NordLayer today. Join the more than 7,000 fully protected organizations using NordLayer. If you wanna secure your business network, go to Get your first month free when you buy an annual subscription. N-O-R-D-L-A-Y-E-R dot com slash twit. Thank 'em so much for supporting Security Now, and we thank you for supporting Security Now by going to

That's important, that slash twit part, so they know you saw it here. Back to Steve. As otherwise they think that their ads on the shopping channel or, they don't know. How would they know? They don't know. You came in the door, you got the stuff. We just want them to know that you heard it here. That's all. Okay, so Carrie on aan is his name. Dr. Or Mr. Indigo is his Twitter handle. He said, hi, Steve. Finally listening to the last, I'm sorry, latest episode 898, and I started wondering, is quantum computing going to be just a faster way to guess passwords, or is there another attack vector? In other words, is it just gonna be a faster way to brute force attack passwords? Okay. Interestingly enough, once we get quantum computing, assuming that we ever get quantum computing, it won't be any faster at brute forcing passwords.

In fact, it would likely be far slower and vastly more expensive than conventional hardware-accelerated hash-based password brute forcing. Oh, how interesting. That's not the problem. No, there's just a class of things it's good at. The rest it's really crappy at <laugh>. You know, it's like weather prediction. That's it. It can do that, but it can't tell you where a specific drop of rain is gonna land. And that's what you need for symmetric crypto and hashing, is that kind of exact operation. The important thing to understand here is that some of today's crypto, but only some of it, depends upon the traditional time-proven difficulty of factoring a very large number into its two half-as-large prime number components. That's it. That's all that the fervor surrounding quantum computing is about: the ability to do a couple of things quickly that are otherwise entirely insurmountable, that is, this factorization problem. But it's only the asymmetric key crypto that quantum computing might be able to someday weaken.

None of the other crypto that we also depend upon today will be affected. Symmetric key crypto, like our beloved AES ciphers, or today's strong hashing algorithms will not be affected at all, and they don't need to be changed. I was thinking about quantum computing after I read this guy's note, and I was looking for a good analogy of the effort, you know, its promise and the difficulty that it presents. And what popped into my head as being similar in almost every way was power generation at scale via nuclear fusion. It's a useful analogy. It requires crazy, way out there new physics and new materials and new technologies. And like quantum computing, fusion has been chased for decades, driven by the promise of what if, just like quantum computing has, and incredible amounts of ingenuity and money have been sunk into it.

Many different approaches have been tried and discarded. And yes, we are creeping forward little by little, inch by inch, tantalizingly just enough to keep the investment cash flowing. But boy is fusion a difficult nut to crack. In order to fuse matter, we must create, contain and compress the hottest plasmas humans have ever handled, hotter, it turns out, than the sun. And at this point, it's as much art as science. You know, will we get there someday? Maybe, maybe not. It's still not clear. But as with quantum computing, we do appear to be making some progress year after year, learning as we go. So as for quantum computing, my feeling is that there's no reason not to replace that small but crucial portion of our large crypto library of algorithms which are believed to be currently unsafe if quantum computing ever happens. We can replace it with algorithms which are believed to be quantum safe.

We just don't want to make any mistakes with our replacements, and there's no reason to believe that there's any big hurry. We might well have free electricity once we figure out how to burn water before quantum computers threaten our current dependence on today's asymmetric crypto. So not to worry. Another listener who requested anonymity, and I'll explain why in a second, he said, hi, Steve. In the last episode of Security Now, you talked about, which lists web applications that support passkeys. I wanted to share my observations with you. First, the website owner chose to manage it with no transparency. When I saw it, I thought there must be a Git repo where I could open an issue for a change request. Surprisingly, they chose to use Google Forms, which masks all the review and approval process. And he's talking about, you know,

Second, he said, I've noticed that many companies in this list are also customers of OwnID, which is listed as the authentication provider, including Carnival Cruises. Oh, interesting. Yes, yes. They did not do it natively. And he says, and then, investigating the OwnID flow, he said, when Leo pressed the fingerprint button, the QR code encoded a URL that sent his iPhone to with a session identifier. Then he performed a web authentication on his iPhone. Once completed, the session got updated on the server, and the browser on his laptop logged in. The flow is using WebAuthn and passkeys, but not likely the way it was designed to be used. WebAuthn's phishing resistance mechanism works in a way that a JavaScript API called on the browser triggers the underlying library and matches the domain, sorry, matches the domain

a key was registered in and the domain asking to authenticate. By implementing WebAuthn as it is in Carnival, the phishing resistance mechanism suffers from a flaw. As an attacker, you can spoof Carnival's login page, so the user sees the same page, only on a different domain. When you click the biometrics button, the attacker's backend will send a request to Carnival to get a QR code, which encodes the passwordless URL. Then the phone would ask you for your face or fingerprint to authenticate with a passkey, which will update the session on the backend, and the attacker gets in. Actually, this is the thing that I spent a lot of time on SQRL solving completely. And you know, it's crucial. He says, the right way to implement passkeys is by calling the WebAuthn API on the laptop's browser. He says, instead of presenting the QR that will open a browser on the mobile phone, and letting the browser do its job, presenting native WebAuthn screens, including a QR, which is scannable from a mobile phone.

