Security Now Episode 917 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Ant Pruitt (00:00:00):
This week on Security Now, Mr. Steve Gibson joins me to share some great information about the wonderful World Cybersecurity. And I gotta tell you, it was a little bit scary at first, but it got better, huh? So what's going on with ai? Are we going to name our AI overlords? Once they arrive, Italy decides to say no, there's not gonna be any more chat. G P T. We're shutting that down. Oh boy, what does that mean? The Pentagon said, Hey, hack us. And you know what? It worked. <Laugh> was not a bad idea. So more details on that, and in doing bug bounties. And lastly, zombie software. Oh, this is such a great story from Mr. Gibson. You don't want to miss it. Y'all stay tuned.

... (00:00:48):
Podcasts you love. From people you trust. This is TWiT.

Ant Pruitt (00:00:58):
This is Security Now, episode 917, recorded Tuesday, April 4th, 2023, Hosted by Ant Pruitt and Steve Gibson. Zombie Software.

(00:01:12):
This episode of Security Now is brought to you by Kolide. Kolide is a device trust solution that ensures that if a device is a secure, it can't access your apps, it's zero trust for Okta. Visit kolide.com/securitynow and book a demo today. And buy thanks Canary. Detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter for 10% off and a 60 day money back guarantee. Go to canary.tools/twit and enter the code twit in the how did you hear about a Box. And by Cisco Meraki with employees working in different locations, providing a unified work experience seems as easy as herding cats. How do you reign in so many moving parts? The Meraki Cloud Managed Network. Learn how your organization can make hybrid work, work. Visit meraki.cisco.com/twit. Hey, what's going on everybody? Hey, this is security now here on twit.tv.

Steve Gibson (00:02:20):
Wait am inute, you're not Leo.

Ant Pruitt (00:02:21):
Yeah, yeah, yeah. I'm not Leo Laporte. I am Aunt Pruit. Y'all, I'm gonna be hosting the day with the one and only Mr. Steve Gibson. Steve, how are you sir?

Steve Gibson (00:02:33):
Hey, l Anmp, great to be with you for the first of our three weeks while Leo is off on some trip. And we're gonna hold a fort down here and just keep the ball rolling. So

Ant Pruitt (00:02:46):
We shall do our best, sir.

Steve Gibson (00:02:48):
Yeah. Security now, number nine, eight or nine 17 for the 4th of April. And as we've been doing recently, we're going to answer a bunch of questions which have arisen over the past week. When is an attack, not an attack? When our AI overlord arrives, how shall we call him? Why is Italy said no to chat? G p t? What is Twitter's posting of its code to GitHub? Tell us why is India searching for commercial spyware less well known than Pegasus? And what does the Summit for Democracy have to say about that? Has the FDA finally moved on the issue of medical device security updates? And seven years after the first hack the Pentagon trial the Pentagon remains standing, or does it then? Oh boy. Then after addressing a quick bit of miscellaneous, some listener feedback and an update on my ongoing work on spin, right? We use the SISs Kev, the known exploited vulnerabilities database to explore the question of how exactly we define zombie software. And answer the question of whose brains will the zombies eat?

Ant Pruitt (00:04:08):
Oh boy. Oh boy. Those questions

Steve Gibson (00:04:10):
And more answer this week.

Ant Pruitt (00:04:13):
I, I gotta, I gotta go ahead and ask Mr. Gibson, you, you're saying we're going, what happens when our AR overlords arrive? What are we gonna call them? I thought they were already, that's right here.

Steve Gibson (00:04:23):
Well, there's some concern about that, and in fact, some unfortunately Washington has been caught flatfooted and are trying to say, wait a minute we don't understand what any of this stuff is, so everybody should stop. Anyway, we'll be talking about that today.

Ant Pruitt (00:04:41):
Oh, joy. Oh, joy. Well, folks, this is gonna be a fun episode. We're gonna get into our picture of the week momentarily, but first I'd like to take it few moments to think this week's fine. Sponsor the folks at Kolide. Hey, collide is a device trust solution that ensures unsecured devices can't access your apps. Lyde has some big news. If you're an Octa user, Lyde can get your entire fleet to a hundred percent compliance. Lyde Patch is one of the major holes in Zero Trusts architecture device compliant. Now think about it. Your identity provider only lets known, known devices logged into apps. But just because of devices known, that doesn't mean in a secure state. It's a big difference there. In fact, plenty of devices on your fleet probably shouldn't be trusted. Maybe they're running on an out of date operating system version, or maybe they've got some unencrypted credentials lying around.

(00:05:42):
Cuz yes, that does happen. If a device isn't compliant or it, it isn't running the Kolide agent, it can't access the organization's SaaS, apps or other resources. The device user can't log into your company's cloud apps until they fix the problem on their end. It's that simple. All right, so lemme give you an example. A device will be blocked if an employee doesn't have an up to date browser. Using end user remediation helps drive your fleet to a hundred percent compliance without overwhelming your IT team. Cuz you gotta face it, the IT squad, they're already busy with a bunch of other things. Let the users handle simple stuff like that. Update your dagum browser on your phone. Shes without collide. IT teams have no way to solve these compliance issues or stop insecure devices from logging in. With Kolide, you can set and enforce compliance across your entire fleet.

(00:06:38):
This includes Mac, windows, and Linux. Kolide is unique in that it makes device compliance part of the authentication process. So when a user logs in with Okta collide alerts them to compliance issues and prevents unsecured devices from logging in, it's security you can feel good about because Kalia puts transparency and respect for users at the center of their product. To sum it up, collides methods mean fewer support tickets, less frustration, and most importantly, a hundred percent fleet compliance. So visit ka.com/security now to learn more or to book a demo, that's K O L I D e.com/security. Now, let them know the folks at twit and Steve Gibson sent you on over there. Thank you. So thank you so much for supporting the show collide. All right, Mr. Steve, the

Steve Gibson (00:07:42):
Picture our picture of the week I got a kick out of this actually. We're going to, there's, we have a couple things that are sort of about this topic in general. So we have a single frame cartoon and a woman is staring at her computer screen talking to someone standing behind her. And the, the, the balloon above her head says, Congress finally has a better understanding of how TikTok works. Almost half of them now know it's not a breath mint. So, yes. Not tac folks. We didn't, we didn't say tac, we said TikTok. Oh, oh, oh, not okay. Yeah. So that's right. We're gonna give, we're gonna give the politicians control of technology and see how well that works. So

Ant Pruitt (00:08:37):
Does a, does a younger person know what a tic-tac is? Or TikTok is <laugh>. So TIC t

Steve Gibson (00:08:43):
Is no, tic-Tacs are still around? Yeah,

Ant Pruitt (00:08:45):
Probably. They still are. Right? Okay. All right. Yeah,

Steve Gibson (00:08:48):
Yeah. There are, I think in general where we have, you know, old fogies doing podcasts, there is a danger of a generation gap in some of the, in some of the terminology <laugh>. You knows sometimes when I say somebody was asleep of the switch, I think, does anyone know what that means? I mean, both people know that we're talking about train tracks, but I'm not sure that you know, what, what asleep of the switch, what switch? What are you talking about? What? Switch? <Laugh>. Okay. So, oh goodness. Recall that two years ago all of the fuss bother and more than a little bit of horror arose over the attack at a Florida water treatment plant in Oldsmar, Florida. Now the report that the world received was that a caustic and potentially poisonous concentration of lie had been dumped into the facility's municipal water treatment plants remotely over the internet.

(00:09:51):
That is that the, the, the control of the, of the, of the water treatment plant's equipment was been, had, had been done remotely. And that was conducted, we were told by a disgruntled former employee whose remote access credentials had not been canceled and deleted after his departure. And the story had so much flare in detail recall, cuz we talked about this a lot then, that the reports of the incident described how a worker at the plant saw his computer being remotely accessed and controlled, like right in front of him, his mouse, we are told move to open functions to control the plant's water treatment protocols. And then the amount of sodium hydroxide, which is the, the chemical formula for ly in the water, was changed from 100 parts per million, which is what it was supposed to be to 11,100 parts per million. Where upon the operator who saw this horror immediately reduced lies level back to its proper level and aver and alerted his supervisor and everyone got in on the act.

(00:11:01):
The hack immediately gained worldwide notoriety after the local Pinellas County Sheriff held a press conference, which in turn prompted an investigation led by the FBI and the US Secret Service, as well as a joint federal advisory warning water treatment facility operators throughout the country of the dangers they faced from hackers and urging them to upgrade their security systems. Okay, now Christie, as that story was for our mill what if that's not what happened at all? <Laugh> <laugh>. That's right. A according to former Oldsmar city manager, alre, wait Bri wait, who was the, who was with the city at the time? The incident was never a hack or an attack at all. It was just a case of an employee still with the water treatment facility mistakenly clicking the wrong button. Wait, then I know, I know. Then alerting his superiors to his error.

