Episode Transcript
0:00
It's time for Security Now. Last show
0:02
of the year, Steve Gibson is here.
0:04
We're going to talk about the results of the
0:06
Pwn2Own competition. Everybody
0:08
got hacked. Everybody. Then it's
0:10
the latest on last week's Microsoft
0:13
patch Tuesday. And finally, what
0:15
exactly is coordinated inauthentic
0:18
behavior. You'll find out nothing but
0:20
authentic behavior next on security
0:22
now.
0:25
Podcasts you love. From
0:27
people you trust. This
0:30
is TWiT. This
0:35
is Security Now with Steve Gibson. Episode
0:38
nine hundred two recorded Tuesday,
0:40
December twentieth twenty twenty
0:42
two, a generic WAF bypass.
0:46
Security Now is brought to you by
0:48
PlexTrac, the premier cybersecurity
0:51
reporting and collaboration platform.
0:54
With PlexTrac, you'll streamline the
0:56
full workflow from testing, to
0:58
reporting, to remediation. Visit
1:00
plextrac dot com slash twit to
1:02
claim your free month of the PlexTrac platform
1:05
today. Listeners
1:08
of this program get an ad free
1:10
version if they're members of Club
1:12
TWiT. Seven dollars a month gives you ad
1:14
free versions of all of our shows,
1:17
plus membership in the Club TWiT
1:19
Discord, a great clubhouse for TWiT listeners.
1:22
And finally, the TWiT Plus Feed.
1:24
With shows like Stacey's Book Club, The Untitled
1:26
Linux Show, The Giz Fiz,
1:28
and more. Go to TWiT dot tv
1:30
slash club TWiT. And thanks for your
1:32
support. Thanks
1:37
for listening to this show as an ad supported
1:40
network. We are always looking for new
1:42
partners with products and services
1:44
that will benefit our qualified
1:46
audience. Are you ready to grow your business?
1:49
Reach out to advertise at TWiT dot
1:51
tv and launch your campaign now.
1:54
It's time. For security
1:57
now, the show where we cover your security,
1:59
your privacy, your online agenda,
2:02
online with this guy right here,
2:04
the king of security, mister Steve
2:06
Gibson, hello, Steve. Leo,
2:08
you'll be glad to know. Actually, Paul Thurrott
2:10
will be very glad to know that I left
2:12
my Grinch costume. You
2:15
are so good. Lisa
2:17
and I, so we're talking about
2:19
the show that's not yet aired. It's gonna be
2:21
a Christmas day version of TWiT. Steve,
2:24
Jeff Jarvis, Doc Searls,
2:26
Paul Thurrott, and I were the
2:28
old guys talking about the year's news
2:31
and so forth. But Steve really
2:33
dressed it up with his Grinch costume.
2:36
And the thing that I was so impressed
2:38
with is, you didn't just do it, you
2:40
know, like token grinch. You kept
2:42
it going the whole two and a half
2:44
hours. He was doing his hands
2:46
and you were impressive. Lisa
2:49
and I both were really impressed. I have
2:51
to say. Now
2:54
everybody listening is thinking, okay.
2:57
I didn't know if I was gonna make time to
2:59
actually have to watch. Just on Christmas
3:01
day, but maybe But you can watch
3:03
TWiT want. You can watch it next TWiT you
3:05
if this is being that rich. You
3:08
no. I thank you. You you
3:10
Steve goes all in. He put
3:12
his heart into that, and it's one of the
3:14
reasons, you know, I think that this
3:16
show does well and you really helped the network.
3:19
I I'm very grateful to you.
3:21
And always will be. Steve, we don't have
3:23
a show next week. We have a best
3:25
of. You can take next week off. Goodness.
3:28
Oh, what did I say? On No. No. That's okay.
3:30
I get to work. He's been right. It's gonna be
3:32
a major spinner. If if you wanted
3:34
to take six months It
3:36
wouldn't be me that you'd have to worry
3:38
about or Lisa. I know. It'd be
3:40
the fans. You can't know
3:43
how many messages I receive
3:45
about new ways to number the show.
3:47
So that so that 999 is
3:49
not a problem. That's gonna be a bad day
3:52
in BlackRock, but then it happens, but not
3:54
gonna be good. Actually, think about it. When I on
3:56
episode nine hundred, it was only two weeks
3:58
ago. When I said, yeah. We have a hundred
4:00
episodes left. So I got immediately scolded.
4:03
Gibson, where is your,
4:05
you know, off by one math?
4:07
That would be ninety nine shows
4:09
left. It's like, oh, she had an overflow.
4:12
A mask overflow, buffer overflow. And it has
4:14
to
4:14
be very careful when talking to our on our
4:17
audience, Leo. But that think
4:19
that's why they appreciate my being -- Absolutely.
4:21
-- they can be. Absolutely. This
4:23
week, we're going to answer another
4:26
collection of burning
4:28
questions. First,
4:31
is there no honor
4:33
among thieves? What was
4:36
discovered during this year's Toronto
4:38
Pwn2Own competition? What
4:40
did we learn from last Tuesday's
4:42
Patch Fest? Whose fault
4:45
was the most recent Uber data
4:47
breach. What happened when Elon
4:49
tried to block all the bots? What's
4:52
the first web browser to offer native
4:54
support for Mastodon? What
4:56
exactly is coordinated
4:59
inauthentic behavior And
5:02
why is it such a problem? What
5:04
will happen to GitHub submitters at the
5:06
end of next year? What
5:08
measure Could every member of
5:10
the US senate possibly agree
5:12
upon? Oh, god. Exactly
5:14
what applicator exactly
5:16
what applications are there for
5:18
a zero width space
5:20
character. And finally, what
5:23
larger lesson are we taught?
5:26
By the discovery of a serious
5:28
failure to block a problem that we should
5:30
have never had in the first place. The
5:32
answer drove all those questions and more.
5:34
await the listeners of today's Security Now
5:37
podcast nine hundred and two.
5:39
See now, this this is exactly why you
5:41
gotta do more than nine hundred ninety nine shows. You've
5:43
come with the perfect way to introduce
5:45
the t's, the show. It's perfect.
5:48
All those questions and more will be
5:50
answered. I like all. And my
5:52
theory, it matches my theory of life.
5:54
Just as you're taking your final
5:56
dying glass gasp
5:58
of a breath, you
6:00
figure it out. Oh, you
6:02
don't. I thought you were gonna say you
6:04
say is that all there is? I
6:08
was like, oh, I finally get it.
6:09
I finally get it. Erika.
6:12
And, of course, the kids never wanna listen to the
6:14
gramps. They he has no idea what he's
6:16
talking about. So Yeah. -- I just
6:18
keep it to myself. Yeah. We
6:20
yell at the clouds so you don't have to. That's
6:22
right. We'll take a little break. And
6:25
then we're gonna get in the answers
6:27
to all those questions and
6:29
more with Steve Gibson. Of
6:31
course, I forgot to mention that the title of
6:33
today's podcast -- Oh, what is it?
6:35
-- a generic WAF
6:38
bypass. Were any of is that
6:40
the answer to any of those questions? Happy
6:43
holidays. A
6:46
generic WAF Bypass.
6:49
Our generic WAF bypass is
6:51
is it it it is involved
6:53
with the larger lesson that we're
6:55
taught by the discovery of a serious
6:58
failure to block a problem that we should have never had in
7:00
the first place. So that's what I thought. Okay. So that
7:02
last -- That's right. -- is the last thing.
7:04
Okay. Boy, what a yes. I don't
7:06
even have a build up to that one.
7:09
That's why you listen to this show. Right folks?
7:11
That's exactly right. And, you know,
7:13
one of the reasons we have such
7:15
great sponsors in this shows because they know
7:17
the people listening to this show are
7:20
focused on tech. Many of them,
7:22
you know, are responsible
7:25
for security in the
7:27
in the workplace. That's
7:29
why PlexTrac wants to tell
7:31
you about their product. PlexTrac
7:34
is your security team's
7:36
secret weapon and a mighty
7:38
fine tool it is too. For
7:40
blue teams, for red teams,
7:43
For the teams in the middle of the purple
7:45
teams, PlexTrac is the premier
7:47
cybersecurity reporting
7:49
and collaboration platform. And
7:51
it really changes the way you're gonna get your
7:53
job done. Cybersecurity absolutely
7:57
needs PlexTrac. Right? Because
8:00
wouldn't it be nice? I'll give you. Wouldn't it be here's
8:02
a question. Wouldn't it be nice to
8:04
gain control of all your tools, all
8:06
your data, you know? Get it
8:08
all in one place, build more actionable
8:10
reports, focus
8:13
on the right remediation, even more important,
8:15
communicate what needs to be remediated,
8:17
to the blue team effectively? Are
8:20
you working to mature your security
8:22
posture but struggling to optimize efficiency?
8:25
And facilitate collaboration within your
8:27
team? Well, this is the perfect solution for you,
8:29
PlexTrac. It
8:31
is a very powerful but easy to use
8:33
very simple cybersecurity platform
8:35
that does a bunch of different
8:37
things. It centralizes all your security
8:40
assessments. Your pen test
8:42
reports, all your audit findings,
8:44
all your vulnerability tracking,
8:46
and makes it easy for you to
8:48
generate those reports so you can
8:50
get these things fixed. It transforms
8:52
the risk management life cycle.
8:54
It lets security teams generate
8:56
better reports faster. You
8:58
can aggregate and visualize your
9:01
analytics. You can collaborate on remediation
9:03
real time. So bottom
9:05
line is it helps you get your
9:07
job done, fewer keystrokes, less
9:10
work, making a report more time
9:12
to do the testing. PlexTrac
9:15
is amazing. It addresses all the pain
9:17
points across the spectrum
9:19
of security team workflows and rules.
9:21
Start with its second to none for managing
9:23
offensive testing. And reporting security
9:25
findings. It'll run your pen test, but
9:27
then you can take the code samples, generated
9:29
the screenshots, you can add videos
9:31
to any finding, You can import
9:34
findings from, you know, all the major scanning tools
9:36
Nessus, Burp. Whatever it is you
9:38
use, import it right in. You can create
9:40
custom templates so that
9:42
you know, you do that once. And then from
9:44
then on, a click of a button and your
9:46
report is generated. You
9:49
get analytics and service level agreement functions
9:51
to help you visualize your security posture,
9:53
which means you can quickly assess and
9:55
prioritize to ensure you're
9:57
tracking remediation efforts, for your compliance
9:59
efforts, to show progress over time
10:01
for the for the the c
10:03
suite, the board, to get built
10:05
in compatibility with industry tools and
10:07
frameworks, vulnerabilities, scanners,
10:10
pen testing as a service platforms,
10:12
bug bounty tools, adversary
10:15
emulation plans. It allows you to improve the
10:17
effectiveness and efficiency of your
10:19
current workflow. You get robust
10:21
integrations with Jira and ServiceNow,
10:24
So that's nice because you you
10:26
create you're generating these reports, but now you're
10:28
also closing the loop on the highest
10:30
priority findings. Enterprise
10:32
teams can use PlexTrac to
10:34
streamline their pen tests, security
10:37
assessments, incident response reports, and
10:39
so much more. You're
10:41
gonna love it because it takes the the burden
10:43
of reporting off of you,
10:45
makes it easy to do. So you can
10:47
focus on the thing you're there for, which is to do
10:49
all these assessments, right, to to
10:51
find these problems.
10:54
PlexTrac clients report up to a sixty
10:56
percent reduction in time spent reporting.
10:58
Wouldn't that be nice? Wouldn't
11:00
that be nice? You get a thirty percent
11:02
increase in efficiency and a five X
11:04
ROI in year one?
11:06
All in all, PlexTrac provides
11:08
a single source of truth for all stakeholders
11:12
transforming the cybersecurity management
11:14
life cycle. I think sometimes it's,
11:16
you know, it's it's hard to
11:18
say, well, I need this tool for reporting. You know,
11:21
it's probably not so hard to say, well,
11:23
you know, I need this or that to
11:25
do some testing. But reports
11:28
are how you communicate your results to
11:30
the people who could fix the problem to the people
11:32
upstairs. And it should
11:34
be easy. It shouldn't be the thing that takes
11:37
your time. Book a demo right now. See
11:39
how PlexTrac can save your team.
11:41
Try it free for one month. See how
11:43
it can improve the effectiveness and
11:45
the efficiency of your security team,
11:47
blue team, red team, purple team.
11:49
Simply go to plextrac dot com slash
11:51
twit and claim your free
11:53
month. Now, please go to that address, P L E X T R A C,
11:57
plextrac dot com
11:59
slash TWiT, okay?
12:01
So that way, they know you heard it here.
12:04
plextrac dot com
12:06
slash TWiT. We
12:08
thank PlexTrac so much for supporting
12:10
Security Now. And the efforts of this
12:12
cat right here. Don't forget,
12:14
plextrac dot com slash
12:16
security. Now,
12:19
I am
12:19
ready for the picture of the week. And
12:22
this one really is
12:24
interesting. Yes. So
12:27
I titled this old school
12:29
message routing, and
12:31
it would be difficult to adequately describe
12:34
this, but it's a fascinating picture.
12:36
It And if nothing else Leo shows
12:38
us how far we've come, because
12:41
what we have is I'm
12:44
old enough to remember going to a
12:46
department store, buying
12:48
something with my mom, and the clerk
12:50
would roll up the
12:52
the slip, put it in a
12:54
tube and act like
12:56
a cylinder, and shove it
12:58
into one of these holes. That
13:00
is a pneumatic delivery system.
13:03
And and my my earliest
13:05
memory of that was when
13:07
you did a car, you know,
13:09
auto ATMs, I
13:12
remember that -- Yeah. -- we we still
13:14
have one in town. Yeah. Yeah.
13:16
Where where you'd like, stick
13:18
your your checks and and things
13:20
in this plastic cylinder
13:22
and then stick it in this
13:23
tube. And then we go,
13:24
And
13:25
It was so satisfying. Oh.
