A Generic WAF Bypass - Pwn2Own Toronto, URSNIF malware, Vivaldi Mastodon support, Bye Bye SHA-1

Released Wednesday, 21st December 2022

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

It's time for security now. Last show

0:02

of the year, Steve Gibson is here.

0:04

We're going to talk about the results of the

0:06

Pwn2Own competition. Everybody

0:08

got hacked. Everybody. Then it's

0:10

the latest on last week's Microsoft

0:13

patch Tuesday. And finally, what

0:15

exactly is coordinated inauthentic

0:18

behavior. You'll find out nothing but

0:20

authentic behavior next on security

0:22

now.

0:25

Podcasts you love. From

0:27

people you trust. This

0:30

is TWiT. This

0:35

is security now with Steve Gibson. Episode

0:38

nine hundred two recorded Tuesday,

0:40

December twentieth twenty twenty

0:42

two, a generic WAF bypass.

0:46

Security now is brought to you by

0:48

PlexTrac, the premier cybersecurity

0:51

reporting and collaboration platform.

0:54

With PlexTrac, you'll streamline the

0:56

full workflow from testing, to

0:58

reporting, to remediation. Visit

1:00

plextrac dot com slash twit to

1:02

claim your free month of the PlexTrac platform

1:05

today. Listeners

1:08

of this program get an ad free

1:10

version if they're members of Club

1:12

TWiT. Seven dollars a month gives you ad

1:14

free versions of all of our shows,

1:17

plus membership in the Club TWiT

1:19

Discord, a great clubhouse for TWiT listeners.

1:22

And finally, the TWiT Plus Feed.

1:24

The shows like Stacey's Book Club, The Untitled

1:26

Linux Show, The Giz Fiz,

1:28

and more. Go to TWiT dot tv

1:30

slash club TWiT. And thanks for your

1:32

support. Thanks

1:37

for listening to this show as an ad supported

1:40

network. We are always looking for new

1:42

partners with products and services

1:44

that will benefit our qualified

1:46

audience. Are you ready to grow your business?

1:49

Reach out to advertise at TWiT dot

1:51

tv and launch your campaign now.

1:54

It's time. For security

1:57

now, the show where we cover your security,

1:59

your privacy, your online agenda,

2:02

online with this guy right here,

2:04

the king of security, mister Steve

2:06

Gibson, hello, Steve. Leo,

2:08

you'll be glad to know. Actually, Paul Thurrott

2:10

will be very glad to know that I left

2:12

my Grinch costume. You

2:15

are so good. Lisa

2:17

and I, so we're talking about

2:19

the show that's not yet aired. It's gonna be

2:21

a Christmas day version of TWiT. Steve,

2:24

Jeff Jarvis, Doc Searls,

2:26

Paul Thurrott, were and I were the

2:28

old guys talking about the year's news

2:31

and so forth. But Steve really

2:33

dressed it up with his Grinch costume.

2:36

And the thing that I was so impressed

2:38

with is, you didn't just do it, you

2:40

know, like token grinch. You kept

2:42

it going the whole two and a half

2:44

hours. He was doing his hands

2:46

and you were impressive. Lisa

2:49

and I both were really impressed. I have

2:51

to say. Now

2:54

everybody listening is thinking, okay.

2:57

I didn't know if I was gonna make time to

2:59

actually have to watch. Just on Christmas

3:01

day, but maybe But you can watch

3:03

TWiT want. You can watch it next TWiT you

3:05

if this is being that rich. You

3:08

no. I thank you. You you

3:10

Steve goes all in. He put

3:12

his heart into that, and it's one of the

3:14

reasons, you know, I think that this

3:16

show does well and you really helped the network.

3:19

I I'm very grateful to you.

3:21

And always will be. Steve, we don't have

3:23

a show next week. We have a best

3:25

of. You can take next week off. Goodness.

3:28

Oh, what did I say? On No. No. That's okay.

3:30

I get to work. He's been right. It's gonna be

3:32

a major spinner. If if you wanted

3:34

to take six months It

3:36

wouldn't be me that you'd have to worry

3:38

about or Lisa. I know. It'd be

3:40

the fans. You can't know

3:43

how many messages I receive

3:45

about new ways to number the shows.

3:47

So that so that 999 is

3:49

not a problem. That's gonna be a bad day

3:52

in BlackRock, but then it happens, but not

3:54

gonna be good. Actually, think about it. When I on

3:56

episode nine hundred, it was only two weeks

3:58

ago. When I said, yeah. We have a hundred

4:00

episodes left. So I got immediately scolded.

4:03

Gibson, where is your,

4:05

you know, off by one math?

4:07

That would be ninety nine shows

4:09

left. It's like, oh, she had an overflow.

4:12

A mask overflow, buffer overflow. And it has

4:14

to

4:14

be very careful when talking to our on our

4:17

audience, Leo. But that think

4:19

that's why they appreciate my being -- Absolutely.

4:21

-- they can be. Absolutely. This

4:23

week, we're going to answer another

4:26

collection of burning

4:28

questions. First,

4:31

is there no honor

4:33

among thieves? What was

4:36

discovered during this year's Toronto

4:38

Pwn2Own competition? What

4:40

did we learn from last Tuesday's

4:42

Patch Fest? Whose fault

4:45

was the most recent Uber data

4:47

breach. What happened when Elon

4:49

tried to block all the bots? What's

4:52

the first web browser to offer native

4:54

support for Mastodon? What

4:56

exactly is coordinated

4:59

inauthentic behavior And

5:02

why is it such a problem? What

5:04

will happen to GitHub submitters at the

5:06

end of next year? What

5:08

measure could every member of

5:10

the US senate possibly agree

5:12

upon? Oh, god. Exactly

5:14

what applicator exactly

5:16

what applications are there for

5:18

a zero width space

5:20

character. And finally, what

5:23

larger lesson are we taught?

5:26

By the discovery of a serious

5:28

failure to block a problem that we should

5:30

have never had in the first place. The

5:32

answers to all those questions and more

5:34

await the listeners of today's Security Now

5:37

podcast nine hundred and two.

5:39

See now, this this is exactly why you

5:41

gotta do more than nine hundred ninety nine shows. You've

5:43

come with the perfect way to introduce

5:45

the tease, the show. It's perfect.

5:48

All those questions and more will be

5:50

answered. I like all. And my

5:52

theory, it matches my theory of life.

5:54

Just as you're taking your final

5:56

dying glass gasp

5:58

of a breath, you

6:00

figure it out. Oh, you

6:02

don't. I thought you were gonna say you

6:04

say is that all there is? I

6:08

was like, oh, I finally get it.

6:09

I finally get it. Eureka.

6:12

And, of course, the kids never wanna listen to the

6:14

gramps. They he has no idea what he's

6:16

talking about. So Yeah. -- I just

6:18

keep it to myself. Yeah. We

6:20

yell at the clouds so you don't have to. That's

6:22

right. We'll take a little break. And

6:25

then we're gonna get in the answers

6:27

to all those questions and

6:29

more with Steve Gibson. Of

6:31

course, I forgot to mention that the title of

6:33

today's podcast -- Oh, what is it?

6:35

-- a generic WAF

6:38

bypass. Were any of is that

6:40

the answer to any of those questions? Happy

6:43

holidays. A

6:46

generic WAF Bypass.

6:49

Our generic WAF bypass is

6:51

is it it it is involved

6:53

with the larger lesson that we're

6:55

taught by the discovery of a serious

6:58

failure to block a problem that we should have never had in

7:00

the first place. So that's what I thought. Okay. So that

7:02

last -- That's right. -- is the last thing.

7:04

Okay. Boy, what a yes. I don't

7:06

even have a build up to that one.

7:09

That's why you listen to this show. Right folks?

7:11

That's exactly right. And, you know,

7:13

one of the reasons we have such

7:15

great sponsors in this show is because they know

7:17

the people listening to this show are

7:20

focused on tech. Many of them,

7:22

you know, are responsible

7:25

for security in the

7:27

in the workplace. That's

7:29

why PlexTrac wants to tell

7:31

you about their product. PlexTrac

7:34

is your security team's

7:36

secret weapon and a mighty

7:38

fine tool it is too. For

7:40

blue teams, for red teams,

7:43

For the teams in the middle of the purple

7:45

teams, PlexTrac is the premier

7:47

cybersecurity reporting

7:49

and collaboration platform. And

7:51

it really changes the way you're gonna get your

7:53

job done. Cybersecurity absolutely

7:57

needs PlexTrac. Right? Because

8:00

wouldn't it be nice? I'll give you. Wouldn't it be here's

8:02

a question. Wouldn't it be nice to

8:04

gain control of all your tools, all

8:06

your data, you know? Get it

8:08

all in one place, build more actionable

8:10

reports, focus

8:13

on the right remediation, even more important,

8:15

communicate what needs to be remediated,

8:17

to the blue team effectively? Are

8:20

you working to mature your security

8:22

posture but struggling to optimize efficiency?

8:25

And facilitate collaboration within your

8:27

team, Olli, this is the perfect solution for you,

8:29

PlexTrac. It

8:31

is a very powerful but easy to use

8:33

very simple cybersecurity platform

8:35

that does a bunch of different

8:37

things. It centralizes all your security

8:40

assessments. Your pen test

8:42

reports, all your audit findings,

8:44

all your vulnerability tracking,

8:46

and makes it easy for you to

8:48

generate those reports so you can

8:50

get these things fixed. It transforms

8:52

the risk management life cycle.

8:54

It lets security teams generate

8:56

better reports faster. You

8:58

can aggregate and visualize your

9:01

analytics. You can collaborate on remediation

9:03

real time. So bottom

9:05

line is it helps you get your

9:07

job done, fewer keystrokes, less

9:10

work, making a report more time

9:12

to do the testing. PlexTrac

9:15

is amazing. It addresses all the pain

9:17

points across the spectrum

9:19

of security team workflows and rules.

9:21

Start with: it's second to none for managing

9:23

offensive testing. And reporting security

9:25

findings. It'll run your pen test, but

9:27

then you can take the code samples, generated

9:29

the screenshots, you can add videos

9:31

to any finding, You can import

9:34

findings from, you know, all the major scanning tools

9:36

Nessus, Burp. Whatever it is you

9:38

use, import it right in. You can create

9:40

custom templates so that

9:42

you know, you do that once. And then from

9:44

then on, a click of a button and your

9:46

report is generated. You

9:49

get analytics and service level agreement functions

9:51

to help you visualize your security posture,

9:53

which means you can quickly assess and

9:55

prioritize to ensure you're

9:57

tracking remediation efforts, for your compliance

9:59

efforts, to show progress over time

10:01

for the for the the c

10:03

suite, the board, to get built

10:05

in compatibility with industry tools and

10:07

frameworks, vulnerabilities, scanners,

10:10

pen testing as a service platform's

10:12

bug bounty tools, adversary

10:15

emulation plans. It allows you to improve the

10:17

effectiveness and efficiency of your

10:19

current workflow. You get robust

10:21

integrations with Jira and ServiceNow,

10:24

So that's nice because you you

10:26

create you're generating these reports, but now you're

10:28

also closing the loop on the highest

10:30

priority findings. Enterprise

10:32

teams can use PlexTrac to

10:34

streamline their pen tests, security

10:37

assessments, incident response reports, and

10:39

so much more. You're

10:41

gonna love it because it takes the the burden

10:43

of reporting off of you,

10:45

makes it easy to do. So you can

10:47

focus on the thing you're there for, which is to do

10:49

all these assessments, right, to to

10:51

find these problems.

10:54

PlexTrac clients report up to a sixty

10:56

percent reduction in time spent reporting.

10:58

Wouldn't that be nice? Wouldn't

11:00

that be nice? You get a thirty percent

11:02

increase in efficiency and a 5X

11:04

ROI in year one?

11:06

All in all, PlexTrac provides

11:08

a single source of truth for all stakeholders

11:12

transforming the cybersecurity management

11:14

life cycle. I think sometimes it's,

11:16

you know, it's it's hard to

11:18

say Well, I need this tool for reporting. know,

11:21

it's probably not so hard to say, well,

11:23

you know, I need this or that to

11:25

do some testing. But reports

11:28

are how you communicate your results to

11:30

the people who could fix the problem to the people

11:32

upstairs. And it should

11:34

be easy. It shouldn't be the thing that takes

11:37

your time. Book a demo right now. See

11:39

how PlexTrac can save your team.

11:41

Try it free for one month. See how

11:43

it can improve the effectiveness and

11:45

the efficiency of your security team,

11:47

blue team, red team, purple team.

