Security Now Best of 2022 - The best moments from throughout the year

Released Tuesday, 27th December 2022

Episode Transcript

0:00

Yep. It's that time once again. Hello, everybody.

0:02

Leo Laporte here. With the best

0:04

of twenty twenty two Security Now,

0:07

next.

0:09

Podcasts you love. From

0:11

people you trust. This is

0:15

TWiT. This

0:20

is Security Now with Steve Gibson, episode

0:22

nine hundred three for Tuesday December

0:24

twenty seventh twenty twenty two,

0:27

the year's best. Security

0:31

Now is brought to you by ExpressVPN.

0:34

Using the internet without ExpressVPN

0:36

is like walking your dog in public

0:38

without securing them on a leash for

0:40

three extra months free with a one year package go

0:42

to expressvpn.com/

0:45

securitynow. And by

0:49

Kolide. Kolide is an endpoint security solution

0:51

that uses the most powerful untapped

0:54

resource in IT: end

0:56

users. Visit kolide.com

0:58

/securitynow to learn more

1:00

and activate a fourteen day free

1:02

trial today. No credit card required.

1:06

We're gonna let Steve take a week

1:08

off, a much needed week off, and

1:11

talk about some of the biggest stories of

1:13

the year from twenty twenty

1:15

two. This actually is a good show to listen

1:17

to or to give people who haven't heard security

1:20

now, to give them an idea of the breadth of

1:22

content and the depth of content with

1:24

everything Steve does starting with

1:27

perhaps the worst exploit,

1:29

if you could pick one, the worst exploit

1:32

of twenty twenty two, Log4j.

1:36

Okay. So many security firms are

1:39

tracking threat actors who

1:41

immediately and predictably jumped

1:44

aboard the Log4j bandwagon. You

1:46

know, it's been a it's been a feeding frenzy

1:49

for the security firms. To

1:51

help bring this home and make it

1:53

a bit more real, I wanted to share

1:56

a piece of Check Point researchers'

1:58

reverse engineering work on

2:01

a typical threat, the Internet

2:03

is now facing. I've

2:05

got, for anyone who wants more detail,

2:07

there's always a link in the show notes. Last

2:11

week, Check Point documented the

2:13

efforts of an Iranian

2:15

government backed group

2:18

known again, not just Iranian government

2:21

backed group, known as APT35,

2:25

also known as charming kitten,

2:28

TA453 and

2:30

Phosphorus. This

2:33

group started widespread scanning

2:35

and attempts to leverage the

2:37

Log4j flaw in

2:40

publicly facing systems only

2:42

four days after the vulnerability

2:45

was disclosed. And, you know,

2:47

all the bad guys knew now

2:49

that this was public, it was, you know, it

2:51

was gonna get remediated at some speed.

2:54

The point being Let's be

2:56

first. You know, get in there before that gets

2:58

before the the the backdoors

3:01

get closed. Since

3:04

this actor's, this particular actor's

3:06

set up was hurried, they

3:08

simply grabbed one of the publicly

3:10

available Open Source

3:13

GitHub-hosted JNDI

3:16

exploit kits. Yes. They were

3:18

on GitHub initially, but that kit

3:20

has been removed from GitHub due to

3:22

its enormous popularity following

3:25

the vulnerability emergence. You

3:28

know, why bother reinventing that particular

3:30

wheel when time is of the essence? They

3:32

also base their operations upon

3:34

their pre existing infrastructure rather

3:37

than like creating a whole new one.

3:39

And that infrastructure was already well

3:41

known to

3:42

Check Point, thus making its detection

3:44

and attribution all the easier.

3:48

On the show notes, I have a flowchart, which

3:51

shows the path that the exploit

3:53

takes. And it could hardly

3:55

be any easier or direct. First,

3:58

the attackers send a

4:00

crafted request to

4:02

the victim's publicly facing Internet

4:05

exposed resource, whatever it is,

4:07

a server of some sort. In this

4:09

particular case, the weaponized

4:11

payload was sent in

4:13

through either the user agent or

4:16

the HTTP authorization

4:18

headers. Remember that all

4:20

that needs to happen is that

4:23

something somewhere

4:25

that's Java based logs

4:28

part of the query that contains this

4:31

weaponized string. In

4:33

order to log the query, Log4j

4:36

examines what it's

4:38

logging, sees a JNDI

4:41

component, and goes about its

4:43

job of obtaining the content

4:46

from the LDAP URL contained

4:48

in the query, which is being logged.

4:51

So the vulnerable machine

4:54

as has been instructed

4:56

to do, basically, although not after it

4:58

has been patched, but until then,

5:00

reaches out to a

5:02

what they'd labeled in their diagram a

5:05

Log4j exploitation server,

5:08

which assembles and returns

5:10

a malicious Java class,

5:13

which will be executed on the

5:15

vulnerable machine. The class

5:17

runs a PowerShell command

5:20

with a Base64-encoded

5:22

payload. And I actually have a

5:24

picture of the actual payload

5:27

the exploit dot

5:30

command, PowerShell, and

5:33

then the encoded payload. That

5:36

PowerShell command downloads

5:39

a PowerShell module

5:42

from an Amazon S3

5:44

bucket URL, and

5:46

it actually is

5:48

http://s3.amazonaws.com/

5:51

doclibrarysales/

5:53

test.txt,

5:55

and

5:57

executes it.

5:59

And we

6:01

have a picture of that in the show notes.

6:03

The actual thing that's downloaded.

6:06

The downloaded PowerShell payload

6:08

is the main module that's

6:10

then responsible for basic

6:12

communication with the command and

6:14

control server and the execution

6:17

of additional modules, which

6:19

may be received. So

6:21

the main module performs the

6:23

following operations. It validates

6:26

the network connection. Upon

6:28

execution, the script waits

6:30

for an active Internet connection by

6:33

repetitively making HTTP

6:36

POST requests to google.com

6:38

with the parameter

6:40

hi=hi, h

6:42

i equals h i. Just

6:45

to see if it can succeed. That's how

6:47

it detects whether or not it's got an Internet

6:49

connection. Assuming that it

6:51

does, then it

6:53

knows that. It also performs

6:55

basic system enumeration. It

6:58

collects the Windows OS version

7:00

the computer's name and

7:02

the contents of a file, n

7:05

i me dot

7:07

text in app data.

7:10

In the app data path. The file

7:12

is presumably created and

7:14

filled by different modules that

7:16

will be downloaded by the main

7:18

module. It

7:20

then retrieves the command and

7:22

control server's domain. The

7:25

malware decodes the command and control

7:27

domain retrieved from a hardcoded

7:30

URL located in the

7:32

same S3 bucket from where the

7:34

backdoor was downloaded. So

7:36

that they the bad guys have dynamic

7:38

control over that by

7:40

deciding what goes in this AWS

7:43

bucket. It also retrieves,

7:45

decrypts, and executes follow-up

7:48

modules. Okay. So

7:50

once all the data is gathered, The

7:52

malware starts communication with

7:54

the command and control server at

7:57

the domain, which it determined by

7:59

pulling that from the Amazon

8:01

AWS cloud

8:04

bucket. And

8:06

it does that. It communicates with the command

8:08

and control server by periodically sending

8:11

HTTP POST requests. I mean,

8:13

none of this is high-tech. None of this is

8:15

rocket science. You know, this is easy

8:17

to do. Which is why this terrified everybody

8:19

so much. So this thing sends HTTP

8:21

POST requests to a preconfigured

8:24

URL, with each POST

8:26

request containing information from

8:28

which to build a session key,

8:31

the OS version, the computer's

8:33

name, and the

8:35

contents of that file in the

8:37

app data directory.

8:39

So that ends up being something unique which

8:41

it uses to identify itself

8:43

each time. And I think as I recall,

8:45

it puts it in a session header

8:47

in the POST query. In

8:50

response to the command and

8:52

control servers receiving these

8:54

these POST requests, it

8:58

can either choose not

9:00

to respond, in which case

9:02

the script will keep sending POST

9:04

requests periodically to

9:06

continue to provide the server with stream

9:08

of response opportunities, or

9:11

the server will return a

9:13

Base64-encoded string.

9:17

Now just as a reminder, Base64

9:19

is a means

9:21

for sending binary data

9:24

over an ASCII channel, that

9:26

is over a text only channel.

9:29

Groups of three

9:31

eight bit binary bytes.

9:34

So three eight bit binary bytes is

9:36

twenty four bits. They're

9:39

regrouped from three eight bit

9:41

bytes to four six

9:43

bit bytes. Six

9:45

bits can have sixty four

9:47

combinations. So

9:50

we take the lower and the upper

9:53

alphabet gives us two times

9:55

twenty six characters or

9:57

fifty two characters We add the ten

9:59

decimal digits that brings us

10:01

up to sixty two characters,

10:03

and then we toss in two additional

10:06

ones. The plus and the forward

10:08

slash, which brings us to sixty

10:10

four. So

10:12

in groups of three,

10:16

binary is taken from

10:19

the source binary. The the

10:21

those those twenty four bits

10:23

are regrouped into four

10:26

characters, each

10:29

one of

10:31

sixty four different possibilities That's

10:34

then all munched back

10:36

together and sent down with the client,

10:38

which reverses the encoding process

10:40

to restore the original binary.

10:42

This allows the malicious

10:45

server to squirt

10:47

anything it wants into the victim

10:49

machine that's making the

10:51

queries. The

10:53

modules downloaded in this fashion

10:55

are either PowerShell

10:58

or C# scripts.

11:00

The modules sent by the command and

11:02

control server are executed

11:04

by the main module with

11:07

each one reporting data back to

11:09

the server separately. So

11:11

that the original module comes

11:13

in, looks around, sets

11:15

up shop, figures out who to

11:17

talk to initiates the

11:19

dialogue and does that

11:21

periodically. If in response to

11:23

one of its multiple POST

11:25

queries. It receives a blob

11:27

of Base64. It goes,

11:29

oh, okay. Something to do.

11:31

It decodes it back into

11:34

whatever it was before, you know, removes the

11:36

Base64 encoding. We

11:38

know that that's gonna be a PowerShell

11:40

or a C# script.

11:43

And runs it.

11:45

At that point, that subsidiary

11:47

module takes off on

11:49

its own. And it establishes its

11:51

own communication directly with the

11:53

command and control server. The

11:57

command and control cycle continues

12:00

indefinitely, which allows the

12:02

threat actors to gather data on

12:04

the infected machine, run arbitrary

12:06

commands, and possibly escalate

12:08

their actions by performing a

12:10

lateral movement or executing

12:12

follow-up malware such as

12:14

ransomware. In other words, you know,

12:16

this thing can do anything

12:19

it wants to. Once it

12:21

gains a foothold.

12:24

So the modules. Every

12:26

module is auto generated

12:28

by the attackers based on the data sent

12:31

by the main module. Each of the

12:33

modules contains a hard

12:35

coded machine name and a

12:37

hardcoded C&C domain.

12:39

Every module Check Point observed

12:43

contained a block of shared

12:45

code, which makes sense because there's a bunch

12:47

of stuff that they're all gonna do

12:49

regardless of their specific function. And

12:51

that is encrypting the data

12:53

to be sent, exfiltrating

12:56

the gathered data through a POST request

12:58

or uploading it to an FTP server

13:00

that also happens and sending

13:03

execution logs to a

13:05

remote server. In

13:07

addition to this, each module performs

13:09

one specific job that is in addition

13:11

to those things they all have in common.

13:13

Check Point retrieved and analyzed modules

13:16

for six different functions. Listing

13:19

installed applications, that

13:21

is, applications installed on the machine,

13:23

taking screenshots, listing

13:26

the running processes, getting

13:29

OS and computer information, executing

13:31

a predefined command from

13:34

the command and control server. And

13:36

then finally, cleaning up

13:39

any traces created by

13:41

any of the other modules. The

13:45

applications module uses

13:47

two methods to fetch and

13:49

return a list of installed

13:51

modules. It can either enumerate the

13:53

uninstall registry values

13:56

or use the

13:59

Windows Management Instrumentation Command

14:02

in order to get

14:04

an enumeration. It gets those,

14:07

encrypts them, and sends them back

14:09

to headquarters. The

14:11

screenshot module: they

14:13

found both C# and

14:16

PowerShell scripts for the

14:18

screenshot. They both had the

14:20

capability to capture multiple screenshots

14:22

at specified intervals and

14:25

upload the resulting screenshots to

14:27

an FTP server whose

14:29

credentials are provided by the script. The

14:31

C# script uses a Base64

14:33

encoded PowerShell command

14:35

to take the screenshot from multiple

14:38

screens. So again, you

14:40

might have this thing in your computer,

14:42

not know it, you're doing things,

14:44

and this thing is spying on

14:46

you, sending shots of

14:48

your screens back to headquarters. The

14:51

processes module obtains a

14:53

list of the machine's running processes

14:55

using the tasklist command, gathers

14:57

them, encodes them, sends them

14:59

back. The system information

15:01

module contains a bunch of

15:03

PowerShell commands. What was interesting

15:05

was that in the instances that Check Point

15:09

saw the bad

15:11

guys had commented out

15:14

all of these potential sources

15:17

of information, they

15:19

just weren't using it. This

15:22

told Check Point that this

15:24

whole campaign was hastily

15:26

assembled since the entire,

15:28

you know, as we know, attacker

15:31

community was well aware that

15:33

systems would be closing their doors

15:35

very quickly. So there were there

15:37

was like all these different suggestions

15:40

of, you know, the moment this

15:42

big thing went

15:43

public, the attackers jumped on

15:45

it and said, let's quickly get

15:47

something together that we can

15:49

exploit this

15:50

with. And finally,

15:53

we have the command execution module

15:55

which is able to essentially

15:58

download and execute any actions,

16:00

any commands that are provided

16:02

by the command and

16:04

control server. They saw, for

16:06

example, listing the contents of the

16:08

C drive root, listing

16:10

the specific WiFi profile

16:12

details using netsh,

16:15

the

16:17

wlan subcommand

16:19

of that, and

16:21

also listing all the drives

16:23

using Get-PSDrive, a

16:25

PowerShell enumerator.

16:28

And finally, the cleanup module. It's

16:30

dropped after the attackers have finished their

16:33

activity and want to remove any

16:35

traces that they've been inside the system.

16:37

The module contains cleanup methods

16:39

for persistence related artifacts

16:41

in the registry and the

16:44

startup folder, you know,

16:46

any files created and any

16:48

running processes. It

16:50

contains five hard coded

16:52

levels of, sort of, like, stages

16:54

of cleanup depending upon the

16:56

stage of the attack. Each

16:58

one serving a different purpose. Checkpoint

17:00

said that the design and the intent of

17:03

the cleanup module made it

17:05

clear that the threat

17:07

actors wanna keep the infection on

17:09

the machine, first of all, for as

17:11

long as they deem necessary,

17:13

but then after once their goal

17:15

has been achieved, they wanna disappear

17:18

without a trace. So that, you know, no

17:20

one believes that an

17:22

attack occurred.

17:24

As for attribution, of

17:26

course, we know attribution of

17:29

network remote attacks

17:31

often falls somewhere

17:33

between difficult to

17:35

impossible, but not so in this

17:38

case. Most advanced persistent

17:40

threat actors put

17:42

some effort into making sure to

17:44

change their tools and their

17:46

infrastructure to avoid being

17:48

detected in the first place and

17:50

to make attribution much more difficult if

17:52

they were detected. And in fact,

17:55

you know, we know that the SolarWinds

17:57

attacks were famous

17:59

for, like, really working

18:02

to obscure the path

18:04

by which the infection happened

18:06

if it were to be discovered.

18:09

However, APT thirty five

18:11

does not conform to this behavior.

18:13

Apparently, the group is famous within

18:16

the cybersecurity community

18:18

for the number of operational security

18:21

mistakes they've made in

18:23

previous operations. And they tend not

18:25

to put too much effort into

18:27

changing their infrastructure once it's

18:29

been exposed. So it's

18:31

little wonder that their operation as

18:33

Check Point has detailed it has

18:35

significant overlaps in the

18:37

code and the infrastructure, which

18:40

previously identified the

18:42

activities of APT thirty

18:45

five. As for code

18:47

overlaps, four months ago, October

18:49

of twenty twenty one.

18:51

Google's TAG team, remember their

18:53

threat analysis group, published

18:55

an article about APT35's

18:58

mobile malware, you know, because

19:00

Google and Android. Even though

19:02

the samples Check Point analyzed,

19:07

were PowerShell scripts.

19:09

The similar meaning, you know,

19:11

PowerShell as opposed to Android.

19:14

So Windows only,

19:16

the similarity of

19:18

coding style between them

19:20

and the Android spyware

19:22

that Google attributed to

19:25

APT thirty five immediately

19:27

caught Check Point's attention. For

19:29

one thing, the implementation of

19:31

the logging functions was

19:34

identical between the Android

19:36

app, which Google analyzed, and

19:38

this present campaign's PowerShell

19:41

modules which use the

19:43

identical logging format.