13:27
It was wonderful. So
13:30
okay. So what we have if, you know,
13:32
if if people could imagine a
13:34
a bunch of tubes that
13:36
have sort of a like
13:38
like a catheter
13:40
at the end so that this
13:42
the cylinder is gonna come flying out of
13:44
this tube like and and like stop.
13:47
This is the switch room
13:49
which involves all of
13:51
the ends of these tubes
13:53
and some poor guy who's
13:55
standing there, I
13:57
guess, like, picking tubes up
13:59
from what like like picking cylinders up
14:01
that have arrived in one tube
14:03
and then sticking them up in
14:05
another tube and off they go, know,
14:08
back, you know, like, onto their
14:10
destination. This looks like a
14:12
message routing or switching
14:14
room for pneumatic
14:16
tube transfers. And
14:18
but now what's interesting
14:20
is that I don't see any labels on these things.
14:22
There's like, I don't know, what thirty of
14:24
them or twenty of them that that we can see, and
14:27
then, like, over on the left are a whole bunch
14:29
not like other rows of
14:31
them. This is just fascinating. This is
14:33
the inbound. This is your inbox.
14:36
I don't know what you would do
14:38
for outbound. Yeah. I guess you have
14:40
to remember where it came out of.
14:42
These are called according to
14:44
the chat room, Lamson tubes,
14:47
and there's a website dedicated to it,
14:49
pneumatic dot tube.
14:51
Oh, that's so good. That's
14:53
so good. And and and
14:55
also I love I love the one there along
14:57
the ceiling at the top. It like it looks like
14:59
it's it it starts to come down and then it
15:01
changes its mind. It goes Nope. We're not gonna
15:03
we're not gonna end here. We're gonna go across and
15:05
go back up somewhere else. So it's like,
15:08
okay. And also when you think about it, you
15:10
know, these things have
15:12
some links to them. Right? Like, it it's
15:14
actually a canister
15:16
that you're able to put documents
15:18
in. So there's a
15:20
minimum radius of
15:22
the for the bend of these things,
15:25
or the canister's gonna get
15:27
stuck trying to go around a
15:29
around a curve. So it
15:31
must be that it had larger
15:33
ends and a thinner
15:36
body or maybe
15:38
even a like a Concave
15:40
body that would allow, you
15:42
know, this thing to navigate around
15:44
the corner because it's We
15:46
could see some corners. They're not
15:48
sharp and and they couldn't be.
15:50
Anyway, just, you know, completely
15:52
not about Well, it is
15:54
kind of about packet routing, I guess. Oh, yeah.
15:56
This is this is a website all
15:58
about it. Here's a Scientific American
16:01
Article about the pneumatic
16:03
tube system of New York City.
16:06
Now it was published a couple of years ago.
16:08
So this But the original article was from
16:10
eighteen ninety seven. This is why the Internet
16:12
is so There's nothing you can't find.
16:14
Isn't I mean, pneumatic
16:16
dot tube. There's a website for
16:18
crying out loud. Amazing.
16:22
I love it. Yeah. And they're all over the
16:24
world, I guess. These pneumatics. There's
16:26
a pneumatic railway. I'm not sure I'd
16:28
wanna ride that.
16:32
Yeah. Just just just lie
16:35
flat and tuck your arms in, and
16:37
we'll just gonna close this little
16:39
lid on this on this round coffee
16:41
and send you out your way. I think
16:43
there's actually, that's isn't that
16:45
Elon Musk's idea for what do you
16:47
call that? That that tube system that
16:49
he wants? Not the the boring
16:51
company, but he actually wanted to do a high
16:53
speed tube.
16:55
Hyperloop. Hyperloop. Thank you. Yeah.
16:57
That was that was last week. Know
16:59
what? Who knows? It's a little busy
17:01
now. Yeah. Yeah. So a
17:03
malware operation known
17:06
as Ursnif,
17:08
you know, which
17:11
we've noted a few times they've
17:13
kind of crossed our radar, it's
17:15
the fourth one this year
17:17
to suffer from internal squabbles,
17:20
which end up surfacing in the public
17:22
eye. Disagreements over,
17:25
you know, Russia's invasion of
17:28
Ukraine, and in some cases strong pro
17:30
Russian sentiments, which have
17:32
divided previous groups were
17:34
the were the nominal triggers
17:36
in those first three instances.
17:38
But for number four, it appears
17:40
that it's just about greed. You
17:42
know, that's all the motivation we need. And
17:45
this is is heading toward the answer to the
17:47
question, you know, is there no
17:49
honor among thieves? Through
17:52
a Twitter account, which was
17:55
at ursnifleak,
17:58
which may still be suspended. It
18:00
was a while ago at least. An
18:02
ex member of
18:04
this group, this Ursnif
18:07
group, announced his
18:09
intention to leak the
18:11
real world identities of
18:13
the top leaders of
18:15
the group. Unless he received a significant payout.
18:17
To prove his willingness to do so,
18:19
in a succession of tweets,
18:21
you know, Ursnif
18:24
Leak leaked various
18:26
pieces of internal dialogue,
18:29
some of the group's source
18:31
code, and the names of three low
18:33
level group members. That
18:35
was enough to get this person paid.
18:38
After that, he tweeted,
18:40
he said, I just made
18:42
more money in a single week.
18:45
Than I have made in years.
18:47
Pay workers right and they won't
18:49
have a reason to leak stuff.
18:51
Unquote. And I couldn't help, but note
18:54
that it's interesting that this
18:56
person considers this to
18:58
have been an act of making
19:00
money you know,
19:02
wow. What a what a different culture.
19:05
Apparently, the motivation to
19:07
extort was heightened by something that
19:09
the head of the group said in an interview
19:11
with the VX underground project. It was
19:13
not clear what about that was
19:15
upsetting. The Ursnif leaker
19:17
tweeted, the interview
19:19
angered me. He
19:21
has been a bad boss for a
19:23
long time. I've been waiting for
19:25
the right time to release unquote.
19:27
And of course, you know, Remember that this is a
19:29
bad boss of a of
19:31
a Russian ransomware
19:34
group. So Yeah. Bad kind of goes
19:36
into territory. It's hysterical. Wow.
19:38
I just wanted to click my
19:40
paycheck and go home, but no.
19:42
Yeah. So I had to extort
19:44
money in order to get paid or or extort
19:46
the the boss for money. That's
19:48
right. So anyway, I don't think
19:50
we can count on all of the major
19:53
groups to implode, but there's probably
19:55
a little extra tendency for that
19:57
to happen within an organization comprised
20:00
of people who must be aware that
20:02
what they're doing is not earning
20:04
an honest day's living. You know, at
20:06
least I guess we can hope so.
20:10
Okay. Pwn2Own
20:13
Toronto twenty twenty two just
20:15
happened. And it's always interesting
20:17
to see what hackers wearing white
20:19
hats are able to do
20:21
to today's fully patched
20:24
and up to date systems. Right? Because,
20:26
you know, those are the targets.
20:28
Is in in every case, these
20:30
things are one hundred
20:32
percent patched. And we've seen
20:34
instances in the past where
20:36
a a group will get
20:38
all ready to to
20:40
to demonstrate a a vulnerability
20:42
that they've very cleverly
20:44
crafted in something and, like, the
20:46
day before their demo,
20:49
the publisher patches.
20:51
And, like, not because they told
20:53
them. Right? There I mean, they
20:55
will end up telling them all of the things that are
20:57
done during these Pwn2Own contests
21:00
end up being communicated
21:03
to the publisher of the of
21:05
the thing that was compromised, but
21:08
not beforehand. Anyway, so the point is
21:10
this is the this is state of
21:13
the art fully patched as good as we know how to
21:15
make it products that these guys are
21:17
going after. So
21:21
In the past, we've taken people
21:24
through a blow by blow. And
21:28
sometimes, I think that ends up getting
21:30
a little long. So
21:33
the what I so I'm gonna summarize this a
21:35
bit. The recently concluded
21:37
Toronto twenty twenty two hacking
21:39
contest focused upon
21:41
hacking routers, smartphones,
21:45
printers, and other smart devices.
21:47
So it was sort of an IoT
21:50
esque you know, smartphones, printers, routers,
21:52
and other stuff. It
21:54
was a four day contest that ended
21:56
up getting won by
21:59
DevCore which is the now well
22:01
known Chinese, Taiwanese
22:04
penetration testing group. Okay.
22:06
So to give everyone some
22:08
sense for
22:09
this, I'm just gonna
22:09
quickly scan down and I
22:12
abbreviated these just
22:14
the bullet points which
22:16
briefly describe the
22:18
attacks. So and
22:20
and this is just day one.
22:23
Okay? Day one of the four
22:25
day Contest.
22:28
A stack buffer overflow
22:30
attack against the
22:32
Canon imageCLASS MF seven
22:34
forty three CDW printer.
22:36
A two bug authentication bypass and
22:38
command injection attack against the
22:40
WAN interface of a TP-Link
22:42
AX eighteen hundred router.
22:45
A command injection attack which caused a Lexmark
22:47
m c thirty two twenty
22:49
four i printer, to
22:52
serenade the audience. With
22:54
a well known Mario Brothers
22:56
tune. We had a command
22:58
injection attack against the WAN
23:00
interface of the Synology RT6600ax
23:04
router. A stack based
23:06
buffer overflow against an HP Color
23:08
LaserJet Pro
23:10
M four seventy nine FDW
23:13
printer. An improper input validation
23:15
attack against the Samsung Galaxy
23:17
s twenty two a
23:19
command injection root shell attack against the
23:21
LAN interface of the Synology
23:23
r t sixty six hundred ax router
23:26
again. Another improper input
23:28
validation attack against the Samsung Galaxy
23:30
S twenty two. A two bug
23:32
attack, SQL injection, and command
23:34
injection against the LAN interface of
23:36
the Netgear RAX thirty,
23:38
AX twenty four
23:40
hundred router. A SQL
23:43
injection on a router. That's interesting. Anyway,
23:45
two different based buffer overflow
23:47
attacks against the MikroTik
23:49
router and a Canon printer.
23:52
Three bugs: two
23:54
missing auth for critical function and
23:56
an auth bypass attack against the
23:58
Synology DiskStation DS nine
24:01
twenty plus NAS. Two bugs,
24:03
including a command injection in an attack
24:05
against the HP color laserjet Pro,
24:07
m four seventy nine
24:10
FDW printer. Five different bugs leveraged
24:12
in an attack against the LAN interface of
24:14
the Netgear RAX
24:16
thirty, again, AX twenty four hundred
24:18
router, and three different bugs against a
24:20
Netgear router and an HP
24:22
printer. Now you know why I'm only doing day
24:24
one. And remember,
24:26
these were all
24:28
one hundred percent up to date
24:31
devices all cut through.
24:33
All of that on only
24:35
the first day and
24:38
it kept going like that throughout the entire
24:40
event. As we know,
24:42
LAN side attacks
24:45
on routers and NAS devices
24:47
are much less concerning
24:49
than attacks that could be launched against
24:51
the WAN
24:52
interface. But this contest revealed
24:54
plenty of both of those. And
24:56
the number
24:57
of printer vulnerabilities
24:59
that still exist Well, I suppose
25:01
we shouldn't be surprised. But
25:05
obtaining well hidden persistence
25:08
inside a network is an overriding
25:11
goal of anyone who penetrates
25:13
an enterprise's perimeter. And
25:16
printer protocols by their
25:19
design loudly broadcast
25:21
and advertise on networks
25:24
because their goal is to be found.
25:27
Unfortunately, this results in highly
25:29
vulnerable printers shouting
25:31
their presence and creating a
25:33
perfect and often unsuspecting
25:35
place for malicious post
25:37
intrusion malware to set
25:39
up shop and wait.
25:42
Thus becoming an advanced persistent
25:45
threat. So anyway, I
25:47
just sort of as a reality check,
25:49
here's here's Yes.
25:51
These guys are, you know, at the
25:53
top of their game. Right? They're they're the
25:55
the the world's best hackers.
25:58
Yet it appears that all they have
26:00
to do is look at
26:02
some device, make that the
26:05
target of their scrutiny and
26:07
they can find a way in. So,
26:10
you know, we we
26:12
need to I
26:14
guess anyone listening to this podcast long
26:16
enough will have lost any sense
26:18
that if there's anything that's
26:20
invulnerable to, you
26:22
know, it's somebody who is serious about
26:24
finding a way in. And in fact, that is the story
26:26
behind today's main
26:28
podcast story at
26:30
the end. Okay? And speaking of getting
26:32
into networks, it's not just
26:34
lower end IoT
26:36
devices that are permitting bad
26:38
guys to get into networks. Both
26:40
Citrix and Fortinet, who are two
26:42
of today's largest providers of enterprise
26:45
networking equipment, recently
26:47
released security updates to
26:49
patch zero day vulnerabilities
26:51
one in each of their devices
26:53
that were being exploited in the
26:55
wild against
26:56
them. In
26:57
the case of the Fortinet Zero Day,
26:59
which created an unauthenticated
27:02
remote code execution, in
27:05
FortiOS, which
27:07
is what runs the company's SSL
27:09
VPN devices, it was
27:11
the way some
27:13
ransomware was managing to crawl
27:15
inside enterprise networks,
27:18
which is never what you
27:20
want. And it was so
27:22
bad that Fortinet did the right thing
27:24
by also offering down
27:26
version patches for
27:29
their older out of support devices, which
27:31
were still running their also
27:34
vulnerable six point zero
27:36
firmware. The zero day was
27:38
first spotted being used in the wild by a
27:40
French security firm, Olympe,
27:43
last week. And to Fortinet's credit,
27:45
They patched it over the weekend
27:47
in just three days. So
27:50
props for getting it fixed quickly,
27:52
but boy, you know,
27:54
what this French security firm watched, what
27:57
were ransomware groups
27:59
gaining entry to an enterprise
28:02
network through this
28:03
vulnerability. So, wow.
28:06
And I said, you know,
28:08
two zero days, one each
28:11
Fortinet and Citrix Citrix's
28:14
is the other. And it's
28:16
also an unauthenticated remote
28:18
code execution exploit.
28:21
Interestingly, this one was
28:23
spotted by the NSA -- Yep. --
28:25
our national security agency.
