Episode Transcript
0:00
Yep. It's that time once again. Hello, everybody.
0:02
Leo Laporte here. With the best
0:04
of twenty twenty two Security Now,
0:07
next.
0:09
Podcasts you love. From
0:11
people you trust. This is
0:15
TWiT. This
0:20
is security now with Steve Gibson, episode
0:22
nine hundred three for Tuesday December
0:24
twenty seventh twenty twenty two,
0:27
the year's best. Security
0:31
Now is brought to you by Express VPN.
0:34
Using the internet without express VPN
0:36
is like walking your dog in public
0:38
without securing them on a leash for
0:40
three extra months free with a one year package go
0:42
to expressv p n dot com slash
0:45
security now. And by,
0:49
Kolide. Kolide is an endpoint security solution
0:51
that uses the most powerful untapped
0:54
resource in IT: end
0:56
users. Visit kolide dot com
0:58
slash security now to learn more
1:00
and activate a fourteen day free
1:02
trial today. No credit card required.
1:06
We're gonna let take a week
1:08
off a much needed week off and
1:11
talk about some of the biggest stories of
1:13
the year from twenty twenty
1:15
two. This actually is a good show to listen
1:17
to or to give people who haven't heard security
1:20
now, to give them an idea of the breadth of
1:22
content and the depth of content with
1:24
everything Steve does starting with
1:27
perhaps the worst exploit,
1:29
if you could pick one, the worst exploit
1:32
of twenty twenty two, Log4j.
1:36
Okay. So many security firms are
1:39
tracking threat actors who
1:41
immediately and predictably jumped
1:44
aboard the Log4j bandwagon. You
1:46
know, it's been a it's been a feeding frenzy
1:49
for the security firms. To
1:51
help bring this home and make it
1:53
a bit more real, I wanted to share
1:56
a piece of Check Point researchers'
1:58
reverse engineering work on
2:01
a typical threat, the Internet
2:03
is now facing. I've
2:05
got, for anyone who wants more detail,
2:07
there's always a link in the show notes. Last
2:11
week, Check Point documented the
2:13
efforts of an Iranian
2:15
government backed group
2:18
known again, not just Iranian government
2:21
backed group, known as APT35,
2:25
also known as Charming Kitten,
2:28
TA453 and
2:30
Phosphorus. This
2:33
group started widespread scanning
2:35
and attempts to leverage the
2:37
Log4j flaw in
2:40
publicly facing systems only
2:42
four days after the vulnerability
2:45
was disclosed. And, you know,
2:47
all the bad guys knew now
2:49
that this was public, it was, you know, it
2:51
was gonna get remediated at some speed.
2:54
The point being Let's be
2:56
first. You know, get in there before that gets
2:58
before the the the backdoors
3:01
get closed. Since
3:04
this actors, this particular actors
3:06
set up was hurried, they
3:08
simply grabbed one of the publicly
3:10
available Open Source
3:13
GitHub hosted JNDI
3:16
exploit kits. Yes. They were
3:18
on GitHub initially, but that kit
3:20
has been removed from GitHub due to
3:22
its enormous popularity following
3:25
the vulnerability emergence. You
3:28
know, why bother reinventing that particular
3:30
wheel when time is of the essence? They
3:32
also base their operations upon
3:34
their pre existing infrastructure rather
3:37
than like creating a whole new one.
3:39
And that infrastructure was already well
3:41
known to
3:42
Check Point, thus making its detection
3:44
and attribution all the easier.
3:48
On the show notes, I have a flowchart, which
3:51
shows the path that the exploit
3:53
takes. And it could hardly
3:55
be any easier or direct. First,
3:58
the attackers send a
4:00
crafted request to
4:02
the victim's publicly facing Internet
4:05
exposed resource, whatever it is,
4:07
a server of some sort. In this
4:09
particular case, the weaponized
4:11
payload was sent in
4:13
through either the user agent or
4:16
the HTTP authorization
4:18
headers. Remember that all
4:20
that needs to happen is that
4:23
something somewhere
4:25
that's Java based logs
4:28
part of the query that contains this
4:31
weaponized string. In
4:33
order to log the query, Log4j
4:36
examines what it's
4:38
logging, sees a JNDI
4:41
component, and goes about its
4:43
job of obtaining the content
4:46
from the LDAP URL contained
4:48
in the query, which is being logged.
4:51
So the vulnerable machine
4:54
as as has been instructed
4:56
to do, basically, although not after
4:58
has been patched, but until then,
5:00
reaches out to a
5:02
what they'd labeled in their diagram a
5:05
Log4j exploitation server,
5:08
which assembles the and returns
5:10
a malicious Java class,
5:13
which will be executed on the
5:15
vulnerable machine. The class
5:17
runs a PowerShell command
5:20
with a base sixty four encoded
5:22
payload. And I actually have a
5:24
picture of the actual payload
5:27
the exploit dot
5:30
command, PowerShell, and
5:33
then the encoded payload. That
5:36
PowerShell command downloads
5:39
a PowerShell module
5:42
from an Amazon s
5:44
three bucket URL and
5:46
it actually is http
5:48
colon slash slash s
5:51
three dot amazon AWS
5:53
dot com slash doc
5:55
library sales forward
5:57
slash test dot text and
5:59
executes. And we
6:01
have a picture of that in the show notes.
6:03
The actual thing that's downloaded.
6:06
The downloaded PowerShell payload
6:08
is the main module that's
6:10
then responsible for basic
6:12
communication with the command and
6:14
control server and the execution
6:17
of additional modules, which
6:19
may be received. So
6:21
the main module performs the
6:23
following operations. It validates
6:26
the network connection. Upon
6:28
execution, the script waits
6:30
for an active Internet connection by
6:33
repetitively making HTTP
6:36
post requests to google
6:38
dot com with the parameter
6:40
hi equals hi, h
6:42
i equals h i. Just
6:45
to see if it can succeed. That's how
6:47
it detects whether or not it's got an Internet
6:49
connection. Assuming that it
6:51
does, then it
6:53
knows that. It also performs
6:55
basic system enumeration. It
6:58
collects the Windows OS version
7:00
the computer's name and
7:02
the contents of a file, n
7:05
i me dot
7:07
text in app data.
7:10
In the app data path. The file
7:12
is presumably created and
7:14
filled by different modules that
7:16
will be downloaded by the main
7:18
module. It
7:20
then retrieves the command and
7:22
control server's domain. The
7:25
malware decodes the command and control
7:27
domain retrieved from a hardcoded
7:30
URL located in the
7:32
same s three bucket from where the
7:34
backdoor was downloaded. So
7:36
that they the bad guys have dynamic
7:38
control over that by
7:40
deciding what goes in this AWS
7:43
bucket. It also retrieves,
7:45
decrypts, and executes follow-up
7:48
modules. Okay. So
7:50
once all the data is gathered, The
7:52
malware starts communication with
7:54
the command and control server at
7:57
the domain, which it determined by
7:59
pulling that from the Amazon
8:01
AWS cloud
8:04
bucket. And
8:06
it does that. It communicates with the command
8:08
and control server by periodically sending
8:11
HTTP post requests. I mean,
8:13
none of this is high-tech. None of this is
8:15
rocket science. You know, this is easy
8:17
to do. Which is why this terrified everybody
8:19
so much. So this thing sends HTTP
8:21
post requests to a preconfigured
8:24
URL with each post
8:26
request containing information from
8:28
which to build a session key,
8:31
the OS version, the computer's
8:33
name, and the
8:35
contents of that file in the
8:37
app data directory.
8:39
So that ends up being something unique which
8:41
it uses to identify itself
8:43
each time. And I think as I recall,
8:45
it puts it in a session header
8:47
in the post query. In
8:50
response to the command and
8:52
control servers receiving these
8:54
these post requests, it
8:58
can either choose not
9:00
to respond, in which case
9:02
the script will keep sending post
9:04
requests periodically to
9:06
continue to provide the server with stream
9:08
of response opportunities, or
9:11
the server will return a
9:13
base sixty four encoded string.
9:17
Now just as a reminder, base
9:19
sixty four is a means
9:21
for sending binary data
9:24
over an ASCII channel that
9:26
is over a text only channel.
9:29
Groups of three
9:31
eight bit binary bytes.
9:34
So three eight bit binary bytes is
9:36
twenty four bits. They're
9:39
regrouped from three eight bit
9:41
bytes to four six
9:43
bit bytes. Six
9:45
bits can have sixty four
9:47
combinations. So that
9:50
so we take the lower and the upper
9:53
alphabet gives us two times
9:55
twenty six characters or
9:57
fifty two characters. We add the ten
9:59
decimal digits that brings us
10:01
up to sixty two characters,
10:03
and then we toss in two additional
10:06
ones. The plus and the forward
10:08
slash, which brings us to sixty
10:10
four. So
10:12
in groups of three,
10:16
binary is taken from
10:19
the source binary. Those
10:21
twenty four bits
10:23
are regrouped into four
10:26
characters, each one
10:29
of
10:31
sixty four different possibilities. That's
10:34
then all munched back
10:36
together and sent down to the client,
10:38
which reverses the encoding process
10:40
to restore the original binary.
10:42
This allows the malicious
10:45
server to squirt
10:47
anything it wants into the victim
10:49
machine that's making the
10:51
queries. The
10:53
modules downloaded in this fashion
10:55
are either PowerShell
10:58
or c sharp scripts.
11:00
The modules set by the command and
11:02
control server are executed
11:04
by the main module with
11:07
each one reporting data back to
11:09
the server separately. So
11:11
that the original module comes
11:13
in, looks around, sets
11:15
up shop, figures out who to
11:17
talk to initiates the
11:19
dialogue and does that
11:21
periodically. If in response to
11:23
one of its multiple post
11:25
queries, it receives a blob
11:27
of base sixty four. It goes,
11:29
oh, okay. Something to do.
11:31
It decodes it back into
11:34
whatever it was before, you know, removes the
11:36
base sixty four encoding. We
11:38
know that that's gonna be a PowerShell
11:40
or a c sharp script.
11:43
And runs it.
11:45
At that point, that subsidiary
11:47
module takes off on
11:49
its own. And it establishes its
11:51
own communication directly with the
11:53
command and control server. The
11:57
command and control cycle continues
12:00
indefinitely, which allows the
12:02
threat actors to gather data on
12:04
the infected machine, run arbitrary
12:06
commands, and possibly escalate
12:08
their actions by performing a
12:10
lateral movement or executing
12:12
follow-up malware such as
12:14
ransomware. In other words, you know,
12:16
this thing can do anything
12:19
it wants to. Once it
12:21
gains a foothold.
12:24
So the modules. Every
12:26
module is auto generated
12:28
by the attackers based on the data sent
12:31
by the main module. Each of the
12:33
modules contains a hard
12:35
coded machine name and a
12:37
hardcoded C&C domain.
12:39
Every module Check Point observed
12:43
contained a block of shared
12:45
code, which makes sense because there's a bunch
12:47
of stuff that they're all gonna do
12:49
regardless of their specific function. And
12:51
that is encrypting the data
12:53
to be sent, exfiltrating
12:56
the gathered data through a post request
12:58
or uploading it to an FTP server
13:00
that also happens and sending
13:03
execution logs to a
13:05
remote server. In
13:07
addition to this, each module performs
13:09
one specific job that is in addition
13:11
to those things they all have in common.
13:13
Check Point retrieved and analyzed modules
13:16
for six different functions. Listing
13:19
installed applications that
13:21
is, applications installed on the machine,
13:23
taking screenshots, listing
13:26
the running processes, getting
13:29
OS and computer information, executing
13:31
a predefined command from
13:34
the command and control server. And
13:36
then finally, cleaning up
13:39
any traces created by
13:41
any of the other modules. The
13:45
applications module uses
13:47
two methods to fetch and
13:49
return a list of installed
13:51
modules. It can either enumerate the
13:53
uninstall registry values
13:56
or use the
13:59
Windows Management Instrumentation Command
14:02
in order to get
14:04
an enumeration. It gets those,
14:07
encrypts them, and sends them back
14:09
to headquarters. The
14:11
screenshot module. They
14:13
found both c sharp and
14:16
PowerShell scripts for the
14:18
screenshot. They both had the
14:20
capability to capture multiple screenshots
14:22
at specified intervals and
14:25
upload the resulting screenshots to
14:27
an FTP server whose
14:29
credentials are provided by the script. The
14:31
C sharp script uses a base
14:33
sixty four encoded PowerShell command
14:35
to take the screenshot from multiple
14:38
screens. So again, you
14:40
might have this thing in your computer,
14:42
not know it, you're doing things,
14:44
and this thing is spying on
14:46
you, sending shots at
14:48
your screens. Back to headquarters. The
14:51
processes module obtains a
14:53
list of the machine's running processes
14:55
using the tasklist command, gathers
14:57
them, encodes them, sends them
14:59
back. The system information
15:01
module contains a bunch of
15:03
PowerShell commands. What was interesting
15:05
was that in the instances Check Point
15:09
saw the bad
15:11
guys had commented out
15:14
all of these potential sources
15:17
of information, they
15:19
just weren't using it. This
15:22
told Check Point that this
15:24
whole campaign was hastily
15:26
assembled since the entire,
15:28
you know, as we know, attacker
15:31
community was well aware that
15:33
systems would be closing their doors
15:35
very quickly. So there
15:37
was, like, all these different suggestions
15:40
of, you know, the moment this
15:42
big thing went
15:43
public, the attackers jumped on
15:45
it and said, let's quickly get
15:47
something together that we can
15:49
exploit this
15:50
with. And finally,
15:53
we have the command execution module
15:55
which is able to essentially
15:58
download and execute any actions,
16:00
any commands that are provided
16:02
by the command and
16:04
control server. They saw, for
16:06
example, listing the contents of the
16:08
c drive route, listing
16:10
the specific WiFi profile
16:12
details using netsh,
16:15
the
16:17
wlan subcommand
16:19
of that, and
16:21
also listing all the drives
16:23
using Get-PSDrive, a
16:25
PowerShell enumerator.
16:28
And finally, the cleanup module. It's
16:30
dropped after the attackers have finished their
16:33
activity and want to remove any
16:35
traces that they've been inside the system.
16:37
The module contains cleanup methods
16:39
for persistence related artifacts
16:41
in the registry and the
16:44
startup folder, you know,
16:46
any files created and any
16:48
running processes. It
16:50
contains five hard coded
16:52
levels of, sort of, like, stages
16:54
of cleanup depending upon the
16:56
stage of the attack. Each
16:58
one serving a different purpose. Checkpoint
17:00
said that the design and the intent of
17:03
the cleanup module made it
17:05
clear that the threat
17:07
actors wanna keep the infection on
17:09
the machine. First of all, for as
17:11
long as they deem necessary,
17:13
but then once their goal
17:15
has been achieved, they wanna disappear
17:18
without a trace. So that, you know, no
17:20
one believes that an
17:22
attack occurred.
17:24
As for attribution, of
17:26
course, we know attribution of
17:29
network remote attacks
17:31
often falls somewhere
17:33
between difficult to
17:35
impossible, but not so in this
17:38
case. Most advanced persistent
17:40
threat actors put
17:42
some effort into making sure to
17:44
change their tools and their
17:46
infrastructure to avoid being
17:48
detected in the first place and
17:50
to make attribution much more difficult if
17:52
they were detected. And in fact,
17:55
you know, we know that the SolarWinds
17:57
attacks were famous
17:59
for, like, really working
18:02
to obscure the path
18:04
by which the infection happened
18:06
if it were to be discovered.
18:09
However, APT thirty five
18:11
does not conform to this behavior.
18:13
Apparently, the group is famous within
18:16
the cybersecurity community
18:18
for the number of operational security
18:21
mistakes they've made in
18:23
previous operations. And they tend not
18:25
to put too much effort into
18:27
changing their infrastructure once it's
18:29
been exposed. So it's
18:31
little wonder that their operation as
18:33
Check Point has detailed it, has
18:35
significant overlaps in the
18:37
code and the infrastructure, which
18:40
previously identified the
18:42
activities of APT thirty
18:45
five. As for code
18:47
overlaps, four months ago, October
18:49
of twenty twenty one.
18:51
Google's TAG team, remember, their
18:53
threat analysis group, published
18:55
an article about APT35's
18:58
mobile malware, you know, because
19:00
Google and Android. Even though
19:02
the samples Check Point analyzed,
19:07
were PowerShell scripts.
19:09
The similar meaning, you know,
19:11
PowerShell as opposed to Android.
19:14
so Windows only,
19:16
the similarity of
19:18
coding style between them
19:20
and the Android spyware
19:22
that Google attributed to
19:25
APT thirty five immediately
19:27
caught Check Point's attention. For
19:29
one thing, the implementation of
19:31
the logging functions was
19:34
identical between the Android
19:36
app, which Google analyzed, and
19:38
this present campaign's PowerShell
19:41
modules which use the
19:43
identical logging format.