(00:12:16):
 The, this now the former city manager brief wait, describes the incident as a total quote non-event, which was resolved in two minutes. He, but he said law enforcement and the media for some reason seized on the idea of this being a cyber attack and just ran with it. He said the attention resulted in a four month F B I investigation with which brief weight said, reached the same conclusion that employee error alone was to blame. And somehow we never heard the result of that after four months. That sort of slipped through the cracks now. Oh, okay. Yeah. Wow. I mean, this was a big deal. Everyone was like, you know, alarms were ringing and, and, and water treatment plants elsewhere were, you know, being put on alert. And actually that there might have been some upside to all of this because you know, all municipal water treatment plants likely did and probably do still need to be more alert and aware of threats to keep their security tight.

(00:13:28):
Because, you know, the thing that was so galvanizing about this, it was like, whoa, you know, poisoning the municipal water supply, that's a big deal. So if the report of this dastardly attack, which wasn't happened to serve, to get some inattentive management at other treatment plants in the nation to tighten up their grip change employee discharge policies, perhaps delete a bunch of old and unused access credentials and so forth, you know, then this bizarre inflation of this minor event probably, you know, helped security overall in the long term. So, you know, it's not the way any of us want to be used for having, you know, security improved, but it, you know, it, it's better to know, I think ultimately what happened than

Ant Pruitt (00:14:19):
Not. Yes. Somebody had to really take a sacrifice, if you will to help everybody else raise awareness. And, and this is good here. My only thought on that though, Mr. Gibson, when that happened, it, I wanna say I heard it was like through R D P or something like that,

Steve Gibson (00:14:36):
And yeah, apparently he was team viewer and they had

Ant Pruitt (00:14:38):
Team viewer, that's what it was, team viewer. And so when you are using team viewer, if, if someone pops onto your screen and moves the mouse around, can't you move your mouse back to try to take control and kill the session? I'm like, what, what's going

Steve Gibson (00:14:50):
On here? So that, that story just, and so your point is that it never really made that much sense to you. Right? Right. <Laugh>. Right, right, right. Geez. Okay. So it's not gonna be news to anyone that the sudden explosive popularity, adoption and use of lag of large language neural network models such as chat, G P T, and I know an you've been following along a lot of this stuff. Mm-Hmm. <affirmative>, you know, has caught pretty much everyone flatfooted, everyone's running around trying to figure out what it means, whether it's some sort of apocalypse and you know, that the, like, the subject that, that the public should be protected from. So a couple weeks ago, the US Chamber of Commerce issued a report from the AI Commission. Apparently we have an AI commission now. The report claims to highlight the promise of ai and almost, you know, you almost wanna put promise in air quotes cuz they're like, they're not so sure while calling for a quote, risk-based regulatory framework.

(00:15:59):
And the, the subhead of the report says, quote, report finds policymakers must enforce existing laws. Okay. Whatever they would be and develop policies to steer the growth of responsible ethical ai. Okay. Ethical ai, we got a lot of unused undefined terms here. So what's actually happening is kind of clear to see the politicians and the bureaucrats have no idea what any of this is. I mean, most of us don't, right? Correct. I mean, that's kind of like a wait and see what happens next because this is so new. But not knowing scares the crap out of them. And these people you could say confusing TikTok and tac, they're not the brightest bulbs <laugh> as our picture of the weaker explained you know, so these people are apparently the ones who have appointed themselves to shepherd us into the land of ethical ai.

(00:17:06):
Again, what, as opposed to unethical ai, I don't know. Right. Okay. So here, here's what the US Chamber of Commerce is thinking. They wrote, quote, the use of artificial intelligence is expanding rapidly. I'd like to start off with the obvious. These technological breakthroughs present both opportunity and potential peril. Oh, AI technology offers great hope for increasing economic opportunity boosting incomes, speeding life science research at reduced costs and simplifying the lives of consumers with so much potential for innovation. Organizations investing in AI oriented practices are already ramping up initiatives that boost productivity to remain competitive. Like most disruptive technologies, these investments can both create and displace jobs. Uhoh, if appropriate and reasonable protections are not put in place, AI could adversely affect privacy and personal liberties or promote bias. Policy makers must debate and resolve the questions arising for these opportunities and concerns to ensure that AI is used responsibly and ethically.

(00:18:29):
This debate must answer several core questions. What is the government's role in promoting the kinds of innovation that allow for learning and adaptation while leveraging core strengths of the American economy in innovation and product development? How might policy makers balance competing interests associated with ai, those of economic, societal and quality of life improvements against privacy concerns, workforce disruption there that is again, and built in biases associated with algorithmic decision making. And how can Washington establish a policy and regulatory environment that will help ensure continued US global AI leadership while navigating its own course between increasing regulations from Europe and competition from China's broad based adoption of ai. And oh boy, of course that's a good, there's a buzz word, Uhhuh <affirmative>. You hog tie us innovators with needless, fuzzy and ill-conceived regulations and the rest of the planet is gonna leapfrog the US with their high-speed plans for unethical ai Apparently.

(00:19:49):
So they said the United States faces stiff competition from China in AI development. This competition is so fierce that it is unclear which nation will emerge as the global leader raising significant security concerns for the United States and its allies. Ooh, we might not win this. Another critical factor they said that will affect the path forward in the development of AI policy making is how nations historically consider important values such as personal liberty, free speech and privacy to maintain its competitive advantage. The United States and like-minded jurisdictions such as the European Union, you know, we like them, need to reach agreement to resolve key legal challenges that currently impede indu industry growth. At this time, it is unclear if these important allies will collaborate on establishing a common set of rules to address these legal issues. Or if a more competitive and potentially damaging legal environment will emerge internationally.

(00:21:00):
Well, that's interesting. So like, are we gonna have different rules and regulations and different definitions of ethical ai? We don't know, right? Who knows? Finally, ai, nobody knows any of this. AI has the capacity to prof to transform our economy, how individuals live and work and how nations interact with each other. Managing the potential negative impacts of this transition should be at the center of global public policy. There is a growing sense that we have a short window of opportunity to, some people would say narrow, but okay to address key risks while maximizing the enormous potential benefits of ai, which we don't understand at all. No, they didn't say that at the end <laugh> the benefits of ai. Wow. So you know, I doubt that anyone knows what any of that really means, right? But like, okay somebody must have said, you need to publish a position paper on

Ant Pruitt (00:22:08):
Make a supplement. Whatever that statement is, we need to make a statement. That's what they did, you know?

Steve Gibson (00:22:14):
Yeah. So, you know, it's, it, it, it's clear it's coming on like a speeding train and it's unclear to me that there's any way to slow it down. They're obviously, their concern is if they impede the, the, the, the innovation in the us then countries that don't impede their researchers and we know who they are. They're going to, you know, get ahead of us and take over and we're gonna all be working for them. So that's not good. Anyway,

Ant Pruitt (00:22:43):
Again, to their credit, like most innovative technology, they're things can be great for, for mankind, but then in the hands of the wrong actor, it could cause a lot of problems. I mean, oh my God, I'm glad they're not that man. Look,

Steve Gibson (00:22:56):
What this podcast, this podcast is all about is about, you know, technology which is inherently neutral. We get a lot of leverage and benefit from it. And boy, there awful lot of bad guys who are, you know, spending so much industry on just, you know, trying to subvert it.

Ant Pruitt (00:23:14):
Unfortunately. So

Steve Gibson (00:23:16):
I should mention that at least one country bizarrely has chosen to adopt a much more like an immediate knee jerk position on ai. Believe it or not, Italy has banned chat G P T. Okay? I'm not kidding. The, the, the news is that the Italian data protection authority has issued a temporary ban on chat G P T as the agency investigates a possible breach of its, its G D P R regulations with the agency accusing the open AI service of quote, unlawful collection of data. Okay? Now, a and that appears to be the point of this, someone has apparently freaked out Italian legislators because they believe that the chat G P t is sucking up all of the Internet's data on their Italian citizens without any regard for their GDPR guaranteed privacy. Hmm. Now, yeah, it's odd. The only thing I could find to bring some clarity to this was a press release originally written in Italian and poorly translated into English.

(00:24:40):
Now of course, the translation would be great if they had just let chat G p t do it, but no <laugh>. So here's what was announced from, from which you can get a sense for their somewhat hysterical concern, and again, pardon the translation, but, you know, this was a, a, a dumber bot did did the translation. So it reads no way for chat G P T to continue processing data in breach of privacy laws. The Italian SA imposed an immediate temporary limitation on the processing of Italian users' data by open ai, the US-based company developing and managing the platform. An inquiry into the facts of the case was initiated as well. A data breach affecting chat G P T users conversations and information on payments by subscribers to the service had been reported on March 20th. Okay? Now that's like neither here nor there, that's got nothing to do with this, right?