11:49

Simply go to plextrac dot com slash

11:51

twit and claim your free

11:53

month. Now, please go to that address PLEXTRAC

11:57

plextrac dot com

11:59

slash TWiT. Okay?

12:01

So that way, they know you heard it here.

12:04

plextrac dot com

12:06

slash TWiT. We

12:08

thank PlexTrac so much for supporting

12:10

security now. And the efforts of this

12:12

cat right here. Don't forget,

12:14

plextrac dot com slash

12:16

security. Now,

12:19

I am

12:19

ready for the picture of the week. And

12:22

this one really is

12:24

interesting. Yes. So

12:27

I titled this old school

12:29

message routing, and

12:31

it would be difficult to adequately describe

12:34

this, but it's a fascinating picture.

12:36

It And if nothing else Leo shows

12:38

us how far we've come, because

12:41

what we have is I'm

12:44

old enough to remember going to a

12:46

department store, buying

12:48

something with my mom, and the clerk

12:50

would roll up the

12:52

the slip, put it in a

12:54

tube and act like

12:56

a cylinder, and shove it

12:58

into one of these holes. That

13:00

is a pneumatic delivery system.

13:03

And and my my earliest

13:05

memory of that was when

13:07

you did a car, you know,

13:09

auto ATMs, I

13:12

remember that -- Yeah. -- we we still

13:14

have one in town. Yeah. Yeah.

13:16

Where where you'd like, stick

13:18

your your checks and and things

13:20

in this plastic cylinder

13:22

and then stick it in this

13:23

tube. And then we go,

13:24

And

13:25

It was so satisfying. Oh.

13:27

It was wonderful. So

13:30

okay. So what we have if, you know,

13:32

if if people could imagine a

13:34

a bunch of tubes that

13:36

have sort of a like

13:38

like a catheter

13:40

at the end so that this

13:42

the cylinder is gonna come flying out of

13:44

this tube like and and like stop.

13:47

This is the switch room

13:49

which involves all of

13:51

the ends of these tubes

13:53

and some poor guy who's

13:55

standing there, I

13:57

guess, like, picking tubes up

13:59

from what like like picking cylinders up

14:01

that have arrived in one tube

14:03

and then sticking them up in

14:05

another tube and off they go, know,

14:08

back, you know, like, onto their

14:10

destination. This looks like a

14:12

message routing or switching

14:14

room for pneumatic

14:16

tube transfers. And

14:18

but now what's interesting

14:20

is that I don't see any labels on these things.

14:22

There's like, I don't know, what thirty of

14:24

them or twenty of them that that we can see, and

14:27

then, like, over on the left are a whole bunch

14:29

not like other rows of

14:31

them. This is just fascinating. This is

14:33

the inbound. This is your inbox.

14:36

I don't know what you would do

14:38

for outbound. Yeah. I guess you have

14:40

to remember where it came out of.

14:42

These are called according to

14:44

the chat room Lamson tubes,

14:47

and there's a website dedicated to it,

14:49

pneumatic dot tube.

14:51

Oh, that's so good. That's

14:53

so good. And and and

14:55

also I love I love the one there along

14:57

the ceiling at the top. It like it looks like

14:59

it's it it starts to come down and then it

15:01

changes its mind. It goes Nope. We're not gonna

15:03

we're not gonna end here. We're gonna go across and

15:05

go back up somewhere else. So it's like,

15:08

okay. And also when you think about it, you

15:10

know, these things have

15:12

some links to them. Right? Like, it it's

15:14

actually a canister

15:16

that you're able to put documents

15:18

in. So there's a

15:20

minimum radius of

15:22

the for the bend of these things,

15:25

or the canister's gonna get

15:27

stuck trying to go around a

15:29

around a curve. So it

15:31

must be that it had larger

15:33

ends and a thinner

15:36

body or maybe

15:38

even a like a concave

15:40

body that would allow, you

15:42

know, this thing to navigate around

15:44

the corner because it's We

15:46

could see some corners. They're not

15:48

sharp and and they couldn't be.

15:50

Anyway, just, you know, completely

15:52

not about Well, it is

15:54

kind of about packet routing, I guess. Oh, yeah.

15:56

This is this is a website all

15:58

about it. Here's a Scientific American

16:01

article about the pneumatic

16:03

tube system of New York City.

16:06

Now it was published a couple of years ago.

16:08

So this But the original article was from

16:10

eighteen ninety seven. This is why the Internet

16:12

is so There's nothing you can't find.

16:14

Isn't I mean, pneumatic

16:16

dot tube. There's a website for

16:18

crying out loud. Amazing.

16:22

I love it. Yeah. And they're all over the

16:24

world, I guess. These pneumatic. There's

16:26

a pneumatic railway. I'm not sure I'd

16:28

wanna ride that.

16:32

Yeah. Just just just lie

16:35

flat and tuck your arms in, and

16:37

we'll just gonna close this little

16:39

lid on this on this round coffee

16:41

and send you out your way. I think

16:43

there's actually, that's isn't that

16:45

Elon Musk's idea for what do you

16:47

call that? That that tube system that

16:49

he wants? Not the the boring

16:51

company, but he actually wanted to do a high

16:53

speed tube.

16:55

Hyperloop. Hyperloop. Thank you. Yeah.

16:57

That was that was last week. Know

16:59

what? Who knows? It's a little busy

17:01

now. Yeah. Yeah. So a

17:03

malware operation known

17:06

as URSNIF

17:08

you know, your which

17:11

we've noted a few times they've

17:13

kind of crossed our radar, it's

17:15

the fourth one this year

17:17

to suffer from internal squabbles,

17:20

which end up surfacing in the public

17:22

eye. Disagreements over,

17:25

you know, Russia's invasion of

17:28

Ukraine, and in some cases strong pro

17:30

Russian sentiments, which have

17:32

divided previous groups were

17:34

the were the nominal triggers

17:36

in those first three instances.

17:38

But for number four, it appears

17:40

that it's just about greed. You

17:42

know, that's all the motivation we need. And

17:45

this is is heading toward the answer to the

17:47

question, you know, is there no

17:49

honor among thieves? Through

17:52

a Twitter account, which was

17:55

at ur sniffleak,

17:58

which may still be suspended. It

18:00

was a while ago at least. An

18:02

ex member of

18:04

this group, this your URSNIF

18:07

group, announced his

18:09

intention to leak the

18:11

real world identities of

18:13

the top leaders of

18:15

the group. Unless he received a significant payout.

18:17

To prove his willingness to do so,

18:19

in a succession of tweets,

18:21

you know, you you are

18:24

sniff leak leaked various

18:26

pieces of internal dialogue,

18:29

some of the group's source

18:31

code, and the names of three low

18:33

level group members. That

18:35

was enough to get this person paid.

18:38

After that, he tweeted,

18:40

he said, I just made

18:42

more money in a single week.

18:45

Than I have made in years.

18:47

Pay workers right and they won't

18:49

have a reason to leak stuff.

18:51

Unquote. And I couldn't help, but note

18:54

that it's interesting that this

18:56

person considers to this

18:58

had been an act of making

19:00

money you know,

19:02

wow. What a what a different culture.

19:05

Apparently, the motivation to

19:07

extort was heightened by something that

19:09

the head of the group said in an interview

19:11

with the VX underground project. It was

19:13

not clear what about that was

19:15

upsetting. The URSNIF leaker

19:17

tweeted, the interview

19:19

angered me. He

19:21

has been a bad boss for a

19:23

long time. I've been waiting for

19:25

the right time to release unquote.

19:27

And of course, you know, Remember that this is a

19:29

bad boss of a of

19:31

a Russian ransomware

19:34

group. So Yeah. Bad kind of goes

19:36

into territory. It's hysterical. Wow.

19:38

I just wanted to click my

19:40

paycheck and go home, but no.

19:42

Yeah. So I had to extort

19:44

money in order to get paid or or extort

19:46

the the boss for money. That's

19:48

right. So anyway, I don't think

19:50

we can count on all of the major

19:53

groups to implode, but there's probably

19:55

a little extra tendency for that

19:57

to happen within an organization comprised

20:00

of people who must be aware that

20:02

what they're doing is not earning

20:04

an honest day's living. You know, at

20:06

least I guess we can hope so.

20:10

Okay. Pwn2Own

20:13

Toronto twenty twenty two just

20:15

happened. And it's always interesting

20:17

to see what hackers wearing white

20:19

hats are able to do

20:21

to today's fully patched

20:24

and up to date systems. Right? Because,

20:26

you know, those are the targets.

20:28

Is in in every case, these

20:30

things are one hundred

20:32

percent patched. And we've seen

20:34

instances in the past where

20:36

a a group will get

20:38

all ready to to

20:40

to demonstrate a a vulnerability

20:42

that they've very cleverly

20:44

crafted in something and, like, the

20:46

day before their demo,

20:49

the publisher patches.

20:51

And, like, not because they told

20:53

them. Right? There I mean, they

20:55

will end up telling them all of the things that are

20:57

done during these Pwn2Own contests

21:00

end up being communicated

21:03

to the publisher of the of

21:05

the thing that was compromised, but

21:08

not beforehand. Anyway, so the point is

21:10

this is the this is state of

21:13

the art fully patched as good as we know how to

21:15

make it products that these guys are

21:17

going after. So

21:21

In the past, we've taken people

21:24

through a blow by blow. And

21:28

sometimes, I think that ends up getting

21:30

a little long. So

21:33

the what I so I'm gonna summarize this a

21:35

bit. The recently concluded

21:37

Toronto twenty twenty two hacking

21:39

contest focused upon

21:41

hacking routers, smartphones,

21:45

printers, and other smart devices.

21:47

So it was sort of an IoT

21:50

esque you know, smartphones, printers, routers,

21:52

and other stuff. It

21:54

was a four day contest that ended

21:56

up getting won by

21:59

DevCore which is the now well

22:01

known Chinese, Taiwanese

22:04

penetration testing group. Okay.

22:06

So to give everyone some

22:08

sense for

22:09

this, I'm just gonna

22:09

quickly scan down and I

22:12

abbreviated these just

22:14

the bullet points which

22:16

briefly describe the

22:18

attacks. So and

22:20

and this is just day one.

22:23

Okay? Day one of the four

22:25

day Contest.

22:28

A stack buffer overflow

22:30

attack against the

22:32

Canon imageCLASS MF743Cdw

22:34

printer.

22:36

A two bug authentication bypass and

22:38

command injection attack against the

22:40

WAN interface of a TP-Link

22:42

AX1800 router.

22:45

A command injection attack which caused a Lexmark

22:47

MC3224i

22:49

printer, to

22:52

serenade the audience. With

22:54

a well known Mario Brothers

22:56

tune. We had a command

22:58

injection attack against the WAN

23:00

interface of the Synology RT6600ax

23:04

router. A stack based

23:06

buffer overflow against an HP Canon

23:08

laserjet pro laserjet pro

23:10

M479fdw

23:13

printer. An improper input validation

23:15

attack against the Samsung Galaxy

23:17

S22. A

23:19

command injection root shell attack against the

23:21

LAN interface of the Synology

23:23

RT6600ax router

23:26

again. Another improper input

23:28

validation attack against the Samsung Galaxy

23:30

S22. A two bug

23:32

attack, SQL injection, and command

23:34

injection against the LAN interface of

23:36

the Netgear RAX30

23:38

AX2400

23:40

router, a SQL

23:43

injection on a router. That's interesting. Anyway,

23:45

two different based buffer overflow

23:47

attacks against the MikroTik

23:49

router and a Canon printer.

23:52

Three bugs, Two,

23:54

missing auth for critical function and

23:56

an auth bypass attack against the

23:58

Synology DiskStation DS920+

24:01

NAS. Two bugs,

24:03

including a command injection in an attack

24:05

against the HP Color LaserJet Pro

24:07

M479fdw

24:10

printer. Five different bugs leveraged

24:12

in an attack against the LAN interface of

24:14

the Netgear RAX30,

24:16

again, AX2400

24:18

router, and three different bugs against a

24:20

Netgear router and an HP

24:22

printer. Now you know why I'm only doing day

24:24

one. And remember,

24:26

these were all

24:28

one hundred percent up to date

24:31

devices all cut through.

24:33

All of that on only

24:35

the first day and

24:38

it kept going like that throughout the entire

24:40

event. As we know,

24:42

LAN side attacks

24:45

on routers and NAS devices

24:47

are much less concerning

24:49

than attacks that could be launched against

24:51

the WAN

24:52

interface. But this contest revealed

24:54

plenty of both of those. And

24:56

the number

24:57

of printer vulnerabilities

24:59

that still exist Well, I suppose

25:01

we shouldn't be surprised. But

25:05

obtaining well hidden persistence

25:08

inside a network is an overriding

25:11

goal of anyone who penetrates

25:13

an enterprise's perimeter. And

25:16

printer protocols by their

25:19

design loudly broadcast

25:21

and advertise on networks

25:24

because their goal is to be found.