19:45
Even though the commands are commented
19:47
out and replaced with another
19:50
format. The fact that these
19:52
lines were not removed outright.
19:55
Check Point felt might indicate that
19:57
the change was done only recently.
19:59
And the syntax of
20:01
the logging messages themselves
20:03
being logged is identical.
20:06
As for infrastructure, both
20:09
then and now
20:12
campaigns, October and now
20:14
apparently use the same server
20:16
side infrastructure. When a
20:19
client posts data to a
20:21
remote HTTP server, the
20:23
server side path of the
20:26
query is called the API
20:29
endpoint. Google's mobile
20:31
analysis and Check Point's
20:33
both revealed the use of
20:35
the common endpoint slash
20:38
API session. Now,
20:40
okay, that's not a high entropy name.
20:42
Could have just been a collision of,
20:44
you know, convenience but
20:48
Check Point felt encouraged
20:51
by the observed overlap,
20:53
and they stated in their report
20:55
that other API endpoints are
20:58
similar but not entirely identical
21:00
due to the differences in the
21:02
functionality of the platform. So it didn't
21:04
make sense for them to be completely identical. Check Point
21:06
also observed that not
21:08
only are the URLs familiar
21:11
but the command and control domain
21:14
of the PowerShell variant
21:16
responds to the API
21:18
requests that are used in the
21:20
mobile variant. This suggests similar,
21:23
if not identical, server
21:25
side support for both
21:28
campaigns. So Check Point
21:31
concluded its report by
21:33
observing that every time
21:35
there is a new published critical
21:38
vulnerability, the entire infosec
21:41
community holds its collective breath
21:43
until its worst fears come true.
21:46
Scenarios of real world
21:48
exploitation appear, especially
21:50
by state sponsored actors.
21:52
As they demonstrated in their report,
21:54
the breath holding wait in the
21:57
case of the Log4j vulnerability was
21:59
only a few days. The combination
22:01
of its simplicity, its publicly
22:04
available open source code
22:06
samples, and the massively
22:08
tantalizing number of
22:10
vulnerable devices made
22:12
this a very attractive vulnerability
22:14
for actors such as APT
22:16
thirty five, and I have
22:18
no doubt that, you know, while I
22:20
don't think I will continue giving this
22:22
in-depth coverage because we know
22:24
pretty much everything there is to know about it. Oh,
22:26
if something major happens,
22:28
it'll certainly be newsworthy. But
22:30
that's how this stuff works. Again,
22:33
it's
22:36
frightening how
22:38
non rocket science,
22:41
how script
22:43
kiddie level -- Yeah. -- this thing
22:45
is and that it can get up to so
22:47
much mischief. Amazing. Even
22:50
a, what is a kitty? What
22:52
kind of kitty? Charming Kitten.
22:54
Even Charming Kitten. You could do it. Who
22:56
comes up? Is that like a vulnerable name?
22:58
Who comes up with? I mean, there's Fancy
23:01
Bear for the Russian group,
23:03
Charming Kitten for the Iranian
23:06
group. Somebody's coming up
23:08
with these. Must be the
23:10
CIA or the NSA. That's
23:12
just why. Okay. So
23:15
Unsurprisingly, as I said
23:17
at the top of the show, the world's cyber news
23:19
this past week was dominated
23:21
by the cyber aspects
23:24
of Russia's invasion of Ukraine.
23:26
We've been living through, and this TWiT
23:28
podcast network has documented
23:31
and chronicled important and
23:33
fascinating aspects of, you know,
23:35
the evolution of the personal
23:37
computer and the Internet. When I think back,
23:39
Leo, to where we were with the Honey
23:41
Monkeys, you know, almost eighteen years
23:43
ago. It's like, okay, a lot
23:45
has changed. HTTP was
23:47
a
23:47
thing, right, with no s. Now,
23:50
good luck if you don't have an s there.
23:53
And I have
23:55
to
23:55
admit that when this
23:59
first, when this podcast, Security Now,
24:02
began, I was personally
24:05
skeptical of the
24:07
idea of cyber warfare. It
24:09
just, like, really,
24:12
like, packets, you
24:14
know? Well, obviously, since then,
24:16
I've been well disabused of
24:18
any such skepticism. And
24:22
I've been interested to note that in
24:24
the last few weeks, all the experts
24:27
because like cyber warfare is like
24:29
a topic now. Like, any
24:32
time, like, there's a discussion of what's going
24:34
on. It's like, oh, whatever, you know, this
24:36
threat of cyber warfare. And
24:38
the presumption is it would not be constrained
24:41
to Russia and Ukraine. It
24:43
would be, you know, global
24:45
to some degree. But
24:48
the point is that all the experts that
24:50
I'm hearing talk about it feel
24:53
much as I do, which is that
24:55
it's something no one is really
24:58
that excited to
25:00
unleash. Very much like
25:02
you know, the cold war days
25:04
of mutually assured destruction,
25:09
But as I said last week, the feeling
25:11
is that no one has any
25:13
real confidence in their own
25:16
defenses being adequate. So
25:18
nobody wants to be the first to initiate what
25:20
you whoa. And I forgot to turn
25:22
that down. Our little
25:25
friend telling me I've got email. Sorry.
25:28
No one's that, you know,
25:31
confident about their own defenses being
25:33
adequate. So no one wants to be the first to
25:35
initiate what might be mutually
25:38
assured cyber destruction. We don't even know what
25:40
that looks like and nobody wants to
25:42
find out. Yet, here we
25:44
are
25:44
today, kind of picking
25:46
around the edges of
25:48
exactly that possibility such that
25:51
more than any other time in
25:53
the past, it's on everyone's
25:55
lips. Okay.
25:58
So I'm
26:01
not gonna spend an inordinate amount
26:03
of time on any one of
26:05
these topics, but literally as
26:07
I was going through the
26:10
last week's "what is there to talk about?" It was all about
26:12
this. It was all about the consequences of
26:14
this. So, Saturday
26:17
before last, on the twenty
26:19
sixth, Ukraine's minister
26:21
of digital transformation, whose
26:23
name we'll hear a few times
26:26
today, Mykhailo Fedorov, announced
26:28
the creation of an army
26:30
of IT specialists
26:32
to fight for Ukraine
26:35
in cyberspace. Mykhailo said,
26:38
quote, we have many talented Ukrainians
26:41
in tech. Developers, cyber
26:44
specialists, designers, copywriters, marketing
26:47
specialists, targeting
26:49
specialists, Wow,
26:51
targeting specialists. He said, we
26:53
are creating an IT army.
26:56
All operational tasks will
26:58
be posted here. There's plenty to do
27:00
for everyone. We continue our
27:03
fight at the cyber front.
27:05
So of course, being that he's
27:08
their digital transformation
27:09
guy, his focus is that.
27:13
Anyway,
27:13
turns out that Mykhailo's call
27:16
did not go unheeded.
27:20
when I captured this
27:22
particular report, the
27:24
number of volunteers
27:26
that had signed up, and
27:28
we'll see that by the time we end
27:30
this podcast, that number has
27:33
grown. At this point, it
27:35
was already a hundred and seventy
27:37
five thousand people
27:39
had said, yeah, I want to, you
27:41
know, sign up. I wanna. A hundred and
27:43
seventy five thousand. Oh. I
27:46
don't know there weren't that many people with
27:48
the skills. Yeah.
27:50
Well, and they said copywriters, marketing
27:52
specialists. So, basically, you know, like, you
27:54
don't have to actually know how
27:57
to sharpen the front edge of a packet in
27:59
order to send it off. Wow.
28:01
You just have to know what that packet
28:04
should contain. I guess, if it was some propaganda or some
28:06
IT specialists to manage the
28:08
database of volunteers, that's
28:10
what they're gonna need.
28:13
That's right. So he said many have
28:15
been tasked with launching DDoS
28:17
attacks against Russian websites,
28:19
including government websites, banks and energy
28:22
companies on the twenty
28:24
seventh the day after this,
28:26
officials also told volunteers
28:28
to target websites, third,
28:30
in Belarus, Mykhailo
28:33
also publicly released the targeting
28:36
list. Okay? So this
28:38
is the IT Army of
28:40
Ukraine. It says for
28:42
all IT specialists from
28:44
other countries, we translated
28:47
tasks in English. So
28:49
he says, task number one.
28:51
We encourage you to use
28:53
any vectors of cyber
28:55
and DDoS attacks on
28:58
these resources. So
29:00
I mean, this is a
29:02
publicly posted list from
29:04
Ukraine. So we've got three
29:06
categories business corporations,
29:09
banks, and the
29:11
state. So for example business corporations,
29:14
Gazprom, I can't even
29:16
pronounce these things. I won't
29:18
try, but there's like one, two, three, four, five, six, seven, eight, nine,
29:22
ten, eleven, twelve, thirteen, fourteen, fifteen,
29:25
sixteen, seventeen, eighteen,
29:27
nineteen, specific business
29:30
corporations where the
29:32
URL, their URL, and
29:34
I think without exception, there is a
29:36
dot com, by far the
29:39
most, or dot ru, of
29:41
course, there are some dot org, predominantly
29:44
dot ru. Then we've got
29:47
three banks the
29:49
Esper Bank, VTB, and
29:52
Gazprombank, and then the third
29:54
category is the state. There's
29:56
public services, Moscow state
29:58
services president of the Russian
30:00
Federation, government of the
30:02
Russian Federation, Ministry
30:04
of Defense, tax, whatever
30:06
that is, customs,
30:09
pension fund, and
30:11
our favorite Roskomnadzor
30:14
is also there.
30:17
So, you know, I
30:19
mean, obviously, they're being
30:21
put upon that as Ukraine
30:23
is. And they're saying, hey,
30:25
cyber is now a
30:27
vector of
30:29
counterattack. So let's go.
30:32
And, you know, here's your initial
30:34
targeting list. An
30:36
open call for everyone, you know, anyone
30:38
and everyone to participate, you
30:40
know, but let's be
30:43
clear that the perceived justice,
30:46
if that's how you
30:48
feel of this cause,
30:51
doesn't make it legal. Right?
30:53
So people listening,
30:55
don't go off attacking
30:58
Russia because that, you know, because
31:00
some guy in Ukraine said, yeah,
31:02
here's where you go. Don't do
31:05
that. According to Victor Zhora,
31:07
an official at the Ukrainian cybersecurity
31:10
agency charged with protecting government
31:12
networks, he said, quote,
31:14
Russian media outlets that
31:16
are, quote, constantly lying
31:19
to their
31:19
citizens, unquote, and financial and
31:22
transportation organizations supporting the
31:24
war effort are among the
31:26
potential targets for digital attacks
31:28
from the so called Ukrainian
31:31
IT
31:31
Army. He said that the IT
31:34
Army is a loose band of
31:36
Ukrainian citizens and
31:38
foreigners that are not part
31:40
of the Ukrainian government.
31:42
But Kiev is encouraging
31:45
them. It's an example of how the Ukrainian
31:47
government is pulling out all the
31:49
stops to try to
31:51
slow Russia's military assault
31:53
and illustrates how cyberattacks
31:55
have played a supporting role in the
31:57
war. The goal of this IT Army
31:59
of Ukraine is to, quote,
32:01
do everything possible,
32:03
to make the aggressor feel
32:06
uncomfortable with their actions in cyberspace and
32:08
in Ukrainian land.
32:10
And so, you know, this was Victor
32:13
Zhora in a video conference with
32:15
journalists on Friday. And
32:17
I will say, because I've
32:19
just gone through this myself, assembling
32:21
this seventeen page Notes for
32:23
this
32:23
podcast. If
32:25
you follow along by
32:27
the end of this podcast, I
32:29
would argue you will have
32:32
very mature, complete,
32:35
almost comprehensive, I
32:37
dare say appreciation
32:40
for everything that is going on,
32:42
like everywhere on this.
32:44
It's what we're here to talk about. Well,
32:47
Russia hasn't disconnected from the Internet
32:49
yet, but who knows what twenty twenty
32:51
three will be? We'll be back with more
32:53
of Steve Gibson in just a moment. First
32:55
a word from our sponsor. I hope you're
32:57
enjoying our best of. Steve's great, isn't he?
32:59
We just love doing this show together.
33:01
And for most of the
33:03
year, we have loved our
33:05
sponsor, ExpressVPN. They've been with us all year long.
33:08
Using the Internet without express VPN,
33:10
my personal choice for VPN
33:12
well, that would be, I don't know, like,
33:14
walking your dog in public
33:16
without a leash. Most of the
33:18
time, no problem. You'll probably be fine. But what
33:20
if one day the dog runs
33:23
away or gets dognapped.
33:25
It's better to be careful. You're not
33:28
preparing for everyday
33:30
activity, you're preparing for the worst.
33:32
Somebody spying on you, somebody attacking
33:35
you, that's why it's great when you've
33:37
got something as simple as express VPN. Every time
33:39
you connect to an unencrypted
33:42
network, which could be in
33:44
cafes and hotels and airports, your
33:47
online data is insecure. Any hacker in
33:49
the same network has all sorts of
33:51
ways to attack your system and steal
33:53
your personal data using things that are
33:55
widely available on the Internet
33:57
like the WiFi Pineapple.
33:59
But express VPN creates
34:01
a secure encrypted tunnel between your
34:03
device and the Internet. So they
34:05
can't see you. They can't
34:07
attack you. You're absolutely safe.
34:10
In fact, it's so good it would take a hacker
34:12
with a supercomputer over a billion years
34:14
to get past ExpressVPN's
34:18
encryption. ExpressVPN works on all your devices,
34:20
phone, tablet, laptop, even on your
34:22
smart TV. In fact, they've got a great
34:24
router now. You can put ExpressVPN
34:26
on many
34:28
routers, but they even sell a router that's just fantastic. So
34:30
we were talking to a dog m. Right? He
34:32
took an ExpressVPN router with him to
34:34
Vietnam. Was able to watch all
34:36
his shows in the United States, communicate
34:38
securely and safely, worked phenomenally,
34:40
and he said he was getting amazing data
34:42
rates. I can't remember what he said, but it
34:44
was like, a hundred, two hundred, three hundred megabits. Try
34:47
that with some other VPN.
34:49
Only ExpressVPN works as fast
34:51
as you do. And it's so
34:53
easy to use. Put it on the router or just fire up the
34:55
app. Click one button. Boom. You're
34:58
safe. Now if you go to
35:00
expressvpn dot com slash security now, you
35:02
can get three extra
35:04
months with a one year package,
35:06
absolutely free. ExpressVPN
35:08
dot com slash security now. Buy a twelve-month
35:10
package, you get fifteen months for the price of twelve, and I have to tell
35:12
you, it is the only VPN I trust,
35:14
the only one I use, expressvpn
35:17
dot com slash
35:20
security now. Thank you, ExpressVPN, for being such
35:23
a great sponsor for Steve's work
35:25
all this year. Speaking of
35:28
work, time to get back to
35:30
Steve. We're back with more twenty twenty two. We
35:32
kick things off in this segment
35:35
with a look at
35:38
Kaspersky antivirus. Is it safe?
35:41
Well, the US
35:44
FCC, Kaspersky Labs,
35:46
and Chinese telecoms are
35:48
all
35:49
mixed up. Last
35:51
Friday, in an announcement titled, quote, FCC
35:54
Expands List of Equipment and
35:56
Services That Pose Security
35:59
Threat, unquote, the US Federal Communications Commission
36:02
added the well known to
36:04
us, Russian cybersecurity firm,
36:07
Kaspersky, to its covered
36:10
list, believing that the use
36:13
of Kaspersky Lab products
36:15
poses unacceptable risks
36:18
to US national security. The
36:21
coverage extends
36:26
to Kaspersky's information security products, solutions,
36:28
and services supplied by
36:30
Kaspersky or any
36:33
linked companies, including subsidiaries or
36:36
affiliates. And the same day,
36:37
last Friday, the HackerOne
36:39
bug bounty program
36:42
also terminated their relationship with Kaspersky. HackerOne's
36:45
decision to disable
36:47
Kaspersky's bug bounty program follows
36:50
the news that
36:52
Germany's federal office for
36:54
information security, known as
36:57
BSI, had warned
37:00
companies against using Kaspersky products. The German
37:02
regulator indicated that Russian
37:04
authorities could force the
37:06
AV provider
37:08
into allowing Russian intelligence to
37:10
launch cyberattacks against its
37:12
customers or have its products
37:16
used for cyber espionage campaigns.
