Security Now 1031 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here. We are going to talk about, as usual, some terrifying security issues on the internet. Your state healthcare portal may be leaking information about you to data brokers and others. We'll talk about Facebook getting a passkey login, Apple adopting the new passkey portability, which is great, and then a deep dive into how Chinese government hackers got into our phone system. Turns out, there's one American company that's at fault. Steve has the deets. Next on Security Now. Podcasts you love.
0:00:40 - Steve Gibson
From people you trust.
0:00:42 - Leo Laporte
This is TWiT, from people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1031, recorded Tuesday, June 24th, 2025. How Salt Typhoon gets in. It's time for Security Now. Oh, the show you wait for all week long. Every Tuesday, we get together with this guy right here, Mr. Steve Gibson, and we learn about all the nasty, horrible, terrible, no good, very bad things that are happening on the Internet. Hello, Steve. And every so often other stuff.
0:01:20 - Steve Gibson
Yeah, and all the other stuff too. Great to be with you for episode 1031. For this last episode... wait, is this? No, the 31st. July.
0:01:30 - Leo Laporte
This is June 24th, yeah, so the next one will be June 30. No, it'll be July 1st, right, because 30 days have September, April, June and November. Yep, all the rest have 31, except for February, which is all messed up.
0:01:45 - Steve Gibson
I can never remember the rest of that rhyme. Well, you know, again, as somebody who codes things with dates and times... oh, you're dividing by 60? It's like, what? Where's 60?
0:01:56 - Leo Laporte
Who came up with that? And 24, and the leap year every... oh my god, every fourth year. Except if a year ends in a 400, if it's divisible by 400, then it's not a leap year.
0:02:07 - Steve Gibson
So today we're going to talk about something that we've been skirting around. Salt Typhoon was active for some time before and it was like okay, another Chinese.
0:02:22 - Leo Laporte
APT. Oh little did we know.
0:02:24 - Steve Gibson
But, oh boy, these guys are in a class by themselves, unfortunately. We were just last week talking about how they were found in Digital Realty, which was this major cloud provider that Amazon and Google and others buy their cloud resources from, and one other telecom, I can't remember now because there's now 10 of them. Anyway, we're going to talk about how they get in, because earlier this year Cisco themselves, which is unfortunately the entry vector, their Talos group, laid out the story and, as always, I try to do more than just recite news. I try to create some context and see if there's something that we can learn from this, and I have a proposal as a consequence of this, in addition to all the other events and evidence that we see, of what has to happen, what has to change, and it's maybe not what people would expect, so we're going to talk about that. We're going to talk about another victim of them, or two, having been identified. Also, the fact that state health care portals are tracking and leaking, probably to no one's surprise, but it's sad.
Apple adopts FIDO's passkeys and other credentials transport, which is fabulous news for what's going on with passkeys. Facebook is adding passkeys. I heard you mention, it was either on Sunday or just now, Leo, that TikTok has been extended yet again.
0:04:25 - Leo Laporte
Yeah, another 90 days. Yeah, yeah, yeah, I think you can count on that every three months.
0:04:30 - Steve Gibson
Yep, we have a Canadian telco that has acknowledged their infiltration by Salt Typhoon. This is the first known one in Canada. Microsoft has announced they're going to be removing unwanted and hopefully unneeded hardware drivers, which we touched on before when they were first talking about it. Now they're actually moving on it. The Austrian government has legislated court-warranted message decryption, which I think is almost funny because, you know, you can ask.
And in something of a surprise, I want to cycle back once again to a topic we've touched on a number of times, which is artificial intelligence, because I asked ChatGPT a question on Saturday. Its answer stunned me and, as a consequence of that, and I guess just months now of living with this, I believe I have full clarity, finally, at least for myself. I'll see if it transmits to our audience, on what this is, what AI is, and from that I would be willing to place a bet on its limits, because I think I get it, finally. Why we're confused, why we've been confused, why my screen just went dark.
I have a short duration screen blanker that I forgot to disable before I started talking.
0:06:16 - Leo Laporte
That's your light. You can't do that. It's your key light.
0:06:18 - Steve Gibson
Yeah, it is, anyway. So anyway, I have something that I think that I haven't said before. That resolves this for me, and so this may be the last time I talk about this for a while, and then we're going to take a deep dive into Salt Typhoon's operation and how they got in, sadly, why they're still getting in and what I think we have to do to change this.
Finally. So I think maybe it's good to know there's something we could do, even. There is, and I also think some of this is a consequence of this incredible delay that we see throughout the whole system. You know, IPv6 was finalized in 1998. And it's... I don't, you know, I don't have it, need it. GRC doesn't have any IPv6 IPs. So one of the things that's happening is that nothing changes unless it has to.
0:07:27 - Leo Laporte
There's a lot of inertia in this system.
0:07:28 - Steve Gibson
Yes, there's so much inertia.
0:07:30 - Leo Laporte
Yeah.
0:07:32 - Steve Gibson
And now, with somebody like Cloudflare being able to host a huge percentage of the internet behind a subset of IPs thanks to SNI, Server Name Indication, suddenly the pressure is off. It's not like we're going to run out for a while. Remember, we had the end-of-IPv4 countdown and doomsday coming, and the price of IPv4 addresses was shooting up. Well, not so much anymore.
0:08:03 - Leo Laporte
Well, by the way, speaking of Cloudflare, we're going to get their CTO, John Graham, coming on Intelligent Machines at some point, because, you know, he's created a site. You know, there's a huge demand for steel that was created before the nuclear age, right, because it's got no radioactivity and they use it in medical devices and things. Interesting. And the only source of it is things like ships that were sunk during World War One, and they could bring them up, and then you reuse that steel in very careful circumstances. So he has created a website of text information that was created before the age of AI. Isn't that brilliant? That is.
That is really good. Yeah, so we're gonna get him on to talk about that, but I will also ask him a lot about Cloudflare. They've done such an amazing job with what they've done, and what they offer is such a public service for free. It's kind of amazing, you know. Really, I like John a lot.
0:09:06 - Steve Gibson
He's a great... well, I like him and, you know, I agree with you.
0:09:11 - Leo Laporte
We're often talking about them because they do such a great job. Let's do a good job for our next sponsor and then we will get to the picture of the week. What do you say? How about that? Our show today brought to you by 1Password. Another great group. Over half of IT pros... get ready for this.
Over half of IT pros say securing SaaS apps is their biggest challenge. If you think about it, in the enterprise, SaaS sprawl is a growing problem, and shadow IT, you know. It all started with BYOD and it's just getting worse and worse. It's not hard to see why. Well, 1Password has an answer. It's called Trellica. Trellica by 1Password can discover and secure access to all your apps, whether they're managed or not, and that's what you need these days. Trellica by 1Password inventories every app in use in your company, every one, shadow IT or not. Then pre-populated app profiles, and they cover everything, by the way, assess the SaaS risks, let you manage access, optimize spend, enforce security best practices across every app, not just the approved ones, but every app your employees use. It lets you manage shadow IT. It's also helpful for securely onboarding and offboarding employees and meeting your compliance goals too, because everybody has to deal with that these days. Trellica by 1Password provides a complete solution for SaaS access governance, and it's just one of the ways that 1Password's extended access management helps teams strengthen compliance and security.