28:27
In their security advisory, the
28:29
NSA wrote that they
28:31
saw the Chinese cyber
28:34
espionage group designated APT
28:37
five, leveraging that
28:39
Citrix Zero Day. But the NSA offered
28:42
nothing further about what was being
28:44
done with the obtained leverage.
28:46
So again, you
28:49
know, high end gear also
28:51
vulnerable, not just low end
28:53
stuff. Last Tuesday
28:57
was the industry's increasingly well
28:59
attended final monthly patch
29:01
event of the year.
29:04
And those offering up
29:06
incrementally more secure improvements
29:08
in their code and products, notably
29:10
included Adobe, Android,
29:13
Apple, Microsoft, Mozilla,
29:15
SAP, and VMware, Microsoft
29:19
fixed seventy two security flaws
29:21
this month across their range of
29:23
offerings, and that included a zero day that
29:26
was being used to circumvent Microsoft's
29:29
smart screen and mark of
29:31
the web detection use
29:33
which was which would
29:37
that I got myself tangled up. The
29:39
zero day was
29:41
being used to bypass that
29:43
to allow stand
29:45
alone JavaScript files to execute
29:48
because modern windows will
29:50
execute JavaScript natively. And, of
29:52
course, we covered this trouble
29:54
recently. So it's very good
29:56
that it's been fixed. The other
29:58
issue Microsoft addressed was a problem that
30:00
we also noted before here.
30:03
Which was that somehow, malicious
30:05
Windows drivers were being
30:07
used by the Hive and
30:10
the Cuba Ransomware strains
30:12
or groups, and those malicious
30:15
drivers were being trusted by
30:17
windows because they were carrying
30:19
valid Microsoft signatures.
30:22
Oops. Okay. In this
30:24
month's advisory, Microsoft wrote
30:26
We were notified of this
30:29
activity by SentinelOne, Mandiant,
30:32
and Sophos. So
30:34
everybody was watching. On October nineteenth
30:37
of twenty twenty two, and
30:39
subsequently performed an
30:41
investigation into
30:43
this activity. And I and I should just mention
30:45
that SentinelOne,
30:47
Mandiant, and Sophos. They've
30:49
all got clients and
30:52
their technology is
30:54
on those clients' networks
30:57
offering protection over
30:59
and above what Microsoft is
31:01
providing. So the reason all
31:03
three of those companies, all
31:05
notified Microsoft on
31:07
October nineteenth of twenty twenty two is
31:10
that's when all three of
31:12
their technologies alarms
31:15
went off when
31:17
drivers were acting maliciously.
31:20
They immediately thought,
31:22
wait a minute, How is a driver getting into
31:24
the kernel and acting this
31:27
way? So they yanked
31:29
those, looked at them, found
31:31
that they were all validly signed
31:33
by Microsoft and
31:35
immediately notified Microsoft that that was what
31:37
was happening. So, you know, that's the
31:39
good thing about the way
31:41
this industry is evolving with
31:43
third parties who are offering, you
31:45
know, real time detection services
31:47
for people's networks is,
31:49
you know, they're able to close the
31:51
loop and let Microsoft
31:53
know when something bad has happened.
31:56
Microsoft said, This investigation revealed
31:58
that several developer accounts
32:01
for the Microsoft partner center
32:03
were engaged in submitting
32:06
malicious drivers to obtain a
32:08
Microsoft signature.
32:09
In other words,
32:10
there were some bad partners
32:12
there. They said a new attempt
32:14
at submitting a malicious driver for signing
32:16
on September twenty ninth twenty
32:18
twenty two led to the suspension
32:21
of the seller's accounts in
32:23
early October. So
32:27
okay. So early October,
32:31
Yet the drivers appeared on
32:33
the nineteenth of October, which
32:35
suggests that that drivers
32:38
were signed Microsoft
32:40
caught this happening on
32:42
at the end of September, yet
32:45
there were still drivers out there that
32:47
Microsoft wasn't aware of because they hadn't
32:50
invalidated them. So then they appeared
32:52
in use at the end toward the end of
32:54
October the nineteenth, and that's
32:56
when they got notified of something
32:58
that basically they already knew about. Anyway,
33:00
that was all good. And not to be
33:02
left out, Apple also updated
33:05
WebKit to fix a zero day that was being used in
33:07
targeted attacks against iOS
33:09
users. Uber has
33:14
been having a rough time recently.
33:16
Recall that about four months ago,
33:18
the Lapsus$ gang
33:20
breached Uber's security and
33:23
cause them trouble. What's interesting
33:26
about last week's second
33:28
breach, which resulted in
33:30
unfortunately, the leaking of the personal
33:33
details of seventy
33:35
seven or actually more than
33:37
seventy seven thousand Uber employees
33:40
and also some source code and
33:42
credentials for some of the company's
33:44
internal IT
33:45
network. And
33:48
I should mention that Uber confirmed
33:51
the authenticity of
33:53
that
33:55
leaked data.
33:57
What's interesting is that this wasn't
34:00
directly Uber's fault. The
34:02
breach occurred in the
34:04
network of an Uber contracted
34:07
IT service provider whose
34:09
name suggests or suggested
34:11
to me at least that all the good
34:13
names were already taken. This
34:16
chose to name itself
34:18
Teqtivity. It's
34:22
T E Q T I V I T Y.
34:26
Anyway, the day after
34:28
Uber outed Teqtivity as being
34:31
the the actual proximate cause of
34:33
this latest leak, Teqtivity
34:36
themselves disclosed
34:38
the breach last Thursday. Uber may have been
34:40
Teqtivity's biggest
34:42
customer. Actually, I did some looking
34:44
around and, you know, they've got a bunch
34:46
of them. But
34:49
I mentioned this because other notable companies may also
34:51
have had their data stolen
34:54
since a breach of one large
34:56
service provider
34:58
can potentially expose the data belonging to all their clients. We saw
35:00
this, of course, a couple years ago
35:02
when all of those dental offices
35:05
were in trouble. Because they were
35:07
all, they were all
35:10
outsourcing their dental
35:12
records management to one single
35:13
provider. The so called MSP,
35:16
right, managed service provider. As
35:17
an industry these days, we're
35:20
really sort of facing
35:22
a conundrum.
35:23
Do
35:24
you run
35:24
your own in house shop
35:27
where you're you are
35:29
solely responsible for
35:32
your company's security and IT and
35:34
everything? Or
35:36
do you decide that running networks
35:40
and servers, and points of presence, and dealing with a
35:43
constant need to focus upon
35:45
security is not your
35:47
main line
35:48
business. It, you know, it isn't
35:50
what you should be spending your cycles
35:52
on. And and also that
35:54
it's just become too complicated to
35:57
do it
35:58
right. No, that's a valid consideration. So
36:00
you farm it out to someone who
36:04
promises to you that it
36:06
will be their mainline
36:08
business because that's all they're
36:10
going to do. It is their
36:12
business. And
36:14
you know, I think today that's a tough call. I think it
36:16
can work out and be extremely cost
36:20
effective to to do
36:22
this subcontracting. So long
36:24
as everything goes well. On the
36:26
other hand, when something doesn't go
36:28
well, you know, if it's a big
36:30
breach at
36:32
a
36:34
major service
36:34
provider, you know, potentially
36:37
the the damage can be
36:39
huge because so many individual
36:40
clients of theirs can be affected by
36:42
a single attack. So again,
36:45
a tough
36:48
call, but increasingly, I can see that it makes sense. And
36:50
this sort of goes back to the comment I made. I
36:52
think it was last week where, you know,
36:54
the the guys at
36:56
the DigiCert customer
36:58
advisory board meeting looked
37:01
at me like I
37:03
was nuts for still
37:05
doing it myself. Saying, you know,
37:07
Gibson, nobody nobody does their own hardware
37:10
anymore. Okay.
37:13
I don't know, Leo, if
37:16
every podcast on TWiT
37:18
mentions Twitter and Elon
37:20
probably. But,
37:22
you know, there he
37:24
keeps doing things that are
37:25
interesting, certainly for us.
37:28
So for this one way to put it,
37:30
From the outside
37:32
looking in, it's difficult
37:35
to understand the
37:37
mechanisms at play. Inside
37:40
Elon Musk's Twitter reign.
37:43
You know, from the outside, anyone would
37:45
get the sense of
37:47
things lurching back and forth
37:49
inside Twitter. Presumably, as
37:52
Elon's, as he described
37:54
it himself, his biological neural net fires
37:56
off whimsical edicts,
37:58
which Twitter's remaining employees
38:01
apparently quickly implement without
38:03
any, without any buffering in a
38:06
desperate effort to hold
38:08
onto their own paychecks. In
38:10
this chaotic
38:12
and fragile work environment, which has been created. You
38:14
know, one moment, we're done with
38:16
layoffs. Then we have more
38:18
layoffs. No.
38:20
Now we're really done
38:22
with layoffs, then entire departments disappear.
38:25
Collections of press
38:28
accounts are suspended for an interval of seven days.
38:30
Until the next day, they're
38:32
reinstated. A new policy
38:36
states anyone tweeting a link, which points to another
38:38
social network will have their account
38:40
suspended. Until a few
38:42
hours later, when that
38:44
policy ends. You know, it really
38:46
has been quite something to
38:48
watch. And as I'm assembling the
38:50
notes and details of
38:52
this podcast, when I follow links to online
38:54
events that would once
38:56
have linked to
38:58
Twitter, I'm increasingly
39:00
being taken to Mastodon.
39:02
Well,
39:03
last week something else happened as a
39:06
result of a
39:08
apparent misfiring of Elon's
39:10
biological neural net.
39:12
He decided that he was
39:14
going to block all of
39:17
the bots. This of course was something that
39:19
had endlessly bedeviled all
39:22
of the pre Elon
39:24
Twitter engineers.
39:26
How to block the bots. Elon, it
39:28
turns out, had the answer.
39:30
So he declared publicly that
39:33
he had a surprise for all of
39:36
the bot farms. And
39:38
last Monday, Twitter
39:40
blocked entire
39:42
IP address blocks, which were used
39:44
by it turns out
39:47
approximately thirty, three
39:49
zero, mobile carriers across
39:52
Asia, according to Platformer. I
39:55
I know. This included
39:57
the primary telecom
40:00
providers for all
40:02
of India and all
40:04
of Russia, as well as Indonesia's
40:07
second largest telecom. Of
40:10
course, there were vastly more
40:12
legitimate users in every
40:14
one of those address blocks than
40:17
there were bots. So three countries,
40:20
worth of legitimate Twitter users who
40:22
all shared the same IP address
40:24
blocks as a few
40:26
bots, were completely
40:28
cut off from
40:29
Twitter. And you have to,
40:32
like, wonder, how
40:36
could anyone not anticipate that happening.
40:38
It's it's I don't know.
40:40
Again, it's just incredible to me.
40:43
What I can see
40:46
is that Elon wants to own Twitter.
40:49
But Twitter is
40:52
not technology. It
40:54
is
40:54
enabled by technology.
40:58
Twitter is
41:00
a community. A community can be enabled
41:02
and nurtured and encouraged.
41:04
The one thing it cannot
41:07
be is owned. Nobody
41:10
owns Twitter's community no one can,
41:13
not even Elon. You
41:17
can
41:18
you're always welcome over
41:21
at twit dot social. You could
41:22
have your own mastodon account. I promise
41:25
not to ban you. Well, we're
41:27
gonna see because, you know, he famously held a poll
41:29
over the weekend. That's
41:31
all silly, silly. I
41:34
know. He said, if this poll says
41:36
I should no longer be CEO,
41:38
I will resign. Yeah. Of course, the
41:40
petition said, please resign.
41:42
We're waiting. Well, yeah.
41:44
Go. We're done. We're done.
41:46
Well, then he said, be careful what you wish
41:48
for, which is probably true, as God
41:50
knows who would take over.
41:52
is I think he's destroyed. I mean, you know, you
41:54
know, one of the things that I'm seeing, in
41:56
fact, we're gonna get to this in a minute.
41:59
This is the coordinated inauthentic
42:02
behavior, which is just this wonderful
42:04
phrase. I love that phrase. Yeah.
42:06
It is it is difficult to
42:08
do this, Leo. It is it is
42:10
difficult to be in an
42:12
ownership or, you know,
42:14
catbird position with any
42:16
large social media network you you are be
42:18
constantly fighting abuse. On the
42:20
one hand, you wanna open your
42:23
date and allow everybody in the
42:26
world to come in and
42:28
participate. Unfortunately, we know that
42:30
the world has a whole bunch of
42:32
bad people in it. And,
42:34
you know, bots are a thing. And so it's just
42:36
this is really hard to do. And
42:38
and I would argue Twitter was doing
42:40
the best job they could. And,
42:44
of course, then they got all they ran afoul of
42:46
all of these issues of,
42:48
well, you know, should we
42:50
allow people to scream fire in a burning
42:52
building or
42:54
not? And ad infinitum. Anyway, Elon
42:56
appears to have badly broken it, and
42:58
it's not at all clear to me that
43:00
him disappearing is gonna suddenly
43:03
you know, fix it. I don't know how you
43:05
do that. Yeah. It's sad. Anyway,
43:08
the good news is, speaking of
43:10
Mastodon, Vivaldi
43:12
recently became the first browser to have its
43:15
own Mastodon
43:15
instance, Vivaldi Social,
43:19
Now, the new version on the
43:22
desktop is also the
43:24
first to integrate
43:26
Mastodon natively
43:28
into the browser itself. Along with the ability
43:30
to pin tab groups and other
43:32
UI improvements, they said We
43:35
believe in providing alternatives to big
43:38
tech while putting your privacy
43:40
first and launched
43:41
Vivaldi Social, our Mastodon instance. And today,
43:44
we are integrating Vivaldi
43:46
Social into the sidebar
43:48
of our
43:50
desktop browser. Becoming the
43:52
first browser to offer this
43:54
functionality. So anyway, I
43:56
just wanted to give a tip to
43:58
to Vivaldi, and note that it's interesting
44:01
that this has
44:01
happened. Hey, everybody. Leo Laporte
44:04
here. I'm the founder and one
44:06
of the
44:08
hosts at the TWiT podcast network. I wanna
44:10
talk to you a little bit about what we do here
44:12
at TWiT. Because I think it's unique
44:14
and I think for anybody
44:18
who is bringing a product or
44:20
a service to a tech
44:22
audience, you need to know about what
44:24
we do here
44:26
at TWiT. We've built an amazing audience of engaged,
44:28
intelligent, affluent listeners
44:30
who listen to us and
44:32
trust us when we recommend. A
44:36
product. Our mission statement is to
44:38
build a highly engaged community of tech
44:40
enthusiasts. Wait.