This way the domain you're authenticating to is passed in a side channel, that is, you know, push versus BLE, Bluetooth Low Energy, from the browser to the phone. He says, to the mobile phone directly from the browser, and a phishing site will be blocked, as the credential on the phone was registered under the original domain. Okay, so first of all, our listener who wrote this to me is a hundred percent correct. And by the way, he's a developer for an authentication provider who asked for anonymity. Another way to say this is that rather than doing the work of upgrading their own servers to become a first-party passkeys provider, Carnival Cruises, and unfortunately a lot on that list, has outsourced their authentication responsibility to a third-party provider, in this case OwnID. But in doing so, by punting in this way, they've bypassed passkeys' phishing protections.

This gives their users the false belief that they're getting the hack-proof benefits of passkeys without actually getting them. This could be transient, we can hope not, but on the other hand, OwnID is in the business of doing this. So they're gonna presumably keep selling their instant onboarding services, and most websites will simply want easy login without really caring about their visitors' security. So we've seen the first way that passkeys will fail, and that is, when implemented like this, you can be phished. And that was a big deal. It was supposed to be anti-phishing. Well, it's only anti-phishing if you don't turn the responsibility over to a third party. And if you do, and this page of people have, you're not getting the benefit of passkeys. All you're getting is disappointing, but of course, to be predicted.

Yeah, exactly. Yeah. Christopher uch, he said, SN topic request: hardware security modules. He said, you said you had one. Besides the technical crypto, can you describe how you interact with it in practice to sign your code? Sure. Just as there are EV, you know, extended validation TLS certificates for web servers, there are EV code signing certificates. I have no idea whether they are any better or more trusted than non-EV code signing certificates, but I'll take every advantage I can get. And one requirement of EV code signing is that they must, without exception, be protected by a hardware security module, so that the EV private key can only ever be used for signing and cannot possibly escape into the wild. The EV code signing key, which I purchased from DigiCert, was packaged in a USB dongle, which is paired with the SafeNet authentication client.

Somehow, when I use the same Authenticode code signing command in Windows as I've always used, that SafeNet client is invoked. The hash of the file I'm signing is sent to the key and signed inside there, and it returns a signed blob. So it's just a matter of having a free USB port and installing a hardware interface client. Part of the effort, which I'll be engaged in toward the end of the work to publish the final SpinRite 6.1 code, which will, like 6.0, be a hybrid DOS and Windows app, will be automating this code signing process server side. Since each owner's copy of SpinRite embeds their license information, which makes their executable unique, each one needs to be individually code signed on the fly by the server as it's downloaded. What's gonna be really annoying is that Windows Defender will always be complaining for every single user that the user-specific custom SpinRite file is not commonly downloaded, thus needlessly warning and alarming its users.

You know, we've seen that no degree of reputable signing is able to bypass this alarm. I discovered that when I signed the final version of SQRL, and when I updated the DNS Benchmark, people said, hey, Windows Defender's not happy. And I said, I know. No matter, it doesn't matter if you sign. And those were EV certificates signed. Windows Defender says, ah, I haven't seen this a lot before. And you can understand, it's gonna take a hash of the things that you want to download, and it's obviously sharing those in the cloud. And when it sees enough of those and no complaints, then it goes, okay, it must be okay, and stops bringing up warning messages. Unfortunately, SpinRite's users are just gonna have to get used to that, because every one of those that they download is gonna be unique.

Two people. Dan Garde asked, Steve, how can I get access to test the pre-release version of SpinRite 6.1? Feel free to email me or just respond here. Thanks so much for your work on SpinRite. I have drives waiting for 6.1. And SD Holden asked, hey, Steve, not sure the best way to reach you about the Git server for SpinRite, so I thought I'd start here. When I try to create an account, I get a dialogue box asking me to sign in instead of allowing me to create a registration. He says, dot, dot, dot, question mark. Okay. So to both listeners and everyone else, in case some of you hadn't noticed, the internet has sadly become a sewer full of both bots trolling constantly and even human labor farms being paid for creating accounts online. I've been running two web forum servers for years, despite having all manner of entrance barriers erected, like even requiring the correct answer to the question, what software is Steve best known for, in order to create an account?