1Password's award-winning password manager is trusted by millions of users and over 150,000 businesses, from IBM to Slack, and now they're securing more than just passwords with this 1Password extended access management. 1Password is ISO 27001 certified, of course, with regular third-party audits and the industry's largest bug bounty. 1Password exceeds the standards set by various authorities. They're a leader in security. You'll be glad to have them on your team. Take the first step to better security for your team by securing credentials and protecting every application, even unmanaged shadow IT. Learn more at 1password.com/securitynow. That's 1password.com/securitynow, all lowercase. We thank 1Password so much for supporting the very important work that Steve does here on Security Now. 1password.com/securitynow. All right, I am ready to scroll up, as we say, on the picture of the week. It's been hiding on my screen all this time.
0:12:00 - Steve Gibson
So I gave this picture the caption "When a bit of punctuation might save a life." Hmm, when a bit of punctuation might save a life. All right.
0:12:12 - Leo Laporte
Scrolling up here, let me just see. It's a sign, a sign you should pay attention to. Sign has two lines.
0:12:23 - Steve Gibson
First line says crocodiles. Second line says do not swim here.
0:12:31 - Leo Laporte
Butch Henderson in our Discord says, why don't we want crocodiles to swim there again?
0:12:35 - Steve Gibson
Yeah, well, because people should be allowed to swim there. So I think the sign is just... this might be in Florida, you never know. It might just be saying, so...
0:12:44 - Leo Laporte
Just so you swimmers know, crocodiles don't swim here. No, so no, that's not what it means, Steve. What I think they're saying: there are crocodiles here.
0:12:57 - Steve Gibson
Do not swim here. Or it could be a message to the crocodiles, I don't know. Oh no. What would you...
0:13:05 - Leo Laporte
Put there? Put a couple exclamation points. Or just an exclamation point: crocodiles! Exactly, yeah. Or maybe just say, don't... stay out of the water. How about that one? Beware. That's hysterical. I love it. I like that.
0:13:23 - Steve Gibson
Okay, so the Dark Reading outlet reports under their headline "Telecom Giant Viasat Is Latest Salt Typhoon Victim," with a subheading: "The communications company shared the discoveries of its investigation with government partners, but there's little information they can publicly disclose other than that there seems to be no impact on customers." It's like, okay, well, of course that's the story they want to share.
0:13:56 - Leo Laporte
Yeah, unless you're the president, the national security chiefs, things like that.
0:14:01 - Steve Gibson
Well, yeah, and what does it mean? Like, well, no one's password was exfiltrated. You're a telecom provider, you're Viasat. Anyway. So, Dark Reading said Viasat is the latest telecom business to fall victim to Salt Typhoon. Now I should note it's probably more accurate to say the latest telecom business to acknowledge, or to discover, or to reveal, whatever. Well, anyway, we've got a lot to say, speaking of Salt Typhoon.
The breach of the satellite communications company was discovered earlier this year and has been identified as one of the threat group's targets during the 2024 presidential campaign. According to Bloomberg News, which first reported the breach, the California-based company, that is Viasat, operates a satellite fleet and various ground stations to support a global network providing... CVSS, or, well, a CVE was involved, and we have the backstory, which we're going to be getting to. As I said, the company said, quote, upon completing a thorough investigation, no evidence was found to suggest any impact to customers. Due to the sensitive nature of information sharing with government partners, we're unable to provide further details. Viasat believes that the incident has been remediated and has not detected any recent activity related to this event. Again, hard to prove a negative, but okay. Salt Typhoon, they write, meanwhile, has targeted several telecom companies this year alone. In January, the group targeted Charter Communications, Consolidated Communications and Windstream. Then, in February, Cisco confirmed that the group exploited a Cisco vulnerability so that it could infiltrate telecommunications providers, including T-Mobile, AT&T and Verizon, last fall, maintaining access to the compromised environments for extended periods of time and, if you can believe it, in one case three years. They were found to be in networks. US officials, they write, have previously raised suspicions of hackers targeting the companies to steal telephone audio intercepts and record call data. Attacks have occurred in the lengthy cyber espionage campaign that CISA, our Cyber Security and Information Security Agency, was prompted to issue guidance to the telecom sector, alongside the National Security Agency and FBI.
In addition, the House Committee on Government Reform dedicated a hearing to Salt Typhoon on April 2nd to address what actions the US could take in retaliation, though Edward Amoroso, research professor at New York University, advised against hacking back in his testimony, stating that the country should see these attacks as a wake-up call to shore up its defenses. And again, this all ties back to today's topic, which we'll be getting to. So we have Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream, then, as we talked about last week, Comcast and Digital Realty, and now Viasat. It's a mess. The best news about this is that we have seen it over and over and for months, and it has finally come to the attention of the US Congress. Maybe there's a chance that this will finally get companies to sit up, take notice and assign someone to the task of critically examining the security of their older equipment. We now know a great deal about how Salt Typhoon did what it did and, as I said, we're going to take a deep dive into the depths of that typhoon at the end of today's podcast. Before we leave the topic, I also want to share what Bleeping Computer reported, since it adds some additional depth to this. Bleeping Computer, of course, we know them well, wrote:
Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber espionage group, which has previously attacked, I'm sorry, hacked into the networks of multiple other telecom providers in the US and worldwide. It's not just us here in the States. Viasat provides satellite broadband services to governments worldwide and aviation, military, energy, maritime and enterprise customers. Last month, the telecom giant told shareholders that it had approximately 189,000 broadband subscribers in the US. The company discovered the Salt Typhoon breach earlier this year and has been working with federal authorities to investigate the attack, as Bloomberg first reported. Viasat told Bleeping Computer, quote, Viasat and its independent third-party cybersecurity partner investigated a report of unauthorized access through a compromised device, and again, we're going to know all about that. Upon completing a thorough investigation, they said, no evidence was found to suggest any impact to customers. Viasat engaged with government partners as part of its investigation due to the sensitive nature of information sharing. So this is a repeat from the previous article. They said Bleeping Computer first contacted Viasat, they wrote, in February with questions regarding a potential breach, but received no reply at the time. Russian hackers also breached Viasat's KA-SAT consumer-oriented satellite broadband service in February.
Three years ago, 2022, wiping satellite modems using AcidRain data wiper malware roughly one hour before Russia invaded Ukraine. The 2022 cyber attack impacted tens of thousands of broadband customers in Ukraine and Europe, including modems controlling roughly 5,800 wind turbines in Germany. As the FBI and CISA confirmed in October, the Chinese Salt Typhoon state hackers had breached multiple telecom providers, and they enumerate them again, and other telecom companies in dozens of countries. While inside US telecom networks, the attackers also accessed the US law enforcement's wiretapping platform and gained access to the private communications of a limited number of US government officials. That was again when Congress said, what? You know, now you're talking about us. Earlier this month, NSA and CISA officials also tagged Comcast and Digital Realty as potentially compromised in Salt Typhoon's telecom attacks, and now we know that has been confirmed.