44:42
Already, your ears should
44:44
be perking up at that because highly engaged is good for
44:46
you. Tech enthusiasts, if that's who
44:48
you're looking for, this is the place. We do
44:50
it by offering them the knowledge they need
44:54
to understand and use technology in today's world. And
44:56
I hear from our audience all the time,
44:58
part of that knowledge comes from our
45:02
advertisers. We are very careful. We pick advertisers
45:04
with great products, great
45:06
services, with integrity, and
45:08
introduce them
45:10
to our audience with authenticity and
45:13
genuine enthusiasm. And that makes our host
45:15
read ads different from anything else
45:17
you can buy. We
45:19
are literally bringing you
45:22
to the attention of our audience
45:24
and giving you a big,
45:27
fat endorsement. We like to create partnerships
45:29
with trusted brands. Brands who are in
45:31
it for the long run, long
45:33
term partners that
45:36
wanna grow with us, and we have so many great success
45:38
stories. Tim Broome, who founded
45:40
IT pro TV in
45:42
twenty thirteen, started advertising
45:44
with us on day one has been with us
45:46
ever since. He said,
45:48
quote, we would not be where we
45:50
are today. Without the TWiT network. I think the proof is in the
45:52
pudding. Advertisers like IT
45:54
pro TV and Audible that have been with
45:56
us for more than ten years. They stick
46:00
around because their ads work. And honestly,
46:02
isn't that why you're buying
46:04
advertising? You get a lot with TWiT. We have
46:06
a very full service attitude.
46:08
We almost think of
46:10
it as kind of artisanal
46:12
advertising, boutique advertising. You'll get a
46:14
full service
46:16
continuity team.
46:18
People who are on the phone with you, who are in touch with you,
46:20
who support you from with everything
46:22
from copywriting to graphic design.
46:26
So you are not alone in this. We embed
46:28
our ads into the shows.
46:30
They're not they're not added later. They're
46:32
part of the shows. In fact, often,
46:36
they're such a part of our shows that our other host will chime
46:38
in on the ad saying, yeah, I
46:40
love that or just the other day.
46:43
One of our host said, man, I
46:45
really gotta buy that. That's an
46:47
additional benefit to you because
46:49
you're hearing people our audience trusts saying, yeah,
46:51
that sounds great. We deliver
46:54
always overdeliver on impressions,
46:56
so you know you're gonna get the impressions
46:59
you expect. The ads are unique every
47:02
time. We don't prerecord them and roll them
47:04
in. We are genuinely doing those ads
47:06
in the middle of
47:08
the show. We'll give you great onboarding services,
47:10
ad tech with pod sites that's
47:12
free for direct clients, gives
47:14
you a lot of reporting,
47:16
gives you great idea of how well your ads are working. You'll get
47:18
courtesy commercials. You actually can take our ads
47:20
and share them across social media
47:22
and landing
47:24
pages that really extends the reach. There are other free goodies
47:26
too, including mentions in our weekly newsletter
47:28
that's sent to thousands of fans,
47:32
engaged fans who really wanna see this stuff, we give you
47:34
bonus ads and social media
47:36
promotion too. So if you want
47:38
to be a long
47:40
term partner, introduce your
47:42
product to a savvy,
47:44
engaged tech audience. Visit twit
47:46
dot tv
47:48
slash advertise. Check out those testimonials. Mark McCreery is the
47:50
CEO of Authentic. You probably know him one of
47:52
the biggest original podcast
47:56
advertising companies. We've been with
47:58
him for sixteen years. Mark said the feedback from many advertisers
48:00
over sixteen years across a range
48:03
of product categories everything
48:06
from razors to computers is that
48:08
if ads and podcasts are gonna work for
48:10
a brand, they're gonna work on TWiT shows.
48:12
I'm very proud of what
48:15
we do. Because it's honest, it's got integrity,
48:17
it's authentic, and it really
48:20
is a great introduction to
48:22
our audience
48:24
of your brand. Our listeners are smart.
48:26
They're engaged. They're tech savvy.
48:28
They're dedicated to our network. And
48:31
that's one of the reasons we only work with
48:33
high integrity partners that we've personally
48:36
and thoroughly vetted. I
48:38
have absolutely prove on
48:40
everybody. If you've got a great product,
48:42
I wanna hear from you. Elevate your
48:44
brand by reaching out today at
48:46
advertise at twit dot tv.
48:48
Break out of the advertising norm. Grow your brand with host-read
48:50
ads on TWiT dot tv. Visit twit
48:52
dot tv slash advertise for more
48:54
details, or you can
48:56
email us advertise
48:58
at twit dot tv if
49:00
you're ready to launch your campaign now. I can't
49:02
wait to see your product. So it was a ring.
49:04
On
49:05
the topic of governments
49:08
recognizing the growing dangers of
49:10
known vulnerabilities
49:12
in the networks of the
49:14
enterprises within their own
49:16
borders. Remember, we've we've talked
49:18
about a a couple governments. I
49:20
don't think it was the Dutch government.
49:22
And I meant to go find out which one we'd we'd
49:24
referred to before. But
49:27
there was another note of some
49:29
government that was gonna you
49:31
know, like announced they were gonna
49:34
start scanning their own citizens. It might have
49:36
been the UK. Anyway,
49:38
in this case, The Dutch government has
49:40
been doing this. And they just
49:42
said that since the beginning of
49:45
this work that which was the
49:47
summer of twenty twenty one, So
49:50
about a year and a half
49:52
ago and about a year and a half worth
49:54
of this, they have sent
49:56
more than fifty two
49:58
hundred warnings to Dutch companies
50:00
concerning security vulnerabilities within
50:04
their networks. Officials
50:06
said that around seventy
50:08
six percent. So three out of
50:10
four of these warnings were
50:12
for sensitive
50:14
systems being accessible via the Internet, RDP,
50:18
SMB, LDAP, and
50:20
so forth. The other twenty
50:22
four percent of the warnings
50:24
regarding malware infections, leaked
50:26
credentials, or unpatched systems.
50:29
So presumably, they're you know,
50:32
scanning the Internet and
50:34
seeing a version number in the
50:36
in the greeting of something and
50:39
saying, whoops, not latest version, and they send the company
50:41
a note saying, hey, you know, maybe you
50:43
ought to update your email because you're
50:46
running an old one, which has some
50:48
known vulnerabilities. So
50:50
anyway, this is not the
50:52
first time we've encountered this, and it
50:55
seems to me like an
50:57
entirely sane thing for
51:00
governments to do in the interest of
51:02
helping to protect their own national
51:04
interests and those of all of
51:06
their
51:06
citizens. And the enterprise
51:08
operating within their borders. So I expect
51:10
that we're gonna be seeing more announcements of
51:12
this sort in coming
51:14
years. Okay, CIB.
51:18
That's the abbreviation for
51:22
coordinated inauthentic
51:24
behavior. A term that I love, a
51:26
recent report from Facebook's parent
51:28
company meta. It introduced
51:31
me to this term coordinated
51:35
inauthentic behavior. And and I love
51:37
it because it's such a wonderfully neutral
51:39
and politically correct
51:41
term to describe the behavior of
51:43
organizations and countries that have
51:45
figured out that they could
51:47
use fraudulent postings and
51:49
replies on Facebook
51:51
to influence beliefs and behavior
51:54
through massive
51:56
coordinated campaigns.
51:58
Facebook's
51:59
report, which they published on
52:02
Thursday. Last Thursday, was
52:05
titled recapping our
52:08
twenty twenty two coordinated inauthentic
52:11
behavior enforcements. They
52:14
noted that since they began
52:16
focusing upon the
52:18
explicit abuse of Facebook
52:20
services for what they term
52:22
covert and influence
52:25
operations, they've disrupted two
52:28
hundred identically
52:30
separate global networks that
52:32
were that were the source of
52:36
these campaigns. Those networks were based in sixty eight
52:38
countries, but far from evenly as
52:40
we'll see, and operated in at
52:42
least forty two
52:44
different languages. Two
52:46
thirds of the campaigns, I
52:48
thought this was really interesting. Two thirds
52:50
of the campaigns were
52:52
targeting their own local audiences in
52:55
their home countries, and only
52:58
one third were aimed at
53:00
audiences outside the country,
53:02
so, you
53:04
know, abroad. In terms of targets, more
53:06
than one hundred different
53:08
countries from a through
53:12
z, Afghanistan, through Zimbabwe
53:15
been targeted by at least
53:17
one CIB network, foreign or
53:20
domestic, with the US being the most
53:22
targeted with thirty four
53:24
of those operations followed
53:26
by Ukraine. And I'm sure that's only
53:28
in the in the most recent year.
53:31
Targeted by twenty CIB networks,
53:33
and then the UK targeted
53:35
by sixteen. So thirty four
53:37
for the US, twenty for
53:39
Ukraine, sixteen for the UK,
53:41
and a single covert network might often
53:44
be simultaneously targeting
53:46
multiple countries at once. In
53:49
one case, for example, a network running from
53:51
Iran was simultaneously targeting eighteen
53:54
countries on four
53:56
different continents. Okay.
53:58
As for the originators of the campaign networks,
54:02
perhaps not
54:04
surprisingly, Russia leads the
54:06
list of the originating
54:08
sources of these networks
54:10
with having thirty four
54:14
networks identified closely followed by Iran with
54:16
twenty nine, and then
54:18
the next highest with
54:20
fewer than half of Iran's twenty
54:24
nine Interestingly, was Mexico, which surprised
54:26
me as the as the third
54:28
largest source of these these
54:30
influence networks at thirteen. Interestingly,
54:36
those are the top three. Right?
54:38
Russia, Iran, Mexico,
54:40
China is not among them. Russia and
54:42
Iran are the biggest perps in this game. And
54:45
as I said, I was surprised about
54:47
Mexico, so I went looking for
54:49
some more information about them. As
54:51
I suspected, most of the CIB
54:54
networks originating in Mexico
54:56
have focused primarily on regional
55:00
or local audiences to Mexico,
55:02
often in the context of regional
55:04
elections. Those networks tended
55:08
to be less tactically sophisticated, and many
55:10
were linked to PR or
55:12
marketing firms, including instances
55:14
where I love this one
55:18
network simultaneously
55:21
supported rivals in the
55:23
same electoral post. The
55:26
report noted that this illustrates the danger of
55:28
using covert influence operations
55:30
for hire that might
55:32
be providing inauthentic support
55:35
to not just the highest bidder but to
55:37
multiple bidders at once.
55:40
So
55:40
again, we have
55:43
this wonderful term coordinated inauthentic behavior.
55:46
And now we have some sense, thanks to
55:48
to Facebook's work on
55:52
this about you know, the the spread in nature
55:54
of these
55:56
networks. Okay.
56:01
SHA one. We
56:04
might say that we hardly knew ye,
56:06
but as it turns out, we knew
56:08
ye quite well. The NIST has
56:11
formally announced that many of
56:14
well, what many of us have been assuming for
56:16
some time The
56:18
aging original SHA1
56:20
cryptographic hashing function is
56:24
officially being retired. In
56:26
its place, is either
56:28
SHA two or SHA
56:30
three, both which have existed for quite
56:32
a while and have been in use for a
56:34
long time.
56:36
But I did a bit of
56:38
a double take when I saw that companies have now
56:40
have, as of the NIST's
56:42
announcement, companies have until
56:46
the end of twenty
56:47
thirty. In
56:49
other words, until the beginning
56:51
of twenty thirty one,
56:54
So another entire eight years
56:56
from now to make that
56:58
replacement. The end of
57:02
NIST's announcement said, quote,
57:04
they said, modules that
57:07
still use SHA one after
57:09
two thousand and thirty will
57:12
not be permitted for
57:14
purchase by the federal
57:16
government. Companies have
57:18
eight years to submit
57:20
updated modules that no
57:22
longer use SHA one
57:24
because there's often a backlog of
57:26
submissions before a deadline we
57:28
recommend that developers submit
57:30
their updated modules well in
57:32
advance so that CMVP
57:34
has time to respond.
57:37
Okay. Now, a
57:40
cryptographer might have been
57:42
a bit more explicit. And careful
57:45
in the wording of that mandate. I'd
57:47
have written modules
57:50
that are still capable of
57:54
using SHA1
57:56
after two thousand and thirty dot
57:58
dot dot. The reason for
58:00
the added clarity is that as
58:03
we've often talked about, many
58:06
cryptographic systems obtain
58:10
robust interoperability by comparing acceptable protocol
58:12
suites that both
58:14
ends understand and
58:17
then negotiating the best
58:20
and hopefully the most
58:22
secure among those. But
58:24
through the years of this podcast, we've examined
58:27
a great many downgrade attacks
58:30
where a malicious endpoint
58:32
identifies that the other
58:34
end is
58:36
still offering a no longer considered
58:38
safe, weak cryptographic protocol.
58:40
So the sneaky end pretends
58:44
that it cannot use any of
58:46
the stronger systems, thus tricking
58:49
the agreeable other end
58:51
point into establishing a
58:54
potentially vulnerable connection.
58:56
So what we want is
58:58
for all systems to immediately eliminate
59:01
SHA one from their collection of
59:04
acceptable hashing functions. Absolutely,
59:06
it should no longer be
59:08
offered.
59:08
And, you know, it is a fine point, but for
59:11
the record, there are still some things
59:13
you could use SHA one for
59:15
safely if you chose.
59:19
It would make a fine hash for use in
59:21
a PBKDF password based key
59:24
derivation function, where it is
59:26
iterated a
59:29
great many times. But, you know,
59:31
given that its presence might
59:33
allow its misuse, removing it
59:35
altogether would be best.