25:27

Unfortunately, this results in highly

25:29

vulnerable printers shouting

25:31

their presence and creating a

25:33

perfect and often unsuspecting

25:35

place for malicious post

25:37

intrusion malware to set

25:39

up shop and wait.

25:42

Thus becoming an advanced persistent

25:45

threat. So anyway, I

25:47

just sort of as a reality check,

25:49

here's here's Yes.

25:51

These guys are, you know, at the

25:53

top of their game. Right? They're they're the

25:55

the the world's best hackers.

25:58

Yet it appears that all they have

26:00

to do is look at

26:02

some device, make that the

26:05

target of their scrutiny and

26:07

they can find a way in. So,

26:10

you know, we we

26:12

need to I

26:14

guess anyone listening to this podcast long

26:16

enough will have lost any sense

26:18

that if there's anything that's

26:20

invulnerable to, you

26:22

know, it's somebody who is serious about

26:24

finding a way in. And in fact, that is the story

26:26

behind today's main

26:28

podcast story at

26:30

the end. Okay? And speaking of getting

26:32

into networks, it's not just

26:34

lower end IoT

26:36

devices that are permitting bad

26:38

guys to get into networks. Both

26:40

Citrix and Fortinet, who are two

26:42

of today's largest providers of enterprise

26:45

networking equipment, recently

26:47

released security updates to

26:49

patch zero day vulnerabilities

26:51

one in each of their devices

26:53

that were being exploited in the

26:55

wild against

26:56

them. In

26:57

the case of the Fortinet Zero Day,

26:59

which created an unauthenticated

27:02

remote code execution, in

27:05

FortiOS, which

27:07

is what runs the company's SSL

27:09

VPN devices, it was

27:11

the way some

27:13

ransomware was managing to crawl

27:15

inside enterprise networks,

27:18

which is never what you

27:20

want. And it was so

27:22

bad that Fortinet did the right thing

27:24

by also offering down

27:26

version patches for

27:29

their older out of support devices, which

27:31

were still running their also

27:34

vulnerable six point zero

27:36

firmware. The zero day was

27:38

first spotted being used in the wild by a

27:40

French security firm, Olympe,

27:43

last week. And, to Fortinet's credit,

27:45

They patched it over the weekend

27:47

in just three days. So

27:50

props for getting it fixed quickly,

27:52

but boy, you know,

27:54

what this French security firm watched, what

27:57

were ransomware groups

27:59

gaining entry to an enterprise

28:02

network through this

28:03

vulnerability. So, wow.

28:06

And I said, you know,

28:08

two zero days, one each

28:11

Fortinet and Citrix Citrix's

28:14

is the other. And it's

28:16

also an unauthenticated remote

28:18

code execution exploit.

28:21

Interestingly, this one was

28:23

spotted by the NSA -- Yep. --

28:25

our national security agency.

28:27

In their security advisory, the

28:29

NSA wrote that they

28:31

saw the Chinese cyber

28:34

espionage group designated APT

28:37

five, leveraging that

28:39

Citrix Zero Day. But the NSA offered

28:42

nothing further about what was being

28:44

done with the obtained leverage.

28:46

So again, you

28:49

know, high end gear also

28:51

vulnerable, not just low end

28:53

stuff. Last Tuesday

28:57

was the industry's increasingly well

28:59

attended final monthly patch

29:01

event of the year.

29:04

And those offering up

29:06

incrementally more secure improvements

29:08

in their code and products, notably

29:10

included Adobe, Android,

29:13

Apple, Microsoft, Mozilla,

29:15

SAP, and VMware. Microsoft

29:19

fixed seventy two security flaws

29:21

this month across their range of

29:23

offerings, and that included a zero day

29:26

was being used to circumvent Microsoft's

29:29

smart screen and mark of

29:31

the web detection use

29:33

which was which would

29:37

that I got myself tangled up. The

29:39

zero day was

29:41

being used to bypass that

29:43

to allow stand

29:45

alone JavaScript files to execute

29:48

because modern windows will

29:50

execute JavaScript natively. And, of

29:52

course, we covered this trouble

29:54

recently. So it's very good

29:56

that it's been fixed. The other

29:58

issue Microsoft addressed was a problem that

30:00

we also noted before here.

30:03

Which was that somehow, malicious

30:05

Windows drivers were being

30:07

used by the Hive and

30:10

the Cuba ransomware strains

30:12

or groups, and those malicious

30:15

drivers were being trusted by

30:17

Windows because they were carrying

30:19

valid Microsoft signatures.

30:22

Oops. Okay. In this

30:24

month's advisory, Microsoft wrote,

30:26

We were notified of this

30:29

activity by SentinelOne, Mandiant,

30:32

and Sophos. So

30:34

everybody was watching. On October nineteenth

30:37

of twenty twenty two, and

30:39

subsequently performed an

30:41

investigation into

30:43

this activity. And I should just mention

30:45

that SentinelOne,

30:47

Mandiant, and Sophos, they've

30:49

all got clients and

30:52

their technology is

30:54

on those clients' networks

30:57

offering protection over

30:59

and above what Microsoft is

31:01

providing. So the reason all

31:03

three of those companies, all

31:05

notified Microsoft on

31:07

October nineteenth of twenty twenty two is

31:10

that's when all three of

31:12

their technologies' alarms

31:15

went off when

31:17

drivers were acting maliciously.

31:20

They immediately thought,

31:22

wait a minute, how is a driver getting into

31:24

the kernel and acting this

31:27

way? So they yanked

31:29

those, looked at them, found

31:31

that they were all validly signed

31:33

by Microsoft and

31:35

immediately notified Microsoft that that was what

31:37

was happening. So, you know, that's the

31:39

good thing about the way

31:41

this industry is evolving with

31:43

third parties who are offering, you

31:45

know, real time detection services

31:47

for people's networks is,

31:49

you know, they're able to close the

31:51

loop and let Microsoft

31:53

know when something bad has happened.

31:56

Microsoft said, This investigation revealed

31:58

that several developer accounts

32:01

for the Microsoft Partner Center

32:03

were engaged in submitting

32:06

malicious drivers to obtain a

32:08

Microsoft signature.

32:09

In other words,

32:10

there were some bad partners

32:12

there. They said a new attempt

32:14

at submitting a malicious driver for signing

32:16

on September twenty ninth twenty

32:18

twenty two led to the suspension

32:21

of the seller's accounts in

32:23

early October. So

32:27

okay. So early October.

32:31

Yet the drivers appeared on

32:33

the nineteenth of October, which

32:35

suggests that drivers

32:38

were signed. Microsoft

32:40

caught this happening

32:42

at the end of September, yet

32:45

there were still drivers out there that

32:47

Microsoft wasn't aware of because they hadn't

32:50

invalidated them. So then they appeared

32:52

in use toward the end of

32:54

October, the nineteenth, and that's

32:56

when they got notified of something

32:58

that basically they already knew about. Anyway,

33:00

that was all good. And not to be

33:02

left out, Apple also updated

33:05

WebKit to fix a zero day that was being used in

33:07

targeted attacks against iOS

33:09

users. Uber has

33:14

been having a rough time recently.

33:16

Recall that about four months ago,

33:18

the Lapsus$ gang

33:20

breached Uber's security and

33:23

caused them trouble. What's interesting

33:26

about last week's second

33:28

breach, which resulted in

33:30

unfortunately, the leaking of the personal

33:33

details of seventy

33:35

seven or actually more than

33:37

seventy seven thousand Uber employees

33:40

and also some source code and

33:42

credentials for some of the company's

33:44

internal IT

33:45

network. And

33:48

I should mention that Uber confirmed

33:51

the authenticity of that

33:53

of

33:55

that leaked data.

33:57

What's interesting is that this wasn't

34:00

directly Uber's fault. The

34:02

breach occurred in the

34:04

network of an Uber contracted

34:07

IT service provider whose

34:09

name suggests or suggested

34:11

to me at least that all the good

34:13

names were already taken. This

34:16

chose to name itself

34:18

Teqtivity. It's

34:22

T E Q T I V I T Y.

34:26

Anyway, the day after

34:28

Uber outed Teqtivity as being

34:31

the actual proximate cause of

34:33

this latest leak, Teqtivity

34:36

themselves disclosed

34:38

the breach last Thursday. Uber may have been

34:40

Teqtivity's biggest

34:42

customer. Actually, I did some looking

34:44

around and, you know, they've got a bunch

34:46

of them. But

34:49

I mentioned this because other notable companies may also

34:51

have had their data stolen

34:54

since a breach of one large

34:56

service provider

34:58

can potentially expose the data belonging to all their clients. We saw

35:00

this, of course, a couple years ago

35:02

when all of those dental offices

35:05

were in trouble, because they were

35:07

all

35:10

outsourcing their dental

35:12

records management to one single

35:13

provider. The so called MSP,

35:16

right, managed service provider. As

35:17

an industry these days, we're

35:20

really sort of facing

35:22

a conundrum.

35:23

Do

35:24

you run

35:24

your own in house shop

35:27

where you are

35:29

solely responsible for

35:32

your company's security and IT and

35:34

everything? Or

35:36

do you decide that running networks

35:40

and servers, and points of presence, and dealing with a

35:43

constant need to focus upon

35:45

security is not your

35:47

main line

35:48

business. It, you know, it isn't

35:50

what you should be spending your cycles

35:52

on. And also that

35:54

it's just become too complicated to

35:57

do it

35:58

right. No, that's a valid consideration. So

36:00

you farm it out to someone who

36:04

promises to you that it

36:06

will be their mainline

36:08

business because that's all they're

36:10

going to do. It is their

36:12

business. And

36:14

you know, I think today that's a tough call. I think it

36:16

can work out and be extremely cost

36:20

effective to do

36:22

this subcontracting. So long

36:24

as everything goes well. On the

36:26

other hand, when something doesn't go

36:28

well, you know, if it's a big

36:30

breach at

36:32

a

36:34

major service

36:34

provider, you know, potentially

36:37

the damage can be

36:39

huge because so many individual

36:40

clients of theirs can be affected by

36:42

a single attack. So again,

36:45

a tough

36:48

call, but increasingly, I can see that it makes sense. And

36:50

this sort of goes back to the comment I made. I

36:52

think it was last week where, you know,

36:54

the guys at

36:56

the DigiCert customer

36:58

advisory board meeting looked

37:01

at me like I

37:03

was nuts for still

37:05

doing it myself. Saying, you know,

37:07

Gibson, nobody does their own hardware

37:10

anymore. Okay.

37:13

I don't know, Leo, if

37:16

every podcast on TWiT

37:18

mentions Twitter and Elon

37:20

probably. But,

37:22

you know, there he

37:24

keeps doing things that are

37:25

interesting, certainly for us.

37:28

So for this one way to put it,

37:30

From the outside

37:32

looking in, it's difficult

37:35

to understand the

37:37

mechanisms at play. Inside

37:40

Elon Musk's Twitter reign.

37:43

You know, from the outside, anyone would

37:45

get the sense of

37:47

things lurching back and forth

37:49

inside Twitter. Presumably, as

37:52

Elon's, as he described

37:54

it himself, his biological neural net fires

37:56

off whimsical edicts,

37:58

which Twitter's remaining employees

38:01

apparently quickly implement without

38:03

without any buffering in a

38:06

desperate effort to hold

38:08

onto their own paychecks. In

38:10

this chaotic

38:12

and fragile work environment, which has been created. You

38:14

know, one moment, we're done with

38:16

layoffs. Then we have more

38:18

layoffs. No.

38:20

Now we're really done

38:22

with layoffs, then entire departments disappear.

38:25

Collections of press

38:28

accounts are suspended for an interval of seven days,

38:30

until the next day, they're

38:32

reinstated. A new policy

38:36

states anyone tweeting a link, which points to another

38:38

social network will have their account

38:40

suspended, until a few

38:42

hours later, when that

38:44

policy ends. You know, it really

38:46

has been quite something to

38:48

watch. And as I'm assembling the

38:50

notes and details of

38:52

this podcast, when I follow links to online

38:54

events that would once

38:56

have linked to

38:58

Twitter, I'm increasingly

39:00

being taken to Mastodon.