19:45

Even though the commands are commented

19:47

out and replaced with another

19:50

format. The fact that these

19:52

lines were not removed outright.

19:55

Check Point felt might indicate that

19:57

the change was done only recently.

19:59

And the syntax of

20:01

the logging messages themselves

20:03

being logged is identical.

20:06

As for infrastructure, both

20:09

then and now

20:12

campaigns, October and now

20:14

apparently use the same server

20:16

side infrastructure. When a

20:19

client posts data to a

20:21

remote HTTP server, the

20:23

server side path of the

20:26

query is called the API

20:29

endpoint. Google's mobile

20:31

analysis and Check Point's

20:33

both revealed the use of

20:35

the common endpoint

20:38

/api/session. Now,

20:40

okay, that's not a high entropy name.

20:42

Could have just been a collision of,

20:44

you know, convenience but

20:48

Check Point felt encouraged

20:51

by the observed overlap,

20:53

and they stated in their report

20:55

that other API endpoints are

20:58

similar but not entirely identical

21:00

due to the differences in the

21:02

functionality of the platform. So it didn't

21:04

make sense for them to be completely identical. Check Point

21:06

also observed that not

21:08

only are the URLs familiar

21:11

but the command and control domain

21:14

of the PowerShell variant

21:16

responds to the API

21:18

requests that are used in the

21:20

mobile variant. This suggests similar,

21:23

if not identical, server

21:25

side support for both

21:28

campaigns. So Check Point

21:31

concluded its report by

21:33

observing that every time

21:35

there is a new published critical

21:38

vulnerability, the entire infosec

21:41

community holds its collective breath

21:43

until its worst fears come true.

21:46

Scenarios of real world

21:48

exploitation appear, especially

21:50

by state sponsored actors.

21:52

As they demonstrated in their report,

21:54

the breath-holding wait in the

21:57

case of the Log4j vulnerability was

21:59

only a few days. The combination

22:01

of its simplicity, its publicly

22:04

available open source code

22:06

samples, and the massively

22:08

tantalizing number of

22:10

vulnerable devices made

22:12

this a very attractive vulnerability

22:14

for actors such as APT

22:16

thirty five, and I have

22:18

no doubt that, you know, while I

22:20

don't think I will continue giving this

22:22

in-depth coverage because we know

22:24

pretty much everything there is to know about it. Oh,

22:26

if something major happens,

22:28

it'll certainly be newsworthy. But

22:30

that's how this stuff works. Again,

22:33

just, it's

22:36

frightening how

22:38

non-rocket-science,

22:41

how script

22:43

kiddie level -- Yeah. -- this thing

22:45

is and that it can get up to so

22:47

much mischief. Amazing. A

22:50

even a... what is a kitty? What

22:52

kind of kitty? Charming kitten.

22:54

Even Charming Kitten. You could do it. Who

22:56

comes up? Is that like a vulnerable name?

22:58

Who comes up with these? I mean, there's Fancy

23:01

Bear for the Russian group,

23:03

Charming Kitten for the Iranian

23:06

group. Somebody's coming up

23:08

with these. Must be the

23:10

CIA or the NSA. That's

23:12

just why. Okay. So

23:15

Unsurprisingly, as I said

23:17

at the top of the show, the world's cyber news

23:19

this past week was dominated

23:21

by the cyber aspects

23:24

of Russia's invasion of Ukraine.

23:26

We've been living through, and this TWiT

23:28

podcast network has documented

23:31

and chronicled important and

23:33

fascinating aspects of, you know,

23:35

the evolution of the personal

23:37

computer and the Internet. When I think back,

23:39

Leo, to where we were with the Honey

23:41

Monkeys, you know, almost eighteen years

23:43

ago. It's like, okay, a lot

23:45

has changed. HTTP was

23:47

a

23:47

thing, right, with no s. Now,

23:50

good luck if you don't have an S there.

23:53

And I have

23:55

to

23:55

admit that when this

23:59

first... when this podcast, Security Now,

24:02

began, I was personally

24:05

skeptical of the

24:07

idea of cyber warfare. It

24:09

just, like, really,

24:12

like, packets, you

24:14

know? Well, obviously, since then,

24:16

I've been well disabused of

24:18

any such skepticism. And

24:22

I've been interested to note that in

24:24

the last few weeks, all the experts

24:27

because like cyber warfare is like

24:29

a topic now. Like, on any

24:32

time, like, there's a discussion of what's going

24:34

on. It's like, oh, whatever, you know, this

24:36

threat of cyber warfare. And

24:38

the presumption is it would not be constrained

24:41

to Russia and Ukraine. It

24:43

would be, you know, global

24:45

to some degree. But

24:48

all the point is that all the experts that

24:50

I'm hearing talk about it feel

24:53

much as I do, which is that

24:55

it's something no one is really

24:58

that excited to

25:00

unleash. Very much like

25:02

you know, the cold war days

25:04

of mutually assured destruction,

25:09

But as I said last week, the feeling

25:11

is that no one has any

25:13

real confidence in their own

25:16

defenses being adequate. So

25:18

nobody wants to be the first to initiate what

25:20

you... whoa. And I forgot to turn

25:22

that down. Our little

25:25

friend telling me I've got email. Sorry.

25:28

No one's that, you know,

25:31

confident about their own defenses being

25:33

adequate. So no one wants to be the first to

25:35

initiate what might be mutually

25:38

assured cyber destruction. We don't even know what

25:40

that looks like and nobody wants to

25:42

find out. Yet, here we

25:44

are

25:44

today, kind of picking

25:46

around the edges of

25:48

exactly that possibility such that

25:51

more than any other time in

25:53

the past It's on everyone's

25:55

lips. Okay.

25:58

So I'm

26:01

not gonna spend an inordinate amount

26:03

of time on any one of

26:05

these topics, but literally as

26:07

I was going through the

26:10

last week's "what is there to talk about," it was all about

26:12

this. It was all about the consequences of

26:14

this. So, Saturday

26:17

before last, on the twenty-sixth,

26:19

Ukraine's minister

26:21

of digital transformation, whose

26:23

name we'll hear a few times

26:26

today, Mykhailo Fedorov, announced

26:28

the creation of an army

26:30

of IT specialists

26:32

to fight for Ukraine

26:35

in cyberspace. Mykhailo said,

26:38

quote, we have many talented Ukrainians

26:41

in tech. Developers, cyber

26:44

specialists, designers, copywriters, marketing

26:47

specialists, targeting

26:49

specialists, Wow,

26:51

targeting specialists. He said, we

26:53

are creating an IT army.

26:56

All operational tasks will

26:58

be posted here. There's plenty to do

27:00

for everyone. We continue our

27:03

fight at the cyber front.

27:05

So of course, being that he's

27:08

their digital transformation

27:09

guy, his focus is that.

27:13

Anyway,

27:13

turns out that Mykhailo's call

27:16

did not go unheeded.

27:20

When I captured this

27:22

particular report, the

27:24

number of volunteers

27:26

that had signed up, and

27:28

we'll see that by the time we end

27:30

this podcast, that number has

27:33

grown at this point, it

27:35

was already a hundred and seventy

27:37

five thousand people

27:39

had said, yeah, I wanted, you

27:41

know, sign up. I wanna... a hundred and

27:43

seventy five thousand. Oh. I

27:46

didn't know there were that many people with

27:48

the skills. Yeah.

27:50

Well, and they said copywriters, marketing

27:52

specialists. So, basically, you know, like, you

27:54

don't have to actually know how

27:57

to sharpen the front edge of a packet in

27:59

order to send it off. Wow.

28:01

You just have to know what that packet

28:04

should contain. I guess, if it was some propaganda or some

28:06

IT specialists to manage the

28:08

database of volunteers, that's

28:10

what they're gonna need.

28:13

That's right. So he said many have

28:15

been tasked with launching DDoS

28:17

attacks against Russian websites,

28:19

including government websites, banks and energy

28:22

companies. On the twenty-seventh,

28:24

the day after this,

28:26

officials also told volunteers

28:28

to target websites, third,

28:30

in Belarus. Mykhailo

28:33

also publicly released the targeting

28:36

list. Okay? So this

28:38

is the IT Army of

28:40

Ukraine. It says for

28:42

all IT specialists from

28:44

other countries, we translated

28:47

tasks in English. So

28:49

he says, task number one.

28:51

We encourage you to use

28:53

any vectors of cyber

28:55

and DDoS attacks on

28:58

these resources. So

29:00

I mean, this is a

29:02

publicly posted list from

29:04

Ukraine. So we've got three

29:06

categories business corporations,

29:09

banks, and the

29:11

state. So for example business corporations,

29:14

Gazprom, I can't even

29:16

pronounce these things. I won't

29:18

try, but there's like one, two, three, four, five, six, seven, eight, nine,

29:22

ten, eleven, twelve, thirteen, fourteen, fifteen,

29:25

sixteen, seventeen, eighteen,

29:27

nineteen, specific business

29:30

corporations where the

29:32

URL, their URL, and

29:34

I think without exception, there is a

29:36

.com, by far the

29:39

most, or .ru, of

29:41

course, there are some .org, predominantly

29:44

.ru. Then we've got

29:47

three banks:

29:49

Sberbank, VTB, and

29:52

Gazprombank, and then the third

29:54

category is the state. There's

29:56

public services, Moscow state

29:58

services, president of the Russian

30:00

Federation, government of the

30:02

Russian Federation, Ministry

30:04

of Defense, tax, whatever

30:06

that is, customs,

30:09

pension fund, and

30:11

our favorite, Roskomnadzor,

30:14

is also there.

30:17

So, you know, I

30:19

mean, obviously, they're being

30:21

put upon that as Ukraine

30:23

is. And they're saying, hey,

30:25

cyber is now a

30:27

vector of

30:29

counterattack. So let's go.

30:32

And, you know, here's your initial

30:34

targeting list. An

30:36

open call for everyone, you know, anyone

30:38

and everyone to participate, you

30:40

know, and but let's be

30:43

clear that the perceived justice,

30:46

if that's how you

30:48

feel of this cause,

30:51

doesn't make it legal. Right?

30:53

So people listening, don't

30:55

go off attacking

30:58

Russia because that, you know, because

31:00

some guy in Ukraine said, yeah,

31:02

here's Here's where you go. Don't do

31:05

that. According to Victor Zhora,

31:07

an official at the Ukrainian cybersecurity

31:10

agency charged with protecting government

31:12

networks, he said, quote,

31:14

Russian media outlets that

31:16

are, quote, constantly lying

31:19

to their

31:19

citizens, unquote, and financial and

31:22

transportation organizations supporting the

31:24

war effort are among the

31:26

potential targets for digital attacks

31:28

from the so-called Ukrainian

31:31

IT

31:31

Army. He said that the IT

31:34

Army is a loose band of

31:36

Ukrainian citizens and

31:38

foreigners that are not part

31:40

of the Ukrainian government.

31:42

But Kiev is encouraging

31:45

them. It's an example of how the Ukrainian

31:47

government is pulling out all the

31:49

stops to try to

31:51

slow Russia's military assault

31:53

and illustrates how cyberattacks

31:55

have played a supporting role in the

31:57

war. The goal of this IT Army

31:59

of Ukraine is to, quote,

32:01

do everything possible,

32:03

to make the aggressor feel

32:06

uncomfortable with their actions in cyberspace and

32:08

in Ukrainian land.

32:10

And so, you know, this was Victor

32:13

Zhora in a video conference with

32:15

journalists on Friday. And

32:17

And I will say, because I've

32:19

just gone through this myself, assembling

32:21

these seventeen pages of notes for

32:23

this

32:23

podcast. If

32:25

you follow along by

32:27

the end of this podcast, I

32:29

would argue you will have

32:32

very mature, complete,

32:35

almost comprehensive, I

32:37

dare say appreciation

32:40

for everything that is going on,

32:42

like everywhere on this. It's

32:44

it's what we're here to talk about. Well,

32:47

Russia hasn't disconnected from the Internet

32:49

yet, but Who knows what twenty twenty

32:51

three will be? We'll be back with more

32:53

of Steve Gibson in just a moment. First

32:55

a word from our sponsor. I hope you're

32:57

enjoying our best of Steve's great. Isn't he?

32:59

We just love doing this show together.

33:01

And for most of the

33:03

year, we have loved our

33:05

sponsor. Express VPN. They've been with us all year long.

33:08

Using the Internet without express VPN,

33:10

my personal choice for VPN

33:12

well, that would be, I don't know, like,

33:14

walking your dog in public

33:16

without a leash. Most of the

33:18

time, no problem. You'll probably be fine. But what

33:20

if one day The dog runs

33:23

away or gets dog napped.

33:25

It's better to be careful. You're not

33:28

preparing for everyday

33:30

activity preparing for the worst.

33:32

Somebody spying on you, somebody attacking

33:35

you, that's why it's great when you've

33:37

got something as simple as express VPN. Every time

33:39

you connect to an unencrypted

33:42

network, which could be and

33:44

cafes and hotels and airports, your

33:47

online data is insecure. Any hacker in

33:49

the same network has all sorts of

33:51

ways to attack your system and steal

33:53

your personal data using things that are

33:55

widely available on the Internet

33:57

like the like the WiFi pineapple.

33:59

But express VPN creates

34:01

a secure encrypted tunnel between your

34:03

device and the Internet. So they

34:05

can't see you. They can't

34:07

attack you. You're absolutely safe.

34:10

In fact, it's so good it would take a hacker

34:12

with a supercomputer over a billion years

34:14

to get past Express VPN's

34:18

encryption. ExpressVPN works on all your devices,

34:20

phone, tablet, laptop, even on your

34:22

smart TV. In fact, they've got a great

34:24

router now. They you can put ExpressVPN

34:26

on many

34:28

routers but they even sell a router that's just fantastic. So

34:30

we were talking to a dog m. Right? He

34:32

took an express VPN router with him to

34:34

Vietnam. Was able to watch all

34:36

his shows in the United States, communicate

34:38

securely and safely, worked phenomenally,

34:40

and he said he was getting amazing data

34:42

rates. I can't remember what he said, but it

34:44

was like, a hundred, two hundred, three hundred megabits. Try

34:47

that with some other VPN.

34:49

Only express VPN works as fast

34:51

as you do. And it's so

34:53

easy to use. Put it on the router or just fire up the

34:55

app. Click one button. Boom. You're

34:58

safe. Now if you go to

35:00

expressvpn dot com slash security now, you

35:02

can get three extra

35:04

months with a one year package,

35:06

absolutely free. Express VPN

35:08

dot com slash security now. Buy a twelve

35:10

month package, you get fifteen months for the price of twelve, and I have to tell

35:12

you, it is the only VPN I trust,

35:14

the only one I use, express

35:17

VPN dot com slash

35:20

security now. Thank you ExpressVPN for being such

35:23

a great sponsor for Steve's work

35:25

all this year. Speaking of

35:28

work, Time to get back to

35:30

Steve. We're back with more twenty twenty two. We

35:32

kick things off in this segment.

35:35

with a look at

35:38

Kaspersky antivirus. Is it safe?

35:41

Well, the US

35:44

FCC, Kaspersky Labs,

35:46

and Chinese telecoms are

35:48

all

35:49

mixed up. Last

35:51

Friday, in an announcement titled FCC

35:54

Expands List of Equipment and

35:56

Services that pose security

35:59

threat, unquote. The US Federal Communications Commission

36:02

added the well known to

36:04

us, Russian cybersecurity firm,

36:07

Kaspersky, to its covered

36:10

list. Believing that the use

36:13

of Kaspersky Lab products

36:15

poses unacceptable risks

36:18

to US national security. The

36:21

coverage includes information

36:26

to Kaspersky's information security products, solutions,

36:28

and services supplied by

36:30

Kaspersky or any

36:33

linked companies including subsidiaries or

36:36

affiliates. And the same day

36:37

last Friday, the HackerOne

36:39

bug bounty program

36:42

also terminated their relationship with Kaspersky. Hacker

36:45

One's decision to disable Kaspersky's

36:47

bug bounty program follows

36:50

the news that

36:52

Germany's federal office for

36:54

information security, known as

36:57

BSI, had warned

37:00

companies against using Kaspersky products. The German

37:02

regulator indicated that Russian

37:04

authorities could force the

37:06

AV provider

37:08

into allowing Russian intelligence to

37:10

launch cyberattacks against its

37:12

customers or have its products

37:16

used for cyber espionage campaigns.