37:18
Just to be clear, this is all
37:20
entirely without any precipitating
37:23
evidence and only
37:26
out of an abundance of
37:27
caution. Kaspersky
37:31
responded by writing, quote, Kaspersky
37:34
is disappointed with the
37:36
decision by the Federal Communications Commission
37:39
to prohibit certain
37:42
telecommunications related federal subsidies from being used to purchase
37:44
Kaspersky products and
37:46
services. This decision is
37:48
not based on any
37:50
technical assessment
37:52
of Kaspersky products that the company continuously
37:55
advocates for, but instead
37:58
is being made on
38:00
political grounds. Kaspersky
38:03
maintains that the US government's
38:05
twenty seventeen prohibitions on
38:08
federal entities and
38:10
federal contractors from
38:12
using Kaspersky products and services were unconstitutional
38:16
based on unsubstantiated allegations
38:20
and lacked any public
38:22
evidence of wrongdoing by the
38:24
company. And there has been
38:26
no public evidence to otherwise
38:28
justify those actions since
38:30
twenty seventeen and the
38:32
FCC announcement specifically refers
38:34
to the Department of Homeland Security's
38:36
twenty seventeen determination as the
38:38
basis for today's decision. Kaspersky
38:40
believes today's expansion of
38:43
such prohibition on entities that
38:45
receive FCC communications related
38:47
subsidies is similarly
38:50
unsubstantiated and is a response to
38:52
the geopolitical climate. Rather
38:55
than a comprehensive evaluation,
38:58
of the integrity of Kaspersky's products and services. Kaspersky
39:02
will continue to assure
39:04
its partners and customers on
39:07
the quality and integrity of its
39:10
products and remains ready to
39:12
cooperate with US government
39:14
agencies to address
39:16
the FCC's and any other
39:18
regulatory agency's concerns. Kaspersky provides
39:20
industry leading products and
39:23
services to customers around
39:26
the world to protect them from all types of cyber
39:28
threats. And it has stated
39:30
clearly that it doesn't have any
39:32
ties with
39:34
any government including Russia's.
39:36
The company believes the
39:39
transparency and the continued implementation
39:41
of concrete measures to
39:43
demonstrate its enduring commitment to integrity and
39:46
trustworthiness to its customers is
39:48
paramount. Unquote.
39:52
Now, I completely
39:54
agree that Kaspersky
39:57
has never given us any
39:59
cause to mistrust them. But
40:02
that's not the question or
40:05
the problem. That's
40:07
a misdirection, I think, that
40:09
misses the point. And they know
40:12
what the point is,
40:14
where they are
40:16
is the
40:18
point. So I'm not sympathetic to Kaspersky's
40:20
plight. None of this
40:22
should have been a surprise to them.
40:25
It's been their conscious choice
40:27
to remain operating in Russia
40:30
for the past eight years
40:32
since twenty
40:34
fourteen, after their president and country illegally
40:36
invaded Ukraine and annexed
40:39
its Crimean Peninsula. And being in
40:42
Russia, they know far more than
40:44
we do how their country
40:46
is being run and has
40:48
been acting.
40:48
We know that not
40:49
everyone in Russia agrees with
40:52
Putin, and I don't doubt
40:54
that Kaspersky would
40:56
resist and fight any subversion of
40:59
their integrity. That's all they have, and
41:01
that's a lot to
41:04
lose. But given everything we've seen recently,
41:06
it might not be their choice,
41:08
and that's the point. Given
41:12
the awesome networking power that
41:14
a deeply trusted and embedded company
41:17
such as Kaspersky wields, and
41:19
in the context of an authoritarian
41:22
regime, which is increasingly acting
41:24
as if it has nothing left
41:26
to lose, there's
41:28
every reason to worry
41:30
that Kaspersky's employees could be
41:32
forced to act against their will.
41:35
So it's not
41:37
Kaspersky for a moment that
41:39
I don't trust. It's their
41:41
ruthless and immoral government that
41:44
ultimately controls them, which we
41:46
cannot afford to trust in this
41:48
instance. And there are plenty of
41:50
good, maybe even better choices in the
41:52
world. It's not like they have to. Exactly.
41:54
Now I have to point out
41:56
that Kaspersky got his technical education
41:59
from the KGB higher school,
42:02
which prepares intelligence officers for
42:04
the Russian military and KGB. He
42:06
has a degree from there in
42:09
mathematical engineering and computer technology. He served in the
42:11
Soviet military
42:13
intelligence service as
42:15
a software
42:16
engineer. And he met his wife
42:18
at a KGB vacation resort two
42:20
years before he founded Kaspersky antivirus.
42:24
I'm not saying, I mean, here's part of the problem. Everybody loves Eugene because
42:26
he's a very good salesman.
42:29
And he goes around
42:31
and he goes to conferences and
42:33
stuff and, you know, he buys people drinks. People swear by Kaspersky probably because
42:35
they used to hang with
42:38
Eugene. Yep. I
42:41
don't know.
42:41
I think there's no
42:44
evidence, but there's enough
42:46
smoke. Yes. And your
42:48
point, Leo, is why take the risk.
42:50
You don't have to, so why? And all this, by the way, is saying you
42:53
can't use government subsidies to
42:55
buy Kaspersky. Right. Right.
42:58
By the way, you can't buy a lot of Russian stuff right now, not
43:00
because they're inherently insecure, but because
43:03
it's money to Russia. So
43:05
-- Yeah. -- I don't think this is a bridge
43:08
too far. Yeah. And, you
43:10
know, from my standpoint,
43:12
there's no way I would feel
43:14
completely comfortable right now
43:16
if my computer was running
43:18
software that was routinely phoning
43:20
home to Russia. That just
43:22
you know, seems a bad idea.
43:24
We're waiting for the big cyber attack.
43:26
And they were implicated in the leak
43:28
of the NSA hacking tools -- Yes. -- whether
43:30
intentionally or not, they
43:33
were involved -- Yep. -- which is not to
43:35
say that other AV might not have also been
43:37
doing the same
43:39
thing, but you know, theirs went to
43:41
Russia. So anyway. And,
43:44
you know, for what it's worth, Kaspersky
43:47
has not been singled out for this treatment, at least not
43:50
globally. Last week's decision to
43:52
designate Kaspersky as a national security
43:54
threat, follows
43:56
previous decisions to ban and revoke
43:58
China Unicom America's license
44:00
over serious national security
44:03
concerns in January of
44:06
this year, and two and a half weeks
44:08
ago, the FCC added the
44:10
Chinese telecommunications companies,
44:12
Huawei, ZTE,
44:15
Hytera Communications, Hikvision,
44:20
and
44:22
Dahua to its ban list. Back in June of twenty twenty,
44:24
Huawei and ZTE were designated
44:26
national security threats to the
44:28
integrity of the US communications
44:32
networks or the communications supply chain, and
44:34
now the Chinese state owned
44:36
mobile service providers, China Mobile
44:38
International USA,
44:40
and China Telecom Americas have been added as well. So,
44:43
you know, tempers are running
44:45
high. And, you know, Leo, we're
44:47
in this weird world of
44:50
deep economic co dependency
44:53
with those we
44:55
do not trust. It's freaky. I
44:57
mean, I don't think I own anything that didn't
44:59
come from China. Made in
45:01
China, baby. Yeah. Yet, you
45:04
know, here we are, you know, and how many times have I
45:06
talked about our IoT stuff -- Right. --
45:08
you know, all my lights and plugs
45:10
and things turn on and off because
45:14
they're connecting to Chinese cloud services.
45:16
I actually think that's a good thing, not
45:18
from a security point
45:20
of view, but from a global economic
45:23
perspective -- True. -- interdependence
45:25
is good for peace. Yes. And if
45:27
we weren't
45:29
interdependent, we couldn't sanction Russia to
45:31
the degree we have. Yeah. Obviously, it's
45:33
not enough to stop them. But, well,
45:35
it is hard to stop
45:37
one man. Right. And I think that's the problem, is that
45:39
this guy is, you know, believed to
45:42
be the richest person in the world
45:44
that, you
45:46
know, nothing, he doesn't care. He doesn't get to his point. And
45:48
there are no handles -- Right.
45:50
-- on him. There's nothing we can do.
45:52
Right. And so we'll
45:55
see what happens there.
45:59
Yikes. Lenovo. Leo,
46:02
I heard you refer to Lenovo's
46:04
UEFI problem on some
46:06
podcast recently. So, you know, this has
46:08
been in the news a lot. Oh, it's
46:10
not surprising. I'm aware of it
46:12
because I buy a lot of Lenovo hardware. So
46:15
That's been the ThinkPad, right? Like -- Yeah. --
46:17
the ThinkPad. Yeah. Yes. The
46:19
premier laptop. So,
46:22
as we know,
46:23
when a PC is powered up,
46:25
something needs to wake up
46:27
and configure the various parts
46:29
of the machine. The
46:31
video needs to be started. The fans
46:34
need to spin up. All of the
46:36
machine's various mass
46:38
storage subsystems need to be
46:40
initialized, and then the
46:42
firmware's configuration needs to
46:44
be checked. The proper
46:46
operating system needs to
46:48
be located and its OS boot code needs to be
46:50
initially loaded into RAM so that
46:52
control can be turned over to
46:54
it to continue booting
46:56
the machine. The
46:58
first PCs did that
47:00
using their basic input/output
47:03
system, the BIOS.
47:05
That was good for
47:07
about five years. It actually didn't last
47:10
very long because the PC just
47:12
exploded in terms of, you know,
47:14
what everybody wanted to do
47:16
with it. So the limitations,
47:18
which had been built into the BIOS's
47:20
assumptions, began to cause more
47:22
problems than they were worth,
47:25
almost automatically.
47:28
And various Mickey Mouse
47:30
workarounds were created to
47:32
overcome many of these problems while
47:34
Intel worked on a wholesale
47:36
replacement of the BIOS. The
47:38
initial attempt was
47:40
the EFI, the so called
47:42
extensible firmware interface,
47:44
which quickly matured into the
47:47
unified extensible firmware
47:50
interface, UEFI. And
47:52
we find ourselves right
47:54
back where we always do.
47:57
The original BIOS was
47:59
so dumb that it could
48:02
not be infected. It
48:04
was originally implemented in
48:07
Sometimes dumb is a good
48:09
thing. That's exactly it. It
48:12
was originally implemented in
48:14
mask ROM, meaning that the
48:16
firmware's bits were
48:18
etched into a metal
48:20
mask at the factory and could
48:22
never be changed. It did mean you
48:24
had to get the code right the first time.
48:26
No updates. And that was
48:28
something people used to be able to do,
48:30
but we don't do that
48:32
anymore. So that soon gave
48:34
way to nonvolatile
48:36
flash RAM,
48:37
which could be updated, but the code
48:39
it implemented was still
48:42
aggressively
48:43
dumb. Sometimes, for some things, the dumber, the
48:46
better. Because if all you
48:48
want is to boot an
48:50
OS, you really don't need that
48:52
much smarts. BIOS did
48:54
it just fine. And the
48:56
lesson we keep falling
48:58
into and we keep failing to
49:00
learn is that the
49:02
more complicated, fancy, capable, and
49:04
smart we make things,
49:06
the more leeway and latitude
49:09
the system has to
49:12
go very badly wrong.
49:15
So welcome to
49:17
the unified extensible
49:19
firmware interface where malware
49:22
is also able to extend
49:25
the firmware. Lenovo
49:29
has been most recently
49:31
in the "we made
49:33
a UEFI mistake" news
49:36
recently. Last week, the guys over
49:38
at ESET, whose motto is "we live
49:40
security," posted the results of their
49:42
analysis of some widely
49:44
used Lenovo
49:48
UEFI firmware. Their posting's
49:50
title was, quote, When
49:53
Secure Isn't Secure
49:55
at All: High Impact
49:59
UEFI Vulnerabilities Discovered
50:01
in Lenovo Consumer Laptops, unquote.
50:04
And the story's
50:06
tagline is ESET researchers discover
50:08
multiple vulnerabilities in various
50:10
Lenovo laptop models that
50:13
allow an attacker with admin
50:15
privileges to expose the user to
50:18
firmware level
50:20
malware. Okay.
50:23
Firmware level malware. That's not what
50:25
you wanna hear. That's even less
50:27
what you wanna have crawling around
50:29
inside your machine. Firmware
50:33
level malware enables the
50:35
ultimate in rootkit
50:37
techniques. In fact, it has
50:40
its own worse name: bootkit. The
50:43
presence of firmware level
50:45
malware means quite simply
50:47
that it's impossible to
50:50
trust anything about
50:52
what the machine might
50:54
do. Firmware level malware is
50:57
able to infect and compromise the operating
51:00
system's own code during
51:02
its boot process before
51:04
it has had any opportunity
51:06
to raise its own shields. And
51:09
reformatting the machine's mass
51:11
storage and reinstalling an
51:14
operating system or even
51:16
removing and replacing a drive
51:18
won't necessarily eliminate the
51:20
problem because
51:22
this malware has taken up residence in the
51:24
machine's underlying firmware
51:26
on the motherboard, on
51:29
a nonvolatile memory
51:32
soldered to the main
51:34
board. Now,
51:36
we know that
51:38
anybody can make a mistake, and as our listeners know,
51:40
I am infinitely forgiving of
51:44
mistakes. But the most
51:46
troubling aspect of what the
51:48
ESET researchers found was
51:50
that two of the three big mistakes
51:52
Lenovo made were
51:54
the oversight of leaving highly
51:58
exploitable drivers in the
52:00
UEFI firmware image, which
52:02
should have only been present during
52:05
the firmware's development. These drivers should have
52:07
never left the factory. So
52:10
it's not like
52:12
they got you know, a
52:14
loop condition wrong or
52:16
something like a mistake.
52:18
You know, they've left stuff
52:20
in there that should not be in there.
52:22
How do we know?
52:24
We know because the
52:26
two drivers were actually
52:29
named SecureBackDoor.
52:32
That's in the UEFI
52:35
firmware; that's the driver's name. Yeah.
52:37
We're gonna talk about an
52:40
oxymoron, secure backdoor.
52:42
Yeah. Yeah. It turns out it
52:44
wasn't. Yeah. The other one was
52:46
SecureBackDoorPeim.
52:48
So here's what ESET said.
52:50
They said ESET researchers
52:52
have discovered and analyzed three
52:56
vulnerabilities affecting various Lenovo
52:58
consumer laptop models. Various, yeah.
53:00
We'll get to that in a minute. The
53:02
first two of these vulnerabilities, and
53:05
we've got two CVEs from this year,
53:07
thirty nine seventy one and
53:09
seventy two, affect UEFI
53:12
firmware drivers originally meant to
53:15
be used, this is ESET, only
53:17
during the manufacturing process of
53:19
Lenovo Consumer Notebooks. Unfortunately,
53:22
writes ESET, they were mistakenly
53:26
included also in the production
53:28
firmware images
53:30
without being properly deactivated and/or
53:33
deleted. These affected
53:35
firmware drivers can
53:38
be activated by
53:41
an attacker to directly disable SPI
53:46
flash protections, that is,
53:48
using control register bits and
53:50
protected range registers, or
53:53
the UEFI Secure
53:56
Boot feature, from a privileged user mode
53:58
process running during OS
54:00
runtime. Okay. So just to
54:02
be clear about what ESET just
54:06
said. They said from a
54:08
privileged user mode process
54:10
in the OS. In
54:12
other words, any
54:14
user of these laptops
54:16
mistakenly allowing some
54:18
malware to run in their OS,
54:22
which might innocently ask to be granted brief
54:25
UAC privilege elevation
54:27
to install something,
54:30
that is, if it didn't bring
54:32
along its own privilege escalation vulnerability exploit,
54:34
as it might, or which
54:37
might set itself up to run as a
54:39
system service. That code
54:42
can disable all relevant
54:46
UEFI write protections to then surreptitiously
54:48
install semi permanent hidden
54:51
boot kit malware into
54:54
the system's UEFI firmware, and the
54:56
user would be none the wiser. And
55:00
we don't know how to scan for that
55:02
yet. I mean, there's
55:04
been some talk of scanning UEFI. Nothing much has come of it.
55:07
ESET said, it
55:10
means that exploitation
55:12
of these vulnerabilities would
55:14
allow attackers to deploy and
55:17
successfully execute SPI flash
55:19
or ESP implants like
55:21
LoJax. To understand how
55:22
we were able to find these vulnerabilities,
55:24
consider the firmware drivers affected
55:28
by, and then this is the
55:30
CVE number, the thirty nine seventy one. They wrote, these
55:33
drivers, imagine this Leo,
55:35
immediately caught our
55:38
attention by their very unfortunate but
55:41
surprisingly honest names.