(00:25:50):
Or, and AI, bro. Okay. Then they said chat G P T is the best known among relational AI platforms that are capable to emulate and elaborate human conversations in its order. The Italian SA highlights that no information is provided to users and data subjects whose data are collected by open ai. More importantly, there appears to be no legal basis underpinning the massive collection and processing of personal data in order to train the algorithms on which the platform relies as confirmed by the tests carried out so far, the information made available by chat G P T does not always match factual circumstances so that inaccurate personal data are processed. Finally, the Italian SA emphasizes in its order that the lack of whatever age verification mechanism exposes children to receiving responses that are absolutely inappropriate to their age and awareness, even though the service is allegedly addressed to users aged above 13 according to open AI's terms of service. Okay, <laugh>? Woo. So this is all a bit weird, right? So far as anyone knows, no private data has been or is being harvested by chat G P T. The system is simply ingesting vast quantities of publicly available information and merging it into an evolving large language model, which has an interactive conversational interface in a very similar fashion. Google's Google bots crawl the web following links and indexing everything they encounter. So there's really no difference between what Google collects and what chat g p t collects

Ant Pruitt (00:28:00):
Exactly.

Steve Gibson (00:28:01):
The difference. The difference, yeah. Is in the accessibility and presentation of the information, Google maintains a massive index, whereas chat G P T and similar systems maintain a massive model anyway. I imagine that things will likely calm down in Italy once someone who knows something actually talks to those who need to know more than they apparently do at the moment. One thing seems clear though, which is that Italy would not want chat g p t to be ignorant of everything that country has to offer. It would represent a huge blind spot that would ultimately hurt them economically. As you know, the world's inevitable adoption of and reliance upon this emerging technology continues. If someone asks their favorite AI bot for recommendations about where to stay in Rome, you don't want the world's AI's asking what's a Rome

Ant Pruitt (00:29:07):
<Laugh>? And totally, totally screwing up that economy there from all of those fasting visitors

Steve Gibson (00:29:14):
That where did all of, where did all the tourists go? No. Well, you told chat GP to forget about us, and it did.

Ant Pruitt (00:29:23):
You know, we spoke about another AI offered by Adobe here on the network last week. And the key difference between what Adobe's doing and the, the other ais out there is, is Adobe is scraping data based on information submitted to them directly from their to Adobe stock. So they could figure out text phrases, text strings, or what have you to apply it to art. I wonder if that would be a problem in Italy or somewhere else over there in Europe with concerns of gdpr, even though there's a consent by the users of Adobe products to say, you know what, whatever you create in our software, we are going to use it to train our models, but you can opt out of it. So I wonder if there's any connection there between what's going on in Europe there versus here.

Steve Gibson (00:30:17):
Also, this, this raises an interesting question, or, or, or, or you have, which is I wonder if the, the, the user's input into chat. G P T influences the model. I mean, we know that it influences it in the short time, right? And after a while it goes insane and you have to restart it, you know, cuz it loses it's mind or doesn't, it starts

Ant Pruitt (00:30:39):
Halluc, they say it hallucinates or something. That's what the he is saying now. Exactly. <laugh>.

Steve Gibson (00:30:44):
And so, but so I wonder if like, if children were talking to it and giving it information, which is not on the public internet, if that, if that, if the information they'd voluntarily disclose ends up being captured in the long term. I, you know, I don't know one way or the other. But anyway you know, it just seems like every, like, the, the, everyone's having a different reaction to, you know, the craziness of this. But, you know, the, the, the reason I was put in mind of this you know, you know, if you asked the ai, whereas a good place to stay in Rome is, I was watching the livestream sometime in the last week. I don't remember which podcast it was on, but Leo was talking about Chad g b t four and demonstrating it, and he literally, he said we're gonna be, I think it was in Rome, we're gonna be in Italy. What, what would you recommend as an itinerary? Well, it spit out like half a page and Leo said, wow, I gotta a copy that, that looks really good. Right? And it so like literally he, it had some good ideas that he hadn't considered, and in fact, it, it estimated how long the various things would take. So, so that it, that's awesome. It showed you like where during the day you would be, and Leo said, oh, I gotta make a copy of this. So the world is clearly changing

Ant Pruitt (00:32:08):
That Would that, that that would be awesome to have that though, sort of a predetermined itinerary. And I'm sure all of the merchants there <laugh> in the locale would appreciate your patronage too. That's right.

Steve Gibson (00:32:20):
So last Friday Twitter officially posted the source code that it uses for selecting which tweets users will see. This of course, has been the source of much controversy and hand ringing and po you know, social media postings everywhere, but Twitter and on Twitter, you know, since the, it's, we, we've learned that the tweets people see turns out to have an outsized effect upon the beliefs they hold. So for anyone who may be interested, it's now there on GitHub. Since I'm not a Twitter surfer, I'm not very curious, but I'm sure we'll see some analysis of the algorithm once those who do care have invested the time in learning what it all does. Ours Technica shared their take after a very quick look, and from what they saw, it mostly looked like what any student of social science would predict. Watch what each person does, what they click, what they search for, how long they remain, how far down they scroll, and so forth.

(00:33:31):
You know, collect every possible meaningful scrap of data from their interaction, figure out what sorts of things they want to see, then show them more of that. All of that seems logical, right? That's basically the algorithm, right? And of course, you know, we, we, we've talked a long time ago that, that the pro, the, the so-called filter bubble effect, right? Mm-Hmm. <affirmative> is where if you show people things that they've shown, that they've seen, that they've already demonstrated, they wanna see you, you end up amplifying their positions and hardening their positions and essentially radicalizing them to a position chamber as opposed to just showing them everything going on and exposing them to all possible, you know, positions. So what observer did note that Twitter is actively burying tweets about Russia's invasion of Ukraine, apparently that's in the algorithm there. So that mystery is resolved for anyone who might have wondered where those tweets went after Twitter became an Elon property, because it was, it's been observed that that suddenly disappeared.

(00:34:46):
 We talked about how Elon's starlink satellite system was turning out to be hugely instrumental in helping to keep Ukraine connected to the rest of the world as Russian missiles continued to batter Ukraine's communications and other utility infrastructures. So, you know, he seems to be, you know, he seems to be helping Ukraine. I don't understand why burying those tweets, you know, like specifically biasing against that is a thing that he would want to do, but then it's a little hard to be in Elon's head. So <laugh> not clear right? Why he does anything <laugh>. So an I think we should tell our listeners about our second sponsor, and then yeah we're going to talk about ISR Israel's Pegasus and why India doesn't want to use it.

Ant Pruitt (00:35:37):
Oh boy. Another, another fun story coming up <laugh>. So yeah, let's go ahead and talk about our next sponsor here on security now, and that's the fined folks that thanks Canary. Everyone knows Honey Pots all a great idea when it comes to InfoSec so wide. Don't all internal networks run 'em well? Simple because all of your network problems nobody needs one more machine to pretty much babysit and administer and worry about. We know the benefits of honeypots but the cost and the effort of deploying them are honeypots. It, it tends to just push 'em down on the list of priorities when it comes to the bottom line of the business, if you will. Things canary changes that Canaries can be deployed in minutes, even on a complex network giving you all the benefits without the admin downsides. The canary triggers are simple.

(00:36:33):
If someone accessing your, your L files or brute force in your fake internal s SSH server, you have a problem. Canary uses deceptively uncomplicated high quality markers of trouble on your network. Now here's how it works. First, you simply just choose a profile for the Canary device, such as a, a window spot, selected spots a brand named router or, or what have you. If you want, you can further tweak the services of your canary. You can even if you need a specific i s server version if you need open s ssh windows files share or, or with actual files constructed according to your particular name and scheme, you got it. Lastly, register your canary with the hosted console for monitoring and notifications. And then just sit back and wait. <Laugh> attackers who have breached your network, malicious insiders or other adversaries make themselves known by access in your canaries.

(00:37:36):
There's little room for doubt. If someone browse for a file share or open a sensitive looking document on your canary, you'll immediately be alerted to the problem. View testimonies@canary.tools slash love and see why customers on all seven continents, love dare thinks Canary deploy your birds and forget about them. They remain silent until needed. You get one alert via email, you get one from text, you get one from Slack webhooks or SIS logs only when it matters. There's nothing worse than a bunch of dagum alerts coming to your smartphone that are useless, none with Canary <laugh>. Visit canary.tools/twit for just $7,500 a year. You get five canaries, your own hosted console upgrades, support and maintenance. And if you use Code TWIT in the, how did you hear about a spot, you'll get 10% off the price for life. That's huge things. Canary adds incomparable value, but if you're unhappy with how things are going you can always return your Canaries with their two month money back guarantee for a full refund. Now, however, during all, during all of these years, twit has been partnered up with, with thanks Canary. Their refund guarantee has never been clean. Hmm. Think about it <laugh>. So visit canary.tools/twit and enter, enter the code twit in the, how did you hear about A Spots? And I tell you, we thank things Canaries so much for their support of us here at TWIT and for support insecurity now.