37:18

Just to be clear, this is all

37:20

entirely without any precipitating

37:23

evidence and only

37:26

out of an abundance of

37:27

caution. Kaspersky

37:31

responded by writing, Kaspersky

37:34

is disappointed with the

37:36

decision by the Federal Communications Commission

37:39

to prohibit certain

37:42

telecommunications related federal subsidies for being used to purchase

37:44

Kaspersky products and

37:46

services. This decision is

37:48

not based on any

37:50

technical assessment

37:52

of Kaspersky products that the company continuously

37:55

advocates for, but instead

37:58

is being made on

38:00

political grounds. Kaspersky

38:03

maintains that the US government's

38:05

twenty seventeen prohibitions on

38:08

federal entities and

38:10

federal contractors from

38:12

using Kaspersky products and services were unconstitutional

38:16

based on unsubstantiated allegations

38:20

and lacked any public

38:22

evidence of wrongdoing by the

38:24

company. And there has been

38:26

no public evidence to otherwise

38:28

justify those actions since

38:30

twenty seventeen and the

38:32

FCC announcement specifically refers

38:34

to the Department of Homeland Security's

38:36

twenty seventeen determination as the

38:38

basis for today's decision. Kaspersky

38:40

believes today's expansion of

38:43

such prohibition on entities that

38:45

receive FCC communications related

38:47

subsidies is similarly

38:50

unsubstantiated and is a response to

38:52

the geopolitical climate. Rather

38:55

than a comprehensive evaluation,

38:58

of the integrity of Kaspersky's products and services. Kaspersky

39:02

will continue to assure

39:04

its partners and customers on

39:07

the quality and integrity of its

39:10

products and remains ready to

39:12

cooperate with US government

39:14

agencies to address

39:16

the FCC's and any other

39:18

regulatory agency's concerns. Kaspersky provides

39:20

industry leading products and

39:23

services to customers around

39:26

the world to protect them from all types of cyber

39:28

threats. And it has stated

39:30

clearly that it doesn't have any

39:32

ties with

39:34

any government including Russia's.

39:36

The company believes the

39:39

transparency and the continued implementation

39:41

of concrete measures to

39:43

demonstrate its enduring commitment to integrity and

39:46

trustworthiness to its customers is

39:48

paramount. Unquote,

39:52

Now, I completely

39:54

agree that Kaspersky

39:57

has never given us any

39:59

cause to mistrust them. But

40:02

that's not the question or

40:05

the problem. That's

40:07

a misdirection, I think, that

40:09

misses the point. And they know

40:12

what the point is,

40:14

where they are

40:16

is the

40:18

point. So I'm not sympathetic to Kaspersky's

40:20

plight. None of this

40:22

should have been a surprise to them.

40:25

It's been their conscious choice

40:27

to remain operating in Russia

40:30

for the past eight years

40:32

since twenty

40:34

fourteen. After their president and country illegally

40:36

invaded Ukraine and annexed

40:39

its Crimean Peninsula. And being in

40:42

Russia, they know far more than

40:44

we do how their country

40:46

is being run and has

40:48

been acting.

40:48

We know that not

40:49

everyone in Russia agrees with

40:52

Putin, and I don't doubt

40:54

that Kaspersky would

40:56

resist and fight any subversion of

40:59

their integrity. That's all they have, and

41:01

that's a lot to

41:04

lose. But given everything we've seen recently,

41:06

it might not be their choice,

41:08

and that's the point. Given

41:12

the awesome networking power that

41:14

a deeply trusted and embedded company

41:17

such as Kaspersky wields. And

41:19

in the context of an authoritarian

41:22

regime, which is increasingly acting

41:24

as if it has nothing left

41:26

to lose, There's

41:28

every reason to worry

41:30

that Kaspersky's employees could be

41:32

forced to act against their will.

41:35

So it's not

41:37

Kaspersky for a moment that

41:39

I don't trust. It's their

41:41

ruthless and immoral government that

41:44

ultimately controls them, which we

41:46

cannot afford to trust in this

41:48

instance. And there are plenty of

41:50

good, maybe even better choices in the

41:52

world. It's not like they have to Exactly.

41:54

Now I have to point out

41:56

that Kaspersky got his technical education

41:59

from the KGB higher school,

42:02

which prepares intelligence officers for

42:04

the Russian military and KGB. He

42:06

has a degree from there in

42:09

mathematical engineering computer technology. He served in the

42:11

Soviet military Soviet military

42:13

intelligence service as

42:15

a software

42:16

engineer. And he met his wife

42:18

at a KGB vacation resort two

42:20

years before he founded Kaspersky antivirus.

42:24

I'm not saying I mean, here's part of the problem loves Eugene because

42:26

he goes he's a very good salesman.

42:29

And he goes around

42:31

and he goes to conferences and

42:33

stuff and, you know, he buys people drinks to to swear by Kaspersky probably because

42:35

he used to hang with

42:38

Eugene. Yep. I

42:41

don't know.

42:41

I think there's there's no

42:44

evidence, but there's enough

42:46

smoke. Yes. And and your

42:48

point, Leo, is why take the risk.

42:50

You don't have to, so why? And all this, by the is saying you

42:53

can't use government subsidies to

42:55

buy Kaspersky. Right. Right.

42:58

By the way, you can't buy a lot of Russian stuff right now, not

43:00

because they're inherently insecure, but because

43:03

it's it's money to Russia. So

43:05

-- Yeah. -- I don't think this is a bridge

43:08

too far. Yeah. And, you

43:10

know, from my standpoint,

43:12

there's no way I would feel

43:14

completely comfortable right now

43:16

if my computer was running

43:18

software that was routinely phoning

43:20

home to Russia. That just

43:22

you know, seems a bad idea.

43:24

We're waiting for the big cyber attack.

43:26

And they were implicated in the in the leak

43:28

of the NSA hack taking tools -- Yes. -- whether

43:30

intentionally or not, they were in they

43:33

were involved -- Yep. -- which is not to

43:35

say that other AV might not have also been

43:37

doing the same

43:39

thing, but you know, theirs went to

43:41

Russia. So anyway And

43:44

and, you know, for what it's worth, Kaspersky

43:47

has not been singled out for this treatment, at least not

43:50

globally. Last week's decision to

43:52

designate Kaspersky as a national security

43:54

threat, follows

43:56

previous decisions to ban and revoke

43:58

China Unicom America's license

44:00

over serious national security

44:03

concerns in January of

44:06

this year and two and a half years or two and a half weeks

44:08

ago, the FCC added the

44:10

Chinese telecommunications companies,

44:12

Huawei, ZTE,

44:15

Hytera Communications, Hikvision

44:20

and and

44:22

Dahua, to its ban list. Back in June of twenty twenty,

44:24

Huawei and ZTE were designated

44:26

national security threats to the

44:28

integrity of the US communications

44:32

networks or the communications supply chain, and

44:34

now the Chinese state owned

44:36

mobile service providers, China Mobile

44:38

International USA,

44:40

and China telecom Americas have been added as well. So,

44:43

you know, tempers are running

44:45

high. And, you know, Leo, we're

44:47

in this weird world of

44:50

deep economic co dependency

44:53

with those we

44:55

do not trust. It's freaky. I

44:57

mean, I don't think I have anything. I don't think I owed anything that didn't

44:59

come from China. Made in

45:01

China, baby. Yeah. Yet, you

45:04

know, here we are, you know, and how many times have I

45:06

talked about our IoT stuff -- Right. --

45:08

you know, all my my lights and plugs

45:10

and things turn on and off because

45:14

they're connecting to Chinese cloud services.

45:16

I actually think that's a good thing, not

45:18

for a sec from a security point

45:20

of view, but from global economic

45:23

perspective -- True. -- interdependence

45:25

is good for peace. Yes. And if

45:27

it weren't if we weren't

45:29

independent in interdependent. We couldn't sanction Russia to

45:31

the degree we have. Yeah. Obviously, he's

45:33

not enough to stop them. But Well,

45:35

it is not have to stop

45:37

one man. Right. And I think that's the that's the problem is that

45:39

this guy is, you know, believed to

45:42

be the richest person in the world

45:44

that, you

45:46

know, nothing he doesn't care. He doesn't get to his point. And there

45:48

we there are no handles -- Right.

45:50

-- on him. There's nothing we can do.

45:52

Right. And and so We'll

45:55

see what happens, Blair.

45:59

Yikes. Lenovo. Leo,

46:02

I I heard you refer to Lenovo's

46:04

UEFI problem on some

46:06

podcast recently. So, you know, this has

46:08

been in the news a lot. Oh, it's not it's

46:10

not surprising. I'm I'm aware of it

46:12

because I buy a lot of Lenovo. Hardware. So

46:15

That's been the ThinkPad. Right? Like -- Yeah. --

46:17

the ThinkPad. Yeah. Yes. The

46:19

premier laptop. So

46:22

As we know,

46:23

when a PC is powered up,

46:25

something needs to wake up

46:27

and configure the various parts

46:29

of the machine. The

46:31

video needs to be started. The fans

46:34

need to spin up. All of the

46:36

machines various mass

46:38

storage subsystems need to be

46:40

initialized, and then the

46:42

firmware's configuration needs to

46:44

be checked. The proper

46:46

operating system needs to

46:48

be located and its OS boot code needs to be

46:50

initially loaded into RAM so that

46:52

control can be turned over to

46:54

it to continue booting

46:56

the machine. The

46:58

first PCs did that

47:00

using their basic input output

47:03

system, Bios or Bios.

47:05

That was good for

47:07

about five years. It actually didn't last

47:10

very long because the PC just

47:12

exploded in terms of, you know,

47:14

what everybody wanted to do

47:16

with it. So the limitations,

47:18

which had been built into the Bios'

47:20

assumptions, began to cause more

47:22

problems than they were worth than

47:25

they were worth almost automatically.

47:28

And various Mickey Mouse

47:30

workarounds were created to

47:32

overcome many of these problems while

47:34

Intel worked on a wholesale

47:36

replacement of the Bios. The

47:38

initial attempt was

47:40

the EFI, the so called

47:42

extensible firmware interface,

47:44

which quickly matured into the

47:47

unified extensible firmware

47:50

interface, UEFI. And

47:52

we find ourselves right

47:54

back where we always do.

47:57

The original Bios was

47:59

so dumb that it could

48:02

not be infected. It

48:04

was originally implemented in

48:07

sometimes dumb is a good

48:09

thing. That's exactly it

48:12

was originally implemented in

48:14

masked ROM, meaning that the

48:16

firmware's bits were

48:18

etched into a metal

48:20

mask at the factory and could

48:22

never be changed. It did mean you

48:24

had to get the code right the first time. I have

48:26

no updates. And That was

48:28

something people used to be able to do,

48:30

but we don't do that

48:32

anymore. So that soon gave

48:34

way to nonvolatile

48:36

flash ram.

48:37

Which could be updated, but the code

48:39

it implemented was still

48:42

aggressively

48:43

dumb. Sometimes for some things, the dumber, the

48:46

better. Because if all you

48:48

want is to boot an

48:50

OS, you really don't need that

48:52

much smart Bios did

48:54

it, just fine. And the

48:56

lesson we keep falling

48:58

into and we keep failing to

49:00

learn is that the

49:02

more complicated fancy, capable and

49:04

smart. We make things.

49:06

The more leeway and latitude

49:09

the system has to

49:12

go very badly wrong.

49:15

So welcome to

49:17

the unified extensible

49:19

firmware interface where malware

49:22

is also able to extend

49:25

the firmware. Lenovo

49:29

has been most recently

49:31

in the we made

49:33

a UEFI mistake news

49:36

recently. Last week, the guys over

49:38

at ESET. Whose motto is, we live

49:40

security, posted the results of their

49:42

analysis of some widely

49:44

used Lenovo

49:48

UEFI firmware. Their posting's

49:50

title was, quote, when

49:53

secure isn't secure

49:55

at all. Colon? High impact

49:59

UEFI vulnerabilities discovered

50:01

in Lenovo consumer laptops.

50:04

And the story's

50:06

tagline is ESET researchers discover

50:08

multiple vulnerabilities in various

50:10

Lenovo laptop models that

50:13

allow an attacker with admin

50:15

privileges to expose the user to

50:18

firmware level

50:20

malware. Okay.

50:23

Firmware level malware. That's not what

50:25

you wanna hear. That's even less

50:27

what you wanna have crawling around

50:29

inside your machine. Firmware

50:33

level malware enables the

50:35

ultimate in rootkit

50:37

techniques. In fact, having

50:40

its own worst name, boot kit. The

50:43

presence of firmware level

50:45

malware means quite simply

50:47

that it's impossible to

50:50

trust anything about

50:52

what the machine might

50:54

do. Firmware level malware is

50:57

able to infect and compromise the operating

51:00

system's own code during

51:02

its boot process before

51:04

it has had any opportunity

51:06

to raise its own shields. And

51:09

reformatting the machine's mass

51:11

storage and reinstalling an

51:14

operating system or even

51:16

removing and replacing a drive

51:18

won't necessarily eliminate the

51:20

problem because

51:22

this malware has taken up residence in the

51:24

machines underlying firmware

51:26

on the motherboard, on

51:29

a on a nonvolatile memory

51:32

soldered to the main

51:34

board. Now,

51:36

we know that

51:38

anybody can make a mistake, and I am as as our listeners know,

51:40

I am infinitely forgiving of

51:44

mistakes. But the most

51:46

troubling aspect of what the

51:48

ESET researchers found was

51:50

that two of the three big mistakes

51:52

Lenovo made were

51:54

the oversight of leaving highly

51:58

exploitable drivers in the

52:00

UEFI firmware image, which

52:02

should have only been present during

52:05

the firmware's development. These drivers should have

52:07

never left the factory. So

52:10

it's not like

52:12

they got you know, a

52:14

loop condition wrong or

52:16

something like a mistake.

52:18

You know, they've left stuff

52:20

in there that should not be in there.

52:22

How do we know?

52:24

We know because the

52:26

two drivers were actually

52:29

named Secure backdoor.

52:32

That's the in the UEFI

52:35

firmware, that's the driver's name. Yeah.

52:37

We're gonna talk about an

52:40

oxymoron secure back door.

52:42

Yeah. Yeah. That turns out it

52:44

it wasn't. Yeah. The other one was

52:46

Secure backdoor PEIM.

52:48

So here's what ESET said.

52:50

They said ESET researchers

52:52

have discovered and analyzed three

52:56

vulnerabilities affecting various Lenovo

52:58

consumer laptop models. Various yeah.

53:00

We'll get to that in a minute. The

53:02

first two of these vulnerabilities and

53:05

we got two CVEs from this year,

53:07

thirty nine seventy one and

53:09

seventy two. Affect UEFI

53:12

firmware drivers originally meant to

53:15

be used, this is ESET, only

53:17

during the manufacturing process of

53:19

Lenovo Consumer Notebooks. Unfortunately,

53:22

writes ESET, they were mistakenly

53:26

included also in the production

53:28

firmware images

53:30

without being properly deactivated slash

53:33

or deleted. These affected

53:35

firmware drivers can

53:38

be activated by

53:41

an attacker to directly disable SPI

53:46

flash protections, that is,

53:48

using control register bits and

53:50

protected range registers or

53:53

the UEFI secure

53:56

boot feature from a privileged user mode

53:58

process running during OS

54:00

runtime. Okay. So just to

54:02

be clear about what ESET just

54:06

said. They said from a

54:08

privileged user mode process

54:10

in the OS. In

54:12

other words, mistakenly a user, any

54:14

user of these laptops,

54:16

mistakenly allowing some

54:18

malware to run in their OS.

54:22

Which might innocently ask to be granted brief

54:25

UAC privilege elevation

54:27

to install something

54:30

if that is, if it didn't bring

54:32

along its own privilege escalation vulnerability exploit

54:34

as it might, or which

54:37

might set itself up to run as a

54:39

system service. That code

54:42

can disable all relevant

54:46

UEFI write protections to then surreptitiously

54:48

install semi permanent hidden

54:51

boot kit malware into

54:54

the system's UEFI firmware, and the

54:56

user would be none the wiser. And

55:00

we don't know how to scan for that

55:02

yet. We're mean, there there's

55:04

been some talk of scanning UEFI. Nothing much has come of it.

55:07

Eset said, it

55:10

means that exploitation

55:12

of these vulnerabilities would

55:14

allow attackers to deploy and

55:17

successfully execute SPI flash

55:19

or ESP implants like

55:21

LoJax. To understand how

55:22

we were able to find these vulnerabilities,

55:24

consider the firmware drivers affected

55:28

by and then they this is the

55:30

CVE number, the thirty nine seventy one. They wrote. These

55:33

drivers, imagine this Leo,

55:35

immediately caught our

55:38

attention by their very unfortunate but

55:41

surprisingly honest names.