Salt Typhoon, and in fact both companies have acknowledged that, Salt Typhoon has been breaching government organizations and telecom companies since at least 2019 and kept actively targeting telecoms between December 2024 and January 2025, so the very end of last year and the very beginning of this year, breaching more telecommunications providers worldwide via unpatched Cisco IOS XE network devices, which is where we're going to be spending a lot of time. The flaws that were once present in Cisco's... you know, IOS is a confusing name because, of course, we're talking about Apple stuff all the time. In this case it's Internet Operating System, and Cisco's IOS acronym predates Apple's, you know, iOS for iDevices. These XE network devices were leveraged to admit the attackers into these networks, but Cisco, while they can be found to blame for once having vulnerabilities, fixed those flaws years before they were used, which is a key factor in the import of this story.
I'm at a loss to know how we can ever get this behavior to change, because it should have changed already, right? I doubt we're ever going to be able to hold the purchaser and user of these products accountable. Companies purchase them. I mean, like, practically accountable. Sure, we can say, oh, you're legally responsible, but I mean in practice, so that it's not a matter of ascribing responsibility and blame and victims licking their wounds, but not having the intrusions in the first place. Well, and also remember the Biden administration had an order, which I'm sure no longer exists, that companies would be liable for keeping their software and hardware reliable, like the sellers as well.
0:24:52 - Leo Laporte
There has been some rollback of those regulations. Of course there has been, because... yeah.
0:24:58 - Steve Gibson
So what happens is companies purchase these devices, they didn't make them, they didn't create them, so they see them as a drop-in turnkey solution which they configure and install, wire up, plug in, power up and then forget. They just assume that they will continue working correctly until they unplug and retire the device. The problem is, in a sprawling organization with thousands of routers and switches spread across this continent and others, where every device is receiving periodic updates from its manufacturer, from a practical standpoint, keeping everything updated, with the risk, as we know, that is also there, that an update might cause more trouble than the potential trouble, which, you know, is unrealized. But this could be a problem. So you're being asked to update something that might break something that's working, because maybe something bad could happen if you don't. So asking the client owners of these devices to be completely responsible for them is, unfortunately, the best we've managed to come up with so far, and this Salt Typhoon mess clearly demonstrates that this is not working. We've talked about having devices phoning home for updates, but that's also risky, since it opens the door for a failed update to break a perfectly working system, even when it might only be theoretically vulnerable. And it's interesting.
I had an outage of my residential network about a week and a half ago, I guess, and I was aware of it pretty quickly because things quickly stopped working and I thought, well, what's going on? So I ran to the closet where that equipment is located and caught the tail end of my Asus router rebooting itself after it updated. So on one hand that was good, and I gave it permission to do that and I said yes, you know. Even, I mean, and I'm doing it more from a... because I'm a, you know, in the same way that Jerry Pournelle used to try dumb things so that his... bulletproof. But I wanted to experience turning on automatic updates, which I've been preaching for routers. But here it did. It chose to update, for some reason, not at 3 am but in the early evening, and so it created a problem. It solved itself too, but still, you can understand why, at a high-end, big iron telecom environment, they don't want Cisco reaching in and updating their equipment. Got work to do here. Yeah, right.
0:28:22 - Leo Laporte
So my Comcast business modem that we use for the shows kept dying, and Russell, our MSP, called them and they said, oh yeah, there's a problem with the firmware. We'll just, we're going to send you out, we're going to update the firmware and reboot it. And they did it and fixed it. But, but you're right, I mean, then that's a business device. So they didn't do it automatically. We had to call them and say there's a problem and they said, yes, we know, and we're going to fix it for you. So, yeah, but you don't want to kind of, oh, you're down this week, oh right, I guess we won't have to sell widgets this week.
0:28:57 - Steve Gibson
So, given everything we've just said, this leaves us with only one solution that I can think of, impractical though it may be. It's going to sound ludicrous, but really, I mean, if you do the math, and that is for brand new devices that are sold to never contain any exploitable vulnerabilities from the start, from day one, nor to have any introduced downstream through updates. Now, given the realities of after-sales... I mean, I know how that sounds... given the realities of after-sales maintenance that we keep seeing in the real world, expecting reliable after-sales patching of exploitable vulnerabilities, which is the way we're operating today, it's not reasonable. I mean, it is not a reasonable thing to ask, and it doesn't happen. Even where organizations, IT people, kind of have this uncomfortable feeling that keeps them up at night, that they really should be more on top of this, it doesn't happen.
So, if that's the case, it leads to the inexorable conclusion that never deploying any insecure hardware is the only way that we're going to have security in the field. Now, of course, the world has become accustomed to the idea that it is not possible, just not possible, to have flawless software, and that might be true in 2025, but it can also be a matter of degree. Recall that when we went through... remember back, it was about 10 years ago, we went through a period where Cisco was apparently "discovering," I'd have that in air quotes, unknown backdoor accounts that had been left in their own products.
0:31:08 - Leo Laporte
Yeah, that's not good. It's like what we could do better than that.
0:31:14 - Steve Gibson
It's like, you know, it should be ludicrous to imagine that any company such as Cisco would not be sufficiently aware of the contents of their own firmware to know that built-in accounts might be present. How could they be discovering them in the field? Oh, whoa, what do you know? Bad guys are leveraging an account that we left in by mistake. What? You know, like... anyway. Hopefully, as I said at the time, they actually did know that those accounts were present and that, you know, they were there due to a maintenance policy that had not aged well. Now, and we've often talked about policies that do not age well, inertia likely kept that policy in place until the malicious abuse of those hidden backdoor accounts indirectly exposed that policy and forced its reevaluation. Suddenly, Cisco was surprised by the presence of those accounts.
Right, but my point is things are better today and I suspect that things will be even better in the future than they have been recently. I think things are improving. I think we really need to keep in mind how slowly and reluctantly things change. We're seeing the consequences today of decisions and policies that are a decade old, with hardware and firmware that was in place long before the need for much stricter and stronger security was widely appreciated. Vulnerable hardware that's not patched continues to present the significantly weaker security profile that was in use and acceptable at the time of that hardware's original design. It is still there in use and it's 10 years old. It would not be designed today the way it was designed then. But because of this refusal to update, refusal to patch, and in some cases, right, these old systems go end of life. They're still working, but you can't get a patch for them any longer. Their manufacturer has withdrawn support, yet the packets are still flowing. You said something, though, that's pretty provocative.
0:34:04 - Leo Laporte
Is it possible to ship flawless?
0:34:07 - Steve Gibson
Software. We have to. How? Well, the shuttle computer famously had no bugs. It was expensive to create the software, but it didn't have any bugs because it couldn't. It couldn't, I mean, it literally could not have a bug.
0:34:24 - Leo Laporte
You can't send a repairman up to fix it, or we would have flown those guys into the sun by mistake, right?
0:34:31 - Steve Gibson
So I, you know, and we know that, like Microsoft, how many tens of thousands of bugs did Windows have when it shipped? Remember, famously, I mean. So they knew, yeah, it was already. Yeah, yeah, they had a list, right, and they said, well, these aren't that bad, and it only happens on Tuesday if some guy's standing on his right foot and clicks, you know, a left-handed mouse three times. I mean, okay, so we'll let that one go.
0:35:00 - Leo Laporte
Well, that's kind of the problem. I mean, Windows is a general purpose program. Significantly, I think, more difficult to make perfect than, say, a space shuttle. Well, or a router. A router.
0:35:13 - Steve Gibson
A router you could make perfect. We're coming back. I've got some very pointed things to say to Cisco, yeah, by the end of today's podcast, because what was done, what was found, should have never been possible. But yeah, we're going to talk about the unfortunate state of health care website portals after this break.