39:02

Well,

39:03

last week something else happened as a

39:06

result of a

39:08

apparent misfiring of Elon's

39:10

biological neural net.

39:12

He decided that he was

39:14

going to block all of

39:17

the bots. This of course was something that

39:19

had endlessly bedeviled all

39:22

of the pre Elon

39:24

Twitter engineers.

39:26

How to block the bots. Elon, it

39:28

turns out, had the answer.

39:30

So he declared publicly that

39:33

he had a surprise for all of

39:36

the bot farms. And

39:38

last Monday, Twitter

39:40

blocked entire

39:42

IP address blocks, which were used

39:44

by it turns out

39:47

approximately thirty, three

39:49

zero, mobile carriers across

39:52

Asia. According to Platformer, I

39:55

know. This included

39:57

the primary telecom

40:00

providers for all

40:02

of India and all

40:04

of Russia, as well as Indonesia's

40:07

second largest telecom. Of

40:10

course, there were vastly more

40:12

legitimate users in every

40:14

one of those address blocks than

40:17

there were bots. So three countries,

40:20

worth of legitimate Twitter users who

40:22

all shared the same IP address

40:24

blocks as a few

40:26

bots, were completely

40:28

cut off from

40:29

Twitter. And you have to,

40:32

like, wonder, how

40:36

could anyone not anticipate that happening.

40:38

It's, I don't know.

40:40

Again, it's just incredible to me.

40:43

What I can see

40:46

is that Elon wants to own Twitter.

40:49

But Twitter is

40:52

not technology. It

40:54

is

40:54

enabled by technology.

40:58

Twitter is

41:00

a community. A community can be enabled

41:02

and nurtured and encouraged.

41:04

The one thing it cannot

41:07

be is owned. Nobody

41:10

owns Twitter's community. No one can,

41:13

not even Elon. You

41:17

can,

41:18

you're always welcome over

41:21

at twit dot social. You could

41:22

have your own Mastodon account. I promise

41:25

not to ban you. Well, we're

41:27

gonna see because, you know, he famously held a poll

41:29

over the weekend. That's

41:31

all silly, silly. I

41:34

know. He said, if this poll says

41:36

I should no longer be CEO,

41:38

I will resign. Yeah. Of course, the

41:40

petition said, please resign.

41:42

We're waiting. Well, yeah.

41:44

Go. We're done. We're done.

41:46

Well, then he said, be careful what you wish

41:48

for, which is probably true as God

41:50

knows. He would take over.

41:52

is I think he's destroyed. I mean, you know, you

41:54

know, one of the things that I'm seeing, in

41:56

fact, we're gonna get to this in a minute.

41:59

This is the coordinated inauthentic

42:02

behavior, which is just this wonderful

42:04

phrase. I love that phrase. Yeah.

42:06

It is difficult to

42:08

do this, Leo. It is

42:10

difficult to be in an

42:12

ownership or, you know,

42:14

catbird position with any

42:16

large social media network, you are

42:18

constantly fighting abuse. On the

42:20

one hand, you wanna open your

42:23

gate and allow everybody in the

42:26

world to come in and

42:28

participate. Unfortunately, we know that

42:30

the world has a whole bunch of

42:32

bad people in it. And,

42:34

you know, bots are a thing. And so it's just

42:36

this is really hard to do. And

42:38

I would argue Twitter was doing

42:40

the best job they could. And,

42:44

of course, then they ran afoul of

42:46

all of these issues of,

42:48

well, you know, should we

42:50

allow people to scream fire in a burning

42:52

building or

42:54

not? Ad infinitum. Anyway, Elon

42:56

appears to have badly broken it, and

42:58

it's not at all clear to me that

43:00

him disappearing is gonna suddenly

43:03

you know, fix it. I don't know how you

43:05

do that. Yeah. It's sad. Anyway,

43:08

the good news is, speaking of

43:10

Mastodon, Vivaldi

43:12

recently became the first browser to have its

43:15

own Mastodon

43:15

instance, Vivaldi Social.

43:19

Now, the new version on the

43:22

desktop is also the

43:24

first to integrate

43:26

Mastodon natively

43:28

into the browser itself. Along with the ability

43:30

to pin tab groups and other

43:32

UI improvements, they said, We

43:35

believe in providing alternatives to big

43:38

tech while putting your privacy

43:40

first and launched

43:41

Vivaldi Social, our Mastodon instance. And today,

43:44

we are integrating Vivaldi

43:46

Social into the sidebar

43:48

of our

43:50

desktop browser. Becoming the

43:52

first browser to offer this

43:54

functionality. So anyway, I

43:56

just wanted to give a tip

43:58

to Vivaldi, and note that it's interesting

44:01

that this has

44:01

happened. Hey, everybody. Leo

44:04

Laporte here. I'm the founder and one

44:06

of the

44:08

hosts at the TWiT podcast network. I wanna

44:10

talk to you a little bit about what we do here

44:12

at TWiT. Because I think it's unique

44:14

and I think for anybody

44:18

who is bringing a product or

44:20

a service to a tech

44:22

audience, you need to know about what

44:24

we do here

44:26

at TWiT. We've built an amazing audience of engaged,

44:28

intelligent, affluent listeners

44:30

who listen to us and

44:32

trust us when we recommend a

44:36

product. Our mission statement is to

44:38

build a highly engaged community of tech

44:40

enthusiasts. Wait.

44:42

Already, your ears should

44:44

be perking up at that because highly engaged is good for

44:46

you. Tech enthusiasts, if that's who

44:48

you're looking for, this is the place. We do

44:50

it by offering them the knowledge they need

44:54

to understand and use technology in today's world. And

44:56

I hear from our audience all the time,

44:58

part of that knowledge comes from our

45:02

advertisers. We are very careful. We pick advertisers

45:04

with great products, great

45:06

services, with integrity, and

45:08

introduce them

45:10

to our audience with authenticity and

45:13

genuine enthusiasm. And that makes our host

45:15

read ads different from anything else

45:17

you can buy. We

45:19

are literally bringing you

45:22

to the attention of our audience

45:24

and giving you a big,

45:27

fat endorsement. We like to create partnerships

45:29

with trusted brands. Brands who are in

45:31

it for the long run, long

45:33

term partners that

45:36

wanna grow with us, and we have so many great success

45:38

stories. Tim Broom, who founded

45:40

ITProTV in

45:42

twenty thirteen, started advertising

45:44

with us on day one has been with us

45:46

ever since. He said,

45:48

quote, we would not be where we

45:50

are today. Without the TWiT network. I think the proof is in the

45:52

pudding. Advertisers like

45:54

ITProTV and Audible that have been with

45:56

us for more than ten years. They stick

46:00

around because their ads work. And honestly,

46:02

isn't that why you're buying

46:04

advertising? You get a lot with TWiT. We have

46:06

a very full service attitude.

46:08

We almost think of

46:10

it as kind of artisanal

46:12

advertising, boutique advertising. You'll get a

46:14

full service

46:16

continuity team.

46:18

People who are on the phone with you, who are in touch with you,

46:20

who support you with everything

46:22

from copywriting to graphic design.

46:26

So you are not alone in this. We embed

46:28

our ads into the shows.

46:30

They're not added later. They're

46:32

part of the shows. In fact, often,

46:36

they're such a part of our shows that our other hosts will chime

46:38

in on the ad saying, yeah, I

46:40

love that or just the other day.

46:43

One of our hosts said, man, I

46:45

really gotta buy that. That's an

46:47

additional benefit to you because

46:49

you're hearing people our audience trusts saying, yeah,

46:51

that sounds great. We deliver,

46:54

always overdeliver on impressions,

46:56

so you know you're gonna get the impressions

46:59

you expect. The ads are unique every

47:02

time. We don't prerecord them and roll them

47:04

in. We are genuinely doing those ads

47:06

in the middle of

47:08

the show. We'll give you great onboarding services,

47:10

ad tech with Podsights that's

47:12

free for direct clients, gives

47:14

you a lot of reporting,

47:16

gives you great idea of how well your ads are working. You'll get

47:18

courtesy commercials. You actually can take our ads

47:20

and share them across social media

47:22

and landing

47:24

pages that really extends the reach. There are other free goodies

47:26

too, including mentions in our weekly newsletter

47:28

that's sent to thousands of fans,

47:32

engaged fans who really wanna see this stuff, we give you

47:34

bonus ads and social media

47:36

promotion too. So if you want

47:38

to be a long

47:40

term partner, introduce your

47:42

product to a savvy,

47:44

engaged tech audience. Visit twit

47:46

dot tv

47:48

slash advertise. Check out those testimonials. Mark McCreery is the

47:50

CEO of Authentic. You probably know him, one of

47:52

the biggest original podcast

47:56

advertising companies. We've been with

47:58

him for sixteen years. Mark said the feedback from many advertisers

48:00

over sixteen years across a range

48:03

of product categories everything

48:06

from razors to computers is that

48:08

if ads and podcasts are gonna work for

48:10

a brand, they're gonna work on TWiT shows.

48:12

I'm very proud of what

48:15

we do. Because it's honest, it's got integrity,

48:17

it's authentic, and it really

48:20

is a great introduction to

48:22

of

48:24

your brand. Our listeners are smart.

48:26

They're engaged. They're tech savvy.

48:28

They're dedicated to our network. And

48:31

that's one of the reasons we only work with

48:33

high integrity partners that we've personally

48:36

and thoroughly vetted. I

48:38

have absolutely prove on

48:40

everybody. If you've got a great product,

48:42

I wanna hear from you. Elevate your

48:44

brand by reaching out today at

48:46

advertise at twit dot tv.

48:48

Break out of the advertising norm. Grow your brand with host read

48:50

ads on TWiT dot tv. Visit twit

48:52

dot tv slash advertise for more

48:54

details, or you can

48:56

email us advertise

48:58

at twit dot tv if

49:00

you're ready to launch your campaign now. I can't

49:02

wait to see your product. So it was a ring.

49:04

On

49:05

the topic of governments

49:08

recognizing the growing dangers of

49:10

known vulnerabilities

49:12

in the works of the

49:14

enterprises within their own

49:16

borders. Remember, we've talked

49:18

about a couple governments. I

49:20

don't think it was the Dutch government.

49:22

And I meant to go find out which one we'd

49:24

referred to before. But it was

49:27

there was another note of some

49:29

government that was gonna you

49:31

know, like announced they were gonna

49:34

start scanning their own citizens. It might have

49:36

been the UK. Anyway,

49:38

in this case, The Dutch government has

49:40

been doing it. And they just

49:42

said that since the beginning of

49:45

this work, which was the

49:47

summer of twenty twenty one, So

49:50

about a year and a half

49:52

ago and about a year and a half worth

49:54

of this, they have sent

49:56

more than fifty two

49:58

hundred warnings to Dutch companies

50:00

concerning security vulnerabilities within

50:04

their networks. Officials

50:06

said that around seventy

50:08

six percent. So three out of

50:10

four of these warnings were

50:12

for sensitive

50:14

systems being accessible via the Internet, RDP,

50:18

SMB, LDAP, and

50:20

so forth. The other twenty

50:22

four percent of the warnings

50:24

were regarding malware infections, leaked

50:26

credentials, or unpatched systems.

50:29

So presumably, they're you know,

50:32

scanning the Internet and

50:34

seeing a version number in the

50:36

in the greeting of something and

50:39

saying, whoops, not latest version, and they send the company

50:41

a note saying, hey, you know, maybe you

50:43

ought to update your email because you're

50:46

running an old one, which has some

50:48

known vulnerabilities. So

50:50

anyway, this is not the

50:52

first time we've encountered this, and it

50:55

seems to me like an

50:57

entirely sane thing for

51:00

governments to do in the interest of

51:02

helping to protect their own national

51:04

interests and those of all of

51:06

their

51:06

citizens, and the enterprises

51:08

operating within their borders. So I expect

51:10

that we're gonna be seeing more announcements of

51:12

this sort in coming

51:14

years. Okay, CIB.

51:18

That's the abbreviation for

51:22

coordinated inauthentic

51:24

behavior. A term that I love. A

51:26

recent report from Facebook's parent

51:28

company, Meta, introduced

51:31

me to this term coordinated

51:35

inauthentic behavior. And I love

51:37

it because it's such a wonderfully neutral

51:39

and politically correct

51:41

term to describe the behavior of

51:43

organizations and countries that have

51:45

figured out that they could

51:47

use fraudulent postings and

51:49

replies on Facebook

51:51

to influence beliefs and behavior

51:54

through massive

51:56

coordinated campaigns.