55:44

Secure backdoor and

55:47

secure backdoor PEIM. After some

55:49

initial analysis, we discovered

55:51

other Lenovo drivers

55:55

sharing a few common characteristics

55:58

with the secure backdoor

56:02

asterisk drivers. Those are CHG, I guess, that's

56:04

short for change, and then

56:06

boot DXE

56:08

hook. And CHG

56:11

boot SMM You

56:14

know, SMM

56:16

is system management

56:18

mode stuff, which is the

56:20

the OS under the

56:22

OS. As it turned out, they write,

56:24

their functionality

56:26

was even more interesting and could be abused

56:29

to disable UEFI

56:32

Secure Boot. That's that's

56:34

the CVE ending in thirty nine

56:36

seventy two. In addition, they

56:38

said while investigating the vulnerable drivers,

56:40

we discovered a third vulnerability,

56:43

SMM memory corruption inside

56:46

the SWSMI

56:48

handler function, Thus,

56:51

we have CVE ending in thirty nine seventy. This

56:53

vulnerability, they said, allows arbitrary

56:55

read write from

56:58

into SMRAM,

57:00

which could lead to the ex execution

57:02

of malicious code with

57:04

full SMM privileges. That's again,

57:07

that's like the chip level privileges nothing

57:09

more privileged in the world

57:11

than that. And they said

57:14

potentially lead to the deployment of an

57:16

SPI flash implant. We

57:18

reported all discovered vulnerabilities

57:20

to Lenovo on October eleventh

57:23

twenty twenty one. And I didn't have

57:26

it in the show notes, but Lenovo responded a month later. Although, the list of

57:28

affected devices contains, and here

57:32

it comes, More

57:34

than one hundred different

57:38

consumer laptop models

57:41

with millions of users

57:44

worldwide from affordable models

57:46

like IdeaPad three to

57:48

more advanced ones

57:50

like Legion five Pro

57:52

or Yoga Slim nine.

57:54

The full list of affected models with

57:57

active development support is published in the

57:59

Lenovo Advisory. In addition, to

58:01

the models listed in the

58:03

advisory, several other devices

58:06

we reported to Lenovo are also

58:08

affected but won't be

58:10

fixed. Due to them

58:12

reaching end of

58:14

development support, EODS. This

58:17

includes devices where we

58:20

spotted the reported vulnerabilities for the

58:22

first time. IdeaPad

58:24

three thirty and IdeaPad

58:26

one ten. The

58:28

list of such EODS devices

58:31

that we have been able to identify will

58:33

be available in ESET's vulnerability

58:36

disclosures repository. And what

58:38

this tells us reading between the lines is that

58:40

these vulnerabilities have been

58:42

there long enough for

58:44

those machines which

58:47

they started affecting to now have left have

58:49

gone out of their service life with

58:51

Lenovo, thus they will

58:54

never be

58:56

fixed. Lenovo. Oh, yeah. I do have in

58:57

the notes. Lenovo confirmed the vulnerabilities on

59:00

November seventeenth twenty twenty

59:02

one and assigned them the

59:04

following CVEs. And

59:06

and, I mean, they're being they're coming right right out

59:08

with it. CVE ending in thirty

59:11

nine seventy, Lenovo variable,

59:14

SMM, and they say hyphen,

59:16

SMM arbitrary read

59:18

write. The one ending in thirty

59:21

nine seventy one, secure backdoor, disable

59:24

SPI flash protections,

59:26

and thirty nine seventy

59:28

two, change boot DXE

59:32

disable UEFI secure boot.

59:35

So given

59:37

how incredibly

59:40

active The cyber underworld is today.

59:43

We

59:43

keep encountering quite sobering

59:46

evidence of it, you know,

59:50

In every podcast

59:51

now, there's just no

59:54

chance that

59:54

these now fully disclosed and

59:57

very well documented vulnerabilities will

59:59

not be used to

1:00:02

compromise the interests of some of

1:00:04

these millions

1:00:06

of Lenovo laptop users worldwide, and many

1:00:08

of them are, you know, gonna

1:00:11

be serious users. It

1:00:14

will happen. So here we

1:00:16

are once more noting that there's something very wrong

1:00:18

with our industry's current

1:00:20

development model. You know, How

1:00:24

can this be allowed to occur over and over

1:00:27

and over? ESET had

1:00:29

to reverse engineer

1:00:32

the proprietary code in this UEFI

1:00:36

firmware in order to find

1:00:38

these problems. That

1:00:40

it's and it's affecting Lord

1:00:43

knows what multiple of millions

1:00:45

of Lenovo laptop

1:00:48

users. Lenovo messed

1:00:50

up big time here, but for

1:00:52

the record, they're not alone. These

1:00:55

newly disclosed vulnerabilities merely

1:00:58

add to the recent disclosure

1:01:00

of more than fifty, five zero,

1:01:02

UEFI firmware vulnerabilities, which

1:01:05

have been found in

1:01:08

Insyde Software's, you know,

1:01:11

INSYDE, Insyde Software's,

1:01:14

Insyde H2O

1:01:16

and HP and Dell laptops

1:01:18

since the start of just this year.

1:01:21

Among those are

1:01:23

six severe flaws in HP's

1:01:25

firmware affecting both laptops

1:01:27

and desktops, which would exploit it,

1:01:29

could allow attackers to

1:01:32

locally escalate to SMM privileges, which as I

1:01:34

said, is as much as you can get

1:01:36

on any hardware

1:01:38

platform. And

1:01:40

trigger at least denial of service and maybe

1:01:42

more. So, you know, Lenovo

1:01:44

is in good company or

1:01:48

at least only the most recent member of this

1:01:50

UEFI vulnerability doghouse.

1:01:52

And as we know, it's not Lenovo's

1:01:54

first instance of UEFI problems.

1:01:58

We've we've you know, years ago, they've also had

1:02:00

problems. So we've

1:02:02

managed to make our lovely

1:02:06

little machines far more complex

1:02:08

by designing in extremely powerful

1:02:12

capabilities. Yes. We

1:02:14

get lots more flexibility. We get remote management and

1:02:17

remote maintenance. And

1:02:20

not surprisingly, It's also a

1:02:22

mixed blessing. So

1:02:24

a heads up to anyone using

1:02:28

Lenovo laptops regardless of the model you have, don't look

1:02:30

at a list of affected models. First of

1:02:32

all, there's hundreds.

1:02:34

You should definitely check in to

1:02:37

see whether your device has a firmware update

1:02:40

outstanding. And for that matter,

1:02:42

HP and Dell users would be well

1:02:44

advised to do

1:02:46

the same. Do you think these changes are driven by the needs of

1:02:48

enterprise? In other words,

1:02:50

are we personal and

1:02:52

home users and geeks suffering

1:02:56

because -- Yes. Exactly.

1:02:58

-- management capabilities built in

1:03:01

Exactly that. Yeah. Exactly that,

1:03:03

Leo. Yeah. should be and there are a few places where

1:03:05

you can get simpler systems, a

1:03:08

simpler UEFI and core

1:03:10

boot open source firmware

1:03:12

and things like that. And

1:03:14

they aren't really not aimed at

1:03:18

enterprise. What was the other thing I

1:03:20

wanted to to

1:03:22

mention, oh, yeah, firmware updates

1:03:24

now. It's interesting or increasingly part

1:03:26

of the operating system update. I don't know if you've

1:03:28

noticed that. Yeah.

1:03:30

Well, we we we know that

1:03:32

Windows, for example, is patching the

1:03:34

Intel the Intel chipset firmware --

1:03:36

Right. -- Linux brings along the same thing -- Yeah.

1:03:38

-- to to their credit, although it is

1:03:40

a little, you know, a bit of

1:03:43

a mixed blessing, Lenovo now

1:03:45

has software that comes pre installed on their machines, which

1:03:47

is taking responsibility for

1:03:50

keeping your machines firmware up

1:03:52

to date. So

1:03:54

it makes it better than if

1:03:56

you like, you know, than like never

1:03:59

ever having the opportunity to proactively

1:04:02

informed Lenovo machine owners

1:04:04

and having a problem like this out there that

1:04:06

would make them persistently

1:04:08

vulnerable. Yeah. Yeah.

1:04:10

Boy, over the years, the what

1:04:12

is it? Fifteen years have been doing security now. The

1:04:14

name Lenovo has come up a I

1:04:18

still love my ThinkPads. That's all. I that's

1:04:20

all I'm gonna say. We're gonna take a little break,

1:04:22

come back with more of Steve Gibson and the best

1:04:24

of Security Now twenty twenty two in

1:04:27

just a moment. First a word from

1:04:29

our sponsor. I'm gonna interrupt one more

1:04:31

time, Steve. Sorry. The best

1:04:34

stuff continues in moments. I guess I'm interrupting myself, aren't

1:04:36

I? We'll have more with

1:04:38

Steve and the best stuff in just a bit. But first a

1:04:40

word from a great sponsor. They've been with

1:04:42

us all

1:04:44

year. Kolide. Kolide is an endpoint security

1:04:46

system that uses the

1:04:49

most powerful, underappreciated, untapped

1:04:52

resource in IT,

1:04:54

your end users. When you're

1:04:56

trying to achieve security goals, whether for a

1:04:59

third party audit or your own

1:05:02

compliance standards, you know, the typical conventional wisdom is to treat

1:05:04

every device like Fort

1:05:06

Knox and every user like

1:05:08

the enemy. Old

1:05:10

school device management tools like MDMs force

1:05:12

disruptive agents onto employees'

1:05:15

devices. People know when they put them on, it's

1:05:18

gonna slow me down, it's gonna hurt my

1:05:20

privacy. That way of

1:05:22

doing things turns you,

1:05:24

IT admins,

1:05:26

into enemies of the

1:05:28

end users. Right? And then you got your

1:05:30

own security problems because end

1:05:32

users say, well, I don't want the performance hit.

1:05:34

I wanna preserve

1:05:36

my privacy. So they turn to shadow IT just to do their jobs.

1:05:38

Now now you got a big

1:05:40

problem. Right? Kolide does

1:05:42

things a little bit differently.

1:05:44

Instead of forcing changes on users, Kolide sends them

1:05:46

security recommendations via Slack.

1:05:48

Kolide automatically notifies your team

1:05:50

when their devices are insecure, gives them

1:05:54

step by step instructions on how to solve the problems. And

1:05:56

by reaching out to employees via a friendly

1:05:58

Slack DM and educating

1:06:01

them about company policies, Kolide

1:06:03

can help you build a culture in which

1:06:06

everyone contributes to security

1:06:08

because everyone understands

1:06:11

how and why to do it. Make employees part of

1:06:13

your team, not the enemy. And for

1:06:16

IT admins, you're gonna love Kolide, a

1:06:18

single dashboard that

1:06:20

lets you monitor the security of your entire fleet, completely

1:06:22

cross platform. Mac, Windows, Linux,

1:06:24

doesn't matter. You can see it at

1:06:26

a glance, for instance, which employees have their

1:06:29

disks encrypted, are up to date on

1:06:31

their OS patches, whether they're using a

1:06:33

password manager and on and on and on and on.

1:06:35

That makes it easy to prove compliance

1:06:38

to your auditors, to

1:06:40

your leadership, makes it easy for you

1:06:42

to keep an eye on what's going on in your network.

1:06:44

So in a nutshell, that's Kolide. User

1:06:48

centered, cross platform endpoint security for teams

1:06:50

that Slack. I think it's

1:06:52

a brilliant idea. You can meet your

1:06:54

compliance goals by putting users first

1:06:58

Visit K-O-L-I-D-E, kolide dot com slash security

1:07:01

now to find out how. If you follow that link,

1:07:03

they'll hook you up with a goody bag, including

1:07:05

a great Kolide t

1:07:08

shirt. I got it right here.

1:07:10

Just for activating that free trial, you get Kolide coasters,

1:07:12

all sorts of cool stuff. That's that's

1:07:14

a little holiday gift for you from Kolide.

1:07:18

K-O-L-I-D-E, kolide

1:07:20

dot com slash security now. Now, back to

1:07:23

the best of back

1:07:25

to the best of twenty

1:07:27

twenty two with Steve Gibson. Let's

1:07:29

talk about passkeys.

1:07:32

Now let's talk about this

1:07:35

FIDO thing because I really

1:07:37

wanna get your take on it. So Ars

1:07:40

Technica's headline was

1:07:42

Apple, Google, and Microsoft want to

1:07:45

kill the password with passkey standard. Instead of

1:07:47

a password, devices would

1:07:49

look for your phone

1:07:52

over

1:07:52

Bluetooth. Bleeping

1:07:53

Computer said Microsoft, Apple, and Google to support FIDO

1:07:55

passwordless logins. The

1:07:57

record said Google, Apple,

1:08:00

and Microsoft to expand

1:08:02

support for passwordless sign in

1:08:04

standard. You know, and

1:08:06

it made the headlines in all of

1:08:09

the tech press. And all of these headlines popped up

1:08:11

last Thursday, May fifth, which, as

1:08:14

I said at the top of the show, was not only Cinco

1:08:16

de Mayo, but

1:08:18

also world password day.

1:08:21

And the news of

1:08:23

and questions about this new

1:08:25

passkeys was the most tweeted

1:08:28

to me item of the past week.

1:08:30

Many of our listeners wanted to know

1:08:32

what it was and what I

1:08:34

thought. Having spent seven years

1:08:37

of my life designing, implementing,

1:08:39

demonstrating, and proving

1:08:42

a complete working solution

1:08:45

to this need, I have a

1:08:47

good grasp of the problem domain. So I dug into this passkeys news by

1:08:50

going to the source.

1:08:53

As I always endeavor to, I first

1:08:55

read the Google, I'm sorry, the FIDO Alliance's May

1:09:00

fifth press release, which

1:09:02

was titled Apple, Google, and Microsoft commit to expanded support

1:09:08

for FIDO standard to

1:09:10

accelerate availability of passwordless sign

1:09:15

ins. This was the press release that

1:09:17

everyone else was quoting in

1:09:19

the news. It appeared

1:09:22

that whoever wrote it was

1:09:24

being paid by the word since

1:09:26

it went on and on to make sure

1:09:30

that its reader would come away believing that all

1:09:33

pre-FIDO systems were

1:09:35

bad and FIDO

1:09:39

was the cure. At this point, it appears that regardless

1:09:41

of whether or not it turns out to be the cure, it will at

1:09:44

least be

1:09:46

the next thing we try. I'm in the same boat as all

1:09:48

of our listeners. We're all avid users

1:09:50

and consumers of the Internet. So

1:09:54

we're all hoping the FIDO Alliance knows what it's doing. But that

1:09:57

press release wasn't gonna get the

1:09:59

job done. Fortunately, it

1:10:02

linked to the description

1:10:04

of the Fido

1:10:07

Alliance white paper titled Multi-Device FIDO

1:10:12

Credentials. The description

1:10:14

of the paper that links to it said the FIDO standards

1:10:20

together with their companion

1:10:22

WebAuthn specification are on the

1:10:24

cusp of an

1:10:27

important new development. Evolutionary

1:10:32

changes to the standards proposed

1:10:34

by the FIDO Alliance, and

1:10:36

the W3C

1:10:38

WebAuthn community

1:10:40

aim to markedly improve

1:10:43

the usability and

1:10:45

deployability of FIDO-based

1:10:48

authentication mechanisms. As a

1:10:50

result, FIDO-based secure

1:10:53

authentication technology will for

1:10:55

the first

1:10:55

time, be able to replace passwords

1:10:58

as the dominant form of

1:11:00

authentication on

1:11:04

the Internet.

1:11:04

What a concept. In

1:11:06

this paper, they say, we explain how FIDO and WebAuthn

1:11:11

standards previously enabled low

1:11:14

cost deployments of authentication mechanisms with very high assurance levels.

1:11:21

While this has proved

1:11:23

an attractive alternative to traditional smart card authentication, and

1:11:26

even opened the door

1:11:29

to high assurance authentication in the consumer

1:11:31

space, we have not attained large

1:11:36

scale adoption of

1:11:39

FIDO-based authentication in the

1:11:42

consumer space. We explain

1:11:44

how the introduction

1:11:47

of multi-device FIDO credentials

1:11:50

will enable FIDO technology to supplant

1:11:56

passwords for many consumer use

1:11:58

cases as they make FIDO credentials available to users

1:12:01

wherever they

1:12:04

need them. Even if they

1:12:06

replace their device. Okay. So I have

1:12:08

the link in the

1:12:10

show notes to the PDF.

1:12:13

For anyone who wants the

1:12:15

raw material. Obviously, this descriptive overview still doesn't

1:12:17

tell us what we

1:12:20

wanna know. So I

1:12:22

dug into the white paper.

1:12:24

We get the executive summary followed

1:12:26

by a brief history of online authentication

1:12:30

then a section titled

1:12:32

FIDO starting from the

1:12:34

top, followed by WebAuthn

1:12:37

level three bringing up the bottom. So this brings us to the

1:12:39

bottom of page four of the

1:12:42

PDF, and we begin to

1:12:47

frame the problem as follows.