0:35:43 - Leo Laporte
Oh, that'll be fun. Oh, Leo, I can't wait for that. Oh well, let's talk right now about Hoxhunt. All right, this is our sponsor for this segment on Security Now. I love this company. As a security leader, you get paid to protect your company against cyber attacks. Probably for a lot of you, that's why you listen to the show every week.
It's not easy. It's getting harder, more cyber attacks than ever, and a lot of this, you know, comes over the transom with phishing emails, and they're getting better because, well, the bad guys are using AI to generate them. You can't say, oh, the ungrammatical stuff, just throw it out. You need your employees to really be smart about this. But I think you probably already know those legacy one-size-fits-all awareness programs. Maybe you've been using them. They don't really stand a chance. They're out of date. They send at most four generic trainings a year. Most employees just ignore them. And then, you know, if somebody actually clicks, they're forced into embarrassing training programs, and that feels like punishment, and that is not the way to get people to learn. This is why more and more organizations are trying Hoxhunt, H-O-X-H-U-N-T.
Hoxhunt goes beyond security awareness and actually changes behavior, and it does it by gamifying it. It rewards good clicks. It coaches away the bad. This is training employees like... in fact, when I talked to the Hoxhunt folks, they said people want more phishing emails. They say, give us more. We love this. This is like a game, it's fun. It makes it fun.
Whenever an employee suspects that an email might be a scam, Hoxhunt will tell them instantly, giving them a nice dopamine rush. You say, is this a scam? Hoxhunt says, good job, gold star, you get that dopamine rush. I know it sounds silly, but it gets people to click, learn and protect your company. And people are not going to learn if they're not enjoying it. And for you, Hoxhunt is great.
It makes it easy to automatically deliver phishing simulations in any way they might come in: across email, Slack, Teams and, of course, just like the bad guys, you get to use Hoxhunt's very good AI to mimic the latest real-world attacks. So you can make these things very convincing. Even more, simulations are personalized to each employee based on department, location and more, so you know what? You're going to challenge your employees, and they love it. Instant micro-trainings solidify understanding. They're quick, they're fast, and they drive lasting, safe behaviors. We know this from actual studies. You could trigger gamified security awareness training that awards employees with stars and badges and boosts completion rates, ensures compliance.
There's a huge library to choose from of customizable training packages, but that AI can also help you generate your own. You can purpose-build something to meet your unique situation. I love this program. Hoxhunt has everything you need to run effective security training in one platform, meaning it's easy to measurably reduce your human cyber risk at scale. You need to do that, but you don't have to take my word for it. There are over 3,000 user reviews on G2, making Hoxhunt the top-rated security training platform for the enterprise. They won easiest to use, best results, also recognized as customer's choice by Gartner. Thousands of companies use Hoxhunt: Qualcomm, AES, Nokia. They use it to train millions of employees all over the globe and they know it works. Visit hoxhunt.com/securitynow right now to learn why modern, secure companies are making the switch to Hoxhunt. That's hoxhunt.com/securitynow. It's really nice to be able to recommend something that is so smart about getting the job done. hoxhunt.com/securitynow. States are not good about healthcare privacy. What's this? Oh boy.
0:39:54 - Steve Gibson
The publication The Markup has the tagline "challenging technology to serve the public good," which is their mission, and I would agree with the need for more of this sort of tech-savvy investigation and public airing of widespread misbehavior. Here's what they're reporting. Last Wednesday found the headline of their most recent investigation was, quote, we caught four more states, and we'll be looking back retrospectively to what they'd found previously, sharing personal health data with Big Tech, and the subhead was, healthcare exchanges in Nevada, Maine, Massachusetts and Rhode Island shared users' sensitive health data with companies like Google and LinkedIn. And, of course, you know, that begs the question: what? Four more on top of what? So here's what they reported.
They said state-run health care websites around the country, meant to provide a simple way to shop for insurance, have been quietly sending visitors' sensitive health information to Google and social media companies. The data, including prescription drug names and dosages, was sent by web trackers on state exchanges set up under the Affordable Care Act to help Americans purchase health coverage. The exchange websites ask users to answer a series of questions, including about their health histories, to help find them the most relevant information on plans. But in some cases, when visitors responded to sensitive questions, the invisible trackers sent that information to platforms like Google, LinkedIn and Snapchat. And in their reporting they have some screenshots of asking someone to enter the drug name that they're interested in and then select the dosage, and in this case, when an individual indicated that they took fluoxetine, commonly known as Prozac, on the Nevada Health Link site, that information was sent to LinkedIn. So they wrote, the Markup audited.
0:42:25 - Leo Laporte
Could add that to my resume, would you?
0:42:28 - Steve Gibson
Jeez, Louise. That's unbelievable, Leo. Just wait, though. It's so bad. They wrote:
The Markup audited the websites of all 19 states that independently operate their own online health exchanges. While most of the states contained advertising trackers of some kind, the Markup found that four states exposed visitors' sensitive health information. Nevada's exchange, Nevada Health Link, asks visitors about what prescriptions they use, including the names and dosages of the drugs, to help them find their best options for health insurance. When visitors start typing, it suggests specific medications, right, to help them spell them correctly, including antidepressants, birth control and hormone therapies. As visitors answered the questions, their responses were sent to LinkedIn and Snapchat, according to tests conducted by the Markup in April and May. On the other side of the country, Maine's exchange, CoverME.gov, sent information on drug prescriptions and dosages to Google through an analytics tool. It also sent the names of doctors and hospitals that people had previously visited. Rhode Island's exchange, HealthSource RI, sent prescription information, dosages and doctors' names to Google. Massachusetts Health Connector, another exchange, told LinkedIn whether visitors said they were pregnant, blind or disabled. After being contacted by the Markup, Nevada's health exchange stopped sending visitors' data to Snapchat and Massachusetts stopped sending data to LinkedIn. Additionally, the Markup found that Nevada stopped sending data to LinkedIn in early May as they were testing. The Markup discovered the sharing after finding that California's exchange, known as Covered California, told LinkedIn when a visitor indicated they were blind, pregnant or a victim of domestic violence.
Security and privacy experts said state health exchanges' use of advertising trackers is troubling, if not particularly surprising. Such tools can help organizations to reach visitors and tailor ads for them. And I'll just say, why do we need ads on state health care sites? Google Analytics, they wrote, allows website operators to better understand who's coming to their site and to optimize advertising campaigns. The LinkedIn and Snapchat trackers, like a similar offering from Meta, help companies target their social media ads. Nevada uses the trackers to help target marketing at uninsured residents, according to Russell Cook, executive director of the state agency that operates Nevada's exchange, Silver State Health Insurance Exchange.
But health care services need to be especially careful with these tools, said John Haskell, a data privacy attorney who has previously worked as an investigator for the Department of Health and Human Services. Haskell said, quote, it doesn't surprise me that organizations that have these massive tech stacks that rely on third-party resources don't have an understanding, a full understanding, of what the configuration is, what the data flows are and then, once they go to somebody, what that data is being used for. It's something that needs to be addressed. In other words, as I think is evidenced by the fact that the sites that were contacted by the Markup said whoops, sorry, and, like, discontinued this, it wasn't deliberate, it was just naive. It was just dumping trackers on websites, not recognizing what the privacy consequences were for sites that are transacting sensitive data. They said, after the Markup reported on Covered California's sharing of health data with LinkedIn, the exchange, meaning Covered California, removed its trackers and said it would review its data practices. The news triggered a class action lawsuit and questions from federal lawmakers.