(00:39:22):
All right. So,

Steve Gibson (00:39:23):
Okay. Okay. So this one, I guess if I was gonna title this story, I'd say okay, we know it's illegal. How much will it cost? Now if that was a criminal saying that he knows it's illegal, what'll the price be, that would be one thing. But this is the government of India who is reportedly seeking bids from as many as a dozen, I guess we would call them me too, smartphone surveillance software purveyors, because the current per preferred go-to spyware, the well-known Pegasus from Israelis n o group, has become too well known <laugh>. The use of Pegasus now is being, is being frowned on by several annoyed nations, including the current US administration, which has been quite vocal about it. So now it appears to matter which super secret hidden illegitimate illegal surveillance spyware a country chooses to use to implant into the smartphones of its surveillance targets, which again, like <laugh>, what world are we in? <Laugh>, the news, the news coverage of this in the financial time stated that India is hunting for news spyware with a lower profile than the controversial Pegasus system, which has been blacklisted by the US government. Indian defense and intelligence officials had decided to acquire spyware from less well-known and less publicly exposed competitors of the NSO group. And they plan to spend around $120 million. They figure it's gonna cost for the replacement software, which they feel they need these lesser, I mean, I, again, this is like illegal spy. I'm,

Ant Pruitt (00:41:26):
I'm sitting here, I'm supposed to be laughing at this, sir, but this,

Steve Gibson (00:41:34):
So these, these spyware fire <laugh>, yeah. These lesser known alternatives are doubtless, gleeful that Pegasus became so popular that it's now being frowned upon by those with a reputation to remain, to maintain. Anyway, this all seems super bizarre since it's, as I said, it's illegal, but it's what everyone does. The financial times noted that India's move shows how demand for sophisticated, unregulated, and illegal technology remains strong despite growing evidence that governments worldwide have abused spyware by targeting dissidents and critics. Right? They're, that's only supposed to be for terrorists and like, you know, you're only supposed to use it again against criminals, but they're, it's being used against non-criminal critics of the government. India for their part is never publicly acknowledged, ever being a customer of nso, but they would like their money back. However, Pegasus spyware has been found on the phones of secular journalists, left-leaning academics and opposition leaders around India.

(00:42:47):
And this sparked a political crisis. Ultimately, as we know, Pegasus phones into surveillance devices which can collect encrypted WhatsApp and signal messages surreptitiously, and of course it doesn't crack their encryption. It's just there on the phone so it gets it before it's encrypted and sends it off to wherever Pegasus sends things. This is what the spooks inside governments want, claim they need and are obviously willing to pay for. And I love this, India's Modi, government officials have grown concerned about the PR problem caused by the ability of human rights groups to forensically trace Pegasus, as well as it's a PR problem. Yeah. To forensically trace Pegasus, as well as warnings from Apple and WhatsApp to those who have been targeted according to two people familiar with the discussion. So yeah, we're looking for something they're saying that is just as effective, but also much less well known.

(00:43:56):
So where do we wire the funds? Wow, <laugh>. Unbelievable. You know, I mean, so we we're talking, you know, the, the, the, the, the, the promise of being able to spy on people who are critical to your government has turned mm-hmm. <Affirmative> na these nations into outlaw nations where, where they are ex they're explicitly using illegal forbidden. You know who, whose word about ethical ai? What about ethical nations? Right. And governments. That's, that's a, we already don't have that, right? Wow. Oh man. Okay. Meanwhile, the timing, w w with timing that you couldn't make up. Last Wednesday, the so-called Summit for democracy was held after which a joint 12 nation statement condemning the proliferation of exactly the sort of commercial spyware that India is currently on the market for happened. The governments of an alphabetical order, Australia, Canada, Costa Rica, Denmark France, New Zealand, Norway, Sweden, Switzerland, the UK and the US published a joint statement on planned efforts to counter the proliferation of this commercial.

(00:45:23):
Spyware agreed countermeasures include tightening, export controls, better information sharing to track the proliferation of such tools, and engaging with additional partner governments to reform and align policies on the use of spyware by their agencies. Maybe they ought to give India a call. <Laugh> given how, given how widespread the practice has become at the highest levels of nation state intelligence, tradecraft, you really wonder how many of the signatories of that letter are condemning on one hand and deploying exactly that spyware within from their own agencies on the other. So it's just, you know, it's, it's just too tantalizing, tantalizing, scary, sad. Yeah. All at the same time. So on a happy front, thank you. Guidance has been issued. Yes. We need some happy news. Guidance has been issued by the US Food and Drug Administration last Thursday, March 30th, which explains now that any and all medical devices being submitted to the F D A for approval will from now on be required to meet specific cybersecurity requirements.

(00:46:45):
This is a first, we've never had this before. These new requirements are part of the so-called Consolidated Appropriations Act, which was signed into law in late, late last year, 2022. That new law contained a section titled Ensuring Cybersecurity of Medical Devices, which is exactly what it sounds like, right? According to the FDA's submissions for new medical devices will need to include specific cyber security related information, such as the description of the plan for identifying and addressing vulnerabilities and exploits within a reasonable time. Companies must also provide details on the processes and procedures for releasing post-market updates and patches that address security issues, including through regular updates and out-of-band patches. In the case of critical vulnerabilities, the information provided to the update must also include, and this is something that we're seeing more and more, a software build of materials, an S B O M Scon commercial Yes.

(00:47:52):
Commercial open source and off-the-shelf components so that it will, they will be disclosing what's, you know, what what, what p tools and components and, and subsystems were used to build this whole thing. So, again, to, to create some visibility into the, the individual offering. The requirements apply to any cyber device that runs software that's defined as a device that runs software, has the ability to connect to the internet and would be vulnerable, thereby to cyber threats. The new cybersecurity requirements do not apply to submissions prior to March 29th, 2023, so like, not, like not prior to last Thursday. And the F D A will not reject out of hand applications solely failing this new requirement until October 1st. So you've got some, you know, a grace period essentially from, from the, this announcement and this going into effect kind of semi officially last Friday until October 1st. But oh, and in the interim, it will provide assistance to companies up until that date, but starting with October 1st, the agency may start rejecting pre-market submissions that do not contain the required information.

Ant Pruitt (00:49:18):
So, you know, it's not there. I love this. Make this very, very clear for everybody. So there's no wiggle room. You know, I love, just, just just simplify this. We're trying to make things better for everybody, and here we have the government stepping in and making it just a simple, simple process. Thank you. Right.

Steve Gibson (00:49:37):
Thank you. We're announcing it now. We're giving you till October 1st. We'll help you until then, if anything about this is confusing and no reason why it would be, you know, and Right. You know, the, the, the, the, in our industry, in the security industry, the stories, for example, about insulin pumps being hacked mm-hmm. Mm-Hmm. <affirmative> and taken over, you know, have almost become a, a, a, a meme in the industry. So this welcome legislation means that devices can no longer be sold and forgotten. Now, you know, this works easily today for medical devices, you know, the marketing and sales of which are already highly regulated. So the, you know, there's, there's already FDA regulation you know, mumbo jumbo and paperwork and, and, and analysis mm-hmm. <Affirmative> and all that in place. But it does seem unlikely that, you know well, it, it, it seems likely that somewhere in the future, and I don't know how far in the future we're talking anything that can connect to the internet may need similar mandatory functionality. You know, note that in their, in the FDA's definition of cyber device, it meant could connect to the internet because

Ant Pruitt (00:50:59):
It doesn't get any simpler than that. You know that. Right? I love it. It doesn't get any simpler than that. Just keep it that way. None of the legal jargon mumble, jumbo that you see in all the other terms of services. This is great.

Steve Gibson (00:51:11):
Yeah. The problem of course, is that with non-medical devices, we don't already have any kind of regulatory framework in place. It's just like, you know, it's a wild west out there mm-hmm. <Affirmative> and so mm-hmm. <Affirmative>, the question is, will that eventually happen? It would be better if it was done voluntarily by manufacturers and if consumers were to insist upon those features. The, unfortunately it, you know, most consumers feel that updates to Windows are a big pain in the ass. It's, you know, it's interfering with their, with their work and their job. No one who listens to this podcast thinks that updates are a problem. You know, they're, it's like, okay, the only question is when do we update? Do we wait to see if it causes any problems? And, and so forth. Mm-Hmm. <affirmative>, but, but most consumers don't have anything like that appreciation. It's like, cuz because they don't see a problem that's being fixed, they just see that, you know, their, their computer had something spitting on the screen for an hour and then they finally, you know, were able to get back to work.

Ant Pruitt (00:52:15):
What, with this requirement in place, what do you think would be the, the biggest pushback, if any, from the OEMs? Would it be listing the, the SBO or, or, or, or something else? If, would there be any pushback for this? For the security requirement?

Steve Gibson (00:52:30):
Certainly the software bill of materials would require some disclosure, which otherwise would not be necessary. Right. So I remember, what was it? I think it was, maybe it was the Kindle when I first, because the Kindle was b from Amazon was based on Linux and a whole bunch of, of of public stuff. I remember seeing the, oh, I know it, it was the, it was the requirement to disclose the licenses of the open source software that the product was using. And you looked through it and it was like, well, Amazon, did you write anything?