59:38
Okay. And one last little tidbit
59:40
for any of our listeners who are
59:42
using WordPress.
59:44
Last Wednesday, Wordfence, the very
59:47
useful third party
59:50
WordPress web application
59:52
firewall people,
59:54
who have been identifying troubled WordPress add ons, they
59:57
launched a free and
59:59
very useful looking vulnerability
1:00:02
database for WordPress add ons. I
1:00:04
poked it around TWiT a bit, and I'm impressed.
1:00:06
So I wanted to give our WordPress users
1:00:08
a heads up about it. It
1:00:11
is at wordfence dot com slash
1:00:14
threat hyphen
1:00:16
intel. Again, WWW
1:00:19
dot WORDFENCE
1:00:23
dot com slash THREAT
1:00:25
hyphen INTEL
1:00:28
looks like a very
1:00:31
comprehensive listing of of
1:00:34
dangerous add ons for WordPress, I would
1:00:37
say we're taking a look and making
1:00:39
sure that that you're not using any
1:00:41
of those and are
1:00:43
might be unaware of
1:00:45
the problems. And Leo, time
1:00:47
for me to cap catch up
1:00:49
on my caffeine at the
1:00:51
moment. Catch up on your caffeine. That doesn't sound very
1:00:54
tasty. Catch up on my ass. Oh, yeah. This
1:00:56
is actually very
1:00:56
tasty. Oh, have you ever done? Oh, well, I
1:00:58
just wanna take a little moment to thank
1:01:01
our club, TWiT fans
1:01:04
and members because you've really made
1:01:06
this a banner year
1:01:08
for us. A lot of what
1:01:10
we do here at TWiT is paid
1:01:12
for by Club TWiT members, now
1:01:14
more than five thousand strong.
1:01:16
Our Mastodon instance that I've been telling
1:01:18
Steve about begging Steve to join Twit dot
1:01:20
social. Our TWiT forums, Steve has
1:01:22
great forums. We do too at
1:01:24
twit dot community. Of
1:01:26
course, the IRC, which is always accompanying
1:01:29
every show we do.
1:01:31
And frankly, keeps the lights on
1:01:33
and helps us keep staff Through
1:01:36
the new year. So thank you, Club TWiT members. For
1:01:38
people who are not yet a member of
1:01:40
Club TWiT, please consider
1:01:43
joining, it'd be a great holiday gift for the
1:01:45
geek in your life. It's a mere seven
1:01:47
dollars a month. A buck less than
1:01:49
a blue check. You get so much more too. Add free versions
1:01:51
of this show and all the shows we do.
1:01:54
Access to other shows that are club
1:01:56
only. Shows
1:01:58
that yet haven't generated enough revenue to put out in
1:02:00
public. We launched shows in the club
1:02:02
because it's a great way to get shows started like
1:02:04
Hands-On Macintosh with
1:02:06
Michael Sargent. Micah
1:02:08
Sargent, Paul Thurrott's Windows hands
1:02:10
on Windows show, Untitled Linux Show
1:02:12
with Jonathan Bennett, the GizFizz, of
1:02:15
course, all of our events that we hold in there. Eventually, we always
1:02:17
hope to get shows out into the public. That's what
1:02:19
happened with this week in space launched
1:02:21
in the club. Grew
1:02:24
an audience. We put it out in public. In
1:02:26
fact, good news. I think we're gonna start adding
1:02:28
video to it very soon. The
1:02:30
club really is a proving ground for new shows,
1:02:32
a great place to hang out in
1:02:34
our club to TWiT, discord, a great place to
1:02:37
hear material that you don't hear anywhere
1:02:40
else. And it's just seven bucks a month. There's a year long package. If you
1:02:42
wanna give a nice gift to somebody, you know,
1:02:44
there's also corporate memberships. If you
1:02:46
wanna know more about Club TWiT, twit dot
1:02:50
tv slash club twit.
1:02:52
And again, thank you all of
1:02:54
our Club TWiT members. We really appreciate you.
1:02:56
We hope you have a wonderful Well, all of you
1:02:58
have a wonderful New Year.
1:03:00
We will not be here next
1:03:01
week. We're gonna be doing reruns.
1:03:04
Well, we'd like to call them the best
1:03:06
of shows. We
1:03:08
carefully edit them, craft them
1:03:10
to be the best material from the year twenty
1:03:12
twenty two. That'll be a week
1:03:14
from today December twenty seventh. And then Steve and I will be
1:03:16
back with a live show in two weeks,
1:03:18
January third. This is our last show of
1:03:20
twenty twenty two, January third, the
1:03:22
first
1:03:24
of the brand new year.
1:03:26
Steve, let's let's continue
1:03:28
on. Soldier on as you
1:03:32
And, you know, you're right, Leo. Catch up on
1:03:34
my caffeine. You got it
1:03:35
now. I
1:03:36
did. It took me a little while.
1:03:40
the got it. Wasn't a very good job. I also don't put
1:03:42
ketchup on my eggs for what it's worth. Oh. It
1:03:44
would not work. How about hot sauce?
1:03:48
Oh, yeah. A little sriracha maybe or some tapatito
1:03:50
-- Yeah. -- tapatito. -- how
1:03:53
you're talking? See? Yep. See?
1:03:56
Okay. So A
1:03:58
bit of closing the loop feedback from our
1:04:00
listeners, Michael Lalli, he
1:04:02
said, please, at SGGRC,
1:04:04
it's pronounced
1:04:08
Medibank. And
1:04:10
okay. I'm glad to know that. I did say.
1:04:12
How would you know? Medibank. Medibank.
1:04:15
Mehdi Bank. Mehdi Bank. And you know, that
1:04:17
does sound more more Australian, doesn't it?
1:04:20
Mehdi Bank. Yeah. Yeah.
1:04:22
In in that kind of an
1:04:24
accent. So Thank you, Michael. Glad
1:04:26
to know. SkyNet tweeted me, question
1:04:28
about ADP referring to
1:04:32
Apple's new encryption that was the topic of last week's podcast. He says,
1:04:34
once it asks, once it's turned on
1:04:36
and the keys are sent down to your device,
1:04:38
is it stored in hardware
1:04:41
or software? Because what happens
1:04:43
when you get a new iPhone in the future, how do
1:04:45
you get the keys over to your new
1:04:47
iPhone? You can't set up
1:04:49
the new phone and restore an
1:04:52
iCloud backup once you
1:04:54
log
1:04:54
on. So it would have to be by the
1:04:56
method where you move your old phone close
1:04:58
to your new
1:04:59
phone. Correct? Okay. So, and I received a
1:05:02
number of questions that are sort of related to
1:05:04
this. The
1:05:06
primary concept that I I guess I
1:05:08
wanna get across is
1:05:10
similar to the familiar
1:05:12
pattern that LastPass
1:05:14
and presumably all other password managers use, at least I
1:05:16
hope they would. In all of those
1:05:18
cases, they are simply
1:05:20
storing an
1:05:22
encrypted blob on our
1:05:24
behalf. They have no
1:05:26
visibility into the blob.
1:05:28
But by making that
1:05:32
blob available, Across devices, devices are
1:05:34
able to share a common set of
1:05:36
passwords or as in the case of
1:05:38
Apple, a common set of
1:05:40
decryption keys. So
1:05:42
the process of Apple relinquishing
1:05:45
the keys to
1:05:47
iCloud is that Apple sends
1:05:50
the current key chain
1:05:52
blob, which it is
1:05:54
never and has never
1:05:56
been able
1:05:58
to And the current iCloud
1:06:00
keys, which until now,
1:06:02
it has held in its data
1:06:06
centers' HSMs to the user's
1:06:08
device. The device uses
1:06:10
its local private account key
1:06:14
which never leaves the device to decrypt
1:06:16
the key chain blob
1:06:18
on the device and
1:06:22
then adds the current iCloud key
1:06:24
into the key chain. In
1:06:26
this way, the keys that
1:06:29
Apple was holding are
1:06:32
moved from where Apple could
1:06:34
get at them into the
1:06:36
user's account key chain where
1:06:38
Apple can never get
1:06:40
at them. The device
1:06:42
then instructs Apple to
1:06:44
delete the iCloud keys that
1:06:46
it just sent from all
1:06:48
of its data centers' HSMs. Now,
1:06:52
only the device has
1:06:54
the old iCloud keys
1:06:56
in its key chain. Then,
1:06:59
Wanting to be thorough, the
1:07:01
device performs a key
1:07:03
rotation, changing the key that encrypts
1:07:05
the iCloud data to one
1:07:07
that Apple has never had in its
1:07:09
possession. But again, since
1:07:12
we're
1:07:13
all quite familiar, with the notion
1:07:15
of trust no one and pre
1:07:18
internet encryption, which is
1:07:20
the technology that all password managers
1:07:22
holding encrypted blobs that unable to
1:07:25
decrypt use. You know, I think that's the
1:07:27
clearest way to think about this and
1:07:29
the best analogy. Basically, Apple
1:07:31
is holding the stuff for us, provides
1:07:34
the synchronization service among
1:07:36
devices, but is
1:07:38
only able to hand
1:07:40
the devices these blobs, which
1:07:42
are then decrypted locally on the device
1:07:44
in order to give devices the
1:07:46
keys which then it's then able to
1:07:49
use to go further. You know,
1:07:51
one of the things that I've been
1:07:53
saying for years is that we've got
1:07:55
all these very cool crypto
1:07:57
components, which we can assemble in any manner
1:07:59
of different ways.
1:08:02
Walt Stoneberger
1:08:05
said, Steve, you have warned
1:08:07
several times that pixelation is not
1:08:09
a safe redaction
1:08:12
technique. Someone just wrote a beautiful GitHub project that
1:08:14
visually brings home the point as you see
1:08:19
brings home the point, he said, as you see
1:08:21
unredaction being performed. And it's
1:08:24
funny. I don't know
1:08:26
why this started circulating again. I got a
1:08:28
whole bunch of tweets about it. And
1:08:30
I thought, oh cool. Something new.
1:08:33
But it was ten months ago, when
1:08:35
we first talked about this and showed this, so
1:08:37
not something turns out that that
1:08:39
was new. Michael Brodsted,
1:08:43
he said, hi, Steve Love Your Show, read
1:08:45
this article and thought it might
1:08:47
be interesting for
1:08:50
you. Okay? So what this what
1:08:52
Michael sent and I appreciated
1:08:54
it, was the verge's follow-up
1:08:57
on their story about those
1:08:59
Eufy cameras that we talked about a
1:09:01
few weeks ago. Remember, those are the
1:09:04
cameras that promised
1:09:06
that all of their
1:09:08
storage was local and that
1:09:10
nothing ever left the user's home and that it was all transmitted
1:09:13
directly to
1:09:16
their phone. You know, and,
1:09:18
you know, then, of course, in some reporting, following up
1:09:20
on on some news that
1:09:22
that was not the case, you
1:09:26
know, the verge was able to monitor their own
1:09:29
Eufy cameras from the other side
1:09:31
of the country. So And
1:09:34
and, you know, Leo, you and I
1:09:36
talked about it at the time. This was
1:09:38
the the the the company that was
1:09:41
owned by Anker, and
1:09:43
it was our conjecture that, you know, the
1:09:45
way this could happen, because we liked Anker, we thought they were a
1:09:47
reputable company, was it having you know, after
1:09:49
having launched their successful power
1:09:51
supply product line, they
1:09:54
perhaps purchased the Eufy camera line in order to grow their business. Anyway, we
1:09:59
don't know, but you know, I
1:10:01
I guess I'd wanna forgive them a little bit for, you know, making such a mess.
1:10:04
Anyway, the verge checked
1:10:06
back and what did they
1:10:08
find? Their
1:10:11
follow-up story is headlined,
1:10:14
Anker's Eufy, deleted
1:10:17
these ten
1:10:20
privacy promises
1:10:20
instead of answering our
1:10:22
questions, unquote. And the subhead reads two
1:10:24
weeks after getting caught
1:10:27
lying to the Verge, Anker
1:10:30
still hasn't sent us any answers about its security cameras. Instead,
1:10:37
it's nerfed the Eufy
1:10:39
privacy commitment unquote. So one
1:10:41
of the things on
1:10:43
the verge's page is
1:10:46
they have this wonderful mouse based sliding divider where
1:10:48
you can slide the the
1:10:50
the divider with your mouse back
1:10:55
and forth and and it reveals either it's
1:10:58
it's like a shutter revealing either
1:11:00
the old or the
1:11:03
new privacy claims. And And
1:11:05
if you pull it to the I
1:11:08
think you you pull it to the right, you see the original
1:11:10
claims where, you know, nothing leaves your facility or, you know, it's
1:11:12
all kept
1:11:15
locally blah blah blah. You pull it to the other side
1:11:17
and you get then the updated
1:11:20
claims, which
1:11:22
are dramatically toned down. So
1:11:24
anyway, the verge makes a very
1:11:26
good point. And it's sad,
1:11:29
but on the other hand,
1:11:31
all of these systems are out there. They can't change the way they
1:11:33
operate, and I'm sure they never operated the way they
1:11:35
said they did. Someone just
1:11:38
got a little over enthusiastic
1:11:40
or carried away when they were writing
1:11:42
the marketing material for this. Anyway, or,
1:11:45
you know, maybe they
1:11:47
did add features later where
1:11:50
like they began to offer cloud things and never updated the page in order to make it correct. So, you
1:11:53
know, they've done
1:11:56
that now. Elaine,
1:11:58
he tweeted at elaine underscore
1:12:00
Geiger. He said thanks
1:12:03
for another excellent episode. I
1:12:07
do have one question about TikTok. Do you
1:12:09
see a difference between
1:12:11
the bans on ZTE
1:12:14
and Huawei versus TikTok? He
1:12:17
said the FCC has labeled all three as
1:12:19
unacceptable risk. He said also, I just
1:12:21
saw that there is
1:12:23
a bipartisan bill that
1:12:26
would, quote, end all commercial
1:12:29
operations of TikTok in
1:12:31
the US and Other social
1:12:34
media platforms that are sufficiently controlled or influenced by America's
1:12:37
foreign adversaries,
1:12:40
including China, Russia
1:12:43
and Iran. He said, it'll
1:12:45
be interesting to see where
1:12:47
this goes. So, okay,
1:12:49
I wanted to include Elaine's tweet
1:12:51
to give me the opportunity to
1:12:54
note that last Wednesday, the
1:12:56
entire US
1:12:59
Senate voted unanimously, passing
1:13:02
a bill which
1:13:04
would bar the
1:13:07
installation of TikTok from any
1:13:09
government owned devices. So yes,
1:13:11
whereas initially a handful of
1:13:14
Republican governors and an attorney
1:13:16
general may
1:13:18
have been first during the previous
1:13:21
week or two. Now we
1:13:23
have unanimous and obviously,
1:13:26
completely bipartisan agreement on
1:13:28
this. Which is astonishing to
1:13:30
me. Wow. But it happened. But to Elaine's question, I
1:13:35
do regard these selective bans
1:13:38
such as on ZTE
1:13:43
and Huawei and even on TikTok as mostly ridiculous
1:13:46
theater because we are
1:13:51
so intimately, deeply, and inexorably enmeshed
1:13:54
with Chinese technology products.