The Markup then examined websites operated by 18 states other than California, as well as Washington DC, to see what information they shared as users navigated them. The sites were established under the Affordable Care Act, which requires states to offer health insurance either through their own exchanges or one operated by the federal government. And, of course, we all remember back at the time the crazy scramble to get these websites online, and that there were problems and delays and they were crashing and not working and, you know, government meets computer. To test them, they wrote, we first ran the sites through Blacklight, a tool we developed (we, the Markup, developed) to reveal web trackers. We then reviewed network traffic on the sites to see what data the trackers received when visitors filled out forms. The results showed that 18 used some sort of tracker. Some were filled with them. Nevada, for example. Leo, are you sitting down? Nevada,
for example, used nearly 50 trackers. Hey, health care ain't free, buddy. Somebody's gotta pay for it.
Yeah. By contrast, they said, Blacklight found no tracker of any kind on Washington DC's exchange. Popular websites use on average seven trackers, according to Blacklight scans of the 100,000 most trafficked websites on the web. Many of the sites use trackers in relatively innocuous ways, like counting page views. The four exchanges, they said, we found sharing sensitive health data sent varied responses to questions about the tracking. Cook said in a statement the trackers placed by his Nevada agency were, quote, inadvertently obtaining information regarding the name and dosage (whoa) of prescription drugs.
0:49:29 - Leo Laporte
Whoops, it was an accident, it was inadvertent, we didn't mean it, and sending it to LinkedIn and Snapchat.
0:49:38 - Steve Gibson
Wow. And you know that these aggregators, they're just sucking up anything they can get their hands on.
0:49:43 - Leo Laporte
Oh, they're thrilled. This is exactly the kind of information they love.
0:49:47 - Steve Gibson
Prozac? Yay. Okay. Cook acknowledged such data was, quote, wholly irrelevant to our marketing efforts, unquote (you think?) and said it had disabled tracking software pending an audit. Jason Lefferts, a spokesman for Massachusetts Health Connector, said in a statement that, quote, personally identifiable information is not part of the tool's structure and no personally identifiable information, not even the IP address of the users of the tool, has ever been shared with any party in any way via this tool. But LinkedIn's tracker documentation makes clear that it correlates the information it receives with specific LinkedIn accounts, so companies can use the data for features like retargeting website visitors. The company's documentation also states it later obscures this information and eventually deletes it. Oh, sure, right, yeah. So if this spokesperson in Massachusetts believes what he's saying about no IP addresses, he just may not understand how trackers operate.
0:51:02 - Leo Laporte
You know, I mean, it's because I understand how the internet operates, right?
0:51:06 - Steve Gibson
Exactly. The hosting website page provides some script, or at least a URL to the tracker's home. When the script is loaded, that causes the user's browser to fetch something from the tracking site, and that immediately reveals their public IP address. Of necessity, yes. Anyone who imagines that a facility that was established for the sake of tracking will not be capturing and logging that IP has not been paying attention. The Markup's article continues. Spokespeople for the Rhode Island and Maine health exchanges said that they pay a vendor, Consumers' Checkbook,
0:51:54 - Leo Laporte
Well, there you go. What could possibly...
0:51:58 - Steve Gibson
go wrong? To run a separate site that allows visitors to explore what plans are available to them through their state's exchanges. So they subbed it out. It was from these sites, they wrote, that sensitive information was shared to Google. Consumers' Checkbook's sites are at a different web address than the exchange sites but are prominently linked to on the exchange sites and display identical branding, like the state health exchange's logo, making it unlikely that an average visitor would realize they were no longer on the state-run domain.
Right. And saying that it's not our fault because our health management subcontractor is doing something wrong, you know, that doesn't do much to avoid those pesky class action lawsuits. Christina Spate O'Reilly, a spokesperson for HealthSource RI, Rhode Island, said the company uses Google Analytics to study trends but not to serve ads, and, quote, disables Google Signals data collection, ensuring that no data is shared with Google Ads for audience creation or ad personalization and no session data is linked to Google's advertising cookies or identifiers, unquote. HealthSource RI's terms of use mention the use of Google Analytics, she noted. A spokesperson for CoverME.gov made similar points, saying that the agency does not collect or retain any data entered into the tool. Right, but again, the Markup's independent testing found 10 ad trackers to which medication names and dosages, doctors and hospitals were being leaked. So this tells us that these spokespeople are, you know, in the best case (well, I guess it's a mixed bag) clueless, but that either way, anything they claim should be treated as (here's an acronym for you) PRBS and independently verified by actual traffic analysis, which is exactly what these Markup guys did. They wrote, Consumers' Checkbook, the subcontractor in two cases, declined to comment.
Beyond the exchanges' comments, all of the exchanges said that individually identifiable health information, like names and addresses, was not sent to third parties. But the point of the trackers is to enhance information (this is them) sent about a user with data the platforms already have on that user. As we know, they're aggregators. And every tracker, they wrote, found by the Markup logged details about individual visitors, such as their operating system, IP, browser, device and times of visit. In response to requests for comment, the tech companies whose trackers we examined uniformly said they do not want organizations sending them potentially sensitive data and that doing so is against their terms of use. Oh, that's right, don't send it to us. But, you know, if you do, well, we got to log it because it came in and we'll have to look at it later. We'll get around to that. Right.
Steve Ganim, director of product management for Google Analytics, said, quote, by default, any data sent to Google Analytics does not identify individuals and we have strict policies against collecting private health information or advertising based on sensitive information, unquote. A spokesperson for LinkedIn, Breonna Ruff, said that advertisers are not allowed to target ads based on sensitive data categories, such as health issues. A spokesperson for Snapchat owner Snap said the same, noting that sending purchases of supplies like prescriptions would run afoul of the company's rules about sensitive data. A Google Analytics information page specifically discusses how organizations that use the company's tools should comply with the Health Insurance Portability and Accountability Act, of course known as HIPAA, which protects health data. The page notes that Google makes no representations that Google Analytics satisfies HIPAA requirements themselves. That's on you, buddy.
That's right. It's important to ensure that your implementation of Google Analytics and the data collected about visitors to your properties satisfies all applicable legal requirements, says Google's page. So, okay, there are several trackers that we would hope would be more responsible, but the Markup's report listed the number of ad trackers discovered on the state health care portals they examined. In decreasing order of tracker count, California took dubious first place with 63 trackers. Oh, whoa, you betcha, the Golden State, where we're gonna...
0:57:38 - Leo Laporte
Well, I have family members on the California... This is on the Covered California, yeah, yes, state-sponsored Affordable Care Act (oh boy) portal. 63 trackers, I think. Yeah, holy cow.
0:57:52 - Steve Gibson
That was followed by Nevada with 49, Maryland with 31, Massachusetts with 28, Georgia with 16, New Mexico, Colorado, New York and New Jersey each having 15, Pennsylvania with 14 trackers, Maine with 12, the state of Washington, Rhode Island and Idaho each holding 10 (merely 10, yeah), Connecticut and Virginia with nine each, Kentucky with four, Minnesota with two and Vermont with just one.