1:12:50

The explanation explains, FIDO

1:12:52

based solutions can

1:12:55

also increase the security of consumer

1:12:57

two factor authentication by providing phishing

1:12:59

resistance regardless of whether those

1:13:01

use cases care about

1:13:04

hardware based sign

1:13:06

in credentials or not. Now,

1:13:09

I should mention that

1:13:11

that FIDO was always

1:13:13

hardware based, which has been the problem that

1:13:15

they've been struggling with, is that

1:13:18

the

1:13:20

FIDO authentication standard

1:13:22

was you will have a hardware dongle, a token,

1:13:26

a something which

1:13:30

because it's hardware, because it's physical,

1:13:32

it cannot be spoofed. It

1:13:34

cannot be, you know, no

1:13:37

one in Russia can get the

1:13:39

contents of what you

1:13:41

have in your thing you're holding in

1:13:43

your

1:13:43

hand. That's it. You're holding

1:13:46

The YubiKeys? There's some that are FIDO2

1:13:49

YubiKeys. That's what you mean.

1:13:51

Yes.

1:13:51

Yes. Yes. Yeah. Yes. And

1:13:53

so, which is, that's good,

1:13:55

that's good security. No one would deny

1:13:57

that. Right? You could argue it's the best. Gold security. Yeah. Yes.

1:13:59

The problem is it's physical. I

1:14:02

mean, you can't make people buy

1:14:04

keys. Fifty

1:14:06

dollar keys. Yes. The

1:14:08

Exactly. The benefit

1:14:11

is it's physical. The

1:14:13

problem is it's physical.

1:14:15

And so

1:14:17

where they say, they

1:14:20

said FIDO-based solutions

1:14:22

can also increase the security of consumer authentication

1:14:24

by providing phishing resistance

1:14:26

regardless of whether those

1:14:30

use cases care about

1:14:33

hardware based sign in credentials or not. In other words, they're

1:14:35

saying, we're giving up. We're

1:14:38

gonna back down from the

1:14:43

position we had taken. I mean, you could

1:14:46

still use hardware based sign in

1:14:48

credentials, but

1:14:51

now you're not gonna have to. We're not gonna make

1:14:53

you have to have a hardware

1:14:55

dongle. And this has

1:14:57

been sort of in the air for a

1:14:59

couple years. Right? There's been talk about

1:15:01

being able to use your phone

1:15:03

as your FIDO

1:15:06

authenticator. So this notion isn't completely

1:15:08

new. It's been happening.

1:15:10

They said, however, we

1:15:13

have observed limited adoption

1:15:15

in this latter category, especially in the

1:15:17

consumer space, because of the

1:15:20

perceived inconvenience of

1:15:23

physical security keys: buying, registering,

1:15:27

carrying, recovering. And

1:15:31

the challenges consumers face with platform authenticators as

1:15:33

a second factor. For

1:15:36

example, having to

1:15:38

re-enroll each new device, no

1:15:41

easy ways to recover from lost or stolen devices.

1:15:43

They said, while

1:15:48

these drawbacks can

1:15:50

make FIDO-based solutions, whether based on physical security keys or platform

1:15:53

authenticators, and I

1:15:56

should explain this phrase

1:15:58

platform authenticators, that just means your smartphone or your laptop. That's what

1:16:01

they're calling that

1:16:03

a platform authenticator as

1:16:06

opposed to a physical security key.

1:16:08

So these drawbacks can

1:16:10

make FIDO-based solutions, whether based

1:16:12

on physical security keys or

1:16:15

platform authenticators, a tricky proposition for users already

1:16:17

accustomed to two factor

1:16:19

authentication. They present

1:16:22

an even higher barrier to adoption for

1:16:25

users who don't or

1:16:27

don't want to use

1:16:30

two factor authentication at

1:16:32

all and are stuck with

1:16:34

passwords. And so finally, we get down to it. The

1:16:39

white paper explains, the FIDO Alliance

1:16:42

and the W3C WebAuthn working group are proposing

1:16:45

to address

1:16:48

these gaps in a

1:16:50

new version, which they call level three of the WebAuthn

1:16:56

specification. The two

1:16:58

approaches. They said, two proposed advances in

1:17:00

particular bear mentioning. And

1:17:03

so here they are.

1:17:07

One and two, number one.

1:17:08

Using your phone

1:17:11

as a roaming authenticator. That's

1:17:15

the first of these

1:17:17

proposed advances. They said,

1:17:20

a smartphone is

1:17:22

something that end users typically

1:17:24

already have. Virtually all consumer space

1:17:27

two factor authentication mechanisms today already

1:17:31

make use of the user's smartphone. The problem

1:17:33

is that they do this in

1:17:35

a way, they do

1:17:38

this in a phishable manner.

1:17:40

You may inadvertently enter a

1:17:43

one time password on

1:17:47

a phisher's site, or you may approve

1:17:50

a login prompt on your smartphone, not realizing that your browser

1:17:52

is pointed at

1:17:55

the phishing site

1:17:57

and not the intended

1:17:59

destination. The proposed additions to the FIDO WebAuthn

1:17:59

specs

1:18:03

define a protocol that

1:18:07

uses Bluetooth to communicate

1:18:09

between the user's phone,

1:18:11

which becomes the

1:18:14

FIDO authenticator, and the device from which the user

1:18:16

is trying to authenticate. You

1:18:18

know, your laptop, for example.

1:18:20

Bluetooth, they say,

1:18:23

requires physical proximity, which means

1:18:25

that we now have a phishing-resistant way to

1:18:28

leverage the user's

1:18:31

phone during authentication.

1:18:33

Yeah. The hacker has to

1:18:36

be in physical proximity, which is good.

1:18:38

Right? Because Bluetooth is not the most secure.

1:18:42

Well, I'll, go ahead. Go ahead. No. Of course, SQRL

1:18:45

solved this with a QR code -- Right.

1:18:47

-- that you let your

1:18:49

phone see, as we know. Right. They said, with

1:18:51

this addition to the FIDO WebAuthn

1:18:53

standards, two factor deployments

1:18:55

that currently use the

1:18:57

user's phone as a

1:19:00

second factor will be able to

1:19:02

upgrade to a higher security level, phishing resistance,

1:19:04

without the need for

1:19:07

the user to carry a

1:19:10

specialized piece of authentication

1:19:12

hardware, parens, security keys.

1:19:15

Oh, thank god. So

1:19:17

yes, we'll be able to

1:19:19

use our phones. Wonderful. That

1:19:22

was point one. Here's point

1:19:24

two. Multi-device

1:19:27

FIDO credentials. Okay? They

1:19:32

say, we expect that FIDO

1:19:34

authenticator vendors, in particular, those of authenticators built

1:19:39

into OS platforms, this

1:19:42

is, we've heard

1:19:44

the names. Right? Apple, Google, Microsoft.

1:19:46

will adapt their authenticator implementations such

1:19:51

that a FIDO credential can survive

1:19:55

device loss. In

1:19:57

other words, and

1:20:00

again, it hasn't been done yet, but this is

1:20:02

what they expect. We expect the FIDO authenticator vendors, blah blah. In other words,

1:20:06

if the user had set up a number of

1:20:08

FIDO credentials for different

1:20:11

relying parties and, you

1:20:13

know, relying parties is a

1:20:15

term of art in this

1:20:17

whole identity space on their phone.

1:20:20

If the user had set

1:20:22

up a number of FIDO credentials

1:20:26

for different relying parties on their

1:20:28

phone. And notice that in

1:20:30

FIDO, you need a credential per

1:20:33

relying party, that is, a FIDO credential for Amazon, a FIDO credential

1:20:35

for PayPal, a FIDO credential for Facebook,

1:20:37

a FIDO credential for Google,

1:20:40

blah blah.

1:20:43

That's a one-for-one mapping in

1:20:46

FIDO. And then they

1:20:48

say, and then got

1:20:50

a new phone, that user should be able to

1:20:52

expect that their FIDO credentials

1:20:55

will be available on

1:20:58

their new phone. This means that

1:21:00

users don't need passwords

1:21:03

anymore. As they

1:21:06

move from device to device.

1:21:08

Their FIDO credentials are

1:21:10

already there, ready to be

1:21:13

used for phishing resistant

1:21:15

authentication. Okay. Now, just pause

1:21:19

to note that I

1:21:23

solve this problem with one

1:21:25

time password authenticators, with

1:21:28

my sheaf of printed

1:21:30

QR codes. Right? We were talking about that last week.

1:21:32

When I when I'm enrolling

1:21:34

on a site

1:21:39

that offers me second factor

1:21:41

authentication with a one time password, and it shows me the QR code, which I can then

1:21:44

capture with my

1:21:46

authenticator on my phone I

1:21:49

also print

1:21:51

the paper out and it's securely stored. I have a

1:21:54

sheaf of them for all the places I use two-factor

1:21:56

authentication. So

1:21:59

that, yeah, if I

1:22:01

need to set up a

1:22:03

new device that doesn't

1:22:06

sync in some fashion with the authenticator

1:22:08

in my phone, I can

1:22:10

do that. It's offline. No

1:22:12

one in Russia can get

1:22:15

to it. It's very secure. But yeah, it's a little burdensome. I

1:22:17

had to do that. Lots of people don't. And

1:22:19

then they get stuck

1:22:23

if their authenticator won't export or transport

1:22:26

and sync. So they say,

1:22:29

for these,

1:22:32

multi-device FIDO credentials. So that's

1:22:34

this is their term, multi-device FIDO credentials just means

1:22:39

cloud sync. That's all that is. For multi-device FIDO credentials, it

1:22:42

is the OS platform's

1:22:44

responsibility to

1:22:47

ensure that the credentials are available

1:22:49

where the user needs

1:22:52

them. And Also,

1:22:55

note that some, they said,

1:22:57

note that some companies are

1:23:00

calling FIDO credentials

1:23:04

passkeys in their

1:23:06

product implementations, in particular, when those FIDO credentials may

1:23:10

be multi device credentials.

1:23:14

So in other words, just for the record, passkeys is

1:23:17

not a term of art in

1:23:19

FIDO, and I imagine that

1:23:21

the company that has a trademark on

1:23:23

passkey is not very happy. Mhmm. You know, a lot

1:23:25

of people noted that the government started

1:23:27

to use

1:23:29

the term shields up for one of their things.

1:23:32

That's the thing.

1:23:32

Yeah. What are you gonna do? I don't

1:23:34

know. Yeah. But, exactly. So

1:23:37

they say, Just like password

1:23:40

managers do with passwords,

1:23:42

the underlying OS platform

1:23:44

will sync the cryptographic

1:23:46

keys that belong to a FIDO credential from device to device. This

1:23:48

means that the security and

1:23:50

availability of a user's synced credential

1:23:55

depends on the security of the

1:23:58

underlying OS platforms', parens,

1:24:01

Google's, Apple's,

1:24:04

Microsoft's, etcetera, authentication mechanism for their online

1:24:06

accounts. And on the security method for

1:24:12

reinstating access, when all old devices

1:24:14

are lost. While this may not always meet the bar

1:24:16

for use cases

1:24:19

that require physical key

1:24:21

level security, they write, it is a huge improvement in security

1:24:24

compared to

1:24:28

passwords. Each of the

1:24:30

referenced, they say, colon, each of the referenced platforms applies

1:24:35

sophisticated risk analysis and

1:24:37

employ implicit or explicit second factors in authentication, thus

1:24:39

giving two factor like protections

1:24:42

to many of their users.

1:24:46

So this is FIDO saying, well, it's not

1:24:49

as good as physical keys. We're

1:24:51

kind of annoyed, but

1:24:54

look, it's gonna work. Like, maybe someone will

1:24:56

actually use FIDO because we're

1:24:58

gonna allow cloud syncing in

1:25:01

this level three

1:25:04

spec, and the people who

1:25:06

are doing the syncing are, you know, being responsible

1:25:08

enough. So

1:25:11

they said the shift from letting every service

1:25:13

fend for themselves with

1:25:16

their own

1:25:18

password based authentication system to relying on security

1:25:20

of the platform's authentication

1:25:23

mechanisms is how we

1:25:26

can meaningfully reduce the

1:25:28

Internet's overreliance on passwords

1:25:30

at a massive scale. In other words,

1:25:32

they're saying that

1:25:35

we will rely upon

1:25:37

the user authenticating to their own device, smartphone or

1:25:40

desktop, with

1:25:43

biometrics or whatever, rather

1:25:45

than authenticating to each remote site individually. And yes, that sounds

1:25:48

familiar. Finally,

1:25:52

they say, syncing FIDO

1:25:55

credentials, cryptographic keys, between devices may

1:25:58

not always be possible

1:26:01

For example, if the user

1:26:03

is using a new device from a different vendor, which doesn't sync with

1:26:05

the user's other

1:26:08

existing devices. In

1:26:11

such cases, the existence

1:26:13

of the above mentioned

1:26:16

standardized Bluetooth

1:26:18

protocol enables a convenient

1:26:21

and secure

1:26:24

alternative. Colon, If the

1:26:26

FIDO credential isn't readily available on the device from which the user is trying

1:26:28

to authenticate, the user

1:26:30

will likely have a device

1:26:35

for example, a phone nearby that does

1:26:37

have the credential. So

1:26:39

in other words, if

1:26:41

you're using Windows, and iOS won't sync to

1:26:44

Windows, then you can use

1:26:46

Bluetooth on your iOS device

1:26:48

to get the credential over into

1:26:51

Windows. They said the user will then

1:26:53

be able to use their existing device

1:26:55

to facilitate

1:26:57

authentication from their

1:27:00

new device.

1:27:00

Okay. So it appears that what

1:27:03

this press release and

1:27:05

these so called

1:27:08

passkeys, which,

1:27:10

again, as the white paper explains, don't actually have anything to do with FIDO. That is, the term doesn't.

1:27:12

It's just the

1:27:15

introduction of cloud syncing among

1:27:19

devices to facilitate the transport

1:27:21

of one's collection of

1:27:24

FIDO credentials from one device

1:27:26

to the next. The other p, well, in

1:27:28

the case of device loss, when you

1:27:30

get a new one, you re sync with

1:27:32

the cloud, and you get

1:27:34

all of your FIDO credentials back. The

1:27:37

other piece is that the FIDO Alliance appears to have formally

1:27:39

given up on the idea that we're all gonna go

1:27:42

out and purchase a

1:27:44

hardware FIDO token

1:27:46

when we all already own a smartphone that can serve the same purpose.

1:27:52

The use of a possibly

1:27:54

available Bluetooth link allows one smartphone to be

1:27:57

used to authenticate

1:27:59

to a website on

1:28:01

a desktop that does not contain a FIDO authenticator with one's

1:28:04

credentials. And as

1:28:09

we said, for clarity, that's what

1:28:11

SQRL provides for with a QR code and the smartphone's camera.

1:28:13

And yes, speaking

1:28:16

of SQRL, I

1:28:18

know that the heads of everyone out

1:28:20

there who understand SQRL is

1:28:22

exploding right now because FIDO

1:28:25

still falls very far short

1:28:27

of providing the complete solution that SQRL offers.

1:28:30

But having moved from

1:28:34

simple usernames and passwords

1:28:36

to password managers and multi factor

1:28:38

authentication, and then to OAuth third-party

1:28:41

authentication, we're now going

1:28:43

to get FIDO. Though

1:28:46

it will apparently be

1:28:49

popularly called passkeys.

1:28:51

From the samples I've

1:28:54

seen online, it appears that it will

1:28:56

still be necessary to first

1:28:58

identify oneself to the website

1:29:01

being authenticated to. So FIDO

1:29:04

with passkeys replaces

1:29:06

the password, but unfortunately

1:29:09

not the username. So it

1:29:11

will continue to be somewhat more cumbersome

1:29:13

in that

1:29:14

way. The way FIDO's

1:29:17

crypto works is

1:29:20

that it randomly synthesizes a public and private

1:29:22

key pair for each and every

1:29:24

website the user

1:29:27

wishes to authenticate with. And

1:29:30

it gives that site the public key to retain while the authenticator

1:29:32

stores the matching

1:29:35

private key for each subsequent

1:29:39

use for reauthenticating. So

1:29:42

it's this collection of

1:29:45

individual private

1:29:48

authentication keys which are now being

1:29:50

called passkeys, that Apple, Google, and Microsoft will be obtaining

1:29:52

and synchronizing

1:29:55

in the cloud for their users.

1:29:58

This provides for same

1:30:00

platform, cross

1:30:03

device, FIDO credential synchronization, which is

1:30:05

crucial for FIDO since

1:30:07

each new website

1:30:11

authentication creates another public private key

1:30:14

pair. And it provides for credential recovery in the event

1:30:17

of a

1:30:20

device's loss, and that's certainly needed

1:30:22

to create a practical system. As we know, I went

1:30:25

a different way

1:30:28

with SQRL. SQRL uses

1:30:30

a single master key, which can be printed and stored safely.