Five out of six of the account registrations were bogus in those forums. <Laugh>. How hard is that? Yeah, a bot wouldn't know, but <laugh>. No, I know. At one point we had 6,500 users registered in GRC's forums, and I was thinking, wow, I haven't even talked about it that much. Okay, now that number is a bit over 1,100 after I spent several days working to get that under control. Yeah, 5,500 of those were registered in Afghanistan and Turkey and Indonesia and Russia. And, you know, it was so annoying. Spammers love forums. They really do. Oh my God, yes. So I've erected much tougher barriers since, and I've mostly gotten it under control. And since I erected those stronger barriers, 20,204 additional account creation attempts have been thwarted.

So I'd have an additional 20,000 bogus users on top of the 5,500 I had before. The reality is that today, as you said, Leo, running any sort of open web service results in a torrent of bogus registrations. And even with all that in place, the wonderful volunteer moderators I have, who make time to read everything, are still removing users who attempt to subtly pollute our content. So here's the problem. GRC's forums need to be open. So I have no choice other than to erect the strongest account creation barriers I can, then apologize to those who we mistakenly reject as false positives, and also weed out those who do slip past the barriers due to false negatives. But GRC's GitLab server has no need to be open. So it's closed. Its account creation page is protected by a magic incantation, which must be provided before the troll that guards the bridge will allow newcomers to pass.

It requires insider information, which can only be obtained by participating in GRC's old school, blessedly wonderful, text-only NNTP newsgroups. Once someone shows up there and is able to post, they can ask how to satisfy our cantankerous GitLab troll. But also note that we're not using GitLab for any social interaction. We're only using it for issue management. At this point, what I need is feedback from people who are testing SpinRite 6.1, since we have a handful of known issues to fix, you know, I'll get to that in a moment. It's best for newcomers to join and catch up on all the various threads in the newsgroup in order to eliminate duplicate postings of already known problems. So if anyone is really and truly interested in participating in SpinRite 6.1's testing, you're invited to head over to GRC's discussions page.

That's the page at If you google GRC space discussions, it'll take you there. Create a connection to our news server, find the grc.spinrite group, and say hi. And speaking of SpinRite, it's working as I planned. I updated GRC's primary server to handle downloading of pre-release versions of SpinRite, and last Friday morning after Thanksgiving, I posted the information in GRC's SpinRite newsgroup about where any existing SpinRite owner could go to grab their own copy. I'll share three newsgroup anecdotes, which I've edited just a bit for podcast clarity. A few hours after my first release announcement, someone whose handle is DarkWinX posted on Friday at 2:44 PM: Well, I can already report success with a USB. In my race to find something to eagerly test on, with the short time I had, I grabbed an old USB I received with the purchase of StarCraft II.

I figured I'd reformat it with InitDisk and run SpinRite from there. So I put it in the computer and started InitDisk. It waited and waited for about 30 seconds. Eventually the USB was recognized by Windows and showed up so I could nuke it. I tried it again and it still took around 30 seconds to load. So I figured maybe not the best USB to run SpinRite from. So I found another. I thought, why not run SpinRite on the problem USB as a target? So that's what I did. After a Level 2 scan, without finding anything wrong, I rebooted, plugged it in, and instant success. That USB now loads inside Windows instantly every time. Looking forward to testing some more. Second comment, Saturday morning, 8:39, Mark Ping posted: Finished the Level 2 in two hours for a one terabyte, then ran Level 4, and it took nine hours, 37 minutes for one terabyte, compared with 150 hours before.

And then he finished: SpinRite's back, baby. And finally, Dale F., Saturday evening at 10:12 PM, posted: I have a 500 megabyte laptop drive that I put in a SATA portable enclosure after I dropped it about two years ago. It could not be recognized by any PC or by SpinRite 6.0. So I said to myself, just have to wait for 6.1. On Friday, I ran a Level 2 with SpinRite's first alpha release, and one hour later it was good as new. Thanks, Steve. Okay. So frankly, SpinRite's first functional pre-release debut could not have gone much better, and it went far better than it might have. Over the weekend, using the feedback provided by the large group of avid testers, we moved SpinRite through three more releases to its fourth alpha release by mid-afternoon on Sunday. And with only a few exceptions, it is now working well for everyone.