55:44
SecureBackDoor and
55:47
SecureBackDoorPeim. After some
55:49
initial analysis, we discovered
55:51
other Lenovo drivers
55:55
sharing a few common characteristics
55:58
with the SecureBackDoor
56:02
asterisk drivers. Those are CHG, I guess, that's
56:04
short for change, and then
56:06
boot DXE
56:08
hook, ChgBootDxeHook, and
56:11
ChgBootSmm. You
56:14
know, SMM
56:16
is system management
56:18
mode stuff, which is
56:20
the OS under the
56:22
OS. As it turned out, they write,
56:24
their functionality
56:26
was even more interesting and could be abused
56:29
to disable UEFI
56:32
Secure Boot. That's
56:34
the CVE ending in thirty nine
56:36
seventy two. In addition, they
56:38
said while investigating the vulnerable drivers,
56:40
we discovered a third vulnerability,
56:43
SMM memory corruption inside
56:46
the SW SMI
56:48
handler function. Thus,
56:51
we have CVE ending in thirty nine seventy. This
56:53
vulnerability, they said, allows arbitrary
56:55
read/write from and
56:58
into SMRAM,
57:00
which could lead to the execution
57:02
of malicious code with
57:04
full SMM privileges. That's again,
57:07
that's like the chip level privileges. Nothing
57:09
more privileged in the world
57:11
than that. And they said
57:14
potentially lead to the deployment of an
57:16
SPI flash implant. We
57:18
reported all discovered vulnerabilities
57:20
to Lenovo on October eleventh
57:23
twenty twenty one. And I didn't have
57:26
it in the show notes, but Lenovo responded a month later. Although the list of
57:28
affected devices contains, and here
57:32
it comes, more
57:34
than one hundred different
57:38
consumer laptop models
57:41
with millions of users
57:44
worldwide, from affordable models
57:46
like IdeaPad 3 to
57:48
more advanced ones
57:50
like Legion 5 Pro
57:52
or Yoga Slim 9.
57:54
The full list of affected models with
57:57
active development support is published in the
57:59
Lenovo advisory. In addition to
58:01
the models listed in the
58:03
advisory, several other devices
58:06
we reported to Lenovo are also
58:08
affected but won't be
58:10
fixed, due to them
58:12
reaching end of
58:14
development support, EODS. This
58:17
includes devices where we
58:20
spotted the reported vulnerabilities for the
58:22
first time: IdeaPad
58:24
330 and IdeaPad
58:26
110. The
58:28
list of such EODS devices
58:31
that we have been able to identify will
58:33
be available in ESET's vulnerability
58:36
disclosures repository. And what
58:38
this tells us, reading between the lines, is that
58:40
these vulnerabilities have been
58:42
there long enough for
58:44
those machines which
58:47
they started affecting to now have
58:49
gone out of their service life with
58:51
Lenovo, thus they will
58:54
never be
58:56
fixed. Lenovo. Oh, yeah. I do have in
58:57
the notes. Lenovo confirmed the vulnerabilities on
59:00
November seventeenth twenty twenty
59:02
one and assigned them the
59:04
following CVEs. And
59:06
and, I mean, they're coming right out
59:08
with it. CVE ending in thirty
59:11
nine seventy, LenovoVariableSmm,
59:14
and they say hyphen,
59:16
SMM arbitrary read
59:18
write. The one ending in thirty
59:21
nine seventy one, SecureBackDoor, disable
59:24
SPI flash protections,
59:26
and thirty nine seventy
59:28
two, ChgBootDxeHook,
59:32
disable UEFI Secure Boot.
59:35
So given
59:37
how incredibly
59:40
active the cyber underworld is today,
59:43
we
59:43
keep encountering quite sobering
59:46
evidence of it, you know,
59:50
in every podcast
59:51
now, there's just no
59:54
chance that
59:54
these now fully disclosed and
59:57
very well documented vulnerabilities will
59:59
not be used to
1:00:02
compromise the interests of some of
1:00:04
these millions
1:00:06
of Lenovo laptop users worldwide, and many
1:00:08
of them are, you know, gonna
1:00:11
be serious users. It
1:00:14
will happen. So here we
1:00:16
are once more noting that there's something very wrong
1:00:18
with our industry's current
1:00:20
development model. You know, how
1:00:24
can this be allowed to occur over and over
1:00:27
and over? ESET had
1:00:29
to reverse engineer
1:00:32
the proprietary code in this UEFI
1:00:36
firmware in order to find
1:00:38
these problems. And
1:00:40
it's affecting Lord
1:00:43
knows what multiple of millions
1:00:45
of Lenovo laptop
1:00:48
users. Lenovo messed
1:00:50
up big time here, but for
1:00:52
the record, they're not alone. These
1:00:55
newly disclosed vulnerabilities merely
1:00:58
add to the recent disclosure
1:01:00
of more than fifty, five zero,
1:01:02
UEFI firmware vulnerabilities, which
1:01:05
have been found in
1:01:08
Insyde Software's, you know,
1:01:11
INSYDE, Insyde Software's
1:01:14
Insyde H2O
1:01:16
and HP and Dell laptops
1:01:18
since the start of just this year.
1:01:21
Among those are
1:01:23
six severe flaws in HP's
1:01:25
firmware affecting both laptops
1:01:27
and desktops, which, if exploited,
1:01:29
could allow attackers to
1:01:32
locally escalate to SMM privileges, which as I
1:01:34
said, is as much as you can get
1:01:36
on any hardware
1:01:38
platform. And
1:01:40
trigger at least denial of service and maybe
1:01:42
more. So, you know, Lenovo
1:01:44
is in good company or
1:01:48
at least only the most recent member of this
1:01:50
UEFI vulnerability doghouse.
1:01:52
And as we know, it's not Lenovo's
1:01:54
first instance of UEFI problems.
1:01:58
You know, years ago, they've also had
1:02:00
problems. So we've
1:02:02
managed to make our lovely
1:02:06
little machines far more complex
1:02:08
by designing in extremely powerful
1:02:12
capabilities. Yes. We
1:02:14
get lots more flexibility. We get remote management and
1:02:17
remote maintenance. And
1:02:20
not surprisingly, it's also a
1:02:22
mixed blessing. So
1:02:24
a heads up to anyone using
1:02:28
Lenovo laptops regardless of the model you have, don't look
1:02:30
at a list of affected models. First of
1:02:32
all, there's hundreds.
1:02:34
You should definitely check in to
1:02:37
see whether your device has a firmware update
1:02:40
outstanding. And for that matter,
1:02:42
HP and Dell users would be well
1:02:44
advised to do
1:02:46
the same. Do you think these changes are driven by the needs of
1:02:48
enterprise? In other words,
1:02:50
are we personal and
1:02:52
home users and geeks suffering
1:02:56
because -- Yes. Exactly.
1:02:58
-- of management capabilities built in?
1:03:01
Exactly that. Yeah. Exactly that,
1:03:03
Leo. Yeah. And there are a few places where
1:03:05
you can get simpler systems, a
1:03:08
simpler UEFI and coreboot
1:03:10
open source firmware
1:03:12
and things like that. And
1:03:14
they really aren't aimed at
1:03:18
enterprise. What was the other thing I
1:03:20
wanted to to
1:03:22
mention, oh, yeah, firmware updates
1:03:24
now. It's interesting, they're increasingly part
1:03:26
of the operating system update. I don't know if you've
1:03:28
noticed that. Yeah.
1:03:30
Well, we know that
1:03:32
Windows, for example, is patching the
1:03:34
Intel chipset firmware --
1:03:36
Right. -- Linux brings along the same thing -- Yeah.
1:03:38
-- to their credit, although it is
1:03:40
a little, you know, a bit of
1:03:43
a mixed blessing, Lenovo now
1:03:45
has software that comes preinstalled on their machines, which
1:03:47
is taking responsibility for
1:03:50
keeping your machine's firmware up
1:03:52
to date. So
1:03:54
it makes it better than,
1:03:56
you know, never
1:03:59
ever having the opportunity to proactively
1:04:02
inform Lenovo machine owners
1:04:04
and having a problem like this out there that
1:04:06
would make them persistently
1:04:08
vulnerable. Yeah. Yeah.
1:04:10
Boy, over the years, the, what
1:04:12
is it? Fifteen years we've been doing Security Now, the
1:04:14
name Lenovo has come up a lot. I
1:04:18
still love my ThinkPads. That's all. That's
1:04:20
all I'm gonna say. We're gonna take a little break,
1:04:22
come back with more of Steve Gibson and the best
1:04:24
of Security Now twenty twenty two in
1:04:27
just a moment. First a word from
1:04:29
our sponsor. I'm gonna interrupt one more
1:04:31
time, Steve. Sorry. The best
1:04:34
stuff continues in moments. I guess I'm interrupting myself, aren't
1:04:36
I? We'll have more with
1:04:38
Steve and the best stuff in just a bit. But first a
1:04:40
word from a great sponsor. They've been with
1:04:42
us all
1:04:44
year. Kolide. Kolide is an endpoint security
1:04:46
system that uses the
1:04:49
most powerful, underappreciated, untapped
1:04:52
resource in IT,
1:04:54
your end users. When you're
1:04:56
trying to achieve security goals, whether for a
1:04:59
third party audit or your own
1:05:02
compliance standards, you know, the typical conventional wisdom is to treat
1:05:04
every device like Fort
1:05:06
Knox and every user like
1:05:08
the enemy. Old
1:05:10
school device management tools like MDMs force
1:05:12
disruptive agents onto employees'
1:05:15
devices. People know, when they put them on, it's
1:05:18
gonna slow me down, it's gonna hurt my
1:05:20
privacy. That way of
1:05:22
doing things turns you,
1:05:24
IT admins,
1:05:26
into enemies of the
1:05:28
end users. Right? And then you got your
1:05:30
own security problems because end
1:05:32
users say, well, I don't want the performance hit.
1:05:34
I wanna preserve
1:05:36
my privacy. So they turn to shadow IT just to do their jobs.
1:05:38
Now now you got a big
1:05:40
problem. Right? Kolide does
1:05:42
things a little bit differently.
1:05:44
Instead of forcing changes on users, Kolide sends them
1:05:46
security recommendations via Slack.
1:05:48
Kolide automatically notifies your team
1:05:50
when their devices are insecure, gives them
1:05:54
step by step instructions on how to solve the problems. And
1:05:56
by reaching out to employees via a friendly
1:05:58
Slack DM and educating
1:06:01
them about company policies, Kolide
1:06:03
can help you build a culture in which
1:06:06
everyone contributes to security
1:06:08
because everyone understands
1:06:11
how and why to do it. Make employees part of
1:06:13
your team, not the enemy. And for
1:06:16
IT admins, you're gonna love Kolide, a
1:06:18
single dashboard, that
1:06:20
lets you monitor the security of your entire fleet, completely
1:06:22
cross platform. Mac, Windows, Linux,
1:06:24
doesn't matter. You can see it at
1:06:26
glance, for instance, which employees have their
1:06:29
disks encrypted, who are up to date on
1:06:31
their OS patches, whether they're using a
1:06:33
password manager and on and on and on and on.
1:06:35
That makes it easy to prove compliance
1:06:38
to your auditors, to
1:06:40
your leadership, makes it easy for you
1:06:42
to keep an eye on what's going on in your network.
1:06:44
So in a nutshell, that's Kolide. User
1:06:48
centered cross platform endpoint security for teams
1:06:50
that Slack. I think it's
1:06:52
a brilliant idea. You can meet your
1:06:54
compliance goals by putting users first.
1:06:58
Visit K-O-L-I-D-E, kolide dot com slash security
1:07:01
now to find out how. If you follow that link,
1:07:03
they'll hook you up with a goody bag, including
1:07:05
a great Kolide t
1:07:08
shirt, I got it right here.
1:07:10
Just for activating that free trial, you get Kolide coasters,
1:07:12
all sorts of cool stuff. That's
1:07:14
a little holiday gift for you from Kolide.
1:07:18
K-O-L-I-D-E, kolide
1:07:20
dot com slash security now. Now, back to
1:07:23
the best of back
1:07:25
to the best of twenty
1:07:27
twenty two with Steve Gibson. Let's
1:07:29
talk about passkeys.
1:07:32
Now let's talk about this
1:07:35
FIDO thing because I really
1:07:37
wanna get your take on it. So Ars
1:07:40
Technica's headline was
1:07:42
Apple, Google, and Microsoft want to
1:07:45
kill the password with passkey standard. Instead of
1:07:47
a password, devices would
1:07:49
look for your phone
1:07:52
over
1:07:52
Bluetooth. Leeping
1:07:53
computer said Microsoft, Apple, and Google to support Fido,
1:07:55
passwordless logins. The
1:07:57
record said Google, Apple,
1:08:00
and Microsoft to expand
1:08:02
support for passwordless sign in
1:08:04
standard. You know, and
1:08:06
it made the headlines in all of
1:08:09
the tech press. And all of these headlines popped up
1:08:11
last Thursday, May fifth, which, as
1:08:14
I said at the top of the show, was not only Cinco
1:08:16
de Mayo, but
1:08:18
also world password day.
1:08:21
And the news of
1:08:23
and questions about this new
1:08:25
pass keys was the most tweeted
1:08:28
to me item of the past week.
1:08:30
Many of our listeners wanted to know
1:08:32
what it was and what I
1:08:34
thought. Having spent seven years
1:08:37
of my life designing, implementing,
1:08:39
demonstrating, and proving
1:08:42
a complete working solution
1:08:45
to this need, I have a
1:08:47
good grasp of the problem domain. So I dug into this passkey's news by
1:08:50
going to the source.
1:08:53
As I always endeavor to, I first
1:08:55
read the Google I'm sorry, the Fido Alliance's May
1:09:00
fifth press release, which
1:09:02
was titled Apple, Google, and Microsoft, commit to expanded support
1:09:08
for Fido Standard to
1:09:10
accelerate availability of passwordless sign
1:09:15
ins. This was the press release that
1:09:17
everyone else was quoting in
1:09:19
the news. It appeared
1:09:22
that whoever wrote it was
1:09:24
being paid by the word since
1:09:26
it went on and on to make sure
1:09:30
that its reader would come away that all
1:09:33
pre Fido systems were
1:09:35
bad and Fido
1:09:39
was the At this point, it appears that regardless
1:09:41
of whether or not it turns out to be the cure, it will at
1:09:44
least be
1:09:46
the next thing we try. the boat as all
1:09:48
of our listeners. We're all avid users
1:09:50
and consumers of the Internet. So
1:09:54
we're all hoping the knows it's doing. But that
1:09:57
press release wasn't gonna get the
1:09:59
job done. Fortunately, it
1:10:02
linked to the description
1:10:04
of the Fido
1:10:07
Alliance white paper titled multi device Fido
1:10:12
Credentials. The description
1:10:14
of the paper that links to it said the Fido standards
1:10:20
together with their companion
1:10:22
WebAuthn specification are on the
1:10:24
cusp of an
1:10:27
important new development. Evolutionary
1:10:32
changes to the standards proposed
1:10:34
by the Fido Alliance, and
1:10:36
the W3C
1:10:38
WebAuthn community
1:10:40
aim to markedly improve
1:10:43
the usability and
1:10:45
deployability of Fido based
1:10:48
authentication mechanisms. As a
1:10:50
result, Fido based secure
1:10:53
authentication technology will for
1:10:55
the first
1:10:55
time. Be able to replace passwords
1:10:58
as the dominant form of
1:11:00
authentication on
1:11:04
the Internet.
1:11:04
What a concept. In
1:11:06
this paper, they say we explain how Fido and WebAuthn
1:11:11
standards previously enabled low
1:11:14
cost deployments of authentication mechanisms with very high assurance levels.
1:11:21
While this has proved
1:11:23
an attractive alternative to traditional smart card authentication, and
1:11:26
even opened the door
1:11:29
to high assurance authentication in the consumer
1:11:31
space, we have not attained large
1:11:36
scale adoption of
1:11:39
Fido based authentication in the
1:11:42
consumer space. We explain
1:11:44
how the introduction
1:11:47
of multi device fido credentials
1:11:50
will enable Fido technology to supplant
1:11:56
passwords for many consumer use
1:11:58
cases as they make Fido credentials available to users
1:12:01
wherever they
1:12:04
need them. Even if they
1:12:06
replace their device. Okay. So I have
1:12:08
the link of the
1:12:10
show notes to the PDF.
1:12:13
For anyone who wants the
1:12:15
raw material. Obviously, this descriptive overview still doesn't
1:12:17
tell us what we
1:12:20
wanna know. So I
1:12:22
dug into the white paper,
1:12:24
we get the executive summary followed
1:12:26
by a brief history of online authentication
1:12:30
then a section titled
1:12:32
Fido starting from the
1:12:34
top followed by WebAuthn
1:12:37
level three bringing up the bottom. So this brings us to the
1:12:39
bottom of page four of the
1:12:42
PDF, and we begin to
1:12:47
frame the problem as follows.