Ant Pruitt (00:53:09):
Nothing.

Steve Gibson (00:53:10):
You just, you know, get glue this together from, from stuff you've got on GitHub. I mean, you

Ant Pruitt (00:53:15):
Skinned it, it

Steve Gibson (00:53:16):
Was crazy. Yeah, exactly. It looks stamping label on it and yeah, <laugh>.

Ant Pruitt (00:53:23):
Wow.

Steve Gibson (00:53:24):
Okay. So seven years ago in 2016, we covered here on the podcast, the US Department of Defense's first halting experimental we're not sure about this hack the Pentagon Bug bounty effort. No one was sure it would work least of all the skeptical government bureaucrats, but work it did. Since that program's launch, ethical hackers have helped the D O D find and fix more than 2100 vulnerabilities. Many of them, which were <laugh> very scary and it good to find, which were identified by more than 1400 hackers. The news today is that they continually useful and successful program now has a dedicated website at www dot hack the Pentagon dot mill, which the D O D will be using to continue to educate additional branches of the sprawling US government about the benefits available from allowing good guy hackers to take a crack at cracking the site will also continue to seek and sign up talented new hackers for the continually expanding program.

(00:54:52):
So, bottom line, this was a win. The government's networks and the, you know, the d o d military government networks are more secure as a direct result of inviting ethical hackers. You know, not anybody, you just can't go attack the government. You gotta sign up first and identify yourself and say may I please at least you better identify yourself. <Laugh> ha. Yeah, exactly. It's doesn't work If you say, oh, but wait a minute, I was hacking the Pentagon. They said, we know anyway. No, you need to let them know you're gonna do that first. So it's cool that it's, it, it is succeeding and in general, that's what we're seeing. We're, we're seeing, and I talked about this a couple weeks ago, in general, bug bounty programs are a win for the security industry. They have, they have become just as much as security updates have become, you know, they are now part of the ecosystem and we're better for it.

(00:55:54):
 Speaking of being better for it since Firefox one 10, which everyone should have by now I'm at one 11.0 0.1, but ever since one 10, Firefox has provided a new built-in facility for showing third party DLLs, meaning those not signed by either Mozilla or Microsoft, which have arranged, hmm, sometimes by hook or by crook to have, and I mean crook in that sense have themselves injected into Firefox's address space. If you're a Firefox user, you can type up in the address bar type about colon third, you know, t h i r d hyphen party, p a r t y. You'd enter, and you'll be looking at this new page. When I did that, I only had three DLLs, all which were signed by Intel since I'm running on an Intel Knuck machine that wasn't surprising. By clicking on the little folder icon to the right of each of the DLL's names, windows Explorer will be opened on that file, and it's then possible to right click to look further into its properties.

(00:57:23):
I did that, and sure enough, in my case, the three DLLs were Intel graphics drivers signed by Intel, and actually they were also cosigned by Microsoft. So they probably shipped along with windows 10 in, in, in that instance. So this is very useful from a security standpoint since injecting DLLs into another processes process space and, and all and very useful into a browser's process. Space is something that malware likes to do because it allows it to steal things like the passwords that are being entered either by you or your password manager in, into the browser fields and the crypto addresses that you may be copying and pasting in order to send money to various places. But Mozilla's primary motivation or mo motivation was to help identify misbehaving DLLs that might be causing Firefox to become unstable and to crash. So in that sense, it was self-defense is really what was going on.

(00:58:31):
You know, the like, like people were reporting crashes. And so Mozilla said and I'm sure they initially said, type some bazaar command to so that you can tell us what DLLs had been injected into the browser. And they decided, okay, let's just make this a form, you know, a fully public known UI about colon third hyphen party. Now you can see the DLLs and for DLLs that are not signed by Mozilla or Microsoft, and in this case these were co-signed mine were, you'll find a little another option there a a little red cross out symbol that allows you to deny that DLL's ability to inject itself. So you're able to turn off to, to, to block the injection by DLL in order to see whether that might cure a problem that you're having. So they've also made it nicely diagnostic,

Ant Pruitt (00:59:31):
Very end user remediation is what that sounds like. Right?

Steve Gibson (00:59:34):
Right, right. Of course, nobody would know it's there until, you know, you, you, you, you complained or you know, certainly in in forums with other knowledgeable Firefox users, they might say, oh yeah, type about colon third hyphen party, and you'll find out and then, you know, turn that stuff off. You don't know if you know what it's for. And remember, from a security standpoint, if something looks suspicious, then definitely go explore what that is that's been injected into your browser's process space.

(01:00:07):
Okay. So not surprisingly, a great many of our listeners wrote after last week's Microsoft rant on my part. Rather than share with everyone here, what was essentially the same sentiment expressed many times in, in the feedback that I received I'll just share one, which is representative of all Matthew Hele. He tweeted me, he said, Steve listener cinch e episode one and spin right. Alpha tester. Thanks. He said, I need, I I, he said, I think you need to reconsider last week's rant for years you have decried outdated unpatched servers stuck in the closet. I absolutely have. You have spoken positively of government's recent efforts to locate and report vulnerable servers. You have asked what it would take to get those servers updated and would it ever happen? Well, Microsoft's refusal to accept email from unpatched and unsupported exchange servers is clearly a very dramatic way to accomplish your goal. Regardless of the, regardless of the dangers from email, from those systems, this will force users to either upgrade or move from known vulnerable systems to a less vulnerable one, making the internet safer for all.

Ant Pruitt (01:01:41):
That's an interesting point. Okay. An interesting, an interesting perspective I should say.

Steve Gibson (01:01:45):
Of course. And I'm bringing it up because I completely agree with what Matthew wrote and with what everyone who wrote something similar said, I agree a hundred percent. Really this is without question an absolutely powerful and doubtless effective means for Microsoft to force the upgrading of their older exchange servers, as we've said last week, done, you know, refuse to accept any email from them and that the, the those who are still running them will get the message. And toward the end of last week's rant, I did say exactly that though I would not fault anyone for missing it since it certainly wasn't my main thrust. What I said toward the end of my rant was quote, no one using any Microsoft Exchange server software will ever again be able to fail to keep it updated nor to avoid the purchase of future licenses forever. I celebrate that idea from here forward since keeping software updated, especially Exchange server is a good thing. So anyway, I I just wanted to make sure that everyone understood that I really do appreciate that aspect of this mess, but in my mind, the fact that it would be effective still doesn't make it right because Microsoft is rendering otherwise useful servers unuseful in a what is clear, claiming that they represent a danger to them and in clearly what would generate revenue for them. So, you know, let me

Ant Pruitt (01:03:33):
Push back on you. Let me push back on you here. So you said clearly useful servers what would those uses be if they're unpatched and not necessarily secure? How would it be considered useful?

Steve Gibson (01:03:49):
Well, okay, so there are the, there exchange server 20 2007 2010 mm-hmm. <Affirmative> and soon to be 2013, which actually expires, now we're in April. It the, it's end of life. Mm-Hmm. <affirmative>. So they're useful because they are online and they are receiving and sending email. They're, they're doing the job for their licensors. Okay. And, and so, and, and so it is certainly the case that, and in fact this is actually, we're we're gonna, this is the na this is the, the gist of our conversation we're about to have about zombie software is mm-hmm. <Affirmative>, what does it mean when software has left its useful service life? You know, like, what does that really mean? My my argument is Microsoft is claiming that those servers represent a danger to them because they can send malicious email. Well, you know every email server can send malicious email <laugh>.

Ant Pruitt (01:04:50):
Okay, good point.

Steve Gibson (01:04:50):
You know, that's the nature of email <laugh>. And, and so Microsoft is singling them out for one thing, be why? Oh, well, because what's the, what's the shortest path for somebody who has an out-of-date server that suddenly is no longer able to send email to, to any Office 365 or outlook.com user? Well, the shortest path is to upgrade that server to from, from, you know, from whatever they have to the current exchange server. And that's not free. Right? So my, so what pisses me off here is that Microsoft is essentially f is is rendering those, those functioning servers, yes, they're old. Yes. They may be buggy, yes, they have security vulnerabilities. They're not vulnerabilities to Microsoft. They're vulnerabilities that affect the users of those servers. And, and it's up to them if they want to update not up to Microsoft to force them to do so.

(01:05:52):
So that is a bit of extortion. I give you that. I give you that, yeah. <Laugh>. Okay. All right. Let's we, I, we already did this last week and I, my blood pressure rises every time I <laugh> I start talking about this, so on onto a happier subject. Yeah, it was episode 8 87, which we recorded on September 6th of last year. And, and before I went back to look it up, I assumed it was longer ago because that means that it's only been seven months since I shared my discovery of this new to me author. And in that time, I've read his first two series totaling 24 books. Our listeners will know that I'm referring to the Silver Ships series by Scott Yuka Yuha, I think it is J u c h a J u c, hha A mm-hmm. <Affirmative>. now Leo was not a fan of the series since he felt that the main character Alex Racine was unrealistically portrayed as being too perfect.