51:58

Facebook's

51:59

report, which they published on

52:02

Thursday, last Thursday, was

52:05

titled Recapping Our

52:08

Twenty Twenty Two Coordinated Inauthentic

52:11

Behavior Enforcements. They

52:14

noted that since they began

52:16

focusing upon the

52:18

explicit abuse of Facebook

52:20

services for what they term

52:22

covert influence

52:25

operations, they've disrupted two

52:28

hundred identically

52:30

separate global networks that

52:32

that were the source of

52:36

these campaigns. Those networks were based in sixty eight

52:38

countries, but far from evenly as

52:40

we'll see, and operated in at

52:42

least forty two

52:44

different languages. Two

52:46

thirds of the campaigns, I

52:48

thought this was really interesting. Two thirds

52:50

of the campaigns were

52:52

targeting their own local audiences in

52:55

their home countries, and only

52:58

one third were aimed at

53:00

audiences outside the country,

53:02

so, you

53:04

know, abroad. In terms of targets, more

53:06

than one hundred different

53:08

countries from A through

53:12

Z, Afghanistan through Zimbabwe, have

53:15

been targeted by at least

53:17

one CIB network, foreign or

53:20

domestic, with the US being the most

53:22

targeted with thirty four

53:24

of those operations followed

53:26

by Ukraine. And I'm sure that's only

53:28

in the most recent year.

53:31

Targeted by twenty CIB networks,

53:33

and then the UK targeted

53:35

by sixteen. So thirty four

53:37

for the US, twenty for

53:39

Ukraine, sixteen for the UK,

53:41

and a single covert network might often

53:44

be simultaneously targeting

53:46

multiple countries at once. In

53:49

one case, for example, a network running from

53:51

Iran was simultaneously targeting eighteen

53:54

countries on four

53:56

different continents. Okay.

53:58

As for the originators of the campaign networks,

54:02

perhaps not

54:04

surprisingly, Russia leads the

54:06

list of the originating

54:08

sources of these networks

54:10

having thirty four

54:14

networks identified closely followed by Iran with

54:16

twenty nine, and then

54:18

the next highest with

54:20

fewer than half of Iran's twenty

54:24

nine, interestingly, was Mexico, which surprised

54:26

me as the third

54:28

largest source of these

54:30

influence networks at thirteen. Interestingly,

54:36

those are the top three. Right?

54:38

Russia, Iran, Mexico,

54:40

China is not among them. Russia and

54:42

Iran are the biggest perps in this game. And

54:45

as I said, I was surprised about

54:47

Mexico, so I went looking for

54:49

some more information about them. As

54:51

I suspected, most of the CIB

54:54

networks originating in Mexico

54:56

have focused primarily on regional

55:00

or local audiences to Mexico,

55:02

often in the context of regional

55:04

elections. Those networks tended

55:08

to be less tactically sophisticated, and many

55:10

were linked to PR or

55:12

marketing firms, including instances

55:14

where, I love this one, one

55:18

network simultaneously

55:21

supported rivals in the

55:23

same electoral post. The

55:26

report noted that this illustrates the danger of

55:28

using covert influence operations

55:30

for hire that might

55:32

be providing inauthentic support

55:35

to not just the highest bidder but to

55:37

multiple bidders at once.

55:40

So

55:40

again, we have

55:43

this wonderful term coordinated inauthentic behavior.

55:46

And now we have some sense, thanks to

55:48

Facebook's work on

55:52

this about, you know, the spread and nature

55:54

of these

55:56

networks. Okay.

56:01

SHA one. We

56:04

might say that we hardly knew ye,

56:06

but as it turns out, we knew

56:08

ye quite well. NIST has

56:11

formally announced

56:14

what many of us have been assuming for

56:16

some time. The

56:18

aging original SHA1

56:20

cryptographic hashing function is

56:24

officially being retired. In

56:26

its place is either

56:28

SHA two or SHA

56:30

three, both of which have existed for quite

56:32

a while and have been in use for a

56:34

long time.

56:36

But I did a bit of

56:38

a double take when I saw that companies now

56:40

have, as of NIST's

56:42

announcement, until

56:46

the end of twenty

56:47

thirty. In

56:49

other words, until the beginning

56:51

of twenty thirty one.

56:54

So another entire eight years

56:56

from now to make that

56:58

replacement. The end of

57:02

NIST's announcement said, quote,

57:04

modules that

57:07

still use SHA one after

57:09

two thousand and thirty will

57:12

not be permitted for

57:14

purchase by the federal

57:16

government. Companies have

57:18

eight years to submit

57:20

updated modules that no

57:22

longer use SHA one

57:24

Because there's often a backlog of

57:26

submissions before a deadline we

57:28

recommend that developers submit

57:30

their updated modules well in

57:32

advance so that CMVP

57:34

has time to respond.

57:37

Okay. Now, a

57:40

cryptographer might have been

57:42

a bit more explicit and careful

57:45

in the wording of that mandate. I'd

57:47

have written modules

57:50

that are still capable of

57:54

using SHA1

57:56

after two thousand and thirty dot

57:58

dot dot. The reason for

58:00

the added clarity is that as

58:03

we've often talked about, many

58:06

cryptographic systems obtain

58:10

robust interoperability by comparing acceptable protocol

58:12

suites that both

58:14

ends understand and

58:17

then negotiating the best

58:20

and hopefully the most

58:22

secure among those. But

58:24

through the years of this podcast, we've examined

58:27

a great many downgrade attacks

58:30

where a malicious endpoint

58:32

identifies that the other

58:34

end is

58:36

still offering a no longer considered

58:38

safe, weak cryptographic protocol.

58:40

So the sneaky end pretends

58:44

that it cannot use any of

58:46

the stronger systems, thus tricking

58:49

the agreeable other end

58:51

point into establishing a

58:54

potentially vulnerable connection.

58:56

So what we want is

58:58

for all systems to immediately eliminate

59:01

SHA one from their collection of

59:04

acceptable hashing functions. Absolutely,

59:06

it should no longer be

59:08

offered.

59:08

And, you know, it is a fine point, but for

59:11

the record, there are still some things

59:13

you could use SHA one for

59:15

safely if you chose.

59:19

It would make a fine hash for use in

59:21

a PBKDF password based key

59:24

derivation function, where it is

59:26

iterated a

59:29

great many times. But, you know,

59:31

given that its presence might

59:33

allow its misuse, removing it

59:35

altogether would be best.

59:38

Okay. And one last little tidbit

59:40

for any of our listeners who are

59:42

using WordPress.

59:44

Last Wednesday, Wordfence, the very

59:47

useful third party

59:50

WordPress web application

59:52

firewall people,

59:54

who have been identifying troubled WordPress add ons, they

59:57

launched a free and

59:59

very useful looking vulnerability

1:00:02

database for WordPress add ons. I

1:00:04

poked around it a bit, and I'm impressed.

1:00:06

So I wanted to give our WordPress users

1:00:08

a heads up about it. It

1:00:11

is at wordfence dot com slash

1:00:14

threat hyphen

1:00:16

intel. Again, WWW

1:00:19

dot WORDFENCE

1:00:23

dot com slash THREAT

1:00:25

hyphen INTEL

1:00:28

looks like a very

1:00:31

comprehensive listing of

1:00:34

dangerous add ons for WordPress, I would

1:00:37

say it's worth taking a look and making

1:00:39

sure that you're not using any

1:00:41

of those and

1:00:43

might be unaware of

1:00:45

the problems. And Leo, time

1:00:47

for me to catch up

1:00:49

on my caffeine at the

1:00:51

moment. Catch up on your caffeine. That doesn't sound very

1:00:54

tasty. Catch up on my ass. Oh, yeah. This

1:00:56

is actually very

1:00:56

tasty. Oh, have you ever done? Oh, well, I

1:00:58

just wanna take a little moment to thank

1:01:01

our club, TWiT fans

1:01:04

and members because you've really made

1:01:06

this a banner year

1:01:08

for us. A lot of what

1:01:10

we do here at TWiT is paid

1:01:12

for by Club TWiT members, now

1:01:14

more than five thousand strong.

1:01:16

Our Mastodon instance that I've been telling

1:01:18

Steve about begging Steve to join Twit dot

1:01:20

social. Our TWiT forums, Steve has

1:01:22

great forums. We do too at

1:01:24

twit dot community. Of

1:01:26

course, the IRC, which is always accompanying

1:01:29

every show we do.

1:01:31

And frankly, keeps the lights on

1:01:33

and helps us keep staff Through

1:01:36

the new year. So thank you, Club TWiT members. For

1:01:38

people who are not yet a member of

1:01:40

Club TWiT, please consider

1:01:43

joining, it'd be a great holiday gift for the

1:01:45

geek in your life. It's a mere seven

1:01:47

dollars a month. A buck less than

1:01:49

a blue check. You get so much more too. Add free versions

1:01:51

of this show and all the shows we do.

1:01:54

Access to other shows that are club

1:01:56

only. Shows

1:01:58

that yet haven't generated enough revenue to put out in

1:02:00

public. We launched shows in the club

1:02:02

because it's a great way to get shows started like

1:02:04

hands on McEntosh with

1:02:06

Michael Sergeant. Micah

1:02:08

Sargent, Paul Throck's Windows hands

1:02:10

on Windows show, UNTETALINICS SHA1

1:02:12

with Jonathan Bennett, the GizFizz, of

1:02:15

course, all of our events that we hold in there. Eventually, we always

1:02:17

hope to get shows out into the public. That's what

1:02:19

happened with this week in space launched

1:02:21

in the club. Grew

1:02:24

an audience. We put it out in public. In

1:02:26

fact, good news. I think we're gonna start adding

1:02:28

video to it very soon. The

1:02:30

club really is a proving ground for new shows,

1:02:32

a great place to hang out in

1:02:34

our club to TWiT, discord, a great place to

1:02:37

hear material that you don't hear anywhere

1:02:40

else. And it's just seven bucks a month. There's a year long package. If you

1:02:42

wanna give a nice gift to somebody, you know,

1:02:44

there's also corporate memberships. If you

1:02:46

wanna know more about club twist, tweet dot

1:02:50

TV slash club tweet.

1:02:52

And again, thank you all of

1:02:54

our club tweet members. We really appreciate you.

1:02:56

We hope you have a wonderful Well, all of you

1:02:58

have a wonderful New Year.

1:03:00

We will not be here next week. We're gonna be doing reruns. Well, we'd like to call them the best-of shows. We carefully edit them, craft them to be the best material from the year twenty twenty-two. That'll be a week from today, December twenty-seventh. And then Steve and I will be back with a live show in two weeks, January third. This is our last show of twenty twenty-two; January third, the first show of the brand new year. Steve, let's continue on. Soldier on as you

1:03:32

And, you know, you're right, Leo. Catch up on my caffeine. You got it now. I did. It took me a little while to get it. Wasn't a very good job. I also don't put ketchup on my eggs, for what it's worth. Oh. It did not work. How about hot sauce? Oh, yeah. A little sriracha maybe, or some Tapatío. Yeah. Tapatío. Now you're talking? See? Yep. See?

1:03:56

Okay. So, a bit of closing-the-loop feedback from our listeners. Michael Lalli, he said, please, at SGgrc, it's pronounced MediBank. And okay. I'm glad to know that. I did say. How would you know? MediBank. MediBank. Mehdi Bank. Mehdi Bank. And you know, that does sound more Australian, doesn't it? Mehdi Bank. Yeah. Yeah.

1:04:22

In that kind of an accent. So thank you, Michael. Glad to know. SkyNet tweeted me a question about ADP, referring to Apple's new encryption that was the topic of last week's podcast. He asks, once it's turned on and the keys are sent down to your device, is it stored in hardware or software? Because what happens when you get a new iPhone in the future? How do you get the keys over to your new iPhone? You can't set up the new phone and restore an iCloud backup once you log on. So it would have to be by the method where you move your old phone close to your new phone. Correct?

1:04:59

Okay. So, I received a number of questions that are sort of related to this. The primary concept that I guess I wanna get across is similar to the familiar pattern that LastPass, and presumably all other password managers, use, at least I hope they would. In all of those cases, they are simply storing an encrypted blob on our behalf. They have no visibility into the blob. But by making that blob available across devices, devices are able to share a common set of passwords or, as in the case of Apple, a common set of decryption keys. So

1:05:42

the process of Apple relinquishing the keys to iCloud is that Apple sends the current keychain blob, which it is never and has never been able to, and the current iCloud keys, which until now it has held in its data centers' HSMs, to the user's device. The device uses its local private account key, which never leaves the device, to decrypt the keychain blob on the device and then adds the current iCloud key into the keychain. In this way, the keys that Apple was holding are moved from where Apple could get at them into the user's account keychain, where Apple can never get at them. The device then instructs Apple to delete the iCloud keys that it just sent from all of its data centers' HSMs. Now only the device has the old iCloud keys in its keychain. Then, wanting to be thorough, the device performs a key rotation, changing the key that encrypts the iCloud data to one that Apple has never had in its possession.