1:13:56
You know, I look around
1:13:58
and everything in my home. All
1:14:02
of the electronics that I own, and the electronics in what I drive fabricated in
1:14:08
China. Every bit of it.
1:14:10
And I'm sure that's the case for all the people listening to this podcast. And speaking of
1:14:12
listening to this podcast,
1:14:15
this podcast is literally brought
1:14:19
to your ears. Thanks to networking
1:14:21
chips and processors and
1:14:23
transistors all made in
1:14:25
China. By Chinese citizens, you know, and
1:14:27
much of it was designed there. So to me, none
1:14:31
of this posturing and
1:14:34
saber rattling makes any
1:14:36
sense. It must be that
1:14:38
some sort of geopolitical kabuki is
1:14:43
transpiring at a level that's far above
1:14:45
my pay grade. I'm just a
1:14:47
simple technologist who does
1:14:51
understand networking and processors
1:14:53
and transistors. So I
1:14:55
know that if China
1:14:57
did actually want to be
1:14:59
evil, the west would be in deep trouble. Because in
1:15:02
the interest of economy,
1:15:05
we've allowed ourselves to become utterly dependent upon
1:15:07
products which we need from China. I don't I
1:15:09
don't want that to be
1:15:11
a bad thing. I
1:15:14
hope it's never gonna be a bad thing. But
1:15:16
if it is gonna be a
1:15:18
bad thing, then the problem is
1:15:21
way bigger than a couple of
1:15:23
wayward Chinese companies. So, you know, maybe I don't get it. But,
1:15:25
you know, it's sort
1:15:28
of similar to
1:15:30
me being amazed that Russia
1:15:32
was still using windows like
1:15:35
for the last many years and
1:15:37
still is you know, they're they've finally said
1:15:39
that they're thinking about moving
1:15:42
to something Linux based
1:15:44
presumably. And there's
1:15:46
there been some rumblings of this of the same
1:15:48
thing from China. Just to me,
1:15:50
it seems crazy that that that
1:15:52
would be the case. But, you know,
1:15:54
here we are. Utterly dependent upon another country
1:15:56
and now saying we don't
1:15:58
trust them. Well, we're unable
1:16:01
not to trust
1:16:04
them, frankly. So that's what I
1:16:06
think. And finally, David Ruggles, he
1:16:11
sent You said reaching out regarding the zero
1:16:13
width space mentioned in
1:16:16
security now last week.
1:16:18
He said, I use it
1:16:21
to fix stupid programs. For example, if you want to reference
1:16:23
an account on Twitter without
1:16:28
tagging them,
1:16:31
enter the at sign,
1:16:33
then
1:16:34
a zero width space,
1:16:36
and then the account name,
1:16:38
and it won't get tagged. And
1:16:41
he then he gave some
1:16:43
examples of things that were not tagged were and weren't tagged in
1:16:46
his tweet to me. And
1:16:49
so he said, at sign the real ruggles versus
1:16:51
at sign the real ruggles, they looked identical only
1:16:54
one was lit up. He
1:16:58
said similarly, in Excel, it defaults to adding a hyperlink when you enter anything
1:17:00
that looks like a
1:17:03
URL or email address. You
1:17:07
can use the zero width space to
1:17:09
prevent that behavior without changing
1:17:12
the look of the
1:17:14
text. So That was cool. I think that's very clever. The
1:17:16
problem is, you know, I mean,
1:17:18
well, I I should say I
1:17:20
I should say I can see
1:17:22
many applications for that as well. But it
1:17:24
leaves the question, how do you enter a
1:17:27
zero width space through the keyboard? I
1:17:31
asked the Google and I was told
1:17:34
the zero width space is a Unicode character,
1:17:36
capital u plus
1:17:39
200B which
1:17:42
is also HTML, ampersand,
1:17:48
pound sign, 8203
1:17:50
semicolon. Right? And and and Google said it's remarkably hard
1:17:56
to type. On windows,
1:17:58
you can type alt and then 8203
1:18:04
Well, I tried that. And
1:18:06
I got What is that? The symbol for maleness, I think.
1:18:11
Anyway, that
1:18:12
didn't work.
1:18:13
All 8203
1:18:16
So
1:18:18
if anyone can figure out how to type these how
1:18:20
to enter the zero width character through
1:18:22
our keyboard. I think that seems like
1:18:25
a useful thing to be able
1:18:27
to do. Yep. People were also using it to post their Mastodon
1:18:29
link on Twitter because
1:18:31
it didn't look the same.
1:18:33
I mean, look the same.
1:18:36
But true without triggering yeah
1:18:37
without counters post. Yeah. Yeah.
1:18:40
Cool. Okay. Briefly, I'll
1:18:41
note that SpinRite is
1:18:44
looking quite good.
1:18:46
By the end of this past weekend,
1:18:49
we were at the
1:18:51
eighth alpha release. Every
1:18:53
known weird data
1:18:56
recovery behavior that we've worked that
1:18:58
we were seeing appears to have been resolved. And it is now
1:19:00
cruising through even the
1:19:02
most damaged and troubled drives.
1:19:06
While my focus was on getting SpinRite
1:19:08
to properly perform those
1:19:10
primary functions, I'd also been accumulating
1:19:13
a list of less critical but still
1:19:15
necessary to do items. And our testers
1:19:17
that have been getting a little
1:19:19
restless have been suggesting new features
1:19:21
that they'd like to have. You know, nothing
1:19:23
big, but, you know, there are some some
1:19:26
convenient things that make sense. So, you
1:19:28
know, by the
1:19:31
end of today, Sunday, two days ago, I
1:19:33
told the group that I would be retrenching now
1:19:36
and disappearing
1:19:38
for a while while I worked my way through everything that was on
1:19:40
the wish list and the things
1:19:42
to be fixed. After today's
1:19:45
podcast, that's what
1:19:47
I'll be doing. When I return with alpha
1:19:49
release nine, it should be very close to finished. I'm, you
1:19:51
know, I'm sure there'll be
1:19:54
a few loose odds and
1:19:56
ends that's the nature of such a
1:19:58
complex project. But, you know, I I have to say that I with some pride
1:20:04
that everybody who's been testing six
1:20:06
point one has been very impressed by this new SpinRite's
1:20:08
speed and
1:20:11
capabilities. So we are we're
1:20:14
getting there. It's not gonna be a Christmas present. It's not gonna be a but
1:20:16
it's gonna be early
1:20:19
in twenty twenty three. That
1:20:22
we finally have this six point
1:20:25
one for everybody.
1:20:28
Okay. A
1:20:30
generic WAF, that's WAF
1:20:33
bypass. As
1:20:38
an industry, We've matured to
1:20:41
the point where vulnerabilities
1:20:44
are
1:20:45
being discovered
1:20:47
only in specific implementations of
1:20:50
some specific solution. And only
1:20:56
in typically in specific versions of those
1:20:58
implementations. In other words, you know, whereas once
1:21:00
upon a time,
1:21:03
the entire industry would
1:21:05
realize that an established standard could be
1:21:07
abused in an unexpected
1:21:12
way and everyone's implementation would
1:21:14
need to be changed. That that's where we were. A perfect example
1:21:17
was everyone's
1:21:20
DNS servers which
1:21:22
were emitting queries from ports sequentially assigned by their underlying operating
1:21:27
system, and often
1:21:29
emitting those queries with sequential
1:21:31
identifiers. When that came to light, you
1:21:36
know, Those who
1:21:38
were focused on DNS realized this would allow for successful DNS spoofing at scale
1:21:44
and the entire
1:21:47
industry repaired DNS
1:21:47
overnight. These
1:21:51
events stand out. Because
1:21:53
thankfully they become so rare. These days, as we know, problems
1:21:55
have generally become much more
1:21:58
obscure and specific. For
1:22:00
example, It
1:22:03
might be that if you're still using
1:22:05
the out of support
1:22:07
version two point
1:22:10
029 point 472
1:22:14
of Jimmy Cracks query reader reflector.
1:22:17
You need to
1:22:20
update it to at least version two
1:22:22
point 426 point 327 in order to avoid
1:22:25
problems with query
1:22:28
reflection backflushed. And you
1:22:30
should do so immediately. We don't you know, those are the kinds of things we're often
1:22:35
seeing now to To
1:22:37
date, you know, that It's not
1:22:39
real, folks. Don't go looking forward, Jimmy's back. Don't worry. Unless
1:22:41
you actually do have Jimmy Cracks theory reflector, in which case
1:22:44
you've got other
1:22:48
problems. Today's rarity
1:22:50
of big generic protection
1:22:52
bypasses
1:22:53
has made their existence
1:22:56
extremely interesting.
1:22:57
And a group known
1:22:59
as Team82, recently
1:23:01
discovered just such an industry wide mistake. They
1:23:04
discovered an attack
1:23:07
technique that acts as
1:23:11
the first generic bypass of,
1:23:14
excuse me, multiple
1:23:16
web application firewalls
1:23:18
being sold by industry leading vendors, including
1:23:21
at least Palo Alto
1:23:24
Networks, F5,
1:23:26
Amazon Web Services,
1:23:28
Cloudflare and Imperva. Okay. So
1:23:31
before we proceed, we
1:23:34
need to Briefly revisit another
1:23:36
one of those holy crap events
1:23:38
which hit the entire industry many
1:23:41
years ago and
1:23:42
which, due to its difficulty,
1:23:44
The industry continues to
1:23:46
grapple with. And that's SQL
1:23:51
or sequel injection. Stated succinctly,
1:23:54
SQL injection can occur when there
1:23:59
is some way for user provided
1:24:02
input to be passed to a SQL database for
1:24:07
its A SQL database is driven
1:24:10
by strings of characters, which express commands and queries.
1:24:13
Simply by
1:24:16
typing commands, new database tables
1:24:18
can be created. They can be populated with data, queried for their data
1:24:20
and deleted when
1:24:23
they're no longer needed.
1:24:25
New users could be instantiated, passwords
1:24:27
could be changed, privileges could be granted, all through
1:24:31
simple text commands. And
1:24:34
further increasing the system's power,
1:24:37
the simplicity of this
1:24:39
interface allows SQL databases to
1:24:41
be queried over networks.
1:24:43
The simplicity and the power of this interface explains
1:24:47
SQL's success. But
1:24:52
the simplicity and power of this interface has
1:24:54
also been at the heart of one of SQL's longest running
1:24:56
vulnerabilities. Wikipedia
1:24:59
tells us that the first
1:25:01
known public discussion of SQL
1:25:04
injection appeared around
1:25:07
nineteen ninety eight. And cites
1:25:10
an article in Phrack magazine, you
1:25:13
know, long
1:25:16
since discontinued. SQL
1:25:20
injection has been the bugaboo
1:25:22
of web applications from the start.
1:25:25
The first web apps gleefully
1:25:27
presented a form asking their user to please enter their
1:25:31
full name to look up their record
1:25:34
in the site's
1:25:35
database. The designer of this form assumed that
1:25:37
that's what anyone
1:25:40
would do. So whatever string
1:25:42
they provided as their name would be added into a SQL
1:25:44
query string to
1:25:47
access the site's database. And
1:25:51
all was well. Until it
1:25:53
occurred to some clever individual
1:25:55
that the website had
1:25:58
inadvertently given them direct access
1:26:00
to that site's SQL
1:26:02
database back end. Rather
1:26:05
than simply inputting
1:26:08
their name, they
1:26:10
could, for example, input a string, which closed the query
1:26:13
and started another
1:26:16
entirely separate SQL
1:26:19
command of their choosing. This
1:26:22
allowed a remote visitor
1:26:25
to directly issue SQL
1:26:27
commands to the site's database. If the
1:26:29
web designer had assumed
1:26:32
that
1:26:33
no one else could ever access
1:26:35
the database, which of course is what
1:26:37
they assumed, the SQL account behind
1:26:39
the website's form might
1:26:42
even have
1:26:43
admin rights This would allow remote visitors
1:26:46
to do anything they might wish. This has been
1:26:48
such a common
1:26:51
and persistent problem because the
1:26:54
fundamental architecture of the system, this system is
1:27:00
fragile. It is not
1:27:02
inherently secure and resilient. It
1:27:07
is inherently insecure. We need
1:27:10
to take user supplied input like some personal
1:27:16
details and embed them into a
1:27:18
database query so that we can
1:27:20
look up their
1:27:23
record. You know? We have to
1:27:25
do that. Right? The trouble with SQL is its
1:27:28
power. That
1:27:29
same
1:27:32
query channel is also
1:27:34
SQL's command and control channel. This has
1:27:37
been such a
1:27:40
long standing and well
1:27:42
understood problem that it found its way into one of XKCD's
1:27:48
brilliant comics. And we've
1:27:50
talked about it in the
1:27:52
past. The first frame reads, it
1:27:54
shows somebody holding a cup of coffee
1:27:57
saying, or I guess, lit listening
1:27:59
is a call. And over
1:28:02
the phone, she hears,
1:28:04
hi. This
1:28:07
is your son's school. We're
1:28:09
having some computer
1:28:11
trouble. Mom replies,
1:28:14
Oh dear, did he break
1:28:16
something over and
1:28:17
we hear the the the voice of,
1:28:19
you know, the distraught
1:28:21
principal saying in a
1:28:23
way,
1:28:23
Did you really name
1:28:26
your son Robert, close
1:28:29
quote, close parens,
1:28:32
semi colon, drop table
1:28:34
students, semi colon. And mom
1:28:35
says, oh, yes. Little
1:28:38
Bobby tables we call him.