And, as the article noted, Washington DC's site somehow had not a single one. How do they do it without trackers? That's a model to follow. Yes, wow. The Markup's investigation finishes by noting state exchanges aren't the only health sites that have sent medical information to social media companies. In 2022, the Markup revealed that dozens of hospital websites shared information with Facebook's parent company, Meta, through a tool called the Meta Pixel. And, of course, we were just talking about the infamous Meta Pixel, since that's the thing that was connecting to a local device Meta app on the localhost IP for the sole purpose of de-anonymizing them to every instance of the Meta Pixel appearing on the web, such as, apparently, any of dozens of hospital websites they might have the occasion to visit, which was sending sensitive information to Facebook. Wow. The hospitals faced scrutiny from Congress and legal action, says the Markup. Another Markup investigation found trackers logging information about online drugstore visitors purchasing HIV tests and Plan B. So what could possibly go wrong with that? They said, in 2023, a New York hospital agreed to pay a $300,000 fine for violations of the Health Insurance Portability and Accountability Act, HIPAA. In response to a series of incidents, the Department of Health and Human Services said in 2023 that use of social media trackers to log health information could violate HIPAA.
Although recent court decisions have narrowed how the law can be applied against companies that use those trackers, some plaintiffs have used state laws, like those in California, to argue that they should be compensated for having their health data sent to third parties without their consent. Others have argued that this kind of tracking runs afoul of wiretapping and even racketeering laws. So they end with a quote from John Haskell, that data privacy attorney who had previously worked as an investigator for the Department of Health and Human Services, who now advises clients to be very careful about the information they track on their sites. He said, quote, organizations are not investing enough time and resources into properly vetting everything they do. Organizations saying they did not understand the consequences of the tools they're using will not be seen as an effective defense.
So what does this mean for consumers, who need to use and trust the privacy of these sites?
In practice, it means that the advertising, tracking and profiteering that has become the true underlying fabric of the web has shredded privacy and made a complete joke of any guarantees of a site's claim of HIPAA compliance. The only thing the Covered California site is covered in is tracking technology, and notice that none of it, not a single bit of it, is about doing the job that the site is there to do for us. As I said at the top, I am very glad that groups such as the Markup are there to keep bringing these egregious privacy failures to light. I'm glad they're asking states, you know, what is going on, and that class actions are being brought against anyone who's making a mockery of HIPAA. You know, again, this is all going to get better over time, but only if it is forced to do so, and, unfortunately, you know, well, fortunately, we have organizations like the Markup to do the forcing. Yeah, that's a good thing.
1:02:50 - Leo Laporte
While we're on the topic of passkeys...
1:02:52 - Steve Gibson
No, you mentioned... you meant... you said the word. I think I changed the order of this. We do have something about that, but I did want to mention an announcement during the recent Apple Worldwide Developer Conference regarding their support for passkeys was significant. For that, and for a bit of additional background, let's turn to Ars Technica's Dan Goodin, who posted under the headline "Coming to Apple OSs: a seamless, secure way to import and export passkeys." The subhead he gave it was "Apple OSs will soon transfer passkeys seamlessly and securely across platforms." Dan wrote, Apple this week provided a glimpse into a feature that solves one of the biggest drawbacks of passkeys, which, he's adding, is the industry-wide standard for website and app authentication that is not susceptible to credential phishing and other attacks targeting passwords. He said the import/export feature, which Apple demonstrated at this week's Worldwide Developer Conference, will be available in the next major releases of iOS, macOS, iPadOS and visionOS. It aims to solve one of the biggest shortcomings of passkeys as they've existed to date.
Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily with other Apple devices connected to the same iCloud account; transferring them to a Windows device, or even a dedicated credential manager installed on the same Apple device, has been impossible. That limitation has led to criticisms that passkeys are a power play by large companies to lock users into specific product ecosystems. Users have also rightly worried that the lack of transferability increases the risk of getting locked out of important accounts if a device storing passkeys is lost, stolen or destroyed. The FIDO Alliance, the consortium of more than 100 platform providers, app makers and websites developing the authentication standard, has been keenly aware of the drawback and has been working on programming interfaces that will make passkey syncing more flexible. A recent teardown of the Google Password Manager by Android Authority shows that developers at Google are actively implementing import/export tools, although Google has yet to provide any timeline for their general availability, and he has in parens, earlier this year, the Google Password Manager added functionality to transfer passwords to iOS apps, but the process is clunky, he said. A recent update from FIDO shows that a large roster of companies are participating in the development, including Dashlane, 1Password, Bitwarden, Devolutions, NordPass and Okta.
The narrator of the Apple announcement video says, quote, people own their credentials and should have the flexibility to manage them where they choose. This gives people more control over their data and the choice of which credential manager they use, which will also work with passwords and verification codes, provides an industry-standard means for apps and OSs to more securely sync these credentials. As the video explains, the new process is fundamentally different and more secure than traditional credential export methods, which often involve exporting an unencrypted CSV or JSON file, then manually importing it into another app. The transfer process is user-initiated, occurs directly between participating credential manager apps and is secured by local authentication like Face ID. This transfer uses a data schema that was built in collaboration with the members of the FIDO Alliance. It standardizes the data format for passkeys, passwords, verification codes and more data types, to which I say hallelujah. It finishes: the system provides a secure mechanism to move the data between apps. No insecure files are created on disk, eliminating the risk of credential leaks from exported files. It's a modern, secure way to move credentials. And, needless to say, this podcast will have a full technical readout on this shortly.
Dan finished saying the push to passkeys is fueled by the tremendous costs associated with passwords. Creating and managing a sufficiently long, randomly generated password for each account is a burden on many users, a difficulty that often leads to weak choices and reused passwords. Leaked passwords have also been a chronic problem. Passkeys in theory provide a means of authentication that's immune to credential phishing, password leaks, blah, blah, blah. Anyway, we know all about passkeys. We've talked about them ad infinitum, and Dan gets the explanation exactly right, explaining that it's a switch to a public key crypto system. So I would.
Anyway, I am super happy. We knew that FIDO was working on this. We knew that there was going to be a specification. We didn't know who was going to adopt it, right, because just saying that FIDO has a means, you know, an official, specified means, for allowing passkey transport doesn't mean that everybody's going to adopt it. The fact that Apple, which has arguably one of the most closely held, you know, ecosystems, is a really great sign. So that is just super news. That means that it will be possible to finally... I mean, we're not going to have dynamic passkey syncing, like across the Apple boundary, but at least we'll be able to take all the passkeys we've created inside and outside of Apple and send them in both directions in order to create a single composite. So that's just super welcome news. Login is being enhanced with passkeys. And I, Leo, I heard you recently somewhere commenting that you were really happy seeing passwords... yeah, passkeys being, you know, much more widely adopted across the industry.
1:10:36 - Leo Laporte
Yeah. Fastmail now uses it. Google uses... I use it for my Google accounts. Meta, yeah. It's good. I mean, it's starting to get to the point where you can actually say, oh good, I could just log in quickly. Yep. The only thing that really bugged me, I can't remember what it was. I had a... I think it was Amazon. I did passkeys and then it said okay, but you still have to give us a six-digit one-time password. And it's like, dude, no, you shouldn't. Right? There's...
1:11:02 - Steve Gibson
What part of this do you not understand?