1:07:09

But again, since we're all quite familiar with the notion of trust no one and pre-Internet encryption, which is the technology that all password managers holding encrypted blobs that they're unable to decrypt use, you know, I think that's the clearest way to think about this and the best analogy. Basically, Apple is holding the stuff for us, provides the synchronization service among devices, but is only able to hand the devices these blobs, which are then decrypted locally on the device in order to give devices the keys which they're then able to use to go further. You know, one of the things that I've been saying for years is that we've got all these very cool crypto components, which we can assemble in any manner of different ways.

1:08:02

Walt Stoneberger said, Steve, you have warned several times that pixelation is not a safe redaction technique. Someone just wrote a beautiful GitHub project that visually brings home the point, he said, as you see unredaction being performed. And it's funny. I don't know why this started circulating again. I got a whole bunch of tweets about it, and I thought, oh cool, something new. But it was ten months ago when we first talked about this and showed this, so it turns out that that was not something new.

1:08:39

Michael Brodsted, he said, hi Steve, love your show, read this article and thought it might be interesting for you. Okay? So what Michael sent, and I appreciated it, was The Verge's follow-up on their story about those Eufy cameras that we talked about a few weeks ago. Remember, those are the cameras that promised that all of their storage was local, and that nothing ever left the user's home, and that it was all transmitted directly to their phone. You know, and then, of course, in some reporting following up on some news that that was not the case, you know, The Verge was able to monitor their own Eufy cameras from the other side of the country. So, and, you know, Leo, you and I talked about it at the time. This was the company that was owned by Anker, and it was our conjecture that, you know, the way this could happen, because we'd liked Anker, we thought they were a reputable company, was that having, you know, after having launched their successful power supply product line, they perhaps purchased the Eufy camera line in order to grow their business. Anyway, we don't know, but you know, I guess I'd wanna forgive them a little bit for, you know, making such a mess.

1:10:04

Anyway, The Verge checked back, and what did they find? Their follow-up story is headlined, Anker's Eufy deleted these ten privacy promises instead of answering our questions, unquote. And the subhead reads, two weeks after getting caught lying to The Verge, Anker still hasn't sent us any answers about its security cameras. Instead, it's nerfed the Eufy privacy commitment, unquote. So one of the things on The Verge's page is they have this wonderful mouse-based sliding divider, where you can slide the divider with your mouse back and forth, and it's like a shutter revealing either the old or the new privacy claims. And if you pull it to the, I think you pull it to the right, you see the original claims where, you know, nothing leaves your facility or, you know, it's all kept locally, blah blah blah. You pull it to the other side and you then get the updated claims, which are dramatically toned down. So anyway, The Verge makes a very good point. And it's sad, but on the other hand, all of these systems are out there. They can't change the way they operate, and I'm sure they never operated the way they said they did. Someone just got a little over-enthusiastic or carried away when they were writing the marketing material for this. Anyway, or, you know, maybe they did add features later, where like they began to offer cloud things, and never updated the page in order to make it correct. So, you know, they've done that now.

1:11:56

Elaine,

1:11:58

he tweeted at elaine underscore Geiger. He said, thanks for another excellent episode. I do have one question about TikTok. Do you see a difference between the bans on ZTE and Huawei versus TikTok? He said the FCC has labeled all three as unacceptable risk. He said, also, I just saw that there is a bipartisan bill that would, quote, end all commercial operations of TikTok in the US and other social media platforms that are sufficiently controlled or influenced by America's foreign adversaries, including China, Russia, and Iran. He said, it'll be interesting to see where this goes.

1:12:47

So, okay, I wanted to include Elaine's tweet to give me the opportunity to note that last Wednesday, the entire US Senate voted unanimously, passing a bill which would bar the installation of TikTok from any government-owned devices. So yes, whereas initially a handful of Republican governors and an attorney general may have been first during the previous week or two, now we have unanimous and, obviously, completely bipartisan agreement on this, which is astonishing to me. Wow. But it happened. But to Elaine's question, I do regard these selective bans, such as on ZTE and Huawei and even on TikTok, as mostly ridiculous theater, because we are so intimately, deeply, and inexorably enmeshed with Chinese technology products. You know, I look around at everything in my home. All of the electronics that I own, and the electronics in what I drive, fabricated in China. Every bit of it.

1:14:10

And I'm sure that's the case for all the people listening to this podcast. And speaking of listening to this podcast, this podcast is literally brought to your ears thanks to networking chips and processors and transistors all made in China, by Chinese citizens, you know, and much of it was designed there. So to me, none of this posturing and saber-rattling makes any sense. It must be that some sort of geopolitical kabuki is transpiring at a level that's far above my pay grade. I'm just a simple technologist who does understand networking and processors and transistors. So I know that if China did actually want to be evil, the West would be in deep trouble, because in the interest of economy, we've allowed ourselves to become utterly dependent upon products which we need from China. I don't want that to be a bad thing. I hope it's never gonna be a bad thing. But if it is gonna be a bad thing, then the problem is way bigger than a couple of wayward Chinese companies. So, you know, maybe I don't get it. But, you know, it's sort of similar to me being amazed that Russia was still using Windows, like, for the last many years, and still is, you know. They've finally said that they're thinking about moving to something Linux-based, presumably. And there's been some rumblings of the same thing from China. Just to me, it seems crazy that that would be the case. But, you know, here we are, utterly dependent upon another country and now saying we don't trust them. Well, we're unable not to trust them, frankly. So that's what I think.

1:16:06

And finally, David Ruggles, he

1:16:11

sent. He said, reaching out regarding the zero-width space mentioned in Security Now last week. He said, I use it to fix stupid programs. For example, if you want to reference an account on Twitter without tagging them, enter the at sign, then a zero-width space, and then the account name, and it won't get tagged. And then he gave some examples of things that were and weren't tagged in his tweet to me. And so he said, at sign the real ruggles versus at sign the real ruggles; they looked identical, only one was lit up. He said, similarly, in Excel, it defaults to adding a hyperlink when you enter anything that looks like a URL or email address. You can use the zero-width space to prevent that behavior without changing the look of the text. So that was cool. I think that's very clever. The problem is, you know, I mean, well, I should say I can see many applications for that as well. But it leaves the question, how do you enter a zero-width space through the keyboard? I asked the Google and I was told the zero-width space is a Unicode character, capital U plus 200B, which is also HTML ampersand, pound sign, 8203, semicolon. Right? And Google said it's remarkably hard to type. On Windows, you can type Alt and then 8203. Well, I tried that, and I got, what is that? The symbol for maleness, I think. Anyway, that didn't work. Alt 8203. So if anyone can figure out how to type these, how to enter the zero-width character through our keyboard, I think that seems like a useful thing to be able to do.

1:18:27

Yep. People were also using it to post their Mastodon link on Twitter because it didn't look the same. I mean, it looked the same. But true, without triggering, yeah, without counters post. Yeah. Yeah.

1:18:40

Cool. Okay. Briefly, I'll note that SpinRite is looking quite good. By the end of this past weekend, we were at the eighth alpha release. Every known weird data recovery behavior that we were seeing appears to have been resolved, and SpinRite is now cruising through even the most damaged and troubled drives. While my focus was on getting SpinRite to properly perform those primary functions, I'd also been accumulating a list of less critical but still necessary to-do items. And our testers, that have been getting a little restless, have been suggesting new features that they'd like to have. You know, nothing big, but, you know, there are some convenient things that make sense. So, you know, by the end of today, Sunday, two days ago, I told the group that I would be retrenching now and disappearing for a while while I worked my way through everything that was on the wish list and the things to be fixed. After today's podcast, that's what I'll be doing. When I return with alpha release nine, it should be very close to finished. I'm sure there'll be a few loose odds and ends; that's the nature of such a complex project. But, you know, I have to say, with some pride, that everybody who's been testing six point one has been very impressed by this new SpinRite's speed and capabilities. So we're getting there. It's not gonna be a Christmas present, but it's gonna be early in twenty twenty-three that we finally have this six point one for everybody.

1:20:28

Okay. A generic WAF, that's W-A-F, bypass. As an industry, we've matured to the point where vulnerabilities are being discovered only in specific implementations of some specific solution, and typically only in specific versions of those implementations. In other words, you know, whereas once upon a time the entire industry would realize that an established standard could be abused in an unexpected way, and everyone's implementation would need to be changed. That's where we were. A perfect example was everyone's DNS servers, which were emitting queries from ports sequentially assigned by their underlying operating system, and often emitting those queries with sequential identifiers. When that came to light, you know, those who were focused on DNS realized this would allow for successful DNS spoofing at scale, and the entire industry repaired DNS overnight. These events stand out because, thankfully, they've become so rare. These days, as we know, problems have generally become much more obscure and specific. For example, it might be that if you're still using the out-of-support version 2.029.472 of Jimmy Crack's Query Reader Reflector, you need to update it to at least version 2.426.327 in order to avoid problems with query reflection backflush, and you should do so immediately. You know, those are the kinds of things we're often seeing now. To date, you know, that... It's not real, folks. Don't go looking for it, Jimmy's back. Don't worry. Unless you actually do have Jimmy Crack's Query Reflector, in which case you've got other problems.

1:22:48

Today's rarity

1:22:50

of big generic protection bypasses has made their existence extremely interesting. And a group known as Team82 recently discovered just such an industry-wide mistake. They discovered an attack technique that acts as the first generic bypass of, excuse me, multiple web application firewalls being sold by industry-leading vendors, including at least Palo Alto Networks, F5, Amazon Web Services, Cloudflare, and Imperva.

1:23:28

Okay. So before we proceed, we need to briefly revisit another one of those holy crap events which hit the entire industry many years ago and which, due to its difficulty, the industry continues to grapple with. And that's SQL, or sequel, injection. Stated succinctly, SQL injection can occur when there is some way for user-provided input to be passed to a SQL database for its... A SQL database is driven by strings of characters which express commands and queries. Simply by typing commands, new database tables can be created. They can be populated with data, queried for their data, and deleted when they're no longer needed. New users could be instantiated, passwords could be changed, privileges could be granted, all through simple text commands. And further increasing the system's power, the simplicity of this interface allows SQL databases to be queried over networks. The simplicity and the power of this interface explains SQL's success. But the simplicity and power of this interface has also been at the heart of one of SQL's longest-running vulnerabilities. Wikipedia tells us that the first known public discussion of SQL injection appeared around nineteen ninety-eight, and cites an article in Phrack, P-H-R-A-C-K, magazine, you know, long since discontinued. SQL injection has been the bugaboo of web applications from the start.

1:25:25

The first web apps gleefully presented a form asking their user to please enter their full name to look up their record in the site's database. The designer of this form assumed that that's what anyone would do. So whatever string they provided as their name would be added into a SQL query string to access the site's database. And all was well, until it occurred to some clever individual that the website had inadvertently given them direct access to that site's SQL database back end. Rather than simply inputting their name, they could, for example, input a string which closed the query and started another entirely separate SQL command of their choosing. This allowed a remote visitor to directly issue SQL commands to the site's database. If the web designer had assumed that no one else could ever access the database, which of course is what they assumed, the SQL account behind the website's form might even have admin rights. This would allow remote visitors to do anything they might wish. This has been such a common and persistent problem because the fundamental architecture of this system is fragile. It is not inherently secure and resilient. It is inherently insecure. We need to take user-supplied input, like some personal details, and embed them into a database query so that we can look up their record. You know? We have to do that. Right? The trouble with SQL is its power. That same query channel is also SQL's command and control channel.

1:27:34

This has been such a long-standing and well-understood problem that it found its way into one of XKCD's brilliant comics, and we've talked about it in the past. The first frame reads, it

1:27:54

shows somebody holding a cup of coffee, saying, or I guess listening to a call. And over the phone she hears, hi, this is your son's school. We're having some computer trouble. Mom replies, oh dear, did he break something? Over the phone we hear the voice of, you know, the distraught principal saying, in a way, did you really name your son Robert, close quote, close parens, semicolon, DROP TABLE students, semicolon? And mom says, oh, yes. Little Bobby Tables, we call him. And then the principal says, well, we've lost this year's student records. I hope you're happy. To which mom replies, and I hope you've learned to sanitize your database input.