1:12:50
The explanation explains Fido
1:12:52
based solutions can
1:12:55
also increase the security of consumer
1:12:57
two factor authentication by providing phishing
1:12:59
resistance regardless of whether those
1:13:01
use cases care about
1:13:04
hardware based sign
1:13:06
in credentials or not. Now,
1:13:09
I should mention that
1:13:11
that Fido was always
1:13:13
hardware based. Which has been the problem that
1:13:15
they've been struggling with, is that
1:13:18
they the the Fido
1:13:20
the the Fido authentication standard
1:13:22
was you will have a hardware dongle, a token,
1:13:26
a a something which
1:13:30
because it's hardware, because it's physical,
1:13:32
it cannot be spoofed. It
1:13:34
cannot be, you know, no
1:13:37
one in Russia can get the
1:13:39
contents of your of what you
1:13:41
have in your thing you're holding in
1:13:43
your
1:13:43
hand. That's it. You're holding
1:13:46
The YubiKeys said there's some that are 502
1:13:49
YubiKeys. That's that's what you mean.
1:13:51
Yes.
1:13:51
Yes. Yes. Yeah. Yes. And and and
1:13:53
so Which is That's good
1:13:55
that's good security. No one would deny
1:13:57
that. Right? You could argue it's the best. Gold security. Yeah. Yes.
1:13:59
The problem is it's physical. I
1:14:02
mean, can't make people buy
1:14:04
keys. Fifty
1:14:06
dollar keys. Yes. The
1:14:08
better exactly. The benefit
1:14:11
is it's physical. The
1:14:13
problem is it's physical.
1:14:15
And so if you absolute so so
1:14:17
where they say, they they
1:14:20
said Fido based solutions
1:14:22
can also increase the security of consumer authentication
1:14:24
by providing phishing resistance
1:14:26
regardless of whether those
1:14:30
use cases care about
1:14:33
hardware based sign in credentials or not. In other words, they're
1:14:35
saying, we're giving up. We're
1:14:38
gonna back down from the
1:14:43
position we had taken I mean, you could
1:14:46
still use hardware based sign in
1:14:48
credentials But
1:14:51
now you're not gonna have to. We're not gonna make
1:14:53
you have to have a hardware
1:14:55
dongle. And and this has
1:14:57
been sort of in the air for a
1:14:59
couple years. Right? There's been talk about
1:15:01
being able to use your phone
1:15:03
as your Fido
1:15:06
Authenticator. So so this notion isn't completely
1:15:08
new. It's been happening.
1:15:10
They said, however, we
1:15:13
have observed limited adoption
1:15:15
in this latter category, especially in the
1:15:17
consumer space, because of the
1:15:20
perceived inconvenience of
1:15:23
physical security keys buying, registering,
1:15:27
carrying, recovering. And
1:15:31
the challenges consumers face with platform authenticators as
1:15:33
a second factor. For
1:15:36
example, having to
1:15:38
reenroll each new device no
1:15:41
easy ways to recover from lost or stolen devices.
1:15:43
They said, while
1:15:48
these drawbacks can
1:15:50
make Fido based solutions whether based on physical security keys or platform
1:15:53
authenticators that I
1:15:56
should explain this phrase
1:15:58
platform authenticators that just means your smartphone or your laptop. That's what a they're
1:16:01
they're calling that
1:16:03
a platform authenticator as
1:16:06
opposed to a physical security key.
1:16:08
So make drawbacks can
1:16:10
make Fido based solutions whether based
1:16:12
on physical security keys or
1:16:15
platform authenticators a tricky proposition for users already
1:16:17
accustomed to two factor
1:16:19
authentication. They present
1:16:22
an even higher barrier to adoption for
1:16:25
users who don't or
1:16:27
don't want to use
1:16:30
two factor authentication at
1:16:32
all and are stuck with
1:16:34
passwords. And so finally, we get down to it. The
1:16:39
white paper explains The Fido Alliance
1:16:42
and the W3C WebAuthn working group are proposing
1:16:45
to address
1:16:48
these gaps in a
1:16:50
new version, which they call level three of the WebAuthn
1:16:56
specification. The two
1:16:58
approach they they they said, two proposed advances in
1:17:00
particular bare mentioning. And
1:17:03
so here they are.
1:17:07
One and two, number one.
1:17:08
Using your phone
1:17:11
as a roaming authenticator, That's
1:17:15
the first of these
1:17:17
proposed advances. They said,
1:17:20
a smartphone is
1:17:22
something that end users typically
1:17:24
already have. Virtually all consumers space
1:17:27
two factor authentication mechanisms today already
1:17:31
make use of the user's smartphone. The problem
1:17:33
is that they do this in
1:17:35
a way, they do
1:17:38
this in a phishable manner.
1:17:40
You may inadvertently enter a
1:17:43
one time password on
1:17:47
a phisher's site or you may approve
1:17:50
a login prompt on your smartphone, not realizing that your browser
1:17:52
is pointed at
1:17:55
the phishing site
1:17:57
and not the intended
1:17:59
destination. The proposed additions to the Fido WebAuthn
1:17:59
specs
1:18:03
define a protocol that
1:18:07
uses Bluetooth to communicate
1:18:09
between the user's phone,
1:18:11
which becomes the
1:18:14
Fido Authenticator, and the device from which the user
1:18:16
is trying to authenticate. You
1:18:18
know, your laptop, for example.
1:18:20
Bluetooth, they say,
1:18:23
requires physical proximity which means
1:18:25
that we now have a phishing resistant way to
1:18:28
leverage the user's
1:18:31
phone during authentication.
1:18:33
Yeah. The hacker has to
1:18:36
be in physical proximity, which is good.
1:18:38
Right? Because Bluetooth is not the most secure.
1:18:42
Well, I'll Go ahead. Go ahead. No. Of course, SQRL
1:18:45
solved this with a QR code -- Right.
1:18:47
-- that you let your
1:18:49
phone see as we know. Right. They said with
1:18:51
this addition to the Fido WebAuthn
1:18:53
standards, two factor deployments
1:18:55
that currently use the
1:18:57
user's phone as a
1:19:00
second factor will be able to
1:19:02
upgrade to a higher security level, phishing resistance,
1:19:04
without the need for
1:19:07
the user to carry A
1:19:10
specialized piece of authentication
1:19:12
hardware, parens, security keys.
1:19:15
Oh, thank god. So
1:19:17
yes, we'll be able to
1:19:19
use our phones. Wonderful. That
1:19:22
wasn't point one. Here's point
1:19:24
two. Multi device
1:19:27
Fido credentials. Okay? They
1:19:32
say, We expect that Fido
1:19:34
Authenticator vendors, in particular, those of Authenticators built
1:19:39
into OS platforms, This
1:19:42
is We've heard
1:19:44
the names. Right? Apple, Google, Microsoft.
1:19:46
We'll adapt their authenticator implementations such
1:19:51
that a Fido credential can survive
1:19:55
device loss. In
1:19:57
other word and
1:20:00
again, hasn't been done yet, but this is
1:20:02
what they expect. We expect the Fido authenticator vendors, blah blah. In other words,
1:20:06
if the user had set up a number of
1:20:08
Fido credentials for different
1:20:11
relying parties and, you
1:20:13
know, relying parties is a
1:20:15
term of art in this
1:20:17
whole identity space on their phone.
1:20:20
If the user had set
1:20:22
up a number of Fido credentials,
1:20:26
for different relying parties on their
1:20:28
phone. And notice that in
1:20:30
Fido, you need a credential per
1:20:33
relying party, that is a Fido credential for Amazon, a Fido credential
1:20:35
for PayPal, a Fido credential for Facebook,
1:20:37
a Fido credential for Google,
1:20:40
blah blah. One
1:20:43
h. That it that's a it's a one for one mapping in
1:20:46
Fido. And then they
1:20:48
say, got
1:20:50
a new phone That user should be able to
1:20:52
expect that their Fido credentials
1:20:55
will be available on
1:20:58
their new phone. This means that
1:21:00
users don't need passwords
1:21:03
anymore. As they
1:21:06
move from device to device.
1:21:08
Their Fido credentials are
1:21:10
already there, ready to be
1:21:13
used for phishing resistant
1:21:15
authentication. Okay. Now, just pause
1:21:19
to note that I
1:21:23
solve this problem with one
1:21:25
time password authenticators with
1:21:28
my sheaf of printed
1:21:30
QR codes. Right? We were talking about that last week.
1:21:32
When I when I'm enrolling
1:21:34
on a site
1:21:39
that offers me second factor
1:21:41
authentication with a one time password, and it shows me the QR code, which I can then
1:21:44
capture with my
1:21:46
authenticator on my phone I
1:21:49
also print the pay I print
1:21:51
the paper out and it's securely stored. There's I have a
1:21:54
sheaf of them for all the places I use two factor
1:21:56
authentication. So
1:21:59
that yeah. If I if I
1:22:01
need to set up a
1:22:03
new device that doesn't
1:22:06
sync in some fashion with the authenticator
1:22:08
in my phone, I can
1:22:10
do that. It's offline. No
1:22:12
one in Russia can get
1:22:15
to it. It's very secure. But yeah, it's a little burdensome. I
1:22:17
had to do that. Lots of people don't. And
1:22:19
then they get stuck
1:22:23
if their won't export or transport
1:22:26
and and and sync. So they say,
1:22:29
for these,
1:22:32
multi device fido credentials. So that's
1:22:34
so this is their term, multi device Fido credentials just means
1:22:39
cloud sync. That's all that is. Multi device Fido credentials, it
1:22:42
is the OS platform's
1:22:44
responsibility to
1:22:47
ensure that the credentials are available
1:22:49
where the user needs
1:22:52
them. And Also,
1:22:55
note that some they said,
1:22:57
note that some companies are
1:23:00
calling Fido credentials
1:23:04
pass keys in their
1:23:06
product implementations, in particular, when those Fido credentials may
1:23:10
be multi device credentials.
1:23:14
So in other words, just for the record, Passkeys is
1:23:17
not a term of art in
1:23:19
Fido, and I imagine that
1:23:21
the company that has a trademark on
1:23:23
Pass key is not very happy. Mhmm. You know, a lot
1:23:25
of people noted that the government started
1:23:27
to use
1:23:29
the term shields up for one of their things.
1:23:32
That's the thing.
1:23:32
Yeah. What are you gonna do? I don't
1:23:34
know. Yeah. But he exactly. So
1:23:37
they say, Just like password
1:23:40
managers do with passwords,
1:23:42
the underlying OS platform
1:23:44
will sync the cryptographic
1:23:46
keys that belong to a Fido credential device to device. This
1:23:48
means that the security and
1:23:50
availability of a user's synced credential
1:23:55
depends on the security of the
1:23:58
underlying OS platforms, parens,
1:24:01
Google's, Apple's,
1:24:04
Microsoft's, etcetera, authentication mechanism for their online
1:24:06
accounts. And on the security method for
1:24:12
reinstating access, when all old devices
1:24:14
are lost. While this may not always meet the bar
1:24:16
for use cases
1:24:19
that require physical key
1:24:21
level security. They write it is a huge improvement in security
1:24:24
compared to
1:24:28
passwords Each of the
1:24:30
reference, they say, colon, each of the reference platform apply
1:24:35
sophisticated risk analysis and
1:24:37
employ implicit or explicit second factors in authentication, thus
1:24:39
giving two factor like protections
1:24:42
to many of their users.
1:24:46
So this is Fido saying, well, it's not
1:24:49
as good as physical keys. We're
1:24:51
kind of annoyed, but
1:24:54
look, it's gonna work. Like, maybe someone will
1:24:56
actually use Fido because we're
1:24:58
gonna allow cloud syncing in
1:25:01
this level three
1:25:04
lep mode and the the people who
1:25:06
are doing the syncing are, you know, being responsible
1:25:08
enough. So
1:25:11
they said the shift from letting every service
1:25:13
fend for themselves with
1:25:16
their own
1:25:18
password based authentication system to relying on security
1:25:20
of the platform's authentication
1:25:23
mechanisms is how we
1:25:26
can meaningfully reduce the
1:25:28
Internet's overreliance on passwords
1:25:30
at a massive scale. In other words,
1:25:32
they're saying that
1:25:35
we will rely upon
1:25:37
the user authenticating to their own device, smartphone or
1:25:40
desktop, with
1:25:43
biometrics or whatever, rather
1:25:45
than authenticating to each remote site individually. And yes, that sounds
1:25:48
familiar. Finally,
1:25:52
They say, syncing Fido
1:25:55
credentials, cryptographic keys between devices may
1:25:58
not always be possible
1:26:01
For example, if the user
1:26:03
is using a new device from a different vendor, which doesn't sync with
1:26:05
the user's other
1:26:08
existing devices. In
1:26:11
such cases, the existence
1:26:13
of the above mentioned
1:26:16
standardized Bluetooth
1:26:18
protocol enables a convenient
1:26:21
and secure
1:26:24
alternative. Colon, If the
1:26:26
Fido credential isn't readily available on the device from which the user is trying
1:26:28
to authenticate, the user
1:26:30
will likely have a device
1:26:35
for example, a phone nearby that does
1:26:37
have the credential. So
1:26:39
in other words, if
1:26:41
you're using Windows, and iOS won't sync to
1:26:44
Windows, then you can use
1:26:46
Bluetooth on your iOS device
1:26:48
to get the credential over into
1:26:51
Windows. They said the user will then
1:26:53
be able to use their existing device
1:26:55
to facilitate
1:26:57
authentication from their
1:27:00
new device.
1:27:00
Okay. So it appears that what
1:27:03
this press release and
1:27:05
these so called
1:27:08
pass keys which is,
1:27:10
again, as the white paper explains, don't actually have anything to do with Fido. That is the doesn't.
1:27:12
It's just the
1:27:15
introduction of cloud syncing among
1:27:19
devices to facilitate the transport
1:27:21
of one's collection of
1:27:24
Fido credentials from one device
1:27:26
to the next. The other p well, in in
1:27:28
the case of device loss, you when you
1:27:30
get a new one, you re sync with
1:27:32
the cloud, and you and you get
1:27:34
all of your Fido credentials back. The
1:27:37
other piece is that the Fido Alliance appears to have formally
1:27:39
given up on the idea that we're all gonna go
1:27:42
out and purchase a
1:27:44
hardware fido token
1:27:46
when we all already own a smartphone that can serve the same purpose.
1:27:52
The use of a possibly
1:27:54
available Bluetooth link allows one smartphone to be
1:27:57
used to authenticate
1:27:59
to a website on
1:28:01
a desktop that does not contain a Fido Authenticator with one's
1:28:04
credentials. And as
1:28:09
as we said, for clarity, that's what
1:28:11
SQRL provides for with a QR code and the smartphone's camera.
1:28:13
And yes, speaking
1:28:16
of SQRL, I
1:28:18
know that the heads of everyone out
1:28:20
there who understand SQRL is
1:28:22
exploding right now because Fido
1:28:25
still falls very far short
1:28:27
of providing the complete solution that SQRL offers.
1:28:30
But having moved from
1:28:34
simple usernames and passwords
1:28:36
to password managers and multi factor
1:28:38
authentication, and then to OAuth third party
1:28:41
authentication, we're now going
1:28:43
to get Fido. Though
1:28:46
it will apparently be
1:28:49
popularly called pass keys
1:28:51
from the samples I've
1:28:54
seen online, It appears that it will
1:28:56
still be necessary to first
1:28:58
identify oneself to the website
1:29:01
being authenticated to. So Fido
1:29:04
with pass keys replaces
1:29:06
the password but unfortunately
1:29:09
not the username. So it
1:29:11
will continue to be somewhat more cumbersome
1:29:13
in that
1:29:14
way. The way Fido's
1:29:17
crypto works is
1:29:20
that it randomly synthesizes a public and private
1:29:22
key pair for each and every
1:29:24
website the user
1:29:27
wishes to authenticate with. And
1:29:30
it gives that site the public key to retain while the authenticator
1:29:32
stores the matching
1:29:35
private key for each subsequent
1:29:39
use for reauthenticating. So
1:29:42
it's this collection of
1:29:45
individual private
1:29:48
authentication keys which are now being
1:29:50
called pass keys, that Apple, Google, and Microsoft will be obtaining
1:29:52
and synchronizing
1:29:55
in the cloud for their users.
1:29:58
This provides for same
1:30:00
platform, cross
1:30:03
device, Fido credential synchronization, which is
1:30:05
crucial for Fido since
1:30:07
each new website
1:30:11
authentication creates another public private key
1:30:14
pair. And it provides for credential recovery in the event
1:30:17
of a
1:30:20
device's loss, and that's certainly needed
1:30:22
to create a practical system. As we know, I went
1:30:25
a different way
1:30:28
with SQRL. SQRL uses
1:30:30
a single master key, which can be printed and stored safely.