1:11:04 - Leo Laporte
Yeah, there's no point in that, right? Am I wrong?
1:11:08 - Steve Gibson
That is correct, because you're talking about secure biometrics that are being used to unlock the user's private key.
1:11:20 - Leo Laporte
It's so weird, like Amazon.
1:11:22 - Steve Gibson
You would think would understand this, but no. I guess the only problem would be, as, for example, password managers that don't enforce biometrics. Right? If somebody else got a hold of that, then you might still want to send something to their phone or use an external authenticator in order to get further verification. So there's a little bit of belt and suspenders on it, but I agree, they're the only one that I've seen do it. What you really want is just seamless authentication.
1:12:01 - Leo Laporte
Yeah, it completely... I mean, then I might as well give you a password if that's what you're going to do. Right, right. All right, we will continue in just a moment with Security Now. Can't wait to hear more. I know you can't either, but I got to tell you about our friends at OutSystems, our sponsor for this segment on Security Now. This is so cool. This, to me, is exactly the promise of AI. Our friends at OutSystems are the leading AI-powered application and agent development platform. Now, these guys are not new to the game.
For more than 20 years, the mission of OutSystems has been to give every company the power to innovate through software, and they've been doing it all along with low-code, with DevSecOps, automation. Now you put AI in the mix. Now you got something. You got something sweet. So this solves a problem that every IT team knows, every company knows. We knew it.
You typically have two choices when you need new software. Either buy off-the-shelf SaaS products for speed of implementation, but you lose flexibility and you lose differentiation, because everybody else in your sector is probably using the same product. So that's the buy side of the conundrum. Or maybe you think build, right, build custom software, but that's expensive. You lose time. Right.
AI has given us a third road between the build and the buy. It's forging another way for the solution. It's the fusion, as I mentioned, of AI, low-code and DevSecOps automation into a single development platform. The future, frankly, if you ask me, of software: your teams are going to build custom applications, but they're going to do it with AI agents as easily as buying generic off-the-shelf sameware. And because you're using this great OutSystems platform, flexibility, security and scalability just come built right in. They're standard. With AI-powered low-code, teams can build custom, future-proof applications at the speed of buying, with fully automated architecture.
Security, integrations, data flows, permissions, it's all built right in. See, OutSystems is the last platform you'll ever buy because you can use it now to build anything you need and to customize and extend your existing core systems. Build your future. Build it with OutSystems. This is so cool. Visit outsystems.com/twit to learn more. That's outsystems.com/twit. We thank them so much for supporting Security Now and the great Steve Gibson. All right, and back we go to Mr. Steve Gibson to continue.
1:14:47 - Steve Gibson
Okay, so I mentioned at the top of the show, I'll just say it again, and I know that you were talking about this previously. TikTok has had its end of life extended again, another 90 days. Third time it gets another 90 days. And as I understand it, they're trying to finish negotiating with China to allow some US consortium to purchase it and run it, like Oracle or something.
1:15:20 - Leo Laporte
Yeah, but I don't think that's going to happen. I think what they're really trying to do is strong-arm China with the tariffs, but China doesn't really kind of take to that too well. So, no, so far. We'll see. But also, the president really likes TikTok, so I don't think they're gonna ban it either. Yeah, yeah, well, and it's good for all the TikTokers who don't want to lose that platform.
That is like... But you know, you heard on Sunday Jason Calacanis said something that actually struck me. He said, do you think if we could figure out an app to make the Chinese citizens use, that maybe we would be able to get information about half of them and reach them via content? Would we do it? Yeah. So that kind of catalyzed it for me, that the real advantage to the Chinese Communist Party of owning TikTok, because they do, they have a huge social media platform in the US.
1:16:17 - Steve Gibson
Huge influence operation. Okay, one more little piece of sort of prefacing Salt Typhoon information. Canada has become the first specifically known non-US victim of Salt Typhoon's Cisco-based attacks. The following news was just declassified after I had chosen and completely written the coverage of today's main topic, which is Salt Typhoon. After I did that, I went back looking for other stuff and it's like, whoa, now Canada. So the details of the technology underlying these devastating and pervasive attacks are what we will get to. So here's the news that just broke yesterday as I was wrapping up this week's show notes. The Canadian Centre for Cyber Security, their so-called Cyber Centre, and the United States FBI are warning Canadians of the threat posed by the People's Republic of China (PRC) state-sponsored cyber threat actor being tracked as Salt Typhoon. The Cyber Centre previously joined our partners... Oh, this is an actual announcement from the Canadian Centre for Cyber Security. They're the voice of this announcement. So they said, the Cyber Centre previously joined our partners in warning that PRC cyber actors have compromised networks of major global telecommunications providers to conduct a broad and significant cyber espionage campaign.
This cyber bulletin aims to raise awareness of the threat posed by PRC cyber threat activity, particularly to Canadian telecommunications organizations, in light of new Salt Typhoon-related compromises of entities in Canada. The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies. The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon. Three devices belonging to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February of 2025. So three devices that they're aware of. The actors exploited CVE-2023-20198 to retrieve the running configuration files from all three devices and modified at least one of the files to configure a GRE, which is an encrypted form of tunnel, enabling traffic collection from the network. And at the end of the show, we're going to be looking at the actual Cisco commands that were used, which have been seen in use. In separate investigations, they wrote, the Cyber Centre has found overlaps with malicious indicators associated with Salt Typhoon reported by our partners and through industry reporting, which suggests that this targeting is broader than just the telecommunications sector. Targeting of Canadian devices (and why wouldn't it be?) may allow the threat actors to collect information from the victims' internal networks or use the victims' device to enable the compromise of further victims. In other words, you know, pivoting. In some cases, we assess that the threat actors' activities were very likely limited to network reconnaissance. While our understanding of this activity continues to evolve, we assess that PRC cyber actors will almost certainly continue to target Canadian organizations as part of this espionage campaign, including telecommunications service providers and their clients, over the next two years.
To monitor and mitigate this threat, we encourage Canadian organizations to consult the guidance linked below on hardening networks, security considerations for edge devices and additional cyber threat information pertaining to the PRC. Telecommunications networks are almost certainly among the highest priority espionage targets for state-sponsored cyber threat actors.
Hostile state actors very likely rely on access to telecommunications service providers and telecommunications networks around the world as a key source of foreign intelligence collection." In other words, it's really bad that this is where the PRC is. It's not inside some random enterprise somewhere. They're in the heart of the telecommunications backbone for, in this case, Canada. They said: "TSPs," telecommunications service providers, "carry telecommunications traffic and collect and store large amounts of customer data that have intelligence value, including communication, location and device data. State-sponsored cyber threat actors have persistently compromised TSPs globally, often as part of broad and long-running intelligence programs, to exfiltrate bulk customer data and collect information on high-value targets of interest, such as government officials. This includes geolocating and tracking individuals, monitoring phone calls and intercepting SMS messages. State actors have gained access to telecommunications networks and data by exploiting vulnerabilities in network devices such as routers and by taking advantage of insecure design in the systems that route, bill and manage communications. In 2024," so last year, "partner investigations discovered that PRC state-sponsored cyber threat actors had compromised the networks of major global TSPs," telecommunications service providers, "including US wireless carriers, very likely as part of a targeted espionage operation. According to our partners, the actors were able to steal customer data call records from the compromised TSPs. The threat actors also collected the private communications of a limited number of individuals, primarily involved in government or political activity. We are concerned with the potential impacts to the sensitive information of client organizations working directly with telecommunications providers.