1:28:42
And
1:28:43
then the principal says, well, we've
1:28:45
lost this year's student
1:28:47
records. I hope you're
1:28:49
happy. To which mom
1:28:52
replies. And I hope you've learned
1:28:54
to sanitize your database input. Such
1:28:56
a classic. Such a great
1:28:58
company. Perfect. Yep. And and then and so what XKCD
1:29:01
is telling us is like exactly
1:29:03
this. So here's
1:29:05
I mean, stepping back
1:29:07
from this
1:29:07
a bit the biggest problem
1:29:10
is through all these years since
1:29:12
it was first inch
1:29:15
first first understood near
1:29:18
the birth of the web.
1:29:20
No one has
1:29:23
fixed this. Instead,
1:29:26
We just keep patching it.
1:29:29
We focus upon each
1:29:32
mistake in
1:29:34
isolation rather than recognizing
1:29:36
that the entire architecture
1:29:39
is wrong for
1:29:43
this application. SQL was not created
1:29:45
for the web. No one
1:29:47
would have done that. It was
1:29:51
first designed in the early nineteen seventies. The
1:29:53
oh, we were just talking about when
1:29:55
we graduated from high
1:29:58
school. Yeah. Back then. Yeah. Yeah.
1:30:00
That's when the when no.
1:30:03
At IBM, IBM came up with this before there was
1:30:05
an Internet or websites
1:30:07
or web apps. Unfortunately,
1:30:12
the web found
1:30:13
TWiT, and it's been a
1:30:16
troubled marriage
1:30:18
ever since. The problem is every
1:30:20
newly created web app
1:30:22
creates another new opportunity
1:30:25
to make a mistake
1:30:27
in the parsing of user supplied input that
1:30:29
would give a remote attacker
1:30:32
access to the
1:30:34
site's back end database. That's
1:30:36
why I say that the
1:30:39
systems we've built around this architecture are inherently brittle and
1:30:41
fragile. That's why,
1:30:44
still today, SQL
1:30:47
injection attack scans
1:30:49
are constantly sweeping the
1:30:51
Internet looking for that
1:30:54
newly created newly vulnerable web app.
1:30:56
An SQL injection remains
1:30:59
at the top of
1:31:02
the OWASP Top Ten list of web application
1:31:05
vulnerabilities. So
1:31:07
what do we
1:31:10
do? If there's no sign
1:31:12
that we're gonna fix
1:31:14
the
1:31:14
underlying problem. Well, the
1:31:18
universal solution to protecting our networks from external
1:31:20
hostility is to place a
1:31:22
firewall in front of those
1:31:24
networks and force
1:31:27
all external traffic to be inspected
1:31:30
and to pass through that gauntlet before it's permitted to
1:31:33
reach our
1:31:36
interior presumably vulnerable
1:31:38
networks. And thus was born
1:31:39
the idea of the
1:31:42
web application firewall or WAF
1:31:47
for short. The fundamental concept
1:31:49
of a web application firewall
1:31:52
is detailed
1:31:55
traffic inspection. Whereas packet level firewalls generally
1:31:57
look no deeper than
1:31:59
packet headers, which specify
1:32:01
the source and destination
1:32:03
IPs and ports for the
1:32:06
purpose of monitoring packet flows. A
1:32:08
web application firewall examines in detail the
1:32:10
content of all web application traffic transiting
1:32:15
its boundary in order to
1:32:17
detect and block malicious
1:32:19
attacks. So in
1:32:23
XKCD's example above, A WAF would
1:32:25
spot and block a form's input field
1:32:28
data that
1:32:31
contains suspicious characters for
1:32:34
a user's name such as closed parenthesis and
1:32:36
semicolons, so
1:32:41
that they would go no
1:32:43
further. With a web application firewall positioned upstream of an organization's web
1:32:48
application servers, that malicious
1:32:50
data and intent would never reach any web applications that might not
1:32:52
be adequately providing
1:32:55
for their own protection. Again,
1:32:59
you would need this if mistakes still
1:33:01
weren't being made freshly, but
1:33:03
they are because this
1:33:06
is all being done
1:33:08
wrong. But it's,
1:33:08
you know,
1:33:09
it's what we got. So, okay, with this background,
1:33:11
here's what Team82
1:33:14
had to say about
1:33:17
their recent
1:33:18
discovery. They wrote web application firewalls, WAFs,
1:33:23
are designed to safeguard web based applications
1:33:25
and APIs from malicious external
1:33:28
HTTPS traffic.
1:33:32
Most notably, cross site scripting,
1:33:34
and SQL injection attacks that just don't seem to
1:33:36
drop off the
1:33:39
security
1:33:39
radar. Gee. Imagine
1:33:42
that. I wonder why. While they said, while recognized and relatively simple to remedy,
1:33:48
SQL injection in particular is a constant
1:33:50
among the output of automated code scans and
1:33:56
a regular feature on industry
1:33:58
lists of top vulnerabilities, including the OWASP Top Ten.
1:34:01
The introduction
1:34:04
of WAFs in
1:34:06
the early two thousands, okay,
1:34:08
note that time, note that
1:34:10
date, early two thousands, was
1:34:13
largely a counter to these
1:34:15
coding errors. WAFs are now
1:34:18
a key line of
1:34:20
defense in
1:34:22
securing organizational information
1:34:24
stored in a database that can
1:34:26
be reached through a web application.
1:34:29
WAFs are also increasingly used to protect cloud
1:34:31
based management platforms that
1:34:34
oversee connected embedded devices
1:34:38
such as routers and access points. An
1:34:41
attacker able to bypass
1:34:43
the traffic scanning and
1:34:45
blocking capabilities of WAFs often
1:34:47
has a direct line to sensitive
1:34:50
business and consumer customer
1:34:53
information. Such
1:34:56
bypasses, thankfully, have been
1:34:58
infrequent, and one offs targeting a particular vendor's implementation. Today,
1:35:06
Team82 introduces
1:35:08
an attack technique that
1:35:10
acts as the first
1:35:14
generic bypass of multiple web application firewalls
1:35:17
sold by industry leading
1:35:20
vendors. Our bypass
1:35:22
works on web application firewall sold by
1:35:25
five leading vendors. Palo
1:35:27
Alto Networks, F5,
1:35:30
Amazon Web Services, Cloudflare, and
1:35:32
Imperva. All of the affected vendors acknowledged
1:35:35
Team82's disclosure and
1:35:37
implemented fixes to
1:35:40
their products' SQL
1:35:42
inspection processes. Our technique relies first
1:35:45
on understanding
1:35:48
how WAFs identify
1:35:50
and flag SQL syntax
1:35:53
as malicious, and then
1:35:55
finding SQL syntax the
1:35:58
WAF is blind to.
1:35:59
This turned
1:36:03
out to be
1:36:07
JSON, JavaScript Object
1:36:10
Notation. JSON, they
1:36:12
write, is a standard
1:36:14
file and data exchange format.
1:36:16
And is commonly used when
1:36:18
data is sent from a server to a web app. JSON support was
1:36:24
introduced in databases going
1:36:26
back almost ten years. Modern database engines today
1:36:32
support JSON syntax by default, including
1:36:34
basic searches and modifications as well
1:36:37
as a range of JSON
1:36:39
functions and structures. While
1:36:42
JSON support is the norm among database engines, the
1:36:45
same cannot be
1:36:47
said for WAFs. Vendors
1:36:51
had been slow to add
1:36:53
JSON support, which allowed
1:36:56
us to craft
1:36:58
new SQL injection payloads that
1:37:01
include JSON, and that completely
1:37:03
bypassed the security WAFs
1:37:08
provide. Attackers using this novel technique
1:37:10
could access a back end database and use additional
1:37:12
vulnerabilities and exploits
1:37:15
to exfiltrate information via
1:37:18
either direct access to the server
1:37:20
or over the cloud. This
1:37:22
is especially important for OT
1:37:25
and IoT platforms that have
1:37:27
moved to cloud based management and monitoring
1:37:29
systems. WAFs offer a promise of additional
1:37:31
security from the cloud. An
1:37:35
attacker able to bypass these protections has
1:37:38
expansive access to systems.
1:37:41
Okay. So what happened?
1:37:43
History has shown that no one
1:37:46
is able to always
1:37:49
get SQL injection
1:37:52
protection correct. Because
1:37:54
it's so much easier for it not to be correct. So the notion of
1:37:56
a web application
1:37:59
firewall is created to
1:38:03
move the burden from individual
1:38:05
input forms, fields and
1:38:07
web apps to
1:38:10
the perimeter. Where a single comprehensive
1:38:12
web application firewall will be able
1:38:14
to protect all of an organization's
1:38:17
applications at once.
1:38:20
That happened about twenty years
1:38:22
ago in the early two thousands. Now remember though,
1:38:24
only for those
1:38:27
organizations that deploy them, A
1:38:30
web application firewall is like your big iron box. It's expensive. It needs to be constantly maintained.
1:38:33
TWiT needs to
1:38:36
be licensed. Smaller
1:38:38
organizations aren't gonna have them,
1:38:40
but the big guys do for
1:38:42
the last twenty
1:38:43
years. The problem,
1:38:45
of course, is that now
1:38:48
it's become less imperative.
1:38:50
For those individual web
1:38:53
applications, which are now safely
1:38:56
ensconced behind their protective
1:38:58
application barrier to be
1:39:00
quite so worried. About their
1:39:02
own input form field content. After all, there's a big mean web
1:39:04
application firewall at
1:39:07
the gate that's
1:39:10
gonna keep little bobby drop tables
1:39:13
safely out of reach.
1:39:15
So all as
1:39:17
well. But then a decade
1:39:20
passes. And a particular
1:39:22
syntax for describing the
1:39:24
features and details of
1:39:26
objects becomes popular. It outgrows
1:39:29
its own modest origins and
1:39:31
is adopted by other
1:39:33
languages and applications. Because it
1:39:36
does the one thing it
1:39:38
was designed to do cleanly,
1:39:40
minimally, and
1:39:43
efficiently. And so, the JavaScript object
1:39:46
notation, JSON, grows
1:39:50
increasingly prevalent. Perhaps it was inevitable
1:39:52
that SQL databases would a
1:39:54
never would eventually choose
1:39:57
to add their
1:40:00
own support for
1:40:00
JSON. And
1:40:01
they did. Here's what Team82 had
1:40:03
to say about that.
1:40:08
They said, In modern times, JSON
1:40:10
has become one of the predominant forms
1:40:13
of data storage
1:40:16
and transfer. In order
1:40:18
to support JSON syntax and allow developers to
1:40:20
interact with data
1:40:23
in similar ways to
1:40:26
how they interact with
1:40:28
it in other applications, JSON
1:40:30
support was needed in SQL. Currently,
1:40:36
all major relational
1:40:39
database engines support
1:40:41
native JSON syntax by
1:40:43
default. This includes Microsoft SQL, PostgreSQL,
1:40:48
SQLite,
1:40:50
and MySQL. Furthermore,
1:40:53
in the latest versions,
1:40:56
all database engines
1:40:58
enable JSON syntax by default,
1:41:00
meaning it is prevalent in
1:41:02
most database setups today. Developers have
1:41:07
chosen to use JSON features within
1:41:09
SQL databases since it
1:41:12
became available for a number
1:41:14
of reasons. Starting with better performance and efficiency.
1:41:16
Since many back ends already
1:41:18
work with JSON data, performing
1:41:21
all data manipulation
1:41:24
and transition on the SQL engine
1:41:26
itself reduces the number of database calls needed. Furthermore,
1:41:28
if the database can work
1:41:30
with the JSON data format, which
1:41:34
the back end API most likely uses
1:41:36
as well, less data processing,
1:41:39
pre and post processing is
1:41:41
required. Allowing the application to use
1:41:43
convert using JSON's SQL,
1:41:46
an application can fetch
1:41:48
data Combine
1:41:51
multiple sources from within the database, perform data
1:41:53
modification, and transform it to JSON
1:41:56
format within
1:41:59
the SQL API. Then
1:42:01
the application can receive the JSON formatted data and work with
1:42:03
it immediately without processing
1:42:07
the data again. While each
1:42:10
database engine, while each database chose a different implementation and
1:42:16
JSON parser Each supports a different
1:42:18
range of JSON functions and operators. Also, they all
1:42:21
support the JSON
1:42:24
data type and basic JSON
1:42:26
searches and modifications. And here's the key underlying
1:42:29
what team eighty
1:42:32
two discovered. Even though
1:42:34
they wrote, all database engines added support for JSON, not
1:42:39
all security tools added
1:42:42
support for this comparatively new
1:42:45
though decade old feature,
1:42:47
which was added as
1:42:49
early as twenty twelve.
1:42:51
This lack of support in the security
1:42:54
tools, meaning the WAFs,
1:42:56
introduced a mismatch
1:42:59
in parsing primitives, between
1:43:02
the security tool, the WAF, and the actual database
1:43:04
engine.