1:30:32

or could be loaded in

1:30:34

the cloud if you wanted, whatever.

1:30:38

From that one key, it deterministically

1:30:41

synthesizes unique per

1:30:44

site public and private key

1:30:46

pairs based upon the website's domain

1:30:48

name. And like FIDO, it

1:30:51

gives each website the

1:30:54

public key to use for future authentication.

1:30:56

But unlike FIDO, there

1:30:58

is no growing collection

1:31:01

of randomly synthesized per site private

1:31:03

keys that need to be retained

1:31:06

and cloud synced among

1:31:08

devices. So there's no need to

1:31:10

back up a large collection of private

1:31:12

keys to the cloud

1:31:14

or anywhere. The only thing a SQRL user ever needs for their identity to be secure

1:31:19

and fully recoverable on all websites

1:31:21

is on one piece of paper. And if you have multiple identities on multiple

1:31:24

devices, you can log in for

1:31:26

the first time on a

1:31:28

device, on

1:31:30

some other device that has your same SQRL

1:31:33

identity. And when you log

1:31:35

on

1:31:37

a different

1:31:39

device, the identity works because multiple devices

1:31:41

all synthesized the same private

1:31:44

key. So

1:31:47

backing off from that, overall, this

1:31:50

whole big announcement of

1:31:53

passkeys appears to have

1:31:56

been a World Password

1:31:58

Day timed press event

1:32:00

without much technology

1:32:03

to back it up. You

1:32:06

know, we're not getting SQRL. We, all of us, we're getting FIDO. And that means

1:32:08

we need cloud,

1:32:11

synchronized passkeys to

1:32:15

make FIDO's use practical. The good news

1:32:18

is we're gonna get

1:32:20

it. I'll be

1:32:22

interested to see how the, you

1:32:24

know, how the login

1:32:26

flow functions. The other big thing FIDO is missing is

1:32:32

it doesn't identify you to the

1:32:34

site. You still have to first identify yourself, then FIDO replaces

1:32:38

your password. SQRL did both, which was way more convenient. But

1:32:41

anyway, we're not getting SQRL,

1:32:43

we're getting FIDO, and

1:32:47

passkeys, you know, basically

1:32:49

makes FIDO feasible because you

1:32:51

have to be able,

1:32:53

since you are synthesizing

1:32:55

completely random keys for every site

1:32:58

you visit. You've got to

1:33:00

collect them. You've somehow

1:33:02

got to cross-device sync

1:33:04

them. And Apple, Google,

1:33:06

and Microsoft will be taking care of that for us. So it like

1:33:08

it's kind of

1:33:11

less secure than if

1:33:15

you used a YubiKey, I guess. Yes. This

1:33:17

is absolutely

1:33:19

the FIDO group, the

1:33:22

FIDO Alliance, compromising themselves down

1:33:24

from their ivory tower because they needed

1:33:26

to, because nobody wanted FIDO. Right. Yes.

1:33:28

Nobody was gonna do it.

1:33:30

You know? I mean, yes. High

1:33:33

level. I know that there are Google

1:33:35

employees who use their Titan keys -- Yep. --

1:33:38

to do things. But

1:33:40

you know, it's

1:33:42

not gonna succeed if everybody, but see, that's my other issue, is

1:33:44

not everybody has

1:33:47

a smart device. I

1:33:49

I guess, would this work if you didn't have -- It's

1:33:51

always possible to still use a

1:33:53

username and password. Oh, that

1:33:55

will never go away. Okay. Never

1:33:59

That's what people are gonna do. Yes.

1:34:02

Yeah. So, you know,

1:34:04

my favorite example, Leo,

1:34:06

is the person who said

1:34:09

I don't need a password manager. And

1:34:11

I said, well, you can't be using the same password everywhere. And

1:34:13

she said, oh, no.

1:34:16

I don't. And

1:34:19

I said, how do you

1:34:21

do that then? And she said,

1:34:23

well, when I'm creating an

1:34:25

account, I just bang on

1:34:27

the keyboard a

1:34:28

lot. And I said,

1:34:30

okay. And I said, so

1:34:33

how do you log in again? I mean, she

1:34:35

said, I forgot. There's always a little line there

1:34:37

that says I forgot my

1:34:39

password. Yeah. She said, and

1:34:42

I never knew it. So I did

1:34:44

forget

1:34:44

it. And she said, then

1:34:47

they sent me a link and I

1:34:49

log in

1:34:49

with that. And that's actually

1:34:52

that's fairly secure. Right?

1:34:54

I mean, honestly

1:34:56

yeah. Well,

1:34:58

you know, it's just an email,

1:35:01

you use an email confirmation in order

1:35:03

to reassert that you -- As long

1:35:05

as you don't lose control of your

1:35:07

email, you're okay. Correct. And that is

1:35:09

the segue to next week's picture of the week, which is already in the

1:35:12

document waiting to be displayed. You

1:35:14

don't have anything else, but that's

1:35:16

there. That's

1:35:20

right. Obviously, SQRL

1:35:23

would be much more

1:35:25

secure, but SQRL has a

1:35:27

similar problem, which is it is not trivially

1:35:29

easy to use. And for that reason, I think people are

1:35:31

gonna fall back to a

1:35:34

password for almost anything. Yeah.

1:35:37

Single sign-on is good. You know, I use Microsoft now

1:35:39

for login to Windows. As you know, it sends your

1:35:41

phone, an authenticator, a digit,

1:35:43

a two-digit number, you

1:35:46

say, yeah, I know that number. And you're in. That

1:35:49

seems like, is that the same

1:35:51

thing as this FIDO thing?

1:35:54

It's similar. Well, so

1:35:55

it's specific to Microsoft. That's right.

1:35:57

And, that's right. Yeah. And

1:35:59

so

1:36:01

we're looking for a

1:36:04

broad based solution which solves

1:36:06

the phishing and the I

1:36:08

forgot my password

1:36:10

problem. Right? Which is, you

1:36:12

know, easy to use.

1:36:14

The fact is we'll

1:36:15

have to see how what

1:36:18

the flow looks like. It is

1:36:22

certainly easy to do, you

1:36:24

know, login with Facebook, login with

1:36:26

Google. We know that that's horrific

1:36:29

from a tracking and privacy

1:36:31

standpoint. Right? Because -- Oh, I don't do that. -- you're bouncing. I've stopped

1:36:33

doing that entirely. Yes. Oh my god. And in

1:36:35

fact, I did hear you

1:36:38

on TWiT last Sunday

1:36:40

talking about how you were finally thinking, maybe you

1:36:42

should be taking privacy a little more -- Yes. -- seriously. Yes.

1:36:44

Then you

1:36:46

I I admitted I was

1:36:48

wrong. And that because these

1:36:50

data brokers selling information about

1:36:52

who visited planned parenthood over the past

1:36:54

week for a hundred and sixty bucks.

1:36:58

And what that does is

1:37:00

it puts you if you

1:37:02

live in Texas and there

1:37:04

are now other states and

1:37:07

soon it might

1:37:08

criminalizing, twenty three other states. Criminalizing

1:37:10

interstate travel for the purpose of terminating a pregnancy.

1:37:12

For a hundred

1:37:15

and sixty bucks, Anybody. Not any the

1:37:17

way this Texas law works, anybody can go after you. So there's now probably a brisk

1:37:20

business people

1:37:23

buying that information. And and

1:37:25

then suing you or law enforcement in in

1:37:28

in Tennessee, for

1:37:30

instance, going after you, or

1:37:33

I guess it's I guess it's

1:37:34

Louisiana. In any event, it's it suddenly became obvious that

1:37:37

the government is

1:37:39

now starting to go

1:37:41

after people for things that they shouldn't be. And it is

1:37:44

now

1:37:47

dangerous to leave this stuff on

1:37:50

And that's really I think that that is you're right. That's that's the takeaway is that given

1:37:53

a certain set

1:37:56

of of existing

1:37:58

laws, you could argue that

1:38:04

there, with those

1:38:06

laws, there's a a reduced risk from lack of privacy.

1:38:12

Yeah. But if if the laws

1:38:14

change Well, that's the problem. Exactly. And suddenly, the the previous assumptions

1:38:16

no longer hold under the

1:38:18

new regime. Exactly. And that's that

1:38:22

-- Yes. -- the day. If you trust the government,

1:38:24

no problem. I no

1:38:26

longer trust the government.

1:38:29

So, problem. Yeah.

1:38:30

And that's too bad. Yeah.

1:38:32

But now

1:38:33

we have to pay more attention. So

1:38:35

you've been right all along. I

1:38:38

was a wide eyed

1:38:40

optimist. I am no longer.

1:38:42

Steve, thank you as always. It's

1:38:47

always eye opening and always fascinating. Passkeys, I

1:38:49

think, have a huge future.

1:38:51

We're very excited about it

1:38:53

just a couple weeks ago. Google announced that

1:38:55

Chrome was gonna start supporting passkeys, so this is very

1:38:57

good news. I think SQRL would be

1:38:59

better. As you know, we

1:39:01

Steve and some fans know

1:39:04

better, but passkeys are better than

1:39:06

nothing and certainly better than passwords. Next, we're gonna talk about the Conti gang.

1:39:09

Did they

1:39:12

really retire? So last

1:39:13

Thursday, Advanced Intel is the name of this

1:39:16

organization,

1:39:16

ADVINTEL

1:39:20

dot IO

1:39:22

is their domain. Advanced Intel's

1:39:28

Yelisey Boguslavskiy,

1:39:31

tweeted: Today, the official website of Conti

1:39:34

ransomware was shut down.

1:39:37

This is last

1:39:39

Thursday, Making the end of notorious crime group, marking the

1:39:41

end of this notorious crime group,

1:39:43

he says it is truly

1:39:45

a historic day in the

1:39:48

intelligence community. And

1:39:50

the day after that, last Friday, they published their report exactly

1:39:52

what happened. There's so much

1:39:54

more to it than just

1:39:59

someone turned the site off that I felt certain our

1:40:02

listeners would find the details

1:40:04

fascinating. And their

1:40:07

report is titled Don't blame me,

1:40:10

although I

1:40:11

did perpetuate it, DisCONTInued: the

1:40:14

end of Conti's brand

1:40:17

marks new chapter for

1:40:19

cybercrime landscape. And the top of their report teases reading

1:40:22

from the negotiations site

1:40:26

chat rooms, messengers to

1:40:28

servers and proxy hosts, the

1:40:31

Conti brand, not the

1:40:33

organization itself, is shutting down.

1:40:36

How does this how oh, he

1:40:38

says I'm sorry. However, this does not

1:40:40

mean that the

1:40:42

threat actors themselves are retiring. Okay? What does that what does mean?

1:40:44

Advanced intel apparently rushed

1:40:47

out their report. It

1:40:49

contained some typos, misspelling,

1:40:52

and grammatical awkwardness, and they

1:40:54

may not be native English speakers. So in order to in order to share it with the podcast,

1:40:56

I cleaned it up a bit,

1:40:58

but otherwise, it remains what they wrote.

1:41:02

And I think everyone's gonna

1:41:04

find it interesting. They said

1:41:07

on May nineteenth, the

1:41:10

admin panel of the Conti ransomware

1:41:12

gang's official website, Conti

1:41:14

News was shut down.

1:41:17

The negotiation service site was

1:41:19

also down while the rest of the infrastructure

1:41:21

from chat rooms to messengers and

1:41:24

from servers to proxy hosts

1:41:26

was going through a massive reset.

1:41:29

Conti News, a shame blog, is the last

1:41:31

beacon of the group's public

1:41:36

operation. Where victim data was

1:41:38

being published. It also served as a media tool that Conti used

1:41:41

for their endless

1:41:44

public statements one of

1:41:46

which led to the gang's downfall. We'll get to that in a minute. I have a snapshot of it later the

1:41:52

show notes. They said, this

1:41:54

publicity function of the blog is still technically active, and this

1:41:56

activity as shown

1:41:59

below is highly strategized. At

1:42:02

the time of this publication, May twentieth,

1:42:05

twenty twenty two, Conti was

1:42:07

even uploading anti

1:42:10

Americanist hate speech claiming the USA to be, quote,

1:42:12

a cancer on the body

1:42:14

of the earth, unquote. This

1:42:18

however only manifests that the website is an empty shell.

1:42:21

At the same time,

1:42:23

the crucial operational function

1:42:27

of Conti News which was to upload

1:42:30

new data in order to intimidate victims to pay is defunct.

1:42:33

As all

1:42:36

the infrastructure related to

1:42:38

negotiations, data uploads, and hosting of stolen data was shut down.

1:42:45

Okay. So, and this shutdown they

1:42:47

wrote highlights a simple

1:42:52

truth that has been evident

1:42:54

for the Conti leadership since early spring of this year.

1:42:59

The group can no longer sufficiently support and obtain

1:43:02

extortion. The blog's

1:43:05

key and only

1:43:08

valid purpose is to leak new

1:43:10

data sets and this operation is now gone. This

1:43:13

was not a

1:43:16

spontaneous decision. They write

1:43:18

instead, it was a calculated move. Signs of which were evident since

1:43:24

late April. Two weeks ago on

1:43:26

May sixth, Advanced Intel explained that the Conti brand

1:43:28

and not the organization

1:43:30

itself was in the process

1:43:34

of the final shutdown.

1:43:36

As of May nineteenth, twenty

1:43:38

twenty two, our exclusive source

1:43:41

intelligence confirms that

1:43:44

today is Conti's official date

1:43:46

of death. In this retrospective analysis,

1:43:49

we will not only

1:43:51

take the reasons behind the Conti

1:43:53

shutdown, but perhaps most importantly

1:43:56

assess and

1:43:59

project future of a new threat landscape that

1:44:01

is already on the horizon. But first, we need to review how

1:44:04

Conti prepared for

1:44:07

its own demise and how this

1:44:09

group, notable for its

1:44:11

sophistry, continued to

1:44:14

utilize information warfare techniques to

1:44:16

orchestrate the shutdown until its final

1:44:18

days in order to ensure the legacy of

1:44:23

its surviving members. They

1:44:26

explained, shutting down ransomware's iconic criminal brand is a

1:44:29

long and

1:44:32

complicated venture. A

1:44:34

notorious and prolific threat group cannot simply turn off its servers

1:44:37

only to pop

1:44:40

back up the

1:44:42

following week with a new

1:44:44

name and logo design.

1:44:46

Even a whisper of

1:44:48

novel threat group activity following

1:44:51

the announcement of Conti's demise would

1:44:54

likely spark immediate accusations

1:44:57

of poorly executed identity

1:44:59

theft. At immediate comparisons between the

1:45:02

two would would permanently

1:45:04

leave the new

1:45:06

group in Conti's ghostly

1:45:08

shadow. The

1:45:10

collective that fell and the one which emerged. And I'll note that, you know, we've

1:45:12

seen and commented

1:45:15

on exactly this with

1:45:18

previous ransomware operations. So

1:45:21

these guys said, REvil,

1:45:24

DarkSide, and countless

1:45:26

other collectives attempted the disappearing act, the

1:45:29

simple approach failed

1:45:32

miserably. As what was

1:45:34

one of the predominant ransomware

1:45:36

groups active at the time,

1:45:38

Conti realized that an element of performativity,

1:45:40

they wrote, would

1:45:43

need to be involved. Where

1:45:45

other groups had been attempting a grand stunt with smoke

1:45:47

and mirrors, Conti would try a

1:45:51

sleight of hand. Conti

1:45:54

would not be itself without its project front man,

1:45:56

an individual operating

1:45:59

under the alias Reshev,

1:46:04

AKA gangster. Besides being

1:46:06

a talented coder, they were

1:46:10

behind that, this Reshev was behind the original

1:46:12

Ryuk payload, this person was

1:46:14

an outstanding organizer.

1:46:17

It was Reshev who set the foundation

1:46:20

for Conti's dominance in the

1:46:22

cybercrime business by creating an

1:46:24

organizational system

1:46:27

based on skill, framework, clear business

1:46:30

processes, hierarchy, and clear foresight.

1:46:33

It's not surprising

1:46:36

that Reshev was

1:46:38

the first who saw Conti's

1:46:40

structural challenges. Due to the

1:46:42

group's public allegiance to Russia,

1:46:45

in the first days

1:46:47

of the Russian invasion into Ukraine, Conti was

1:46:50

unable to be paid.

1:46:54

Since February,

1:46:56

almost no payments were given

1:46:58

to the group. While Conti's

1:47:00

locker, you know, their

1:47:02

the slang for malware, became

1:47:05

highly detectable and was

1:47:07

rarely being

1:47:07

deployed. The

1:47:10

only possible decision was to rebrand.