Overall, it's a hundred percent functional in every way that matters. There are a number of things that I need to fix, like SpinRite's various clocks are not continuing to operate while it's deep into data recovery. I recently rewrote that entire data recovery system and I just forgot to periodically update the clocks while I was in there. So actually, I'm gonna change the entire way that works so that it's much better. Another example is that SpinRite's prediction of its remaining time to run is not working right when it's started midway into a drive rather than at the beginning. You can start it wherever you want to. Anyway, it was working once, and something I did broke that. So I'll fix that. So right now, the newsgroup gang is continuing to pound away on the fourth alpha release, logging everything they encounter in our GitLab instance.

While that's underway, my own now highest priority is to make a decision about that next operating system that I'm considering purchasing and moving to. Its licensing deadline, as I mentioned before, is the end of the year. It's either by then or never. So that's what I'm gonna be doing this evening. I'll start that. I only think it'll take a couple of days. I just wanna make sure that I can boot something, you know, the classic Hello World app, both from a BIOS and from a UEFI-based machine. Then, if that says yes, I'm gonna go with this OS, then I'll return to and get SpinRite's DOS executable completely finished. I should mention, I told you this, Leo, before we began recording today, one thing happened this morning that completely caught me off guard.

I hired Greg, who everyone has heard me refer to through the years, 32 years ago tomorrow. Tomorrow is his 32-year anniversary of employment with GRC. That means that tomorrow he will have been providing technical support for SpinRite for 32 years. Yesterday he fired up the latest SpinRite 6.1 alpha. And he'd never seen it before. He's seen nothing until, you know, I'd been keeping him and Sue apprised of what was going on. I sent them both an email saying, well, it works, to my amazement. So he fired up the latest SpinRite 6.1 alpha, ran it on a bunch of drives he had around. He said that he ran it on a one terabyte spinner, which took about two hours. And that's about right. Remember, I've thought about half a terabyte per hour is good performance for a spinning drive.

You know, and that certainly beats two weeks. You know, and still it wasn't instantaneous cuz it was a spinning drive. Then he said he scanned a 128 gig SSD in five minutes <laugh>. And he was stunned. So he told me on the phone this morning that he knows the number one question he is certain people are gonna be asking once SpinRite's previous users start using 6.1 is how SpinRite 6.1 could possibly be so much faster. It's like the difference is too much to believe, you know. Either 6.0 was way slow, or is 6.1 actually doing anything? On the other hand, I should also mention that a whole bunch of people in the newsgroup have actually had it recovering data, recovering drives, things that could never be copied before. We're seeing green R's on the map showing data was problematical and was recovered. So anyway, I'm very excited that I will be able to soon stop talking about it and have it in everybody's hands.

Woohoo. Yeah. Very, very good news. Thank you for the hard work. Well, thank everybody for their support. Yeah, I really appreciate it. So you said NNTP. Your newsgroups are NNTP? I thought it was XenForo, or does XenForo use NNTP? Is that why? No. XenForo is the web forums. Oh, you have newsgroups in addition to the web forums. I get it. Yes, I get it. Newsgroups I've had forever. Yeah. And I love them. They're a little backwater. Yeah. We just get real serious work done there. How do you read a newsgroup these days? Thunderbird is a really good newsgroup reader. Okay. It does a good job of it. On the discussions page, I list, I asked the question of everybody like six months ago, and there's like a list of maybe 30 different NNTP clients.

There's only one for iOS, which is called NewsTap. It's a great little news reader for iOS. There's a bunch of news readers for Android and a bunch for Linux and Mac. And so you host it. It's on your GRC site, right? It's Nice. And that's been one of the things I've had, you know. Well, okay, so here's the reality. SpinRite 6.1 will ship, it will be perfect. The newsgroups are why, right? It will be perfect, right? In this day and age, once upon a time, you know, back when we had DOS 2 or 3 or 4, I could write a program and it would work everywhere. Those days are gone. Yes. I could never do this if it weren't for the guys in the newsgroup.

And as I said before, I've got like all these motherboards around now and all these old hard drives, because it was like, Steve, the Aus Cran 3 27, oh, is it working? So I go onto eBay, Aus Cran 3 27, oh yeah, there it is, and I buy it. You know, so Lorrie is saying, do we still need all these? <laugh> No, just a little bit longer. A little bit longer. Yeah. It used to be that all the browsers could handle newsgroups, but they've slowly stripped that out of every browser. So I'm glad. And of course, FTP is gone now too. It's gone too. That's right. They take all, reasonably so, if nobody uses it, to secure this, but a good generic news reader is Thunderbird. Yeah. It's multi-platform. And it's pretty good for getting the job done.