1:43:08
which is implementing SQL, and
1:43:10
caused SQL syntax misidentification. They
1:43:12
said from our understanding
1:43:14
of how a waf could flag
1:43:18
requests as malicious, we
1:43:20
concluded that we needed to
1:43:23
find SQL syntax the WAF would
1:43:25
not understand. If we could supply a SQL
1:43:28
payload that the WAF would
1:43:30
not recognize as SQL, but
1:43:32
the database engine
1:43:34
would parse we could actually achieve
1:43:36
the bypass. As it turns
1:43:38
out, JSON was exactly this
1:43:41
mismatch between the WAF's
1:43:43
parser and the database engine. When we passed
1:43:46
valid SQL statements that
1:43:48
used the less
1:43:51
prevalent JSON syntax, The WAF did
1:43:54
not flag requests as malicious. The JSON operator
1:43:57
at sign greater
1:44:00
than symbol which
1:44:02
checks whether the right adjacent is contained in the left one
1:44:05
threw the WAFs
1:44:08
into loops and
1:44:10
allowed us to supply malicious SQL
1:44:12
payloads and allowed us to
1:44:14
bypass the WAF by simply
1:44:17
prepending simple JSON syntax to the
1:44:20
start of the request, we
1:44:22
were able to exfiltrate sensitive
1:44:24
information over
1:44:27
the cloud. So this forms a very
1:44:30
interesting story. We start with a fundamentally insecure design.
1:44:35
When a powerful database system from the not
1:44:37
from the seventies, which was never
1:44:40
designed to
1:44:43
allow malicious users to access its command
1:44:46
input stream is used as
1:44:47
the back end database
1:44:51
for websites thus inadvertently giving
1:44:54
malicious users access to its command input stream.
1:44:58
Rather than recognizing, that
1:45:02
using SQL in this way is fundamentally a horrific mistake. Every individual
1:45:08
website must patch their
1:45:10
input field parsers in an attempt to prevent SQL command and
1:45:15
query syntax from being submitted by
1:45:18
the visitors to every site. SQL injection becomes
1:45:22
a meme. And XKCD captures its
1:45:25
essence. In
1:45:26
an extension of the
1:45:30
firewall concept, Web application firewalls are created
1:45:33
to centralize and concentrate
1:45:35
the SQL syntax
1:45:39
filtering challenge. It all seems fine for a time.
1:45:41
Then SQL syntax
1:45:44
undergoes a
1:45:47
fundamental extension as all SQL servers implement support for
1:45:49
the increasingly popular JavaScript
1:45:52
object notation. But
1:45:55
despite this extension, some of the
1:45:58
industry's application firewalls failed
1:46:00
to update
1:46:02
their protection logic to incorporate an awareness that
1:46:04
JSON can now be used
1:46:06
to encapsulate and issue SQL
1:46:12
queries. Fortunately, A team of white
1:46:14
hat security researchers stumble upon this tidbit while they're working
1:46:16
to discover just
1:46:19
such a
1:46:20
bypass. And they quietly
1:46:22
inform the many vendors of those vulnerable web application firewalls of their
1:46:27
discovery. And all
1:46:30
is well
1:46:31
again? Or is it? Because SQL is
1:46:36
still powering virtually
1:46:38
all web applications and the fundamental problem of now
1:46:41
an even
1:46:44
more powerful SQL
1:46:47
syntax existing
1:46:49
still remains.
1:46:52
If
1:46:54
JSON could be used
1:46:56
to slip past web
1:46:59
application firewalls to
1:47:01
reach the SQL
1:47:03
database behind. How many websites,
1:47:06
individual websites that are not being protected
1:47:09
by a
1:47:12
big iron web application
1:47:14
firewall might now be vulnerable today to
1:47:19
exactly the same JSON
1:47:24
Bypass. Happy
1:47:28
New Year. One of
1:47:30
the apps
1:47:30
that I've used either use MySQL,
1:47:33
which isn't the
1:47:36
it's SQL That's
1:47:39
it. Since next, so it counts. No. It's it's
1:47:41
exactly the same. It supports JSON.
1:47:43
Yeah. As long as it supports
1:47:45
JSON, how about SQLite? Same thing?
1:47:47
Yep. Okay. SQLite, MySQL, PostgreSQL. As long as
1:47:49
it supports the SQL language, which that
1:47:52
that's the IBM,
1:47:54
is the SQL Server. That's
1:47:56
the original. So but these all support that language. So --
1:47:58
Yeah. -- they're all And even MariaDB is is
1:48:01
a Really? Is that
1:48:03
Maria also support? Because if everybody
1:48:05
knows SQL and knows that language. Yes. Right? So why would you invent a new one?
1:48:08
Yeah. Exactly. Why would you
1:48:10
invent a new one? Yeah. It's
1:48:14
it's horrible to put use it
1:48:16
as a back end for the web, but
1:48:18
it's the one we've got. Well,
1:48:20
I mean, you could use as a
1:48:22
back end. You just don't wanna expose it. The
1:48:24
problem
1:48:24
is you are you're you're inherent if
1:48:26
you say, you know, look up the username that the
1:48:31
user inputs, you're taking the you're inherently taking the string they
1:48:33
That's gonna be a SQL string. And
1:48:35
inserting it into ace
1:48:38
into a query. Yeah. Yeah. It's I mean, so the problem
1:48:40
is that that query is not
1:48:42
just a query. It's also
1:48:46
command and control account creation, table
1:48:48
deletion. I mean, it is it was never
1:48:51
meant to be exposed to arbitrary
1:48:56
input. But Oh, look, we
1:48:58
got SQL. Let's use it as our back end.
1:49:00
And we're sanitizing
1:49:03
your inputs merely I
1:49:06
mean, it requires you to be clever
1:49:08
enough to catch all -- Perfect. --
1:49:10
every -- Perfect. -- every single
1:49:13
time. Yeah. That's why I say this
1:49:15
is inherently bro
1:49:17
broken. Right. Incredibly bad.
1:49:19
Right. Right. What would be the
1:49:21
alternative as a new language
1:49:23
But any database language is gonna have is
1:49:26
gonna be prone to this problem.
1:49:28
Right?
1:49:30
Well, no. Because a a database query language
1:49:33
should not let you delete the
1:49:35
database that you're querying. That's
1:49:37
not a query language.
1:49:39
That's a command. And control like
1:49:42
So separating the queries from the control and command would be the solution.
1:49:44
Yes. And,
1:49:47
you know, and and it's reminiscent of the printf, the the printf
1:49:49
that we talked about Apple getting tripped
1:49:52
over -- Right. --
1:49:54
where the problem was they
1:49:56
they printf inherently
1:49:58
mixes control with text. Right. And -- Right. --
1:50:00
that's a bad idea. You
1:50:02
should see what the format string
1:50:07
and Lisp can do. I mean,
1:50:09
it's printf on steroids.
1:50:11
It predates printf
1:50:13
because it's Lisp. And it is crazy,
1:50:16
the things you can do with that.
1:50:18
It's a programming language in and of
1:50:19
itself. And that's
1:50:22
probably not a good
1:50:24
thing. I would never I could never
1:50:26
imagine opening your your website to a to
1:50:28
a random format string. So
1:50:30
I guess I could see
1:50:34
I could see the inherent problem here. Yeah.
1:50:36
Yeah. I, you know, I I
1:50:38
don't know how we fix it.
1:50:41
You could you
1:50:43
could preserve you could reengineer it so
1:50:45
that that the query
1:50:48
was fundamentally limited
1:50:51
through that channel. That, you know, so
1:50:53
that you ask I mean, you can say, I won't accept command commands of any
1:50:56
only only
1:50:59
search queries. Right. And I
1:51:01
guess that's what sanitizing your inputs means, but it's hard to do that perfectly. Especially, it says
1:51:03
you're probably using regular
1:51:08
expressions. To parse it or something. I don't
1:51:10
know. What I want I wonder what the current best practices is.
1:51:12
Well, and and then
1:51:15
that's just it. The
1:51:17
the problem is, you know,
1:51:19
how how many times, Leo, have we encountered, for example, a TCP IP
1:51:23
stack where some where
1:51:27
security researchers figured out, oh,
1:51:29
you know, we can't do things this
1:51:31
way. Right. We have to
1:51:33
do them that way. You know, a
1:51:35
classic example is packet fragmentation. It is
1:51:38
turns out it's bizarrely difficult
1:51:40
to deal
1:51:42
with fragmented packets. Yet, along
1:51:44
and reimplement the TCP IP
1:51:46
stack and make the same
1:51:48
errors that we fixed thirty
1:51:50
years ago all over again. Yeah.
1:51:53
Because there are some things that are
1:51:55
just hard to get right. And and the problem is, you know, it's like,
1:51:58
SQL is what everyone
1:52:00
uses as
1:52:02
their back end, and it's a
1:52:04
bad idea. Well, you need a d
1:52:07
database of some kind. I think what
1:52:09
the the bad idea is to allow
1:52:11
commands to to you would think the
1:52:13
permissions structure would say, look, unless you're logged in
1:52:15
as a
1:52:18
as a permissioned user, you shouldn't be able
1:52:20
to execute commands. And then
1:52:23
just keep the the privilege
1:52:25
level of the of the
1:52:27
web server and the web queries low. Seems like
1:52:29
that would be solvable.
1:52:31
And, unfortunately, the programmers
1:52:32
who put this together never think they well,
1:52:35
and they also want their language. You
1:52:37
know what, you know. They wanna be
1:52:39
able to do this code. Yeah.
1:52:41
It's great. Yeah. Yeah. I don't I I
1:52:43
don't think it's insoluble. And
1:52:45
you do need a database in the back end. I that's that's the modern web. You don't want
1:52:48
flat files.
1:52:52
I I bet you're all flat file, so you don't have a
1:52:54
database in your back end, do you. Actually, one of the things that has been really heartening
1:53:00
is that when you go to GRC
1:53:02
and you put your your SpinRite serial number in and and
1:53:04
in order to get a
1:53:06
link for the prerelease, it's shocking.
1:53:11
How fast it is. Yeah.
1:53:13
Because you didn't did you write
1:53:15
the program yourself? Of course, you
1:53:17
did. It's a it's a super lean
1:53:19
embedded database that's being that's being accessed in assembler, of course. And it's just
1:53:22
it's a simple index database
1:53:26
And it is like it is amazing. And
1:53:28
it took me a while to
1:53:30
say, to realize, you know, everything
1:53:32
else I use, I click the button and
1:53:34
it's like, okay. Wait a minute. You know, it's
1:53:37
still spinning. Other than it comes
1:53:38
up, but not GRC. It's just pow.
1:53:41
Nice. Very interesting. Of course, this is
1:53:43
why this is why you
1:53:45
have to listen to
1:53:47
the show. Right? The
1:53:50
best most interesting stuff. It's been
1:53:52
a great year, Steve. I I think you'll enjoy
1:53:54
the best of. We found some really fun --
1:53:56
Oh. -- business to put together. That's next
1:53:59
Tuesday, then the following Tuesday. January
1:54:01
third, we're back again with
1:54:03
episode
1:54:04
would that be 903
1:54:07
Yeah. 903 Betty. Wow. We're getting
1:54:10
close to
1:54:11
the end. I don't say that.
1:54:13
Oh, it's like walking off You got
1:54:15
a whole two years. We
1:54:17
got a long off a short period. That's my
1:54:19
thought I used to say. Steve is GRC dot com. That's the
1:54:21
Gibson Research Corporation. Go there to
1:54:23
get SpinRite. The
1:54:27
world's best mass storage maintenance and recovery utility.
1:54:29
Currently, six point o, six point
1:54:31
one is so close that
1:54:33
if you buy six
1:54:35
point o now,
1:54:36
It will only be a matter of time before you
1:54:38
get six point one for free. So and you could participate in the development of
1:54:41
six point one, although
1:54:43
it's pretty much in the bag. I
1:54:45
think it's pretty much done here. It's working. Yeah. GRC dot com. You
1:54:48
can also get
1:54:51
the podcast there. Steve has two unique formats.
1:54:53
Of course, we both have sixty four kilobit audio. I have video at TWiT
1:54:55
dot tv slash s n. And he
1:54:58
has a very small audio
1:55:01
version, the sixteen kilobit eight is a sixteen kilobit
1:55:03
eight kilobit. It's tiny. Sixteen kilobit. When
1:55:05
you wanna go on lower,
1:55:07
it would sound like Thomas
1:55:10
Edison, Mary had a little lamb.
1:55:12
Sixteen kilobit is still pretty scratchy.
1:55:14
Sixteen kilobit audio for the bandwidth
1:55:17
impaired. Also, transcripts, which are actually incredibly useful
1:55:19
both for search and reading along as you listen. It's also
1:55:21
the most compact format
1:55:23
of the show. Show
1:55:26
notes are also there. GRC dot
1:55:28
com. You can leave him feedback at GRC
1:55:31
dot com slash feedback. His Twitter
1:55:33
is open. At SGGRC
1:55:36
so you can leave a DM there
1:55:38
for him. Okay. I'm on NASA, eventually. Don't
1:55:40
worry. You can also
1:55:42
go to our site, twit dot tv slash s n, or the YouTube channel dedicated to Security Now. That's a great way
1:55:44
to show share
1:55:46
little clips of the show.
1:55:49
Of the video with people. Hey, you gotta watch this boss.
1:55:51
We're gonna take that that website offline.
1:55:56
That kind of thing. And subscribing probably the easiest thing
1:55:58
to do in your favorite podcast player. That way, you'll get
1:56:01
it automatically. You can
1:56:03
build your collection I would
1:56:06
collect all nine hundred and two Security
1:56:07
Nows. Steve, have a wonderful holiday. You going anywhere? You're gonna
1:56:09
stay home. You're gonna code. Nope. We're gonna
1:56:12
stay put. Gonna
1:56:15
I'm we're we're gonna stay germ free, and I'm gonna write
1:56:17
a bunch of code. Lot of code
1:56:19
for Christmas. I'll
1:56:22
be coding for
1:56:23
Christmas. Have a happy New Year. Enjoy some Fine Burgundy, and we will
1:56:25
see you next time on
1:56:27
security now.
1:56:29
See you next year, my
1:56:30
friend. Bye bye. The world is changing rapidly. So rapidly, in
1:56:33
fact, that it's hard to keep up.
1:56:35
That's why Micah Sargent and
1:56:38
I, Jason Howell, talk with the people making and breaking the tech news
1:56:40
on tech news weekly every Thursday.
1:56:42
They know these stories better than
1:56:46
anyone, so why not get them in Subscribe
1:56:48
to Tech News Weekly and you won't
1:56:50
miss a beat every Thursday at twit dot tv.
1:56:53
TWiT