1:47:12

For over two

1:47:13

months, the Conti collective has been

1:47:16

silently creating

1:47:20

subdivisions that began operations before

1:47:22

the start of the shutdown process. These subgroups

1:47:27

either utilized existing Conti alter egos

1:47:29

and locker malware or took the opportunity to

1:47:32

create new

1:47:35

ones. This decision was convenient for Conti

1:47:37

as they already had a couple

1:47:39

of subsidiaries operating under

1:47:42

different names: Karakurt, BlackByte,

1:47:46

and Black Basta. The rebranded version of

1:47:52

Conti, the monster splitting

1:47:54

into pieces, but still very much alive, ensured that whatever

1:47:56

form Conti's

1:48:00

affiliates chose to take. They

1:48:02

would emerge into the public eye

1:48:04

before news

1:48:07

of Conti's obsolescence could spread.

1:48:10

Thus controlling the narrative

1:48:15

around the dissolution as well

1:48:18

as significantly complicating any future threat attributions.

1:48:22

And then

1:48:24

they wrote, this is where the plans

1:48:26

for what was left of Conti became increasingly complex. In

1:48:29

order to hide

1:48:32

the fact that Conti was

1:48:34

now dispersed and operating via smaller, more novel brands,

1:48:36

the former affiliates

1:48:39

of the gang had to

1:48:42

now convincingly simulate the actions of a dead brand. Conti's remaining

1:48:48

infrastructure operated like an

1:48:50

army preparing for an ambush. Lingering actors were left to keep their fires lit

1:48:53

visible from behind

1:48:56

enemy lines. Meanwhile,

1:48:58

hidden from view, Conti's most skilled agents instead lay low

1:49:01

in a

1:49:04

nearby encampment biding

1:49:06

their time while watching and smoke particularly

1:49:08

emulating the movements

1:49:11

of an active group. Conti

1:49:15

continued to publish documents stolen

1:49:18

from victims, most likely

1:49:20

targets hit earlier with attacks and

1:49:22

lined up in a sort of

1:49:24

queue waiting for public

1:49:27

release and campaigned hard for themselves on

1:49:32

criminal forums. Their public

1:49:34

persona boasted a strong and enduring foundation, even one that was

1:49:36

willing to further

1:49:39

expand the group's

1:49:40

operations. From

1:49:42

the perspective of Conti's posting

1:49:44

history, the group appeared to

1:49:47

be as strong

1:49:49

as ever. Okay. Then they shared

1:49:51

a snapshot of a long and quite rambling chest thumping post from March thirtieth

1:49:56

where a Conti representative talks

1:49:58

up the group's successes, even seeking to recruit new affiliates, all

1:50:02

apparently just smoke screen.

1:50:05

Then they continue. However, in order to pull off their ultimate

1:50:07

tactical maneuver, the agents

1:50:11

left behind to operate from

1:50:14

within Conti's massive empty shell, now had to ensure that their antics would

1:50:16

be would

1:50:19

successfully lure attention away from

1:50:23

their escaping comrades. To do this,

1:50:25

they had to be certain that

1:50:27

they left bait big

1:50:30

enough to satisfy all of the opposing forces

1:50:32

stretching his analogy, Conti would

1:50:34

have to perform a grand

1:50:38

finale, one big enough to live up to the group's

1:50:41

name. And finally, on

1:50:43

May eighth, Costa

1:50:46

Rican president Rodrigo Chaves

1:50:48

declared a national emergency as the

1:50:51

result of a major cyber attack executed by

1:50:54

the Conti ransomware gang.

1:50:58

The massive attack which took

1:51:00

place against multiple Costa Rican

1:51:02

government agencies seems almost like

1:51:04

a last ditch effort by

1:51:06

the group to squeeze a few more drops of riches

1:51:09

from foreign government funds.

1:51:11

However, Advanced Intel's

1:51:15

unique adversarial visibility and intelligence findings led

1:51:17

to what was in fact

1:51:20

the opposite

1:51:23

conclusion. The only goal Conti had

1:51:25

for this final attack

1:51:27

on Costa Rica was

1:51:32

to use the platform as

1:51:34

a tool to publicly perform their own

1:51:38

death and subsequent rebirth.

1:51:41

Advanced Intel has been tracking the preparations

1:51:43

for this attack since April fourteenth. Days

1:51:48

before even the initial

1:51:50

compromise. Our provincial alert was sent on April fifteenth three

1:51:56

days before the first

1:51:58

incident compromising Costa Rica's Ministry of Finance occurred. Their

1:52:04

report Okay. And so okay.

1:52:06

So so they said that. Now then their report links to a tweet thread in Spanish,

1:52:08

but it appears to be

1:52:11

dated from the eighteenth. But

1:52:15

they then provide a screenshot, which

1:52:17

indeed appears to substantiate a

1:52:19

three day early

1:52:21

warning of an impending

1:52:23

attack. In our pre

1:52:26

and post attack investigation,

1:52:29

we have found three

1:52:31

things. First, the agenda to conduct

1:52:33

the attack on Costa Rica for

1:52:36

the

1:52:37

purpose of publicly instead of

1:52:40

ransom I'm

1:52:41

sorry. For the purpose of

1:52:43

publicity, instead of

1:52:46

ransom was declared internally

1:52:49

by the Conti leadership. Second,

1:52:51

internal communications between group members suggested

1:52:53

that the requested

1:52:56

ransom payment was

1:52:58

far below one million US

1:53:01

dollars despite unverified claims

1:53:03

of the ransom being ten

1:53:05

million US dollars followed by

1:53:07

Conti's own claims that the sum

1:53:09

was twenty million dollars. A low

1:53:11

demand such as this

1:53:13

made to a state entity no less

1:53:15

was only made with the knowledge that the

1:53:17

group would never see payment for the ransom

1:53:20

either way. You

1:53:22

know, because their payment had on the against Russia

1:53:24

and by their

1:53:27

pronounced affiliation with Russia. And

1:53:31

third, Conti was very vocal about

1:53:34

the

1:53:34

attack, constantly adding new political

1:53:37

statements. And, you know,

1:53:39

that's this kind of junk

1:53:41

that we talked about

1:53:43

last week. They say the attack on Costa Rica indeed brought Conti

1:53:47

into the spotlight. And helped

1:53:50

them to maintain the illusion of life for just a bit while

1:53:52

the real restructuring

1:53:55

had already taken place. While

1:53:59

Conti had been busy with its diversion

1:54:01

tactics, other brands such

1:54:03

as Karakurt, BlackByte, and

1:54:06

numerous other groups which existed as

1:54:08

extensions of Conti, but without

1:54:10

taking the group's name were

1:54:13

extremely operationally active, although working in silence.

1:54:15

Working concurrently with them,

1:54:19

talented infiltration specialists who

1:54:23

were in who were ultimately the backbone of

1:54:25

Conti's gang were also more

1:54:28

active than

1:54:30

ever, forming alliances with BlackCat, AvosLocker,

1:54:33

Hive, HelloKitty,

1:54:36

FiveHands, and

1:54:38

a whole other cadre of

1:54:41

ransomware groups. These pen testers maintain personal

1:54:43

loyalty to the

1:54:46

people who created Conti

1:54:49

but ultimately continued their work with other gangs in

1:54:51

order to fully shed Conti's name and

1:54:56

image. The situation presents the

1:54:58

first and foremost reason for Conti's timely end,

1:55:04

toxic branding. Indeed, the first two months of

1:55:06

twenty twenty two left a major mark on the Conti

1:55:08

name. While there's no

1:55:11

tangible evidence to suggest that

1:55:14

the well known Conti leaks had any impact on the group's operations, the event provoked

1:55:20

the leak. Conti's claim to

1:55:22

support the Russian government seems to have been the fatal blow

1:55:24

for the group

1:55:27

despite being revoked almost

1:55:32

immediately. And we noted that at

1:55:34

the time, remember that Conti posted

1:55:36

the Conti team is officially

1:55:39

announcing a full support of Russian government. If

1:55:41

anybody will decide to

1:55:44

organize a

1:55:47

cyberattack or any war activities against Russia, we

1:55:49

are going to use all

1:55:51

our all possible resources to

1:55:54

strike back at the critical infrastructures

1:55:57

of an enemy. That

1:56:00

statement

1:56:01

had several key

1:56:03

consequences. Advanced Intel

1:56:03

wrote, all of which deeply

1:56:06

reshaped the environment Conti was operating

1:56:08

within. First,

1:56:11

by engaging in political discourse,

1:56:13

Conti broke the first

1:56:15

unspoken rule of

1:56:17

the Russian speaking

1:56:20

cybercrime community which is not to

1:56:22

intervene in state matters. In Advanced Intel's public blog

1:56:24

regarding REvil's ultimate takedown

1:56:27

by the Russian government, Advanced

1:56:30

Intel provided an in-depth analysis

1:56:33

of this unspoken agreement,

1:56:35

making case studies of

1:56:37

the two most notable

1:56:39

groups to break it. Avaddon and REvil.

1:56:41

With the ongoing Russian invasion of Ukraine, it

1:56:43

may be very plausible

1:56:47

that Russia's state security apparatus is attempting to exert

1:56:49

governmental control over its

1:56:52

cyberspace, even

1:56:54

taking down groups that appeared to have been allies,

1:56:56

but who exhibited undue

1:56:58

independence with their actions.

1:57:03

Advanced intel has seen internal communication of the

1:57:05

Conti leadership suggesting that the

1:57:07

Russian FSB had

1:57:09

been pressuring the group and even though

1:57:11

non factual evidence was involved, the REvil

1:57:14

scenario may have simply repeated

1:57:16

itself with

1:57:18

Conti. The group's brand becoming a target for

1:57:20

Russian authorities despite their

1:57:23

pledged loyalties. Second, Conti's

1:57:25

allegiance to the Russian

1:57:27

invasion of Ukraine provoked internal

1:57:30

conflict and brought shame on the Conti name

1:57:32

from members who

1:57:35

were either ethnically Ukrainian or

1:57:39

were Russian but supported Ukraine simply

1:57:41

wanted to maintain an anti

1:57:44

war ethic. Considering

1:57:46

that one of these members decided

1:57:48

to betray the gang and

1:57:51

leak private Conti chat

1:57:53

logs We talked about that

1:57:55

too, not long after the conflict began, this illustrated the final nail in

1:57:58

Conti's self made coffin.

1:58:02

The third and most important factor by

1:58:05

pledging their allegiance to

1:58:07

the Russian government, Conti

1:58:09

as a brand, became associated

1:58:11

with the Russian state, a

1:58:13

state that is currently undergoing

1:58:15

extreme sanctions. In the eyes

1:58:17

of the state, each ransom payment going

1:58:20

to Conti may have potentially

1:58:22

gone to an individual under sanction.

1:58:26

Turning simple data extortion

1:58:28

into a violation of

1:58:31

OFAC regulation and sanction

1:58:33

policies against Russia. This liability

1:58:35

came to a head on May sixth

1:58:37

when the US state department

1:58:39

offered rewards up to ten

1:58:41

million US dollars for information

1:58:44

that led to the takedown of

1:58:46

the Conti group. As a result of these limitations, Conti had essentially cut

1:58:48

itself off from the

1:58:51

main source of income. They

1:58:54

wrote our sensitive source intelligence

1:58:56

shows that many victims were

1:58:59

prohibited from paying ransom

1:59:01

to Conti. Other victims and companies who would

1:59:04

have negotiated ransomware payments were

1:59:06

more were more ready to

1:59:08

risk the financial damage of

1:59:10

not paying the ransom than they were to make payments to a sanctioned entity.

1:59:15

As Advanced Intel previously

1:59:18

stated the end of the Conti brand does

1:59:20

not equal the end of

1:59:22

Conti as an organization. As

1:59:24

seen with the Costa Rica case,

1:59:26

Conti has been carefully planning its

1:59:29

rebranding for several months,

1:59:31

preparing a comprehensive strategy

1:59:33

to execute it. This strategy is based

1:59:35

on two pillars. First, Conti is

1:59:38

adopting a network organizational

1:59:43

structure more horizontal and decentralized

1:59:46

than the previously rigid Conti hierarchy.

1:59:48

This structure will

1:59:51

be a coalition of

1:59:54

several equal subdivisions, some

1:59:56

of which will be independent,

1:59:58

and some existing within another

2:00:01

ransomware collective. However, they will all

2:00:03

be united by internal loyalty to both

2:00:06

each other and the Conti

2:00:08

leadership, especially

2:00:12

Reshev. At this point, this

2:00:14

network includes the following groups. The first type being

2:00:16

autonomous

2:00:19

No no malware locker involved, pure data

2:00:22

stealing. That's Karakurt, Black

2:00:27

Basta, and BlackByte. The second type being

2:00:30

semi autonomous, acting as Conti-loyal collective affiliates

2:00:32

within other collectives in

2:00:35

order to use their malware

2:00:38

locker. That's ALPHV, or Alf five maybe,

2:00:40

BlackCat, Hive

2:00:43

Hello

2:00:43

Kitty, FiveHands and

2:00:47

AvosLocker.

2:00:48

The third, type being

2:00:50

independent affiliates working individually

2:00:53

but keeping their loyalty

2:00:55

to the organization. And finally,

2:00:57

the fourth type being mergers and acquisitions where

2:00:59

Conti leadership infiltrates a

2:01:03

preexisting minor brand and

2:01:06

consumes it entirely, keeping the small brand name in place. The small grapes

2:01:09

the small group's leader

2:01:11

loses their independence but

2:01:15

receives a massive influx of manpower while

2:01:17

Conti obtains

2:01:19

a new subsidiary

2:01:22

group. This is different from ransomware as

2:01:24

a service. Since this network, at

2:01:26

least at the time of writing does

2:01:29

not seem to be accepting new members

2:01:31

as part of its structure. Moreover,

2:01:33

unlike ransomware as a service, this model seems

2:01:35

to value operations being executed in

2:01:38

an organized team led

2:01:40

manner. Finally,

2:01:43

unlike ransomware as a service,

2:01:45

all the members know each other

2:01:47

very well personally and are

2:01:49

able to leverage these

2:01:52

personal connections and the loyalty they bring.

2:01:54

And implied in that, of course, would be some protection against

2:01:56

US based

2:01:59

bounties against their members if they're,

2:02:01

you know, maintain a loyal

2:02:03

cohesive group. You

2:02:06

know, one turns one in, and they they're

2:02:08

subjecting themselves to similar

2:02:11

reprisal. And finally, they finished

2:02:14

this model is more flexible and adaptive

2:02:16

than the previous Conti hierarchy,

2:02:18

while also being more secure

2:02:20

and resilient than

2:02:23

ransomware as a service. And finally, the

2:02:25

other major development for this new ransomware model is

2:02:27

a transition from and

2:02:30

this is really interesting. From

2:02:33

data encryption to data

2:02:35

exfiltration, covered extensively by

2:02:40

advanced intel in our analysis

2:02:42

of Karakurt and BlackByte. In a nutshell, relying

2:02:45

on pure

2:02:48

data exfiltration maintains most

2:02:50

major benefits of a data encryption operation

2:02:52

while avoiding the

2:02:55

issues of a locker

2:02:58

altogether. Most likely,

2:03:00

this will become the

2:03:02

most important outcome of

2:03:05

Conti's rebrand. The actors that formed

2:03:08

and worked under the Conti name

2:03:10

have not and will not

2:03:12

cease their forward movement within

2:03:14

the threat landscape. Their impact will simply leave

2:03:16

a different shape. So

2:03:18

to our listeners, if

2:03:21

anyone in your cyber sphere

2:03:24

announces that Conti has shut down

2:03:26

and disbanded. Well, now we know

2:03:28

better. It

2:03:30

appears that earlier this year as a consequence

2:03:33

of of, you know,

2:03:35

we've talked previously

2:03:37

about the entire reason that

2:03:39

ransomware has has come into

2:03:42

existence, whether it be

2:03:46

encrypting malware, or exfiltrating and holding that

2:03:48

data for ransom, it's the ability

2:03:50

to get paid thanks to

2:03:53

cryptocurrency, which has, you

2:03:55

know, made that practical from

2:03:57

a from an

2:03:59

underworld standpoint. But the sanctions against Russia, Conti's original

2:04:04

proclamation that they were

2:04:06

standing with with with Russia,

2:04:08

essentially cut them off from

2:04:10

extra Russian payment of cryptocurrency into

2:04:15

them and that set

2:04:17

them on a multi month

2:04:19

course to to basically

2:04:21

kill Conti off while continuing to

2:04:23

function as a viable ransomware

2:04:28

organization learning

2:04:31

from the mistakes they'd made before, changing their

2:04:33

structure, and probably, apparently,

2:04:36

changing the nature

2:04:38

of, you know, what they do maliciously.