Good. I have to check out the newsgroups. I, for some reason, spaced that you have a newsgroup. I thought it was all forums, which forums are fairly old fashioned. Newsgroups are positively antediluvian. That's good. Yes, I like it. And the forums are where support will be for SpinRite. I'm gonna engage community support, but I'm never gonna allow, you know, I mean, like, the newsgroups are my sanctum sanctorum, is that the right term? Do you use UUCP and send it off and everybody in the world gets to see it? Or is it just hosted on your site? Actually, we block it going anywhere else. Yeah, yeah. Because Google Groups would like to be pulling from an NNTP server. The problem is people were responding to postings that Google had sucked out, and nobody was ever seeing their responses. Right. Right. So it is closed. I actually have a technology where the IP address of the entity which pulls the article is added to the headers. So if we ever see postings out in public, we can look at the headers and see the IP address that is pulling them, and then I block them. Oh, so smart <laugh>.

So there <laugh>. Wow. So it's really, I mean, to call it a newsgroup is really not exactly right, cuz the whole idea was newsgroups were federated and they would be copied every night from university to university. Oh, I've written a whole bunch of extra code. You just use the NNTP protocol for your server. We have something called a Cecil ID, which is also added to a posting. Huh. Which is a hash of the person's username and password. Oh. Which allows the postings to be owned by them. Right. Nobody else can delete them, but they can delete their own. Perfect. And there's a whole bunch of other, you know, benefits that we've added over time. So, very interesting. So I will, that's what I'll be using like forever. When somebody comes along to turn off the servers after I'm gone <laugh>, they'll be shutting down the newsgroups. <Laugh>.

Oh, that'll be sad. <Laugh>. All right, Steve, always a pleasure. He does it the old fashioned way. He does it the old way, but the old ways are often still the best. Steve Gibson, along with his newsgroups, that is the <laugh> Gibson Research Corporation. You'll find SpinRite there, the world's best mass storage recovery and maintenance utility, now faster than ever. It's really working. It is, it's really doing something, honest. <Laugh>. If you don't have a copy, get 6.0 now. You'll have a free upgrade to 6.1 when it comes out. You can also participate in the development and all of that, as he said. While you're there, you can get a copy of this show. Security Now is hosted at, but

Steve has two unique versions. A 16 kilobit audio version for the bandwidth impaired. He's always done that from day one. And for his transcriptionist, actually, Elaine Farris, cuz she writes this all out and she's living in the country with a lot of horses, doesn't have a lot of bandwidth. You can get the transcripts there as well, at, as a 64 kilobit audio file. We have audio and video at our website, There's a YouTube channel for Security Now. That's a great way to introduce somebody to it. Or, you know, if you hear something on here you wanna share with other IT professionals, your boss or friends, your spouse, then just clip it at YouTube. That's probably the easiest way to do it. They make that a fairly simple thing to do. Of course, subscribing in your client might even be the best way to get it.

That way you'll get it automatically the minute it's available. You can build your collection of all 899 episodes. Whew. That's a lot of episodes, Steve. We will be back here next Tuesday, 1:30 Pacific, 4:30 Eastern, 20, I'm sorry, yeah, 21:30 UTC. Had to do the math. You can watch us live at Chat with us live at, or if you are fortunate enough to be in the club, you can do it in the Club TWiT Discord. Actually, you should join the club, if you know how. I remember it supports Steve's efforts plus everything we do here. $7 a month for ad-free versions of the show, access to the Discord. You also get stuff that we don't put out in public, like Hands-On Macintosh and Hands-On Windows, the Untitled Linux Show, and all of that. Thank you, my friend. Yes, happy birthday again. Thank you, for your 66th. I want you to hold onto that sign so that in 33 years you can turn it upside down <laugh> and celebrate 99 <laugh>. Good thinking, Steve. I'll save that. I bet you save old calendars too, don't you? <laugh> Steve, have a great week. We'll see you next time on Security Now. Bye.

Jonathan Bennett (01:58:33):
Hey, we should talk Linux. It's the operating system that runs the internet, a bunch of your game consoles, cell phones, and maybe even the machine on your desk. And you already knew all that. What you may not know is that TWiT now has a show dedicated to it, the Untitled Linux Show. Whether you're a Linux pro, a burgeoning sysadmin, or just curious what the big deal is, you should join us on the Club TWiT Discord every Saturday afternoon for news analysis and tips to sharpen your Linux skills. And then make sure you subscribe to the Club TWiT exclusive Untitled Linux Show. Wait, you're not a Club TWiT member yet? Well, go to and sign up. Hope to see you there.

... (01:59:14):
Security Now.