(01:07:02):
Okay. I understand that not everyone is gonna like everything. Not everyone likes the same sort of music nor the same food. But for what it's worth, I had a wonderful time reading the series, and I have heard from many of our listeners who felt the same way I did. And I mean, rave reviews there was terrific science fiction in there. Scott is a great storyteller. Now, when I look back over the 24 books, my main complaint would be that 20 books spent with the same characters is a lot of time with them. Now, I knew that was the case because when I switched, I don't remember now, like maybe it was after book 16 of the first 20, I switched to the four book Pyres sideline series. I was a bit relieved to be meeting some completely new characters in an entirely different set of worlds.

(01:08:05):
And inevitably, any 20 book storyline is gonna have some spots where you're waiting through detail that just seems to be taking up time. I'm mentioning the series again because I did love it and I'm glad to have recommended it to everyone here. If it wasn't your cup of tea, then no harm done. And if it was, then you already know how much fun was contained within those pages. Since the beginning of the year, the amount of time I've allowed myself for recreational reading has been significantly curtailed. So I must have really been reading a lot more during the first months of the series, because today all I really want to do is to get spin right. Six ver ver version 6.1, finished and published. So pretty much whenever I'm awake, except for the time spent assembling this podcast, each week, spin Wright has my full attention.

(01:08:59):
But I did manage to finish the final 20th book in the Silver Ships series since I really think that Scott is extremely pleasant to read. It's just, it's just comfortable reading. He, he writes well, he's a great storyteller. I like the way he develops characters. I have opened the first of his next eight book Gate Ghosts series. And so far I love it too. New people, new worlds but the same, very acceptable writing style and terrific storytelling. Anyway, I should also note that while I've been doing this reading of this new author, another favorite of ours, Rick Brown, has been cranking away on the third of his 15 book arcs he's doing. He's, he's, remember he's laid out five arcs each of 15 books, and many of us have all read the first two. Many of you may already be into the, into the fif in, into the third arc of 15.

(01:10:06):
I read a couple, and then, then I was turned on to the silver Ship series while I was waiting for the next book of, of Rick's to Happen. I switched and then I got sucked into that. So anyway, he's continuing to tell the story of Nathan Jessica Cameron tells Josh Loki and the rest, and anyone who has dipped their toe into the frontier saga knows all those names quite well. So I'm sure that once I eventually finish Yukas eight book Gate Coast series, I'll switch back to catch up with the ongoing Frontier saga, which is underway and continuing. And speaking of Spin Wright, very briefly, I'll just say that we're getting very, very close. Spin Wright has not misbehaved in a long time since I adopted full protection from many of the many ways that Bios firmware can misbehave and was misbehaving. And as, as I mentioned before, there were many, but I think that if anything now spin right, is probably over insulated, but you could never have too much insulation.

(01:11:15):
The few problems remaining mostly surround how hard spin, right? I guess it's, they're not really problems. They're questions remaining surround how hard spin right. Should try to work with badly damaged drives when a drive is really very badly damaged. It's even difficult for Spin Wright to verify that it is a drive or that it's established communication with the drive. So that's where we are now. We're sorting through a few issues surrounding that. On one hand, it's mostly of academic interest, since none of those clearly dead and drying and dying drives that spin rights testers have, would ever be considered useful any longer for data storage. But we're all curious, right? To know like, what's going on. Exactly. a and for me, I want to make spin, right? As good as it can be. And I don't ever want to, you know, to re to return to work on spin, right?

(01:12:25):
Once I declare that it's finished. So I'm still willing to give it a, a little more time, but, you know, we're talking a week or two, not much more than that, because I mean, it is, it has actually for quite a while been working just great for mm-hmm. <Affirmative>. I think we're up to 668 people that have been, that have been running the alpha releases through, through the ringer. And, you know, there are a few people with, with clearly dead drives that, you know, spin, right? Still, it's still fighting itself about whether it should wait a little bit longer for the drive to come back with, with a response or not. Or somebody like, when, when it is chugging along and like, and it get and get stuck on a problem, how long should it, how hard should it work on that?

Ant Pruitt (01:13:13):
I see

Steve Gibson (01:13:14):
Before it finally gives up. So it's, it's that sort of, it's trying

Ant Pruitt (01:13:18):
To figure out the difference between where we're malfunctioning drive versus a broken drive is what you saying. Yes. Right? Yes.

Steve Gibson (01:13:25):
Yes. Okay. Let's talk about our last sponsor and then, yeah, zombie, zombie software.

Ant Pruitt (01:13:33):
Yeah, yeah, yeah. Let's get into this next sponsor of security now to find folks at Cisco Meraki, the experts in cloud-based networking for hybrid work. Whether your employees are working at home at a cabin in the mountains or on a lounge chair at the beach, a cloud managed network provides the same exceptional work experience no matter where they are. You may as well roll out the welcome mat, because let's just face it, folks, hybrid work is here to stay. And hmm. Considering where I am right now, recording today's episode of security. Now I tend to agree with that hybrid work works best in the cloud and has its perks for both employees and leaders. Workers can move faster and deliver better results with the cloud managed network, while leaders can automate distributed operations, build more sustainable workspaces and proactively protect the network. An I D G market pulse research report conducted for Meraki highlights top tier opportunities in support in hybrid work.

(01:14:42):
 First point is hybrid work is a priority for 78% of C-suite executives. Leaders want to drive collaboration forward while staying on top of or boosting productivity and security. Point number two, quote, hybrid work also has its challenges. The I D G report raises the red flag about security, noting that 48% of leaders report cybersecurity threats as a primary obstacle to improving workforce experiences. Always on security monitoring is part of what makes the cloud managed network so awesome. So it can use apps from Meraki's vast ecosystem of partners turnkey solutions built to work seamlessly with meraki's Cloud platform for asset tracking location analytics, and much, much more. You can gather insights on how people use their networks in a smart space. Environmental sensors can track activity and occupancy levels to stay on top for cleanliness, reserve workspaces based on vacancy and employee profiles, also called hot desking.

(01:15:55):
<Laugh> I love that allows employees to scout out a spot in a snap. Locations in restricted environments can be booked in advance and include time-based door access, good stuff, security, mobile device management, mdm integrating device integrated devices and systems. Allow it to manage, update, and troubleshoot company owned devices, even when the device and employee are in a remote location. Turn any space into a place of productivity and empower organization with the same exceptional experience no matter where they work. With Meraki and the Cisco suite of technology, learn how your organization can make hybrid work work. It's that simple. Visit meraki.cisco.com/twitter. Say that one more time. Visit meraki.cisco.com/twi to learn more. And we appreciate Cisco and Meraki for supporting security now. All right, so we're gonna talk about the last of us. No, not the last of us. <Laugh> zombies. <Laugh>.

Steve Gibson (01:17:08):
Yeah. So we know that a few years ago, cisa, after its formation, created their kev, which is the, you know, k e v known exploited vulnerabilities list or, you know, database. The idea was for this list to serve as a prioritization for any new entity exposed to the internet. So, so this, this wasn't like every vulnerability ever known. The idea was that only vulnerabilities whose active exploitation has recently been observed in the wild would make it onto the list. And as a prioritization mechanism, when you have, you know, 20 things, okay, that would be feasible. Unfortunately, because so many vulnerabilities are under exploitation and SISs a committed to adding anything that they see being exploited to the list, the list has grown. We talked about how the size of SISs a's Kev ballooned last year, not because of many new vulnerabilities discovered with patches being made available in 2022, but rather because older vulnerabilities in some cases almost ancient, were still seen in use.

(01:18:41):
And were therefore, as is Kevs charter added to the list. Okay? Now, today we have another shoe dropping with a rather breathtaking report from a security firm known as, I guess it's Brazilian, R e z i l i O n, resilient. I mean, it could, it could just be resilient, but a fancy way of spelling it. Yeah, I mean, I would have two Ls if it was resilient, you know? No. Okay. Yeah, I guess so. Anyway. We'll, I I like the way resilient sounds, so we'll go with a, you know, as if it was million, but it's resilient anyway. So resilient rights. Do you know, Kev? You should as if it's a person, I guess. Do you know Kev? You should, because hackers do resilience research team just released a new report which highlights the critical importance of known exploited vulnerabilities. Kev, specifically our research they write uncovers that although the KEV catalog vulnerabilities are frequent targets of a p t, you know, advanced persistent threat groups, many organizations are still exposed and at risk from these vulnerabilities because they're not patching them.