1:30:32
Or could be loaded in
1:30:34
the cloud if you wanted, whatever.
1:30:38
From that one key, it deterministically
1:30:41
synthesizes unique per
1:30:44
site public and private key
1:30:46
pairs based upon the website's domain
1:30:48
name. And like Fido, it
1:30:51
gives each website the
1:30:54
public key to use for future authentication.
1:30:56
But unlike Fido, there
1:30:58
is no growing collection
1:31:01
of randomly synthesized per site private
1:31:03
keys that need to be retained
1:31:06
and cloud synced among
1:31:08
devices. So there's no need to
1:31:10
back up a large collection of private
1:31:12
keys to the cloud
1:31:14
or anywhere. The only thing a SQRL user ever needs for their identity to be secure
1:31:19
and fully recoverable at all websites
1:31:21
is one piece of paper. And if you have multiple identities on multiple
1:31:24
devices, you can log in for
1:31:26
the first time on a on a
1:31:28
device on
1:31:30
some other device that has your same SQRL
1:31:33
identity. And when you log
1:31:35
on on on a
1:31:37
on a on a different
1:31:39
device, the identity works because multiple devices
1:31:41
all synthesized the same private
1:31:44
key. So
1:31:47
Backing off from that, overall, this
1:31:50
whole big announcement of
1:31:53
pass keys appears to have
1:31:56
been a world password
1:31:58
day timed press event
1:32:00
without much technology
1:32:03
to back it up. You
1:32:06
know, we're not getting SQRL. We, all of us, we're getting Fido. And that means
1:32:08
we need cloud,
1:32:11
synchronized, pass keys to
1:32:15
make Fido's use practical. The good news
1:32:18
is we're gonna get
1:32:20
it. It'll I'll be
1:32:22
interested to see how the, you
1:32:24
know, how the login
1:32:26
flow functions. The other the other big thing Fido is missing is
1:32:32
it doesn't identify you to the
1:32:34
site. You still have to first identify yourself, then Fido replaces
1:32:38
your password. SQRL did both, which was way more convenient. But
1:32:41
anyway, we're not getting SQRL,
1:32:43
we're getting Fido, and
1:32:47
pass keys is, you know, basically makes it
1:32:49
makes Fido feasible because you
1:32:51
have to be able
1:32:53
it's since you are synthesizing
1:32:55
completely random keys for every site
1:32:58
you visit. You've got to
1:33:00
collect them. You've somehow
1:33:02
got a cross device, sync
1:33:04
them. And Apple, Google,
1:33:06
and Microsoft will be taking care of that for us. So it like
1:33:08
it's kind of
1:33:11
less secure than if
1:33:15
you used a YubiKey, I guess. Yes. This
1:33:17
is this is absolutely
1:33:19
Fido Group. The
1:33:22
Fido Alliance compromising themselves down
1:33:24
from their ivory tower because they needed
1:33:26
nobody because nobody wanted Fido. Right. Yes.
1:33:28
Nobody was gonna do it.
1:33:30
You know? I mean, yes. High
1:33:33
level. I know that there are Google
1:33:35
employees who use their their their Titan keys -- Yep. --
1:33:38
to do things. But
1:33:40
you know I'm
1:33:42
not gonna succeed if everybody but see, that's my other other issue is
1:33:44
not everybody has
1:33:47
a smart device. I
1:33:49
I guess, would this work if you didn't have It's
1:33:51
always possible to still use a
1:33:53
username and password. Oh, that will that
1:33:55
will never go away. Okay. Never
1:33:59
That's what people are gonna do. Yes.
1:34:02
Yeah. So, you know,
1:34:04
my favorite example, Leo,
1:34:06
is the person who said
1:34:09
I don't need a password manager. And
1:34:11
I said, well, you can't be using the same password everywhere. And
1:34:13
she said, oh, no.
1:34:16
I don't. And
1:34:19
I said, how how you
1:34:21
do that then? And and she said,
1:34:23
well, when I'm creating an
1:34:25
account, I just bang on
1:34:27
the keyboard a
1:34:28
lot. And I said,
1:34:30
okay. And I said, so
1:34:33
How how do you log in again? I mean, she
1:34:35
said I forgot. There's always there's a little line there
1:34:37
that says I forgot my
1:34:39
password. Yeah. Should and
1:34:42
I never knew it. So I did
1:34:44
forget
1:34:44
it. And and they she said, then
1:34:47
they sent me a link and I
1:34:49
log in
1:34:49
with that. And that's actually
1:34:52
that's fairly secure. Right?
1:34:54
I mean, honestly
1:34:56
yeah. Well,
1:34:58
you know, it's just an email
1:35:01
use an email confirmation in order
1:35:03
to reassert that you As long
1:35:05
as you don't lose control of your
1:35:07
email, you're okay. Correct. And and that is
1:35:09
the segue to next week's picture of the week, which is already in the
1:35:12
document waiting to be displayed. You
1:35:14
don't have anything else, but that's
1:35:16
there. That's
1:35:20
right. Obviously, SQRL
1:35:23
would be much more
1:35:25
secure, but SQRL has a
1:35:27
similar problem, which is that it is not trivially
1:35:29
easy to use. And for that reason, I think people are
1:35:31
gonna fall back to a
1:35:34
password for almost anything. Yeah.
1:35:37
Single sign on is good. You know, I use Microsoft now
1:35:39
for login to Windows. As you know, sends you your
1:35:41
phone an authenticator, sends it a digit
1:35:43
a two digit number, you
1:35:46
say, yeah, I know that number. And you're in. That
1:35:49
seems like, is that the same
1:35:51
thing as this Fido thing?
1:35:54
It's similar. Well, so
1:35:55
it's it's specific to Microsoft. That's right.
1:35:57
And and That's right. Yeah. And
1:35:59
and and so
1:36:01
we're we're we're looking for a
1:36:04
broad based solution which solves
1:36:06
the phishing and the I
1:36:08
forgot my password
1:36:10
problem. Right? Which is, you
1:36:12
know, easy to use.
1:36:14
The fact is we'll
1:36:15
have to see how what
1:36:18
the flow looks like. It is
1:36:22
certainly easy to do, you
1:36:24
know, login with Facebook, login with
1:36:26
Google. We know that that's horrific
1:36:29
from a tracking and privacy
1:36:31
standpoint. Right? Because -- Oh, I don't do that. -- you're bouncing. I've stopped
1:36:33
doing that entirely. Yes. Oh my god. And in
1:36:35
fact, I did hear you
1:36:38
on TWiT last Sunday
1:36:40
talking about how you were finally thinking, maybe you
1:36:42
should be taking privacy a little more -- Yes. -- seriously. Yes.
1:36:44
Then you
1:36:46
I I admitted I was
1:36:48
wrong. And that because these
1:36:50
data brokers selling information about
1:36:52
who visited planned parenthood over the past
1:36:54
week for a hundred and sixty bucks.
1:36:58
And what that does is
1:37:00
it puts you if you
1:37:02
live in Texas and there
1:37:04
are now other states and
1:37:07
soon it might
1:37:08
be twenty three other states, criminalizing
1:37:10
interstate travel for the purpose of terminating a pregnancy.
1:37:12
For a hundred
1:37:15
and sixty bucks, Anybody. Not any the
1:37:17
way this Texas law works, anybody can go after you. So there's now probably a brisk
1:37:20
business people
1:37:23
buying that information. And and
1:37:25
then suing you or law enforcement in in
1:37:28
in Tennessee, for
1:37:30
instance, going after you, or
1:37:33
I guess it's I guess it's
1:37:34
Louisiana. In any event, it's it suddenly became obvious that
1:37:37
the government is
1:37:39
now starting to go
1:37:41
after people for things that they shouldn't be. And it is
1:37:44
now
1:37:47
dangerous to leave this stuff on
1:37:50
And that's really I think that that is you're right. That's that's the takeaway is that given
1:37:53
a certain set
1:37:56
of of existing
1:37:58
laws, you could argue that
1:38:04
there, with those
1:38:06
laws, there's a a reduced risk from lack of privacy.
1:38:12
Yeah. But if if the laws
1:38:14
change Well, that's the problem. Exactly. And suddenly, the the previous assumptions
1:38:16
no longer hold under the
1:38:18
new regime. Exactly. And that's that
1:38:22
-- Yes. -- the day. If you trust the government,
1:38:24
no problem. I no
1:38:26
longer trust the government.
1:38:29
So, problem. Yeah.
1:38:30
And that's too bad. Yeah.
1:38:32
But now
1:38:33
we have to pay more attention. So
1:38:35
you've been right all along. I
1:38:38
was a wide eyed
1:38:40
optimist. I am no longer.
1:38:42
Steve, thank you as always. It's
1:38:47
always eye opening and always fascinating. Passkeys, I
1:38:49
think, have a huge future.
1:38:51
We're very excited about it
1:38:53
just a couple weeks ago. Google announced that
1:38:55
Chrome was gonna start supporting passkeys, so this is very
1:38:57
good news. I think squirrel would be
1:38:59
better. As you know, we
1:39:01
Steve Gibson fans know
1:39:04
better, but pass keys is better than
1:39:06
nothing and certainly better than passwords. Next, we're gonna talk about the Conti gang.
1:39:09
Did they
1:39:12
really retire So last
1:39:13
Thursday, advanced intel is the name of this
1:39:16
organization,
1:39:16
ADVINTEL
1:39:20
dot IO
1:39:22
is their domain. Advanced Intel's
1:39:28
Yelisey Boguslavskiy,
1:39:31
tweeted Today, the official website of Conti
1:39:34
ransomware was shut down.
1:39:37
This is last
1:39:39
Thursday, Making the end of notorious crime group, marking the
1:39:41
end of this notorious crime group,
1:39:43
he says it is truly
1:39:45
a historic day in the
1:39:48
intelligence community. And
1:39:50
the day after that, last Friday, they published their report exactly
1:39:52
what happened. There's so much
1:39:54
more to it than just
1:39:59
someone turned the site off that I felt certain our
1:40:02
listeners would find the details
1:40:04
fascinating. And their
1:40:07
report is titled Don't blame me,
1:40:10
although I
1:40:11
did perpetuate it, DisCONTInued: the
1:40:14
end of Conti's brand
1:40:17
Mark's new chapter for
1:40:19
cybercrime landscape. And the top of their report teases reading
1:40:22
from the negotiations site
1:40:26
chat rooms, messengers to
1:40:28
servers and proxy hosts, the
1:40:31
Conti brand, not the
1:40:33
organization itself, is shutting down.
1:40:36
How does this how oh, he
1:40:38
says I'm sorry. However, this does not
1:40:40
mean that the
1:40:42
threat actors themselves are retiring. Okay? What does that what does mean?
1:40:44
Advanced intel apparently rushed
1:40:47
out their report. It
1:40:49
contained some typos, misspelling,
1:40:52
and grammatical awkwardness, and they
1:40:54
may not be native English speakers. So in order to in order to share it with the podcast,
1:40:56
I cleaned it up a bit,
1:40:58
but otherwise, it remains what they wrote.
1:41:02
And I think everyone's gonna
1:41:04
find it interesting. They said
1:41:07
on May nineteenth, the
1:41:10
admin panel Of the Conti ransomware
1:41:12
gang's official website, Conti
1:41:14
News was shut down.
1:41:17
The negotiation service site was
1:41:19
also down while the rest of the infrastructure
1:41:21
from chat rooms to messengers and
1:41:24
from servers to proxy hosts
1:41:26
was going through a massive reset.
1:41:29
Conti News, a shame blog, is the last
1:41:31
beacon of the group's public
1:41:36
operation. Where victim data was
1:41:38
being published. It also served as a media tool that Kati used
1:41:41
for their endless
1:41:44
public statements one of
1:41:46
which led to the gang's downfall. We'll get to that in a minute. I have a snapshot of it later in the
1:41:52
show notes. They said, this
1:41:54
publicity function of the blog is still technically active, and this
1:41:56
activity as shown
1:41:59
below is highly strategized. At
1:42:02
the time of this publication, May twentieth,
1:42:05
twenty twenty two, Conti was
1:42:05
even uploading anti
1:42:10
American hate speech claiming the USA to be, quote,
1:42:12
a cancer on the body
1:42:14
of the earth, unquote. This
1:42:18
however, only manifests that the website is an empty shell.
1:42:21
At the same time,
1:42:23
the crucial operational function
1:42:27
of Conti News, which was to upload
1:42:30
new data in order to intimidate victims to pay is defunct.
1:42:33
As all
1:42:36
the infrastructure related to
1:42:38
negotiations, data uploads, and hosting of stolen data was shut down.
1:42:45
Okay. So this shutdown, they
1:42:47
wrote, highlights a simple
1:42:52
truth that has been evident
1:42:54
for the Conti leadership since early spring of this year.
1:42:59
The group can no longer sufficiently support and obtain
1:43:02
extortion. The blog's
1:43:05
key and only
1:43:08
valid purpose is to leak new
1:43:10
data sets and this operation is now gone. This
1:43:13
was not a
1:43:16
spontaneous decision, they write.
1:43:18
Instead, it was a calculated move, signs of which were evident since
1:43:24
late April. Two weeks ago on
1:43:26
May sixth, Advanced Intel explained that the Conti brand
1:43:28
and not the organization
1:43:30
itself was in the process
1:43:34
of the final shutdown.
1:43:36
As of May nineteenth, twenty
1:43:38
twenty two, our exclusive source
1:43:41
intelligence confirms that
1:43:44
today is Conti's official date
1:43:46
of death. In this retrospective analysis,
1:43:49
we will not only
1:43:51
take up the reasons behind the Conti
1:43:53
shutdown, but perhaps most importantly
1:43:56
assess and
1:43:59
project future of a new threat landscape that
1:44:01
is already on the horizon. But first, we need to review how
1:44:04
Conti prepared for
1:44:07
its own demise and how this
1:44:09
group, notable for its
1:44:11
sophistry, continued to
1:44:14
utilize information warfare techniques to
1:44:16
orchestrate the shutdown until its final
1:44:18
days in order to ensure the legacy of
1:44:23
its surviving members. They
1:44:26
explained, shutting down ransomware's iconic criminal brand is a
1:44:29
long and
1:44:32
complicated venture. A
1:44:34
notorious and prolific threat group cannot simply turn off its servers
1:44:37
only to pop
1:44:40
back up the
1:44:42
following week with a new
1:44:44
name and logo design.
1:44:46
Even a whisper of
1:44:48
novel threat group activity following
1:44:51
the announcement of Conte's demise would
1:44:54
likely spark immediate accusations
1:44:57
of poorly executed identity
1:44:59
theft, and immediate comparisons between the
1:45:02
two would permanently
1:45:04
leave the new
1:45:06
group in Conti's ghostly
1:45:08
shadow. The
1:45:10
collective that fell and the one which emerged. And I'll note that, you know, we've
1:45:12
seen and commented
1:45:15
on exactly this with
1:45:18
previous ransomware operations. So
1:45:21
these guys said, REvil,
1:45:24
DarkSide, and countless
1:45:26
other collectives attempted the disappearing act, the
1:45:29
simple approach failed
1:45:32
miserably. As what was
1:45:34
one of the predominant ransomware
1:45:36
groups active at the time,
1:45:38
Conti realized that an element of performativity,
1:45:40
they wrote, would
1:45:43
need to be involved. Where
1:45:45
other groups had been attempting a grand stunt with smoke
1:45:47
and mirrors, Conti would try a
1:45:51
sleight of hand. Conti
1:45:54
would not be itself without its project frontman,
1:45:56
an individual operating
1:45:59
under the alias Reshaev,
1:46:04
AKA Gangster. Besides being
1:46:06
a talented coder, they wrote
1:46:10
that this Reshaev was behind the original
1:46:12
Ryuk payload, this person was
1:46:14
an outstanding organizer.
1:46:17
It was Reshaev who set the foundation
1:46:20
for Conti's dominance in the
1:46:22
cybercrime business by creating an
1:46:24
organizational system
1:46:27
based on skill, framework, clear business
1:46:30
processes, hierarchy, and clear foresight.
1:46:33
It's not surprising
1:46:36
that Reshaev was
1:46:38
the first who saw Conti's
1:46:40
structural challenges. Due to the
1:46:42
group's public allegiance to Russia,
1:46:45
in the first days
1:46:47
of the Russian invasion into Ukraine, Conti was
1:46:50
unable to be paid.
1:46:54
Since February,
1:46:56
almost no payments were given
1:46:58
to the group. While Conti's
1:47:00
locker, you know, their,
1:47:02
the slang for malware, became
1:47:05
highly detectable and was
1:47:07
rarely being
1:47:07
deployed. The
1:47:10
only possible decision was to rebrand.