2:04:40

Well, they're not fooling

2:04:43

anyone. Okay? That's

2:04:46

the truth. We know better.

2:04:48

Not so cool, was the

2:04:50

news of last week's

2:04:53

LastPass breach announcement which, as I've mentioned

2:04:55

before, overwhelmed my Twitter feed.

2:04:58

So I wanted to

2:05:00

lead with this because so

2:05:02

many of our listeners, myself included,

2:05:04

are using LastPass. So I had,

2:05:06

as a consequence, also received an

2:05:11

email from LastPass, the current

2:05:13

LastPass CEO and I I say current because it's

2:05:16

been it's

2:05:19

been jumping around somewhat recently. A guy

2:05:22

named Karim Toubba had the following to say

2:05:24

in their online

2:05:27

blog posting, which echoed the email that

2:05:29

he sent to everyone. He said, I want to inform you of a development that we

2:05:31

feel is important for

2:05:35

us to share with our LastPass

2:05:37

business and consumer community. Two weeks ago, we detected some

2:05:40

unusual activity within

2:05:43

portions of the LastPass development environment.

2:05:46

After initiating an immediate

2:05:48

investigation, We've

2:05:50

seen no evidence that this incident involved

2:05:53

any access to customer

2:05:55

data or encrypted password

2:05:57

vaults. We've determined that an unauthorized party gained access to portions of the

2:05:59

LastPass development environment

2:06:04

through a single, compromised developer account

2:06:07

and took portions of source code and

2:06:09

some proprietary

2:06:11

LastPass technical information. In

2:06:15

response to the incident, we've deployed

2:06:17

containment and mitigation measures

2:06:19

and engaged a leading

2:06:22

cybersecurity and forensics firm. While our

2:06:25

investigation is ongoing, we've achieved a state

2:06:27

of containment, implemented additional enhanced security

2:06:31

measures unauthorized activity. Based on

2:06:33

what we've learned and implemented,

2:06:36

we are evaluating

2:06:39

further mitigation techniques to strengthen our environment.

2:06:41

We've included a brief

2:06:43

FAQ below of what we

2:06:45

anticipate will be the most

2:06:47

pressing initial questions and concerns from you. We will

2:06:50

continue to update you with the

2:06:52

transparency you

2:06:55

deserve. Thank you for your patience understanding and support. So,

2:06:57

note that there's not a

2:07:00

categorical denial. That

2:07:03

anything like password vaults. It's

2:07:05

just no evidence of. Right.

2:07:08

So I feel like there's

2:07:11

we we're not completely out of the woods. That I'd like

2:07:13

to know that there

2:07:14

is, in fact, not merely no

2:07:16

evidence of, but

2:07:19

it didn't happen. Okay? I'm

2:07:21

I'm curious what you think about that. The other thing is I think this is part of the

2:07:23

the Twilio breach that this

2:07:26

is a follow on On

2:07:29

the Twilio hack, which turned out to really be problematic, it was pretty

2:07:31

deep because so many people used Twilio

2:07:34

for authentication and other. You

2:07:38

know, texting. So so, of course, that we have the the problem of proving a negative. So,

2:07:41

you know, lack

2:07:44

of evidence is

2:07:46

there evidence of lack and so forth? Right.

2:07:48

Okay. So so the the short version of

2:07:50

the FAQ, I I don't I'm not

2:07:52

bothering to share it all. TWiT it was

2:07:55

basically that there that they

2:07:57

believe there is to be

2:07:59

zero impact upon LastPass

2:08:01

users you know, no need to

2:08:03

change do or sure they're

2:08:06

unhappy that this occurred

2:08:10

since, you know, I'm sure that they

2:08:12

hold their proprietary information in high

2:08:14

regard and don't want attackers to

2:08:17

snooping around in it. But we've

2:08:19

always known since I first

2:08:21

checked out the technology that

2:08:23

Joe Siegrist originally designed

2:08:26

is that so long as

2:08:29

the LastPass code that

2:08:31

runs our local browser vault is

2:08:35

not itself compromised. No.

2:08:38

And that's the that's the key. I

2:08:40

mean, that's the that's the golden

2:08:42

goose there. Is the is the

2:08:45

the the script in our browser

2:08:47

that knows how to decrypt the local copy

2:08:49

of the vault. As long

2:08:51

as that's not compromised, the

2:08:54

only thing we're providing to

2:08:56

LastPass, the only thing

2:08:58

they have of ours to

2:09:00

lose is a very well

2:09:02

protected encrypted blob of entropy. One

2:09:06

from each of their users. You know, that's what they hold for us in the cloud, which allows them to

2:09:08

link all of

2:09:11

our devices together. And

2:09:14

I'm sure this is no

2:09:17

longer unique technology. I don't know

2:09:19

that it was back then,

2:09:21

but although I haven't looked,

2:09:23

I would imagine and hope that's what every other manager also

2:09:28

does. Because it's the

2:09:30

only way to do what we all want safely. We

2:09:32

know that LastPass

2:09:35

uses a strong many

2:09:37

iteration PBKDF, you know, a password based key derivation

2:09:40

function, which runs

2:09:42

in our local browser to

2:09:46

encrypt all of our password data before it ever leaves our local machine. You need

2:09:48

to have a good strong

2:09:50

password to protect your vault if

2:09:55

you have that, you're as safe as

2:09:57

you could be. And

2:09:59

presumably, you know, adding any

2:10:01

of their other security measures such as

2:10:03

multi factor authentication, hardware, dongles,

2:10:05

etcetera, only strengthens things

2:10:07

from there.

2:10:08

But this

2:10:10

leaves us

2:10:11

with the question. With LastPass having admitted to

2:10:13

having one of their developer accounts

2:10:16

breached, should we

2:10:19

change password managers? You

2:10:21

know, I was asked that directly by many of our listeners. And it's a

2:10:24

worthwhile question. Lacking

2:10:29

any additional information and no additional information is available

2:10:31

at this point, I think

2:10:34

that's an emotional decision rather

2:10:38

than a rational decision, which is

2:10:40

not to be discounted. I mean, I you

2:10:42

could argue that the human race is

2:10:45

here because of the result of

2:10:47

emotional decisions. You could argue, God, trust no one is an emotional decision too,

2:10:49

I guess. Right? Yes.

2:10:51

Yes. So the reason I

2:10:53

think that that is this

2:10:56

is that we that we need

2:10:58

a rational decision is that, you know, because there's no there's

2:11:03

no factual basis currently for knowing

2:11:05

about what matters to make an

2:11:08

informed decision, it

2:11:11

would be necessary to deeply understand the

2:11:14

company's policies and procedures,

2:11:17

like as

2:11:20

an insider, and to know

2:11:22

exactly how this particular breach occurred. They're not saying.

2:11:24

Their policies and

2:11:27

procedures would tell us how

2:11:30

they have set up the barriers,

2:11:32

which hopefully exist between

2:11:34

their developer resources and their

2:11:37

production services. Yeah. I hate to tell you that it's

2:11:39

so easy that all we have to

2:11:42

do is social engineer one

2:11:44

person, and it's all -- Yes. --

2:11:46

gone. Right? And Leo, just look at what we just learned about the way Twitter

2:11:48

operates. Yeah. You know, it's like

2:11:50

-- Right. -- trap. Okay. But

2:11:54

but then you would also need to know that

2:11:57

same thing about the

2:11:59

password manager you

2:12:01

were considering switching to. Again, an

2:12:04

emotional decision needs no

2:12:06

justification whereas a rational

2:12:09

decision is only

2:12:12

about justification. Now,

2:12:14

I've always been careful to draw a clear distinction between policies and mistakes.

2:12:19

Policies are deliberate. Mistakes.

2:12:22

Well, they're mistakes. When you're

2:12:24

an employer, for example, and this is

2:12:26

the example you and I've often

2:12:28

used Leo, you know, and

2:12:31

an employee screws up. Do you fire them

2:12:33

because they screwed up? Or do you consider that they

2:12:35

made a mistake and have learned

2:12:38

a valuable lesson from

2:12:40

it? You know, if as a

2:12:42

consequence of having made a mistake, they're now a better and more valuable employee.

2:12:44

Why give them

2:12:47

to your competition? So,

2:12:50

unfortunately, we don't know enough about the inner workings of LastPass to make

2:12:53

an informed decision

2:12:56

about switching. You

2:12:59

know, should we now be more or

2:13:01

less afraid? How does their

2:13:03

actual policy and behavioral

2:13:06

security after this incident compare

2:13:09

to the actual security available elsewhere? Well,

2:13:11

and there's an interesting comparison because it's believed

2:13:15

that the same nation hacker who did the Twilio attack,

2:13:18

we know DoorDash was attacked by

2:13:20

the same

2:13:22

guy. They say yes. But Okta, Signal, and

2:13:24

LastPass. All all breached at roughly

2:13:27

the same time using

2:13:29

similar social engineering

2:13:32

attacks. So but who the one

2:13:34

who wasn't, but was attacked was Cloudflare. Remember this? You had this story last week, I think.

2:13:39

They use YubiKeys. And because

2:13:41

they use strong security, even though the social

2:13:43

engineering attack worked, it

2:13:47

didn't compromise them. Yep.

2:13:50

So that's that's the that's the

2:13:52

kind of thing I'd like to see

2:13:54

from LastPass. Yes. Right. And and

2:13:56

and in his note, he was

2:13:58

noncommittal. I mean, he wasn't specific. He

2:14:01

talked about, you know, increasing their

2:14:03

security and tightening their

2:14:05

boundaries and things. It's like, okay.

2:14:07

Again, it's So so so we

2:14:10

have we have an

2:14:11

example, but

2:14:13

again, to to

2:14:15

make a change you

2:14:18

need to know about where you're changing to, just as much as you need to know about where you're changing from.

2:14:20

So, you know, if

2:14:22

LastPass learned a valuable lesson,

2:14:27

That's great. But I have no idea

2:14:29

and neither does anyone else. Their

2:14:31

track record is all we

2:14:34

really have to go on and it's been good so far because

2:14:36

the security architecture is good

2:14:38

and it's the security architecture

2:14:41

that I'm

2:14:44

relying upon.

2:14:44

At the same time, as

2:14:46

I said, presumably everybody else's security architecture is equally sound

2:14:48

because none of this

2:14:50

should be rocket science anymore.

2:14:53

Would you recommend, if I was

2:14:56

changing your LastPass password at this point,

2:14:58

would

2:14:58

that be a reasonable response rather than changing your

2:15:01

remaining. No. No. I I don't

2:15:03

see how that has any effect

2:15:05

because because it's the password which

2:15:08

is used only locally -- Right. -- to

2:15:10

encrypt the blob which we send there. They don't have access to that. Or No. They

2:15:12

they they never have

2:15:15

they don't want it. That

2:15:18

was, you know, Joe's original comp you know, his original concept. So if I were starting out today,

2:15:21

all other things

2:15:24

being equal I

2:15:26

would probably choose Bitwarden. You know,

2:15:28

being open source. We gotta say

2:15:31

yes. That's not why you're choosing

2:15:33

them, I'm sure. No. And in fact, you

2:15:35

know, being open source, I'd be able

2:15:37

to do the same sort of security

2:15:40

architecture vetting -- Right. -- that

2:15:42

I once did with LastPass' designer

2:15:44

Joe Siegrist. Right. As we all

2:15:46

know, as Jen, as you just

2:15:48

said and reminded us, Bitwarden is

2:15:50

currently a sponsor of the TWiT network, and

2:15:52

I think that's great. Though it's worth noting

2:15:54

that LastPass had never been a sponsor here at the

2:15:58

time I chose them. Yes. I

2:16:00

chose them too because you chose them. I

2:16:02

think many years later, I figured it came to us. Yeah. Yeah. You

2:16:05

know, I chose

2:16:07

them because it was more open than everyone else,

2:16:09

which allowed me to understand exactly how their system worked and

2:16:12

why it was the proper design.

2:16:14

It's kind of ironic because if in

2:16:16

fact what

2:16:18

the bad guys got from LastPass

2:16:20

is the source code. They weren't so

2:16:22

open source. They they got that

2:16:25

already. Is it right? He's right?

2:16:27

And and in a properly designed system, it shouldn't matter. It shouldn't matter. Exactly.

2:16:32

Yeah. Yeah. So anyway, many

2:16:34

of the flood of DMs I received

2:16:36

last Thursday asked whether I was still using

2:16:38

LastPass and if so, whether I was now planning to

2:16:40

change. Security Now,

2:16:42

podcast number two hundred and fifty

2:16:44

six. I love that it was two to the

2:16:46

power of eight, was dated July ninth, twenty

2:16:51

ten, and it was titled

2:16:53

LastPass Security. The little summary description for it

2:16:55

on TWiT says Steve

2:16:59

thoroughly evaluates LastPass, explains

2:17:01

why high security passwords are

2:17:03

necessary, and tells us how

2:17:06

LastPass makes storing those passwords secure.

2:17:08

So it looks like I've been using LastPass for the

2:17:10

past twelve years, and I still am. If

2:17:16

they ever give me a rational

2:17:18

reason to change, I will in a heartbeat. And whether or not Bitwarden is

2:17:23

still a sponsor of the TWiT

2:17:25

network at the time, I would

2:17:27

openness inertia you know? So

2:17:34

anyway, I'm still using

2:17:36

them. I I don't

2:17:38

see any reason to

2:17:40

change. Subject to additional information coming to

2:17:43

light. You know, there's never

2:17:45

been a a breach that

2:17:47

that that affected our our

2:17:49

stored security because of the way it's designed. Yeah. And that's what you know,

2:17:51

and that's really what counts. Yeah.

2:17:53

And then it's a matter of

2:17:56

looking at the pricing and the

2:17:58

features and, you know, does it what

2:18:00

suits your your model best? I

2:18:02

just never have a problem with

2:18:05

it. So it's no worries.

2:18:07

It's not irritating me. And I have

2:18:09

a very soft spot in my heart

2:18:11

for LastPass, not only because of your support,

2:18:13

I used them for many, many years. But when

2:18:16

they became the

2:18:18

studio sponsor a few years ago. They kept

2:18:20

us on the air through COVID. If it weren't

2:18:22

for LastPass, I don't know if we'd still be on the air.

2:18:26

So I have a very soft spot

2:18:28

for LastPass. I do use Bitwarden. I like the

2:18:30

idea of open source. But I think there's pretty much feature parity between most password

2:18:35

managers at this point. Yeah. And and really,

2:18:37

it's just inertia. It's like I there's no good reason for

2:18:39

me to leave it works. And

2:18:43

if there when there is yeah.

2:18:45

I'll be out of there, like, in

2:18:47

a hot second. But so far, so good. Disaster averted. Nothing

2:18:51

to fear here. Move along. Move along.

2:18:53

Well, that's why you listen to Security

2:18:55

Now. Right? Because Steve is such a trusted voice. When

2:18:58

he says something's a problem, it's a problem. When

2:19:00

he says it's not a problem, you can trust

2:19:02

him. But that's why you gotta keep listening. We've had a great

2:19:05

twenty twenty two. I thank Steve so

2:19:07

much for making it so, and I

2:19:09

thank you for listening, and I hope you will be back

2:19:11

with us next Tuesday, January third. Whole

2:19:14

new year, whole new Security Now,

2:19:16

lots of episodes and whatever happens in the world out

2:19:18

there, you know you can count on Steve and Security Now.

2:19:23

Right here. Thanks for being a part

2:19:25

of the show. Thanks to all of

2:19:27

our producers and staff who make this show possible, to our producer Jason Howell. Of

2:19:31

course, to Steve Gibson, couldn't do it

2:19:33

without him. And most of all, thanks to you for listening. Have a wonderful

2:19:36

holiday season. Have

2:19:39

a good New Year's Eve. Be good.

2:19:41

Because I want you back here January third for Security Now.

2:19:43

We'll see you then. Happy New Year, everybody. Hey,

2:19:47

what's going on, everybody? I am Ant

2:19:50

Pruitt, and I am the host of Hands-On Photography here on TWiT TV. I know you got yourself a fancy

2:19:52

smartphone. You

2:19:57

got yourself a fancy camera, but your pictures are

2:20:00

still lacking. Can't

2:20:02

quite figure out what the heck shutter

2:20:04

speed means? Watch my show, I got you

2:20:06

covered.

2:20:07

Wanna

2:20:07

know more about just the ISO and exposure triangle

2:20:11

in general? Yeah. I got you

2:20:14

covered.

2:20:14

Or if you got all of that down, you wanna get into lighting, you know, making

2:20:18

things look better by changing the lights around.

2:20:21

I got you covered on that too.

2:20:23

So check us out. Each and every Thursday here on the network, or at twit dot tv slash

2:20:29

hop and subscribe today.