(01:20:08):
This gap in patching may be due to a lack of awareness or a lack of patching resources or both, or maybe priorities. Who knows? They said De Kev catalog maintained by the cybersecurity and infrastructure security agency. CISA is a reliable source of information on vulnerabilities that have been exploited in the past or are currently under active exploitation by attackers. According to our new research, there are over 15 million vulnerable instances, yeah, in the Kev catalog, with the majority being vulnerable, Microsoft Windows instances, that's a massive number of systems exposed to attacks, leading organizations vulnerable to exploitation from threat actors and advanced persistent threat groups. Okay, so resilience scanned the internet, checking specifically for systems exposing vulnerabilities to any of the now 896 individual vulnerabilities currently listed in the CISA Kev database. What they found was that it's what any bad guys who took the time to do the same could also find, which was more than 15 million systems worldwide currently in need of patching to prevent their easy exploitation resilience report listed the top 10 most frequently exposed vulnerabilities in a table, which I've included in the show notes.

(01:22:01):
I was curious to know more about the specifics of a few of these top 10 still most prevalent exposed vulnerabilities. Okay, so the list is as is sorted by the number of IP addresses expressing that vulnerability, where that vulnerability is now today present. So, as I said, I was curious to know more about the specifics of a few of these. Top 10 still most prevalent exposed vulnerabilities. Number one on the, of the top 10, which is currently present in 6,453,785 IP addresses is C V E 20 21 4 0 438. So that one is only two years old. Wow. Here's what Rapid seven the cases <laugh> Yes, yes. Is one vulnerability. And here, listen to what Rapid seven wrote about this. Back on November tw November 30th, 2021, rapid seven said on September 16th, 2021, Apache released version 2.449 of HTTP server, which included a fix for C V E 20 21, 4 0 438, a critical server side request forgery, you know, an S S R F vulnerability affecting Apache HTTP server 2.4 0.48, and earlier versions like you know, all the way back, the vulnerability resides in mod underscore proxy and allows remote unauthenticated attackers, meaning anyone on the internet.

(01:24:07):
Mm-Hmm. <affirmative> lovely to force vulnerable HTTP servers, you know, all six plus million of them to forward requests to arbitrary servers, giving them the ability to obtain or tamper with resources that would potentially otherwise be unavailable to them. They wrote, since other vendors bundle HTTP server in their products, we expect to see a continued trickle of downstream advisories as third party software producers. Here we come to the software bill of materials we were talking about before, right? Like, you know mm-hmm. <Affirmative>, what stuff does your product have in it? As third party software producers update their dependencies, Cisco, they said, for example, has more than 20 products they are investigating as potentially affected by C V E 2021, 4,438, including a number of network infrastructure solutions and security boundary devices to be exploitable. C V E 20 21, 4 0 4 3 8 requires that MOD proxy be enabled. It carries a C V S S score of 9.0.

(01:25:26):
Finally, they wrote, several sources have confirmed that they have seen exploit attempts of C V E 20 21 4, 4 38 in the wild as of November 30th, 2021, there is no evidence yet of widespread attacks. But given HTT P'S prevalence and typical exposure levels, and the fact that it's commonly bundled across a wide ecosystem of products, its likely exploitation will continue and potentially increase. Okay? Now, this particular vulnerability would not be leveraged for any sort of widespread attack. Maybe you could use it in a an H T T P query reflection, but that's not clear due to H T T P S certificates being needed. But it is exactly what a high level determined and targeted attacker might be looking for. Imagine a publicly exposed Apache web server on an enterprises network boundary, which is where they are. The web server sits on the enterprises network, as it pretty much has to, and it fields public H T T P requests over port 4 43 incoming from the public internet.

(01:27:00):
 And that enterprise also maintains other servers naturally of various types for strictly internal use. And those servers have no public exposure. They're simply sitting on the internal network. However, they are visible because they're on the internal network to the vulnerable Apache web server, since, as I said, they reside on the same internal corporate network. Same, right? This vulnerability presents the perfect means for allowing a remotely located attacker to bounce queries off of the enterprises public Apache web server, and into the private corporate network behind it. It turns the Apache server into an unregulated and unrestricted public proxy with access to the enterprise's internal private network. If and when used in that way, it is a horrifying vulnerability. And right now, of the 896 known vulnerabilities on SISs Kev List, it holds the number one slot by being present at 6,453,785 known IP addresses spread around the world.

(01:28:29):
The presence of this vulnerability came to light only about 18 months ago. And one of the problems, as noted by Rapid seven, is that Apache is embedded in many networked appliances. They noted that Cisco has at least 20 different devices that were, and probably to a distressing degree, still are subject to this vulnerability, no fault of Ciscos. I'm sure they pa they, you know, created patches for all of them. But as we know, having the patch and having the patch applied are two very different things. So it, it's not just instances where someone is running a standalone Apache web server on a Unix or Linux box. Those will be obvious and easily updated. No, the real challenge is all of the places where Apache has been embedded inside an appliance that appears to be humming along just fine. Hey, Cisco has some updates for our network thing a jig.

(01:29:30):
Well, okay, but it's working fine just now. We'll get back to it when we have some time, Ben, suddenly your entire network is encrypted. The ransom note arrives and you really don't have any time. You wonder after the fact how they got in. Well, maybe they pivoted off of a known but unpatched vulnerability, 6 million plus instances of which currently exist and were recently enumerated on the public internet. Okay? Now, I'm not gonna go through all 10 of those, but let's look closely at on one more that's halfway down the list occupying slot number five. That's C V E 20 15 1 16 35. The first thing we notice is the 2015. Okay? So eight years ago, and it was, and it's in slot number five of how many servers are currently vocal, how I know, eight years old. And the other thing you notice is the 1 0 35, you know, a reminder of how quaint things were eight years ago when c v E numbers only had four digits.

(01:30:54):
Now we need five. You know, I hope we never need six. It was a simpler time, sir. It was a simpler time <laugh>. So how many known vulnerable instances of that now eight year old problem are still presently exposed on the public internet? Well, 120,156 and get this, it's one of those quite rare vulnerabilities that's managed to earn itself a C V S S score of 10.0. That's right. It doesn't get any worse or more frightening for those who rate these things. We have seen how difficult it is to score a perfect 10. There are plenty of wannabe 9.8 s out there, but the 10.0 remains a rare beast. And who managed to bring that one home? None other than Microsoft in their own web server where it's successful exploitation simply by making the proper remote query, allows the attacker's code to run in the user's system with full system kernel level privilege, thus earning the full Monty 10.0 score, again, a full eight years downstream. And yet today, 120,156 Microsoft web servers remain sitting ducks for this remote code execution vulnerability. I know. Okay, now I'm a software developer.

Ant Pruitt (01:32:50):
Why? I mean,

Steve Gibson (01:32:52):
Why

Ant Pruitt (01:32:52):
This, this is known information is, is it? Yeah, just lack of resources. When I say resources, that means time and money where none of this stuff is getting

Steve Gibson (01:33:01):
Patched. You know, the thing that's missing from these scans, because there's really no way to get them. We, we can get demographics by country and, and sometimes that is illuminating, but we don't get demographics by size of company or number of employees or okay. You know an corporate annual revenue. And it would be really interesting to see what the correlations were there to get some, and to, you know, to answer your question, an is like, okay, what explains this? Because right at this point all we know is that that's the number, okay? So I'm a software developer who's done a fair share of internet programming. Squirrel is an internet authentication system. Grcs shields up and the DNS spoof ability services are persistently available on the internet. And GRCs DNS benchmark now with 8.2 million downloads, which now occu, which are now occurring at a rate of around 2000 new downloads a day, has become the industry standard for measuring d n s server performance.

(01:34:15):
I published that benchmark 13 years ago back in 2010, and it's never had a bug. So I deeply and fundamentally object to what is clearly a growing presumption in the world that any software that's not being actively maintained is therefore inherently bug ridden. It, it's as if no one, and I see this, and I mean, it's in the air. It's as if no one trusts software anymore that isn't in intensive care with multiple IV bags hanging overhead <laugh>. It has to be in, in serious trouble on continuous life support being monitored 24 hours a day for anyone to think that it doesn't have serious problems. It's perverse. And yet the most frustrating thing is, I can't argue against that because it is the only sane and rational conclusion to draw from all the evidence that is presented to us every day.

Ant Pruitt (01:35:39):
I mean, we hear from the, the, the likes of Microsoft, as big as there are, there's always some type of announcement about a zero day or, or some other bug that, that scares the crap out of everybody. So, so why would the public folks just trust that this software doesn't have any bugs? I mean, why, why should, why would we? Because it's always something in the news

Steve Gibson (01:36:00):
<Laugh>. Now, there, there are, as it turns out, there are some beautiful exceptions to that. Mm-Hmm. <affirmative> spin, right? Seven will be based upon an embedded 32 bit real-time operating system. All ongoing support for which ended at the end of last year when its publisher went out of business. And yet I've selected it for spin right's future. Why They didn't go out of business because the software was no good. They went out of business because the software was too good, it was done, it was a perfectly functioning finished product and no one was subscribing to updates for it anymore because it was feature complete and there were no more bugs to be fixed. None. It was done. Take it off the ventilator, pull the IV lines, hold your breath and count to 10. Does this still have a pulse? What do you know? It's alive Works great.