1:47:12
For over two
1:47:13
months, the Conti collective has been
1:47:16
silently creating
1:47:20
subdivisions that began operations before
1:47:22
the start of the shutdown process. These subgroups
1:47:27
either utilized existing Conti alter egos
1:47:29
and locker malware or took the opportunity to
1:47:32
create new
1:47:35
ones. This decision was convenient for Conti
1:47:37
as they already had a couple
1:47:39
of subsidiaries operating under
1:47:42
different names: Karakurt, BlackByte,
1:47:46
and Black Basta. The rebranded version of
1:47:52
Conti, the monster splitting
1:47:54
into pieces, but still very much alive, ensured that whatever
1:47:56
form Conti's
1:48:00
affiliates chose to take. They
1:48:02
would emerge into the public eye
1:48:04
before News
1:48:07
of Conti's obsolescence could spread.
1:48:10
Thus controlling the narrative
1:48:15
around the dissolution as well
1:48:18
as significantly complicating any future threat attributions.
1:48:22
And then
1:48:24
they wrote, this is where the plans
1:48:26
for what was left of Conti became increasingly complex. In
1:48:29
order to hide
1:48:32
the fact that Conti was
1:48:34
now dispersed and operating via smaller, more novel brands,
1:48:36
the former affiliates
1:48:39
of the gang had to
1:48:42
now convincingly simulate the actions of a dead brand. Conti's remaining
1:48:48
infrastructure operated like an
1:48:50
army preparing for an ambush. Lingering actors were left to keep their fires lit
1:48:53
visible from behind
1:48:56
enemy lines. Meanwhile,
1:48:58
hidden from view, Conti's most skilled agents were instead lying low
1:49:01
in a
1:49:04
nearby encampment, biding
1:49:06
their time while watching, and smoke, particularly
1:49:08
emulating the movements
1:49:11
of an active group. Conti
1:49:15
continued to publish documents stolen
1:49:18
from victims, most likely
1:49:20
targets hit earlier with attacks and
1:49:22
lined up in a sort of
1:49:24
queue waiting for public
1:49:27
release and campaigned hard for themselves on
1:49:32
criminal forums. Their public
1:49:34
persona boasted a strong and enduring foundation, even one that was
1:49:36
willing to further
1:49:39
expand the group's
1:49:40
operations. From
1:49:42
the perspective of Conti's posting
1:49:44
history, the group appeared to
1:49:47
be as strong
1:49:49
as ever. Okay. Then they shared
1:49:51
a snapshot of a long and quite rambling chest-thumping post from March thirtieth
1:49:56
where a Conti representative talks
1:49:58
up the group's successes, even seeking to recruit new affiliates, all
1:50:02
apparently just smoke screen.
1:50:05
Then they continue. However, in order to pull off their ultimate
1:50:07
tactical maneuver, the agents
1:50:11
left behind to operate from
1:50:14
within Conti's massive empty shell, now had to ensure that their antics
1:50:16
would
1:50:19
successfully lure attention away from
1:50:23
their escaping comrades. To do this,
1:50:25
they had to be certain that
1:50:27
they left bait big
1:50:30
enough to satisfy all of the opposing forces.
1:50:32
Stretching the analogy, Conti would
1:50:34
have to perform a grand
1:50:38
finale, one big enough to live up to the group's
1:50:41
name. And finally, on
1:50:43
May eighth, Costa
1:50:46
Rican president Rodrigo Chaves
1:50:48
declared a national emergency as the
1:50:51
result of a major cyberattack executed by
1:50:54
the Conti ransomware gang.
1:50:58
The massive attack which took
1:51:00
place against multiple Costa Rican
1:51:02
government agencies seems almost like
1:51:04
a last ditch effort by
1:51:06
the group to squeeze a few more drops of riches
1:51:09
from foreign government funds.
1:51:11
However, advanced intel's
1:51:15
unique adversarial visibility and intelligence findings led
1:51:17
to what was in fact
1:51:20
the opposite
1:51:23
conclusion. The only goal Conti had
1:51:25
for this final attack
1:51:27
on Costa Rica was
1:51:32
to use the platform as
1:51:34
a tool to publicly perform their own
1:51:38
death and subsequent rebirth.
1:51:41
Advanced Intel has been tracking the preparations
1:51:43
for this attack since April fourteenth. Days
1:51:48
before even the initial
1:51:50
compromise. Our preemptive alert was sent on April fifteenth, three
1:51:56
days before the first
1:51:58
incident compromising Costa Rica's Ministry of Finance occurred.
1:52:04
Okay.
1:52:06
So they said that. Now, their report links to a tweet thread in Spanish,
1:52:08
but it appears to be
1:52:11
dated from the eighteenth. But
1:52:15
they then provide a screenshot, which
1:52:17
indeed appears to substantiate a
1:52:19
three day early
1:52:21
warning of an impending
1:52:23
attack. In our pre
1:52:26
and post attack investigation,
1:52:29
we have found three
1:52:31
things. First, the agenda to conduct
1:52:33
the attack on Costa Rica for
1:52:36
the
1:52:37
purpose of publicly, instead of
1:52:40
ransom, I'm
1:52:41
sorry. For the purpose of
1:52:43
publicity instead of
1:52:46
ransom, was declared internally
1:52:49
by the Conti leadership. Second,
1:52:51
internal communications between group members suggested
1:52:53
that the requested
1:52:56
ransom payment was
1:52:58
far below one million US
1:53:01
dollars despite unverified claims
1:53:03
of the ransom being ten
1:53:05
million US dollars followed by
1:53:07
Conti's own claims that the sum
1:53:09
was twenty million dollars. A low
1:53:11
demand such as this
1:53:13
made to a state entity no less
1:53:15
was only made with the knowledge that the
1:53:17
group would never see payment for the ransom
1:53:20
either way. You
1:53:22
know, because of the sanctions against Russia
1:53:24
and their
1:53:27
pronounced affiliation with Russia. And
1:53:31
third, Conti was very vocal about
1:53:34
the
1:53:34
attack, constantly adding new political
1:53:37
statements. And, you know,
1:53:39
that's the kind of junk
1:53:41
that we talked about
1:53:43
last week. They say the attack on Costa Rica indeed brought Conti
1:53:47
into the spotlight. And helped
1:53:50
them to maintain the illusion of life for just a bit while
1:53:52
the real restructuring
1:53:55
had already taken place. While
1:53:59
Conti had been busy with its diversion
1:54:01
tactics, other brands such
1:54:03
as Karakurt, BlackByte, and
1:54:06
numerous other groups which existed as
1:54:08
extensions of Conti, but without
1:54:10
taking the group's name were
1:54:13
extremely operationally active, although working in silence.
1:54:15
Working concurrently with them,
1:54:19
talented infiltration specialists who
1:54:23
were ultimately the backbone of
1:54:25
Conti's gang were also more
1:54:28
active than
1:54:30
ever, forming alliances with BlackCat, Avos
1:54:33
Locker, Hive, HelloKitty,
1:54:36
FiveHands, and
1:54:38
a whole other cadre of
1:54:41
ransomware groups. These pen testers maintain personal
1:54:43
loyalty to the
1:54:46
people who created Conti
1:54:49
but ultimately continued their work with other gangs in
1:54:51
order to fully shed Conti's name and
1:54:56
image. The situation presents the
1:54:58
first and foremost reason for Conti's timely end,
1:55:04
toxic branding. Indeed, the first two months of
1:55:06
twenty twenty two left a major mark on the Conti
1:55:08
name. While there's no
1:55:11
tangible evidence to suggest that
1:55:14
the well-known Conti leaks had any impact on the group's operations, the event that provoked
1:55:20
the leak, Conti's claim to
1:55:22
support the Russian government, seems to have been the fatal blow
1:55:24
for the group
1:55:27
despite being revoked almost
1:55:32
immediately. And we noted that at
1:55:34
the time, remember that Conti posted,
1:55:36
the Conti team is officially
1:55:39
announcing a full support of Russian government. If
1:55:41
anybody will decide to
1:55:44
organize a
1:55:47
cyberattack or any war activities against Russia, we
1:55:49
are going to use all
1:55:51
our all possible resources to
1:55:54
strike back at the critical infrastructures
1:55:57
of an enemy. That
1:56:00
statement
1:56:01
had several key
1:56:03
consequences. Advanced Intel
1:56:03
wrote, all of which deeply
1:56:06
reshaped the environment Conti was operating
1:56:08
within. First,
1:56:11
by engaging in political discourse,
1:56:13
Conti broke the first
1:56:15
unspoken rule of
1:56:17
the Russian speaking
1:56:20
cybercrime community which is not to
1:56:22
intervene in state matters. In Advanced Intel's public blog
1:56:24
regarding REvil's ultimate takedown
1:56:27
by the Russian government, Advanced
1:56:30
Intel provided an in-depth analysis
1:56:33
of this unspoken agreement,
1:56:35
making case studies of
1:56:37
the two most notable
1:56:39
groups to break it, Avaddon and REvil.
1:56:41
With the ongoing Russian invasion of Ukraine, it
1:56:43
may be very plausible
1:56:47
that Russia's state security apparatus is attempting to exert
1:56:49
governmental control over its
1:56:52
cyberspace, even
1:56:54
taking down groups that appeared to have been allies,
1:56:56
but who exhibited undue
1:56:58
independence with their actions.
1:57:03
Advanced Intel has seen internal communication of the
1:57:05
Conti leadership suggesting that the
1:57:07
Russian FSB had
1:57:09
been pressuring the group, and even though
1:57:11
no factual evidence was involved, the REvil
1:57:14
scenario may have simply repeated
1:57:16
itself with
1:57:18
Conti. The group's brand becoming a target for
1:57:20
Russian authorities despite their
1:57:23
pledged loyalties. Second, Conti's
1:57:25
allegiance to the Russian
1:57:27
invasion of Ukraine provoked internal
1:57:30
conflict and brought shame on the Conti name
1:57:32
from members who
1:57:35
were either ethnically Ukrainian or
1:57:39
were Russian but supported Ukraine, or simply
1:57:41
wanted to maintain an anti-war
1:57:44
ethic. Considering
1:57:46
that one of these members decided
1:57:48
to betray the gang and
1:57:51
leak private Conti chat
1:57:53
logs, we talked about that
1:57:55
too, not long after the conflict began, this illustrated the final nail in
1:57:58
Conti's self-made coffin.
1:58:02
The third and most important factor by
1:58:05
pledging their allegiance to
1:58:07
the Russian government, Conti
1:58:09
as a brand, became associated
1:58:11
with the Russian state, a
1:58:13
state that is currently undergoing
1:58:15
extreme sanctions. In the eyes
1:58:17
of the state, each ransom payment going
1:58:20
to Conti may have potentially
1:58:22
gone to an individual under sanction.
1:58:26
Turning simple data extortion
1:58:28
into a violation of
1:58:31
OFAC regulation and sanction
1:58:33
policies against Russia. This liability
1:58:35
came to a head on May sixth
1:58:37
when the US state department
1:58:39
offered rewards up to ten
1:58:41
million US dollars for information
1:58:44
that led to the takedown of
1:58:46
the Conti group. As a result of these limitations, Conti had essentially cut
1:58:48
itself off from the
1:58:51
main source of income. They
1:58:54
wrote our sensitive source intelligence
1:58:56
shows that many victims were
1:58:59
prohibited from paying ransom
1:59:01
to Conti. Other victims and companies who would
1:59:04
have negotiated ransomware payments were
1:59:06
were more ready to
1:59:06
risk the financial damage of
1:59:08
not paying the ransom than they were to make payments to a sanctioned entity.
1:59:15
As advanced intel previously
1:59:18
stated, the end of the Conti brand does
1:59:20
not equal the end of
1:59:22
Conti as an organization. As
1:59:24
seen with the Costa Rica case,
1:59:26
Conti has been carefully planning its
1:59:29
rebranding for several months,
1:59:31
preparing a comprehensive strategy
1:59:33
to execute it. This strategy is based
1:59:35
on two pillars. First, Conti is
1:59:38
adopting a network organizational
1:59:43
structure more horizontal and decentralized
1:59:46
than the previously rigid Conti hierarchy.
1:59:48
This structure will
1:59:51
be a coalition of
1:59:54
several equal subdivisions, some
1:59:56
of which will be independent,
1:59:58
and some existing within another
2:00:01
ransomware collective. However, They will all
2:00:03
be united by internal loyalty to both
2:00:06
each other and the Conti
2:00:08
leadership, especially
2:00:12
Reshaev. At this point, this
2:00:14
network includes the following groups. The first type being
2:00:16
autonomous,
2:00:19
no malware locker involved, pure data
2:00:22
stealing. That's Karakurt, Black
2:00:27
Basta, and BlackByte. The second type being
2:00:30
semi-autonomous, acting as Conti-loyal collective affiliates
2:00:32
within other collectives in
2:00:35
order to use their malware
2:00:38
locker. That's ALPHV, or Alph five maybe,
2:00:40
BlackCat, Hive,
2:00:43
Hello
2:00:43
Kitty, FiveHands, and
2:00:47
AvosLocker.
2:00:48
The third, type being
2:00:50
independent affiliates working individually
2:00:53
but keeping their loyalty
2:00:55
to the organization. And finally,
2:00:57
the fourth type being mergers and acquisitions where
2:00:59
Conti leadership infiltrates a
2:01:03
preexisting minor brand and
2:01:06
consumes it entirely, keeping the small brand name in place.
2:01:09
The small group's leader
2:01:11
loses their independence but
2:01:15
receives a massive influx of manpower while
2:01:17
Conti obtains
2:01:19
a new subsidiary
2:01:22
group. This is different from ransomware as
2:01:24
a service. Since this network, at
2:01:26
least at the time of writing does
2:01:29
not seem to be accepting new members
2:01:31
as part of its structure. Moreover,
2:01:33
unlike ransomware as a service, this model seems
2:01:35
to value operations being executed in
2:01:38
an organized team led
2:01:40
manner. Finally,
2:01:43
unlike ransomware as a service,
2:01:45
all the members know each other
2:01:47
very well personally and are
2:01:49
able to leverage these
2:01:52
personal connections and the loyalty they bring.
2:01:54
And implied in that, of course, would be some protection against
2:01:56
US based
2:01:59
bounties against their members if they,
2:02:01
you know, maintain a loyal,
2:02:03
cohesive group. You
2:02:06
know, one turns one in, and they're
2:02:08
subjecting themselves to similar
2:02:11
reprisal. And finally, they finished:
2:02:14
this model is more flexible and adaptive
2:02:16
than the previous Conti hierarchy,
2:02:18
while also being more secure
2:02:20
and resilient than
2:02:23
ransomware as a service. And finally, the
2:02:25
other major development for this new ransomware model is
2:02:27
a transition from, and
2:02:30
this is really interesting, from
2:02:33
data encryption to data
2:02:35
exfiltration, covered extensively by
2:02:40
advanced intel in our analysis
2:02:42
of Karakurt and BlackByte. In a nutshell, relying
2:02:45
on pure
2:02:48
data exfiltration maintains most
2:02:50
major benefits of a data encryption operation
2:02:52
while avoiding the
2:02:55
issues of a locker
2:02:58
altogether. Most likely,
2:03:00
this will become the
2:03:02
most important outcome of
2:03:05
Conti's rebrand. The actors that formed
2:03:08
and worked under the Conti name
2:03:10
have not and will not
2:03:12
cease their forward movement within
2:03:14
the threat landscape. Their impact will simply leave
2:03:16
a different shape. So
2:03:18
to our listeners, if
2:03:21
anyone in your cyber sphere
2:03:24
announces that Conti has shut down
2:03:26
and disbanded. Well, now we know
2:03:28
better. It
2:03:30
appears that earlier this year as a consequence
2:03:33
of, you know,
2:03:35
we've talked previously
2:03:37
about the entire reason that
2:03:39
ransomware has come into
2:03:42
existence, whether it be
2:03:46
encrypting malware, or exfiltrating and holding that
2:03:48
data for ransom, it's the ability
2:03:50
to get paid thanks to
2:03:53
cryptocurrency, which has, you
2:03:55
know, made that practical from
2:03:57
an
2:03:59
underworld standpoint. But the sanctions against Russia, Conti's original
2:04:04
proclamation that they were
2:04:06
standing with Russia,
2:04:08
essentially cut them off from
2:04:10
extra Russian payment of cryptocurrency into
2:04:15
them and that set
2:04:17
them on a multi month
2:04:19
course to basically
2:04:21
kill Conti off while continuing to
2:04:23
function as a viable ransomware
2:04:28
organization learning
2:04:31
from the mistakes they'd made before, changing their
2:04:33
structure, and probably, apparently,
2:04:36
changing the nature
2:04:38
of, you know, what they do maliciously.