1:28:54

Such a classic. Such a great comic. Perfect. Yep.

1:28:58

And then, and so what XKCD is telling us is, like, exactly this. So here's, I mean, stepping back from this a bit, the biggest problem is, through all these years since it was first understood near the birth of the web, no one has fixed this. Instead, we just keep patching it. We focus upon each mistake in isolation rather than recognizing that the entire architecture is wrong for this application. SQL was not created for the web. No one would have done that. SQL was first designed in the early nineteen seventies. The, oh, we were just talking about when we graduated from high school. Yeah. Back then. Yeah. Yeah.

1:30:00

That's when the, when, no. At IBM, IBM came up with this before there was an Internet or websites or web apps. Unfortunately, the web found it, and it's been a troubled marriage ever since. The problem is every newly created web app creates another new opportunity to make a mistake in the parsing of user-supplied input that would give a remote attacker access to the site's back end database. That's why I say that the systems we've built around this architecture are inherently brittle and fragile. That's why, still today, SQL injection attack scans are constantly sweeping the Internet looking for that newly created, newly vulnerable web app. And SQL injection remains at the top of the OWASP Top Ten list of web application vulnerabilities.

1:31:05

So what do we do if there's no sign that we're gonna fix the underlying problem? Well, the universal solution to protecting our networks from external hostility is to place a firewall in front of those networks and force all external traffic to be inspected and to pass through that gauntlet before it's permitted to reach our interior, presumably vulnerable, networks. And thus was born the idea of the web application firewall, or WAF for short. The fundamental concept of a web application firewall is detailed traffic inspection. Whereas packet-level firewalls generally look no deeper than packet headers, which specify the source and destination IPs and ports, for the purpose of monitoring packet flows, a web application firewall examines in detail the content of all web application traffic transiting its boundary in order to detect and block malicious attacks. So in

1:32:23

XKCD's example above, a WAF would spot and block a form's input field data that contains suspicious characters for a user's name, such as close parentheses and semicolons, so that they would go no further. With a web application firewall positioned upstream of an organization's web application servers, that malicious data and intent would never reach any web applications that might not be adequately providing for their own protection. Again, you wouldn't need this if mistakes still weren't being made freshly, but they are, because this is all being done wrong. But it's, you know, it's what we got.

1:33:09

So, okay, with this background, here's what Team82 had to say about their recent discovery. They wrote: web application firewalls, WAFs, are designed to safeguard web-based applications and APIs from malicious external HTTPS traffic, most notably cross-site scripting and SQL injection attacks that just don't seem to drop off the security radar. Gee. Imagine that. I wonder why. They said, while recognized and relatively simple to remedy, SQL injection in particular is a constant among the output of automated code scans and a regular feature on industry lists of top vulnerabilities, including the OWASP Top Ten. The introduction of WAFs in the early two thousands, okay, note that time, note that date, early two thousands, was largely a counter to these coding errors. WAFs are now a key line of defense in securing organizational information stored in a database that can be reached through a web application. WAFs are also increasingly used to protect cloud-based management platforms that oversee connected embedded devices such as routers and access points. An

1:34:41

attacker able to bypass

1:34:43

the traffic scanning and

1:34:45

blocking capabilities of WAFs often

1:34:47

has a direct line to sensitive

1:34:50

business and consumer customer

1:34:53

information. Such

1:34:56

bypasses, thankfully, have been

1:34:58

infrequent, and one offs targeting a particular vendor's implementation. Today,

1:35:06

Team82 introduces

1:35:08

an attack technique that

1:35:10

acts as the first

1:35:14

generic bypass of multiple web application firewalls

1:35:17

sold by industry leading

1:35:20

vendors. Our bypass

1:35:22

works on web application firewall sold by

1:35:25

five leading vendors. Palo

1:35:27

Alto Networks, F5,

1:35:30

Amazon Web Services, Cloudflare, and

1:35:32

Imperva. All of the affected vendors acknowledged

1:35:35

Team82's disclosure and

1:35:37

implemented fixes to

1:35:40

their products' SQL

1:35:42

inspection processes. Our technique relies first

1:35:45

on understanding

1:35:48

how WAFs identify

1:35:50

and flag SQL syntax

1:35:53

as malicious, and then

1:35:55

finding SQL syntax the

1:35:58

WAF

1:35:59

is blind to. This turned

1:36:03

out to be

1:36:07

JSON, JavaScript Object

1:36:10

Notation. JSON, they

1:36:12

write, is a standard

1:36:14

file and data exchange format.

1:36:16

And is commonly used when

1:36:18

data is sent from a server to a web app. JSON support was

1:36:24

introduced in databases going

1:36:26

back almost ten years. Modern database engines today

1:36:32

support JSON syntax by default, including

1:36:34

basic searches and modifications as well

1:36:37

as a range of JSON

1:36:39

functions and structures. While

1:36:42

JSON Support is the norm among database engines, the

1:36:45

same cannot be

1:36:47

said for WAFs. Vendors

1:36:51

had been slow to add

1:36:53

JSON support, which allowed

1:36:56

us to craft

1:36:58

new SQL injection payloads that

1:37:01

include JSON, and that completely

1:37:03

bypassed the security WAFs

1:37:08

provide. Attackers using this novel technique

1:37:10

could access a back end database and use additional

1:37:12

vulnerabilities and exploits

1:37:15

to exfiltrate information via

1:37:18

either direct access to the server

1:37:20

or over the cloud. This

1:37:22

is especially important for OT

1:37:25

and IoT platforms that have

1:37:27

moved to cloud based management and monitoring

1:37:29

systems. WAFs offer a promise of additional

1:37:31

security from the cloud. An

1:37:35

attacker able to bypass these protections has

1:37:38

expansive access to systems.

1:37:41

Okay. So what happened?

1:37:43

History has shown that no one

1:37:46

is able to always

1:37:49

get SQL injection

1:37:52

protection correct. Because

1:37:54

it's so much easier for it not to be correct. So the notion of

1:37:56

a web application

1:37:59

firewall is created to

1:38:03

move the burden from individual

1:38:05

input forms, fields and

1:38:07

web apps to

1:38:10

the perimeter. Where a single comprehensive

1:38:12

web application firewall will be able

1:38:14

to protect all of an organization's

1:38:17

applications at once.

1:38:20

That happened about twenty years

1:38:22

ago in the early two thousands. Now remember though,

1:38:24

only for those

1:38:27

organizations that deploy them, A

1:38:30

web application firewall is like your big iron box. It's expensive. It needs to be constantly maintained.

1:38:33

It needs to

1:38:36

be licensed. Smaller

1:38:38

organizations aren't gonna have them,

1:38:40

but the big guys do for

1:38:42

the last twenty

1:38:43

years. The problem,

1:38:45

of course, is that now

1:38:48

it's become less imperative.

1:38:50

For those individual web

1:38:53

applications, which are now safely

1:38:56

ensconced behind their protective

1:38:58

application barrier to be

1:39:00

quite so worried. About their

1:39:02

own input form field content. After all, there's a big mean web

1:39:04

application firewall at

1:39:07

the Gate that's

1:39:10

gonna keep Little Bobby Drop Tables

1:39:13

safely out of reach.

1:39:15

So all is

1:39:17

well. But then a decade

1:39:20

passes. And a particular

1:39:22

syntax for describing the

1:39:24

features and details of

1:39:26

objects becomes popular. It outgrows

1:39:29

its own modest origins and

1:39:31

is adopted by other

1:39:33

languages and applications. Because it

1:39:36

does the one thing it

1:39:38

was designed to do cleanly,

1:39:40

minimally, and

1:39:43

efficiently. And so, the JavaScript object

1:39:46

notation, JSON, grows

1:39:50

increasingly prevalent. Perhaps it was inevitable

1:39:52

that SQL databases would a

1:39:54

never would eventually choose

1:39:57

to add their

1:40:00

own support for

1:40:00

JSON. And

1:40:01

they did. Here's what Team82 had

1:40:03

to say about that.

1:40:08

They said, in modern times, JSON

1:40:10

has become one of the predominant forms

1:40:13

of data storage

1:40:16

and transfer. In order

1:40:18

to support JSON syntax and allow developers to

1:40:20

interact with data

1:40:23

in similar ways to

1:40:26

how they interact with

1:40:28

it in other applications, JSON

1:40:30

Support was needed in SQL. Currently,

1:40:36

all major relational

1:40:39

database engines support

1:40:41

native JSON syntax by

1:40:43

default. This includes Microsoft SQL, PostgreSQL,

1:40:48

SQLite,

1:40:50

and MySQL. Furthermore,

1:40:53

in the latest versions,

1:40:56

all database engines

1:40:58

enable JSON syntax by default,

1:41:00

meaning it is prevalent in

1:41:02

most database setups today. Developers have

1:41:07

chosen to use JSON features within

1:41:09

SQL databases since it

1:41:12

became available for a number

1:41:14

of reasons. Starting with better performance and efficiency.

1:41:16

Since many back ends already

1:41:18

work with JSON data, performing

1:41:21

all data manipulation

1:41:24

and transition on the SQL engine

1:41:26

itself reduces the number of database calls needed. Furthermore,

1:41:28

if the database can work

1:41:30

with the JSON data format, which

1:41:34

the back end API most likely uses

1:41:36

as well, less data processing,

1:41:39

pre and post processing is

1:41:41

required. Allowing the application to use

1:41:43

JSON in SQL,

1:41:46

an application can fetch

1:41:48

data, combine

1:41:51

multiple sources from within the database, perform data

1:41:53

modification, and transform it to JSON

1:41:56

format within

1:41:59

the SQL API. Then

1:42:01

the application can receive the JSON formatted data and work with

1:42:03

it immediately without processing

1:42:07

the data again. While each

1:42:10

database engine chose a different implementation and

1:42:16

JSON parser, each supports a different

1:42:18

range of JSON functions and operators. Also, they all

1:42:21

support the JSON

1:42:24

data type and basic JSON

1:42:26

searches and modifications. And here's the key underlying

1:42:29

what Team82

1:42:32

discovered. Even though,

1:42:34

they wrote, all database engines added support for JSON, not

1:42:39

all security tools added

1:42:42

support for this comparatively new

1:42:45

though decade old feature,

1:42:47

which was added as

1:42:49

early as twenty twelve.

1:42:51

This lack of support in the security

1:42:54

tools, meaning the WAFs,

1:42:56

introduced a mismatch

1:42:59

in parsing primitives, between

1:43:02

the security tool, the WAF, and the actual database

1:43:04

engine.

1:43:08

which is implementing SQL, and

1:43:10

caused SQL syntax misidentification. They

1:43:12

said from our understanding

1:43:14

of how a WAF could flag

1:43:18

requests as malicious, we

1:43:20

concluded that we needed to

1:43:23

find SQL syntax the WAF would

1:43:25

not understand. If we could supply a SQL

1:43:28

payload that the WAF would

1:43:30

not recognize as SQL, but

1:43:32

the database engine

1:43:34

would parse we could actually achieve

1:43:36

the bypass. As it turns

1:43:38

out, JSON was exactly this

1:43:41

mismatch between the WAF's

1:43:43

parser and the database engine. When we passed

1:43:46

valid SQL statements that

1:43:48

used the less

1:43:51

prevalent JSON syntax, The WAF did

1:43:54

not flag requests as malicious. The JSON operator

1:43:57

at sign greater

1:44:00

than symbol which

1:44:02

checks whether the right JSON is contained in the left one,

1:44:05

threw the WAFs

1:44:08

into loops and

1:44:10

allowed us to supply malicious SQL

1:44:12

payloads and allowed us to

1:44:14

bypass the WAF by simply

1:44:17

prepending simple JSON syntax to the

1:44:20

start of the request, we

1:44:22

were able to exfiltrate sensitive

1:44:24

information over

1:44:27

the cloud. So this forms a very

1:44:30

interesting story. We start with a fundamentally insecure design.

1:44:35

When a powerful database system

1:44:37

from the seventies, which was never

1:44:40

designed to

1:44:43

allow malicious users to access its command

1:44:46

input stream is used as

1:44:47

the back end database

1:44:51

for websites thus inadvertently giving

1:44:54

malicious users access to its command input stream.

1:44:58

Rather than recognizing, that

1:45:02

using SQL in this way is fundamentally a horrific mistake. Every individual

1:45:08

website must patch their

1:45:10

input field parsers in an attempt to prevent SQL command and

1:45:15

query syntax from being submitted by

1:45:18

the visitors to every site. SQL injection becomes

1:45:22

a meme. And XKCD captures its

1:45:25

essence. In

1:45:26

an extension of the

1:45:30

firewall concept, web application firewalls are created

1:45:33

to centralize and concentrate

1:45:35

the SQL syntax

1:45:39

filtering challenge. It all seems fine for a time.