(01:37:10):
Now, the idea that a company went out of business because its software didn't have any bugs is a bit chilling because nobody wants to use Windows after its life support has been terminated. If it's still moving after that, the presumption is that it's become a zombie that wants to eat your brain. So when we hear that Microsoft shipped a brand new edition of Windows, I don't recall which windows it was, I remember hearing it, maybe Vista seven, eight or 10, you know, which at the time of its release had more than 10,000 bugs known to Microsoft. You have to wonder, that sounds like a Vista thing cuz vista's so bad. <Laugh>, you, you have to wonder whether the leaking of what should have been embarrassing information might not have been deliberate on their part. If a company went out of business because their software worked perfectly and had no more bugs, that's not a worry that will ever keep anyone at Microsoft awake at night.

(01:38:31):
Everyone wants to use Windows and everyone wants to make sure that Windows IV lines are continuously connected and that vital life sustaining fluids are flowing freely into it. And the minute Microsoft cuts off that flow, whoa, time to upgrade. And not because you necessarily want anything that the new Windows has. Quite often, in fact, much of what they've done to it is noxious and unwanted. Just look at Vista or Windows eight. But what choice do you have? Everyone knows that Windows is perpetually so sick that the only safe way to use it is with it lying in I C U attached to a ventilator with IV lines flowing and under constant monitoring, you disconnected it from its continuous life support at your peril. And Microsoft with Windows or Exchange server or, well, I guess anything Microsoft creates is only a slice of a much larger problem that this industry have.

(01:39:43):
This is the sad reality of today's software ecosystem. Our insatiable desire for features, or in Microsoft's case, their unrelenting need to seduce us with new bug ridden features means that we're never gonna get ahead of this. And that indeed, almost all software only remains viable while it's on perpetual life support. So now we loop back to SISs Kev list and we see that what we have is a list of what can only be described as zombie software. For one reason or another, that software has been disconnected from the life support that was sadly and unnecessarily, but still in fact vital for its ongoing safe use on the internet. In the case of that eight year old Windows web server critical 10.0 vulnerability, that Windows seven and Server 2008 error software is now more than three years past its end of support life, which Microsoft terminated in January of 2020.

(01:41:03):
It's worth noting however, that the updates for those hundred and 20,156 very old servers are still online and are available from Microsoft. So simply clicking check for updates on any of those machines, assuming that they're activated and validly licensed, will quickly bring them current with the last build of their servers, code and wood in the process, cure any and all vulnerabilities that were known and for which patches were available when support for that server ended three years ago. Imagine that. But that's <laugh>. Yeah, just the checkbox. But that, that's, that's one of the two oldest entries in the list. The others, the, the newer eight are much more recent and ongoing life support still remains available for all of those. A perfect example of that is the other critical vulnerability we examined Apache, any of those 18 month old Apache servers could be updated immediately.

(01:42:18):
Yet 6,453,785 publicly exposed instances of Apache voluntarily remain unpatched today, despite the fact that updates are certainly readily available for every instance of them. So where does this all leave us? One thing I want to observe is that zombies eat the brains of those who are nearby. So this is about self responsibility. If you don't want your zombie server to eat your brain, either shut it down or get it patched if possible. This is one of I, as I said, of my main complaints with Microsoft's plan to force other people to update their zombie exchange servers. Microsoft contends that their brain was going to be eaten by somebody else's, remotely located zombie. That's utter nonsense. We all understand that we are the ones whose brains are in danger if we choose to use software after it's gone zombie. But taking the broadest view possible, it is an unfortunate and sad truth that with very few exceptions, almost none of today's software is able to stand alone without the presumption that periodic and continuing updates are required for that software's users to feel comfortable with the performance of their software.

(01:44:00):
The assumption of the availability of ever present internet, which provides a lifeline for would be zombies, allowing them to remain on life support has enabled a gradually growing laxity on the part of software publishers today. Few, apparently feel the need to get it right the first time since problems can always be fixed later. In the extreme case of Microsoft, major products are shipped despite, reportedly being riddled with tens of thousands of bugs known to its developers at the time that it is shipped. And as we saw with last week's exchange server issue, Microsoft's my, my Microsoft's own self-fulfilling prophecy is that once any of their software is removed from life support, not only everyone nearby, but also everyone else on the earth is put in danger once it becomes a zombie. It's a sad state of affairs, which did not have to be. But as we sometimes observe on this podcast, it's the world we live in. The best we can do is to navigate it safely.

Ant Pruitt (01:45:26):
Now, Mr. Steve, I'm going to come to Microsoft's defense for half a second, okay? Okay. Google is just as bad on this front. There's been a gazillion times Google will push out a version of Android that's gone through Alpha, it's gone through beta testing and so forth. And the second it gets on your device, which happens to be their flagship device, it is a crap testic experience until they run that first patch. So, so

Steve Gibson (01:45:53):
Actually you're supporting my position. You're adding

Ant Pruitt (01:45:55):
Oh, oh, I know, I

Steve Gibson (01:45:56):
Know. Another, another example of a company that you know that is relying on updates rather than ever getting it right.

Ant Pruitt (01:46:04):
Yep. Yeah, I just didn't wanted to come out as if you're just only beating up on Microsoft, cuz there's Oh, yeah, there's a bunch of 'em out there, <laugh>.

Steve Gibson (01:46:11):
Yeah, I'm just using them as, as a good example. But, and, and because they were number, they had number five on the list with a server that, you know, 120 plus thousand of them are right now today vulnerable to a remote code execution exploit, which exists. And if anyone cared to, could take them over, okay? Because, you know, bugs were not fixed.

Ant Pruitt (01:46:37):
Unbelievable. Yep. For Mr. Steve, this has been another, another fun chat and discussion. And yes, there was some sad stuff that happened in some scary stuff, but you did give us a, a little bit of good news on this week's episode of Security Now. And I thank you for all of the information and tidbits that you provided with us this week, sir. My pleasure, aunt. And we'll be back for more next week. Oh, it's gonna be a lot of fun. I look forward to it now, folks, you can find us here on your favorite pod catcher of choice. This is the awesome show security now all about cybersecurity and InfoSec and all the, the crazy stuff happening out there on the internet. Mr. Steve Gibson is going to give you great information and make sure you're on the straight and narrow and not falling for some of those weird headlines that are out there.

(01:47:29):
 Catch the show each and every week here on tweet tv slash sn for security. Now show airs live ish <laugh>, roughly at 1:30 PM Pacific. That's, I believe that's 2030 utc. I'm not sure you folks are smart enough to do the UTC math and I am. But yeah, check us out, 1:30 PM Pacific on Tuesdays and make sure you subscribe and your favorite pod catcher, be it Apple Podcast or Spotify or even our YouTube channel. We do have a dedicated YouTube channel as well. And for you find folks that are wanting to help support us beyond going and checking out our different sponsors, you can support us by joining Club Twit. What is Club twit? Club twit is a member platform that allows you to get ad free versions of our shows. Number one, that's just one benefit. Another benefit is you get to join our private Discord server.

(01:48:26):
And I gotta tell you, our Discord server is the business. There's so much going on in there. Our our conversations are always pretty informative with the other members and sometimes quite hilarious, a lot of different channels to pick from. Each show has its own channel. There's random topics in there such as, you know, beer and cocktails cuz that's what I like to hang out in cybersecurity hacking Ham radio, lots of different topics in there on our Discord server. So go ahead and check it out. That's twit.tv/club twit. You can sign up there and join for just $7 a month and you get all that access. Plus you get access to the shows that are not publicly released. They're only for our Club twit members such as hands-on Mac hands-on Windows Home Theater Geeks is now back with the awesome Mr.

(01:49:18):
Scott Wilkinson. And then you get the Twit plus feed because that's where we drop some little funny clips every now and then that, you know, didn't make it past the editing floor there. So check that out. Again, that's Twit tv slash club twit for seven bucks a month. Or you can opt to do an annual plan, which we really appreciate. Or you can just do a single show plan. And we've also announced family, a plan, family plans as well. So if you want to get the whole family involved, go check this check out Club twit. All right, folks. Mr. LePort has been on vacation and he's going to be there for another couple of weeks. Thank you all for your continued support of us here at twit and, and for checking out security. Now, make sure you tell more folks about the show and Mr. Gibson, thank you again. It's been a lot of fun, sir. Been a pleasure, aunt. Thanks for ho for co-hosting with me. My pleasure. All right folks. You all take care. See you later.

Rod Pyle (01:50:18):
Hey, I'm Rod Pile, editor-in-Chief VAD as magazine. And each week I joined with my co-host to bring you this week in space, the latest and greatest news from the Final Frontier. We talk to NASA chiefs, space scientists, engineers, educators and artists, and sometimes we just shoot the breeze over what's hot and what's not in space books and tv, and we do it all for you, our fellow true believers. So whether you're an armchair adventure or waiting for your turn to grab a slot in Elon's Mars Rocket, join us on this weekend space and be part of the greatest adventure of all time.

... (01:50:51):
Security Now.