2:04:40
Well, they're not fooling
2:04:43
anyone. Okay? That's
2:04:46
the truth. We know better.
2:04:48
Not so cool was the
2:04:50
news of last week's LastPass
2:04:53
breach announcement which, as I've mentioned
2:04:55
before, overwhelmed my Twitter feed.
2:04:58
So I wanted to
2:05:00
lead with this because so
2:05:02
many of our listeners, myself included,
2:05:04
are using LastPass. So I had,
2:05:06
as a consequence, also received an
2:05:11
email from LastPass. The current LastPass
2:05:13
CEO, and I say current because it's
2:05:16
been
2:05:19
jumping around somewhat recently, a guy
2:05:22
named Karim Toubba had the following to say
2:05:24
in their online
2:05:27
blog posting, which echo the email that
2:05:29
he sent to everyone. He said, I want to inform you of a development that we
2:05:31
feel is important for
2:05:35
us to share with our LastPass
2:05:37
business and consumer community. Two weeks ago, we detected some
2:05:40
unusual activity within
2:05:43
portions of the LastPass development environment.
2:05:46
After initiating an immediate
2:05:48
investigation, We've
2:05:50
seen no evidence that this incident involved
2:05:53
any access to customer
2:05:55
data or encrypted password
2:05:57
vaults. We've determined that an unauthorized party gained access to portions of the
2:05:59
LastPass development environment
2:06:04
through a single compromised developer account
2:06:07
and took portions of source code and
2:06:09
some proprietary
2:06:11
LastPass technical information. In
2:06:15
response to the incident, we've deployed
2:06:17
containment and mitigation measures
2:06:19
and engaged a leading
2:06:22
cybersecurity and forensics firm. While our
2:06:25
investigation is ongoing, we've achieved a state
2:06:27
of containment, implemented additional enhanced security
2:06:31
measures, and have seen no further evidence of unauthorized activity. Based on
2:06:33
what we've learned and implemented,
2:06:36
we are evaluating
2:06:39
further mitigation techniques to strengthen our environment.
2:06:41
We've included a brief
2:06:43
FAQ below of what we
2:06:45
anticipate will be the most
2:06:47
pressing initial questions and concerns from you. We will
2:06:50
continue to update you with the
2:06:52
transparency you
2:06:55
deserve. Thank you for your patience, understanding, and support. So,
2:06:57
note that there's not a
2:07:00
categorical denial that
2:07:03
anything like password vaults were accessed. It's
2:07:05
just no evidence of. Right.
2:07:08
So I feel like there's
2:07:11
we're not completely out of the woods, that I'd like
2:07:13
to know that there
2:07:14
is, in fact, not merely no
2:07:16
evidence of, but
2:07:19
it didn't happen. Okay?
2:09:21
I'm curious what you think about that. The other thing is I think this is part of
2:09:23
the Twilio breach, that this
2:09:26
is a follow-on on
2:09:29
the Twilio hack, which turned out to really be problematic. It was pretty
2:09:31
deep because so many people used Twilio
2:09:34
for authentication and other, you
2:09:38
know, texting. So, of course, we have the problem of proving a negative. So,
2:07:41
you know, lack
2:07:44
of evidence is
2:07:46
there evidence of lack and so forth? Right.
2:07:48
Okay. So the short version of
2:07:50
the FAQ, I'm not
2:07:52
bothering to share it all. It was
2:07:55
basically that they
2:07:57
believe there to be
2:07:59
zero impact upon LastPass
2:08:01
users, you know, no need to
2:08:03
change or do anything. Though I'm sure they're
2:08:06
unhappy that this occurred
2:08:10
since, you know, I'm sure that they
2:08:12
hold their proprietary information in high
2:08:14
regard and don't want attackers to
2:08:17
snooping around in it. But we've
2:08:19
always known since I first
2:08:21
checked out the technology that
2:08:23
Joe Siegrist originally designed
2:08:26
is that so long as
2:08:29
the LastPass code that
2:08:31
runs our local browser vault is
2:08:35
not itself compromised. No.
2:08:38
And that's the key. I
2:08:40
mean, that's the golden
2:08:42
goose there, is the
2:08:45
script in our browser
2:08:47
that knows how to decrypt the local copy
2:08:49
of the vault. As long
2:08:51
as that's not compromised, the
2:08:54
only thing we're providing to
2:08:56
LastPass, the only thing
2:08:58
they have of ours to
2:09:00
lose is a very well
2:09:02
protected encrypted blob of entropy. One
2:09:06
from each of their users. You know, that's what they hold for us in the cloud, which allows them to
2:09:08
link all of
2:09:11
our devices together. And
2:09:14
I'm sure this is no
2:09:17
longer unique technology. I don't know
2:09:19
that it was back then,
2:09:21
but although I haven't looked,
2:09:23
I would imagine and hope that's what every other manager also
2:09:28
does. Because it's the
2:09:30
only way to do what we all want safely. We
2:09:32
know that LastPass
2:09:35
uses a strong, many-iteration
2:09:37
PBKDF, you know, a password-based key derivation
2:09:40
function, which runs
2:09:42
in our local browser to
2:09:46
encrypt all of our password data before it ever leaves our local machine. You need
2:09:48
to have a good strong
2:09:50
password to protect your vault if
2:09:55
you have that, you're as safe as
2:09:57
you could be. And
2:09:59
presumably, you know, adding any
2:10:01
of their other security measures such as
2:10:03
multi factor authentication, hardware, dongles,
2:10:05
etcetera, only strengthens things
2:10:07
from there.
2:10:08
But this
2:10:10
leaves us
2:10:11
with the question. With LastPass having admitted to
2:10:13
having one of their developer accounts
2:10:16
breached, should we
2:10:19
change password managers? You
2:10:21
know, I was asked that directly by many of our listeners. And it's a
2:10:24
worthwhile question. Lacking
2:10:29
any additional information and no additional information is available
2:10:31
at this point, I think
2:10:34
that's an emotional decision rather
2:10:38
than a rational decision, which is
2:10:40
not to be discounted. I mean, you
2:10:42
could argue that the human race is
2:10:45
here as the result of
2:10:47
emotional decisions. You could argue, God, trust no one is an emotional decision too,
2:10:49
I guess. Right? Yes.
2:10:51
Yes. So the reason I
2:10:53
think that this
2:10:56
is, that we need
2:10:58
a rational decision, is, you know, because there's
2:11:03
no factual basis currently for knowing
2:11:05
about what matters to make an
2:11:08
informed decision. It
2:11:11
would be necessary to deeply understand the
2:11:14
company's policies and procedures,
2:11:17
like as
2:11:20
an insider, and to know
2:11:22
exactly how this particular breach occurred. They're not saying.
2:11:24
Their policies and
2:11:27
procedures would tell us how
2:11:30
they have set up the barriers,
2:11:32
which hopefully exist between
2:11:34
their developer resources and their
2:11:37
production services. Yeah. I hate to tell you that it's
2:12:39
so easy that all we have to
2:12:42
do is social engineer one
2:11:44
person, and it's all -- Yes. --
2:11:46
gone. Right? And Leo, just look at what we just learned about the way Twitter
2:11:48
operates. Yeah. You know, it's like
2:11:50
-- Right. -- trap. Okay. But
2:11:54
but then you would also need to know that
2:11:57
same thing about the
2:11:59
password manager you
2:12:01
were considering switching to. Again, an
2:12:04
emotional decision needs no
2:12:06
justification whereas a rational
2:12:09
decision is only
2:12:12
about justification. Now,
2:12:14
I've always been careful to draw a clear distinction between policies and mistakes.
2:12:19
Policies are deliberate. Mistakes,
2:12:22
well, they're mistakes. When you're
2:12:24
an employer, for example, and this is
2:12:26
the example you and I've often
2:12:28
used Leo, you know, and
2:12:31
an employee screws up. Do you fire them
2:12:33
because they screwed up? Or do you consider that they
2:12:35
made a mistake and have learned
2:12:38
a valuable lesson from
2:12:40
it? You know, if as a
2:12:42
consequence of having made a mistake, they're now a better and more valuable employee.
2:12:44
Why give them
2:12:47
to your competition? So,
2:12:50
unfortunately, we don't know enough about the inner workings of LastPass to make
2:12:53
an informed decision
2:12:56
about switching. You
2:12:59
know, should we now be more or
2:13:01
less afraid? How does their
2:13:03
actual policy and behavioral
2:13:06
security after this incident compare
2:13:09
to the actual security available elsewhere. Well,
2:13:11
and there's an interesting comparison because it's believed
2:13:11
that the same hacker who did the Twilio attack,
2:13:15
we know DoorDash was attacked by
2:13:18
the same
2:13:20
guy. They say yes. But Okta, Signal, and
2:13:22
LastPass all were breached at roughly
2:13:24
the same time using
2:13:27
similar social engineering
2:13:29
attacks. But the one
2:13:32
who wasn't, but was attacked, was Cloudflare. Remember this? You had this story last week, I think.
2:13:39
They use YubiKeys. And because
2:13:41
they use strong security, even though the social
2:13:43
engineering attack worked, it
2:13:47
didn't compromise them. Yep.
2:13:50
So that's the
2:13:50
kind of thing I'd like to see
2:13:52
from LastPass. Yes. Right. And
2:13:54
in his note, he was
2:13:56
noncommittal. I mean, he wasn't specific. He
2:14:01
talked about, you know, increasing their
2:14:03
security and tightening their
2:14:05
boundaries and things. It's like, okay.
2:14:07
Again, so we
2:14:10
have an
2:14:11
example, but
2:14:13
again, to
2:14:15
make a change, you
2:14:18
need to know about where you're changing to, just as much as you need to know about where you're changing from.
2:14:20
So, you know, if
2:14:22
LastPass learned a valuable lesson,
2:14:27
That's great. But I have no idea
2:14:29
and neither does anyone else. Their
2:14:31
track record is all we
2:14:34
really have to go on and it's been good so far because
2:14:36
the security architecture is good
2:14:38
and it's the security architecture
2:14:41
that I'm
2:14:44
relying upon.
2:14:44
At the same time, as
2:14:46
I said, presumably everybody else's security architecture is equally sound
2:14:48
because none of this
2:14:50
should be rocket science anymore.
2:14:53
Would you recommend, if I was
2:14:56
changing my LastPass password at this point,
2:14:58
would
2:14:58
that be a reasonable response rather than changing your
2:15:01
remaining... No. No. I don't
2:15:03
see how that has any effect
2:15:05
because it's the password which
2:15:08
is used only locally -- Right. -- to
2:15:10
encrypt the blob which we send there. They don't have access to that. Or No. They
2:15:12
they never have.
2:15:15
They don't want it. That
2:15:18
was, you know, Joe's original concept. So if I were starting out today,
2:15:21
all other things
2:15:24
being equal, I
2:15:26
would probably choose Bitwarden. You know,
2:15:28
being open source. We gotta say
2:15:31
yes. That's not why you're choosing
2:15:33
them, I'm sure. No. And in fact, you
2:15:35
know, being open source, I'd be able
2:15:37
to do the same sort of security
2:15:40
architecture vetting -- Right. -- that
2:15:42
I once did with LastPass's designer
2:15:44
Joe Siegrist. Right. As we all
2:15:46
know, again, as you just
2:15:48
said and reminded us, Bitwarden is
2:15:50
currently a sponsor of the TWiT network, and
2:15:52
I think that's great. Though it's worth noting
2:15:54
that LastPass had never been a sponsor here at the
2:15:58
time I chose them. Yes. I
2:16:00
They came to us because you chose them. I
2:16:02
think many years later, I figured, they came to us. Yeah. Yeah. You
2:16:05
know, I chose
2:16:07
them because they were more open than everyone else,
2:16:09
which allowed me to understand exactly how their system worked and
2:16:12
why it was the proper design.
2:16:14
It's kind of ironic because if in
2:16:16
fact what
2:16:18
the bad guys got from LastPass
2:16:20
is the source code, they weren't so
2:16:22
open source. They got that
2:16:25
already. Isn't that right?
2:16:27
And in a properly designed system, it shouldn't matter. It shouldn't matter. Exactly.
2:16:32
Yeah. Yeah. So anyway, many
2:16:34
of the flood of DMs I received
2:16:36
last Thursday asked whether I was still using
2:16:38
LastPass and if so, whether I was now planning to
2:16:40
change. Security Now
2:16:42
podcast number two hundred and fifty
2:16:44
six, I love that it was two to the
2:16:46
power of eight, was dated July ninth, twenty
2:16:51
ten, and it was titled
2:16:53
LastPass Security. The little summary description for it
2:16:55
on TWiT says Steve
2:16:59
thoroughly evaluates LastPass, explains
2:17:01
why high security passwords are
2:17:03
necessary, and tells us how
2:17:06
LastPass makes storing those passwords secure.
2:17:08
So it looks like I've been using LastPass for the
2:17:10
past twelve years, and I still am. If
2:17:16
they ever give me a rational
2:17:18
reason to change, I will in a heartbeat. And whether or not BitWarden is
2:17:23
still a sponsor of the TWiT
2:17:25
network at the time, I would
2:17:27
openness, inertia, you know? So
2:17:34
anyway, I'm still using
2:17:36
them. I I don't
2:17:38
see any reason to
2:17:40
change. Subject to additional information coming to
2:17:43
light. You know, there's never
2:17:45
been a breach that
2:17:47
affected our
2:17:49
stored security because of the way it's designed. Yeah. And that's what you know,
2:17:51
and that's really what counts. Yeah.
2:17:53
And then it's a matter of
2:17:56
looking at the pricing and the
2:17:58
features and, you know, does it what
2:18:00
suits your your model best? I
2:18:02
just never have a problem with
2:18:05
it. So it's no worries.
2:18:07
It's not irritating me. And I have
2:18:09
a very soft spot in my heart
2:18:11
for LastPass, not only because of your support Laporte
2:18:13
I used them for many, many years. But when
2:18:16
they became the
2:18:18
studio sponsor a few years ago. They kept
2:18:20
us on the air through COVID. If it weren't
2:18:22
for LastPass, I don't know if we'd still be on the air.
2:18:26
So I have a very soft spot
2:18:28
for LastPass. I do use BitWarden. I like the
2:18:30
idea of open source. But I think there's pretty much feature parity between most password
2:18:35
managers at this point. Yeah. And really,
2:18:37
it's just inertia. It's like, there's no good reason for
2:18:39
me to leave. It works. And
2:18:43
when there is, yeah,
2:18:45
I'll be out of there, like, in
2:18:47
a hot second. But so far, so good. Disaster averted. Nothing
2:18:51
to fear here. Move along. Move along.
2:18:53
Well, that's why you listen to Security
2:18:55
Now. Right? Because Steve is such a trusted voice. When
2:18:58
he says something's a problem, it's a problem. When
2:19:00
he says it's not a problem, you can trust
2:19:02
him. But that's why you gotta keep listening. We've had a great
2:19:05
twenty twenty two. I thank Steve so
2:19:07
much for making it so, and I
2:19:09
thank you for listening, and I hope you will be back
2:19:11
with us next Tuesday, January third, Whole
2:19:14
new year, whole new Security Now,
2:19:16
lots of episodes and whatever happens in the world out
2:19:18
there, you know you can count on Steve and Security Now.
2:19:23
Right here. Thanks for being a part
2:19:25
of the show. Thanks to all of
2:19:27
our producers and staff who make this show possible, to our producer Jason Howell. Of
2:19:31
course, to Steve Gibson, couldn't do it
2:19:33
without him. And most of all, thanks to you for listening. Have a wonderful
2:19:36
holiday season. Have
2:19:39
a good New Year's Eve. Be good.
2:19:41
Because I want you back here January third for Security Now.
2:19:43
We'll see you then. Happy New Year, everybody. Hey,
2:19:47
what's going on, everybody? I am
2:19:50
Ant Pruitt, and I am the host of Hands-On Photography here on TWiT TV. I know you got yourself a fancy
2:19:52
smartphone. You
2:19:57
got yourself a fancy camera, but your pictures are
2:20:00
still lacking. Can't
2:20:02
quite figure out what the heck shutter
2:20:04
speed means? Watch my show. I got
2:20:06
you covered.
2:20:07
Wanna
2:20:07
know more about ISO and the exposure triangle
2:20:11
in general? Yeah. I got you
2:20:14
covered.
2:20:14
Or if you got all of that down, you wanna get into lighting, you know, making
2:20:18
things look better by changing the lights around.
2:20:21
I got you covered on that too.
2:20:23
So check us out, each and every Thursday here on the network, or at twit dot tv slash
2:20:29
hop, and subscribe today.