1:45:41

Then SQL syntax

1:45:44

undergoes a

1:45:47

fundamental extension as all SQL servers implement support for

1:45:49

the increasingly popular JavaScript

1:45:52

object notation. But

1:45:55

despite this extension, some of the

1:45:58

industry's application firewalls failed

1:46:00

to update

1:46:02

their protection logic to incorporate an awareness that

1:46:04

JSON can now be used

1:46:06

to encapsulate and issue SQL

1:46:12

queries. Fortunately, a team of white

1:46:14

hat security researchers stumble upon this tidbit while they're working

1:46:16

to discover just

1:46:19

such a

1:46:20

bypass. And they quietly

1:46:22

inform the many vendors of those vulnerable web application firewalls of their

1:46:27

discovery. And all

1:46:30

is well

1:46:31

again? Or is it? Because SQL is

1:46:36

still powering virtually

1:46:38

all web applications and the fundamental problem of now

1:46:41

an even

1:46:44

more powerful SQL

1:46:47

syntax existing

1:46:49

still remains.

1:46:52

If

1:46:54

JSON could be used

1:46:56

to slip past web

1:46:59

application firewalls to

1:47:01

reach the SQL

1:47:03

database behind. How many websites,

1:47:06

individual websites that are not being protected

1:47:09

by a

1:47:12

big iron web application

1:47:14

firewall might now be vulnerable today to

1:47:19

exactly the same JSON

1:47:24

bypass. Happy

1:47:28

New Year. One of

1:47:30

the apps

1:47:30

that I've used either use MySQL,

1:47:33

which isn't the

1:47:36

it's SQL. That's

1:47:39

it. Since next, so it counts. No. It's it's

1:47:41

exactly the same. It supports JSON.

1:47:43

Yeah. As long as it supports

1:47:45

JSON, how about SQLite? Same thing?

1:47:47

Yep. Okay. SQLite, MySQL, PostgreSQL. As long as

1:47:49

it supports the SQL language, which that

1:47:52

that's the IBM,

1:47:54

is the SQL Server. That's

1:47:56

the original. So but these all support that language. So --

1:47:58

Yeah. -- they're all. And even MariaDB is

1:48:01

a Really? Is that

1:48:03

Maria also supports it? Because if everybody

1:48:05

knows SQL and knows that language. Yes. Right? So why would you invent a new one?

1:48:08

Yeah. Exactly. Why would you

1:48:10

invent a new one? Yeah. It's

1:48:14

it's horrible to put use it

1:48:16

as a back end for the web, but

1:48:18

it's the one we've got. Well,

1:48:20

I mean, you could use as a

1:48:22

back end. You just don't wanna expose it. The

1:48:24

problem

1:48:24

is you are you're you're inherent if

1:48:26

you say, you know, look up the username that the

1:48:31

user inputs, you're taking the you're inherently taking the string they

1:48:33

That's gonna be a SQL string. And

1:48:35

inserting it

1:48:38

into a query. Yeah. Yeah. It's I mean, so the problem

1:48:40

is that that query is not

1:48:42

just a query. It's also

1:48:46

command and control account creation, table

1:48:48

deletion. I mean, it is it was never

1:48:51

meant to be exposed to arbitrary

1:48:56

input. But Oh, look, we

1:48:58

got SQL. Let's use it as our back end.

1:49:00

And we're sanitizing

1:49:03

your inputs merely I

1:49:06

mean, it requires you to be clever

1:49:08

enough to catch all -- Perfect. --

1:49:10

every -- Perfect. -- every single

1:49:13

time. Yeah. That's why I say this

1:49:15

is inherently

1:49:17

broken. Right. Incredibly bad.

1:49:19

Right. Right. What would be the

1:49:21

alternative as a new language

1:49:23

But any database language is gonna have is

1:49:26

gonna be prone to this problem.

1:49:28

Right?

1:49:30

Well, no. Because a a database query language

1:49:33

should not let you delete the

1:49:35

database that you're querying. That's

1:49:37

not a query language.

1:49:39

That's a command. And control like

1:49:42

So separating the queries from the control and command would be the solution.

1:49:44

Yes. And,

1:49:47

you know, and it's reminiscent of the printf

1:49:49

that we talked about Apple getting tripped

1:49:52

over -- Right. --

1:49:54

where the problem was they

1:49:56

printf inherently

1:49:58

mixes control with text. Right. And -- Right. --

1:50:00

that's a bad idea. You

1:50:02

should see what the format string

1:50:07

and lisp can do. I mean,

1:50:09

it's printf on steroids.

1:50:11

It predates printf

1:50:13

because it's lisp. And it is crazy,

1:50:16

the things you can do with that.

1:50:18

It's a programming language in and of

1:50:19

itself. And that's

1:50:22

probably not a good

1:50:24

thing. I would never I could never

1:50:26

imagine opening your your website to a to

1:50:28

a random format string. So

1:50:30

I guess I could see

1:50:34

I could see the inherent problem here. Yeah.

1:50:36

Yeah. I, you know, I I

1:50:38

don't know how we fix it.

1:50:41

You could you

1:50:43

could preserve you could reengineer it so

1:50:45

that that the query

1:50:48

was fundamentally limited

1:50:51

through that channel. That, you know, so

1:50:53

that you ask I mean, you can say, I won't accept command commands of any

1:50:56

only only

1:50:59

search queries. Right. And I

1:51:01

guess that's what sanitizing your inputs means, but it's hard to do that perfectly. Especially, it says

1:51:03

you're probably using regular

1:51:08

expressions. To parse it or something. I don't

1:51:10

know. What I want I wonder what the current best practices is.

1:51:12

Well, and and then

1:51:15

that's just it.

1:51:17

The problem is, you know,

1:51:19

how many times, Leo, have we encountered, for example, a TCP/IP

1:51:23

stack where some where

1:51:27

security researchers figured out, oh,

1:51:29

you know, we can't do things this

1:51:31

way. Right. We have to

1:51:33

do them that way. You know, a

1:51:35

classic example is packet fragmentation. It is

1:51:38

turns out it's bizarrely difficult

1:51:40

to deal

1:51:42

with fragmented packets. Yet, along

1:51:44

and reimplement the TCP/IP

1:51:46

stack and make the same

1:51:48

errors that we fixed thirty

1:51:50

years ago all over again. Yeah.

1:51:53

Because there are some things that are

1:51:55

just hard to get right. And and the problem is, you know, it's like,

1:51:58

SQL is what everyone

1:52:00

uses as

1:52:02

their back end, and it's a

1:52:04

bad idea. Well, you need a

1:52:07

database of some kind. I think what

1:52:09

the the bad idea is to allow

1:52:11

commands to to you would think the

1:52:13

permissions structure would say, look, unless you're logged in

1:52:15

as a

1:52:18

as a permissioned user, you shouldn't be able

1:52:20

to execute commands. And then

1:52:23

just keep the the privilege

1:52:25

level of the of the

1:52:27

web server and the web queries low. Seems like

1:52:29

that would be solvable.

1:52:31

And, unfortunately, the programmers

1:52:32

who put this together never think they well,

1:52:35

and they also want their language. You

1:52:37

know what, you know. They wanna be

1:52:39

able to do this code. Yeah.

1:52:41

It's great. Yeah. Yeah. I don't, I

1:52:43

don't think it's insoluble. And

1:52:45

you do need a database in the back end. I that's that's the modern web. You don't want

1:52:48

flat files.

1:52:52

I I bet you're all flat file, so you don't have a

1:52:54

database and you're back end to you. Actually, one of the things that has been really heartening

1:53:00

is that when you go to GRC

1:53:02

and you put your SpinRite serial number in and

1:53:04

in order to get a

1:53:06

link for the prerelease, it's shocking.

1:53:11

How fast it is. Yeah.

1:53:13

Because you didn't did you write

1:53:15

the program yourself? Of course, you

1:53:17

did. It's a it's a super lean

1:53:19

embedded database that's being that's being accessed in assembler, of course. And it's just

1:53:22

it's a simple index database

1:53:26

And it is like it is amazing. And

1:53:28

it took me a while to

1:53:30

say, to realize, you know, everything

1:53:32

else I use, I click the button and

1:53:34

it's like, okay. Wait a minute. You know, it's

1:53:37

still spinning. Other than it comes

1:53:38

up, but not GRC. It's just pow.

1:53:41

Nice. Very interesting. Of course, this is

1:53:43

why this is why you

1:53:45

have to listen to

1:53:47

the show. Right? The

1:53:50

best most interesting stuff. It's been

1:53:52

a great year, Steve. I I think you'll enjoy

1:53:54

the best of. We found some really fun --

1:53:56

Oh. -- business to put together. That's next

1:53:59

Tuesday than the following Tuesday. January

1:54:01

third, we're back again with

1:54:03

episode

1:54:04

would that be 903

1:54:07

Yeah. 903 Betty. Wow. We're getting

1:54:10

close to

1:54:11

the end. I don't say that.

1:54:13

Oh, it's like walking off You got

1:54:15

a whole two years. We

1:54:17

got a long off a short period. That's my

1:54:19

thought I used to say. Steve is GRC dot com. That's the

1:54:21

Gibson Research Corporation. Go there to

1:54:23

get SpinRite. The

1:54:27

world's best mass storage maintenance and recovery utility.

1:54:29

Currently, six point o, six point

1:54:31

one is so close that

1:54:33

if you buy six

1:54:35

point o now,

1:54:36

It will only be a matter of time before you

1:54:38

get six point one for free. So and you could participate in the development of

1:54:41

six point one, although

1:54:43

it's pretty much in the bag. I

1:54:45

think it's pretty much done here. It's working. Yeah. GRC dot com. You

1:54:48

can also get

1:54:51

the podcast there. Steve has two unique formats.

1:54:53

Of course, we both have sixty four kilobit audio. I have video at twit

1:54:55

dot tv slash s n. And he

1:54:58

has a very small audio

1:55:01

version, the sixteen kilobit, it's a sixteen kilobit,

1:55:03

eight kilobit. It's tiny. Sixteen kilobit. When

1:55:05

you wanna go on lower,

1:55:07

it would sound like Thomas

1:55:10

Edison, murder, order alarm.

1:55:12

Sixteen kilobit is still pretty scratchy.

1:55:14

Sixteen kilobit audio for the bandwidth

1:55:17

impaired. Also, transcripts, which are actually incredibly useful

1:55:19

both for search and reading along as you listen. It's also

1:55:21

the most compact format

1:55:23

of the show. Show

1:55:26

notes are also there. GRC dot

1:55:28

com. You can leave him feedback at GRC

1:55:31

dot com slash feedback. His Twitter

1:55:33

is open, @SGgrc,

1:55:36

so you can leave a DM there

1:55:38

for him. Okay. I'm on Mastodon, eventually. Don't

1:55:40

worry. You can also

1:55:42

go to our site, twit dot tv slash s n, or the YouTube channel dedicated security. Now that's a great way

1:55:44

to show share

1:55:46

little clips of the show.

1:55:49

Of the video with people. Hey, you gotta watch this boss.

1:55:51

We're gonna take that that website offline.

1:55:56

That kind of thing. And subscribing probably the easiest thing

1:55:58

to do in your favorite podcast player. That way, you'll get

1:56:01

it automatically. You can

1:56:03

build your collection I would

1:56:06

collect all nine hundred and two security

1:56:07

now's. Steve, have a wonderful holiday. You're going anywhere. You're gonna

1:56:09

stay home. You're gonna code. Nope. We're gonna

1:56:12

stay put. Gonna

1:56:15

I'm we're we're gonna stay germ free, and I'm gonna write

1:56:17

a bunch of code. Lot of code

1:56:19

for Christmas. I'll

1:56:22

be coding for

1:56:23

Christmas. Have a happy New Year. Enjoy some Fine Burgundy, and we will

1:56:25

see you next time on

1:56:27

security now.

1:56:29

See you next year, my

1:56:30

friend. Bye bye. The world is changing rapidly. So rapidly, in

1:56:33

fact, that it's hard to keep up.

1:56:35

That's why Micah Sargent and

1:56:38

I, Jason Howell, talk with the people making and breaking the tech news

1:56:40

on tech news weekly every Thursday.

1:56:42

They know these stories better than

1:56:46

anyone, so why not get them in Subscribe

1:56:48

to TWiT news weekly and you won't

1:56:50

miss a beat every Thursday at twit dot tv.

1:56:53