PRC cyber threat actors frequently attempt to compromise trusted service providers, including telecommunications, managed service providers and cloud service providers, to access client information or networks indirectly.
PRC cyber threat actors exploit vulnerabilities in edge devices." They finished, saying: "As we noted in the National Cyber Threat Assessment 2025-26, cyber threat actors are exploiting vulnerabilities in security and networking devices." And let me just say these are not unknown vulnerabilities. That's what's so galling about this. These are long-known vulnerabilities, which we'll be talking about in detail shortly. They said, "that sit at the perimeter of networks, including routers, firewalls and virtual private network solutions. By compromising these edge devices, a cyber threat actor can enter a network, monitor, modify and exfiltrate network traffic," and we're going to look at the commands they used, "flowing through the device or possibly move deeper into the victim network. As part of this campaign, PRC cyber actors are targeting these network devices, exploiting existing vulnerabilities to gain and maintain access to TSPs.
Despite public reporting outlining their activities, it is very likely that the actors continue to operate." In other words, as we've seen, tangentially and parenthetically, the people in the know say we don't think we got rid of them. You know, you'll see Verizon saying oh, don't worry about it, we're all clear, we have expunged them from our network. They don't know that. So this alert managed to get a great deal of the facts correct and it nicely serves to place these Salt Typhoon attacks into the foreground again, where I think it's clear they still belong.
There's an understandably strong desire, especially on the part of the many identified victim companies, from a public relations standpoint, to loudly proclaim that the dastardly bad guys have been found and evicted with prejudice. But by the end of today's podcast, everyone here is going to appreciate why this is a claim that these companies would have a difficult time substantiating. They really don't have the ability to say that. "Removal of unwanted drivers from Windows Update" was the headline of last Thursday's announcement from Microsoft. We briefly touched on this before when it was something Microsoft was considering doing, and it's good. But it's also dangerous, because what's an unwanted or unneeded driver? There's a lot of machines in the closet and people still using, what was that bar-scanning cat thing?
1:26:42 - Leo Laporte
Oh, the CueCat, yeah. The CueCat. Who can forget the CueCat?
1:26:47 - Steve Gibson
Right? No, I'm sure there's some out there still. Yeah, there's that. One of the Pictures of the Week shows, I think, a bakery or a donut shop or something operating today. It's a contemporary picture with Commodore 64 cash registers. Oh wow.
1:27:06 - Leo Laporte
Well, if it works, why replace it?
1:27:08 - Steve Gibson
Right.
1:27:09 - Leo Laporte
Okay so.
1:27:10 - Steve Gibson
And you can play Star Raiders on it. So there's that.
1:27:12 - Leo Laporte
That's right, or...
1:27:15 - Steve Gibson
Oregon Trail, Space Invaders, yeah right.
1:27:18 - Leo Laporte
Okay.
1:27:21 - Steve Gibson
So Microsoft wrote: "This blog post is intended to notify all Windows hardware program partners," that is, the people who submit hardware drivers to Microsoft to be published on Windows Update, "to reduce the risks brought by security and compatibility problems." They said "the rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the Windows ecosystem, while making sure that Microsoft Windows' security posture is not compromised.
This initiative involves periodic cleanup of drivers from Windows Update," meaning removal, "thereby resulting in some drivers not being offered to any systems in the ecosystem. Further details of the effort are as follows." Then they switch into a Q&A format. So they ask themselves, "What category of drivers are targeted in the first cut of the cleanup?" and they answer, "The first phase targets legacy drivers that have newer replacements already on Windows Update." So why would you use an older, obsoleted driver when there's a newer replacement? So that seems like a safe thing to do, and that's the approach Microsoft is taking: you know, let's try not to break anything while we do this. Next question: "What does cleanup mean in this context?" They say, "Cleanup here refers to the process of expiring drivers so that they are no longer associated with an audience in Windows Update, resulting in them not being offered to any system. Technically, expiring a driver means removing all its audience assignments in Hardware Dev Center, which stops Windows Update from offering that driver to devices."
"Can partners republish a driver that was expired by Microsoft? Yes, partners will be able to republish the drivers that were expired. Microsoft may require business justification as to why there was a need for republishing." It's like, hey, CueCat, I need my CueCat. "What happens to the cleaned-up drivers after the expiry?
Microsoft will publish a blog post mentioning the end of the first cut of driver expiry. After that, there will be a six-month window for partners to get back with concerns, if any. If no action is taken, the drivers will be permanently removed from Windows Update. Will this be a one-time exercise or will similar instances occur in the future? This is meant to be a regular exercise to optimize what Windows Update has to offer. We're beginning with the above-mentioned category of drivers, but we'll expand to cover more categories of drivers that Microsoft deems fit to be expired from Windows Update. Each time such a cleanup occurs, Microsoft will communicate broadly so that partners know what to expect." Given the history of BYOVD, remember, that's Bring Your Own Vulnerable Driver, being successfully used by bad guys,
being proactive about removing an otherwise endlessly growing collection of old and aging drivers, you know, many of which are probably now just taking up space, to me makes a lot of sense. They concluded this by writing: "In summary, Microsoft removing legacy drivers from Windows Update is a proactive measure to safeguard security and improve driver quality for Windows users. As a partner, you should review your drivers in the hardware program, be aware of what your current drivers in the ecosystem are and make sure that any unwanted legacy driver is proactively expired from Windows Update. Moving forward, we expect this cleanup to be a routine practice and prepare for the introduction of new publishing guidelines that will help all Windows users keep their systems in a secure and reliable state. We appreciate your cooperation in this initiative, as it helps ensure that Windows devices run on the most secure and compatible drivers available."
And so, yay. I think this made sense when they talked about it. You know, everyone's worried about their favorite driver disappearing and having, you know, some random widget of hardware that needs something that Microsoft doesn't realize. The only way I can see this becoming a problem would be if hardware has been abandoned by its producer, not at all unusual. Then that producer of the hardware would no longer be enforcing the presence of that driver going forward. So Microsoft would say, we don't need this anymore, do we? You've got six months to tell us otherwise. No word would come in that that driver is still needed, and so it would disappear from Windows Update. I don't know if Windows would pull it back out of use. That's an interesting question. Paul might know if a driver removed from Windows Update could be retroactively pulled out of a working Windows system. I guess we're going to find out over time. So it would break something, right? I mean, it happens after six months.
Yeah, I mean, there is a danger of breakage here, which is why they are deliberately trying to be careful.
1:33:38 - Leo Laporte
Yeah, I think they have to only take them out if they're not used.
1:33:42 - Steve Gibson
Yeah, unused, yeah. I love this bit of news. I just think, what are you guys thinking? The Austrian government, I love the headline, "agrees on a plan to allow monitoring of secure messaging." Oh, isn't that nice. They agreed last Wednesday. Reuters carried an interesting bit of reporting from Vienna on June 18th: "Austria's coalition government has agreed on a plan to enable police to monitor suspects' secure messaging in order to thwart militant attacks, ending what security officials have said is a rare and dangerous blind spot for a European Union country. Because Austria lacks a legal framework for monitoring messaging services like WhatsApp, police rely on allies with far more sweeping powers, like Britain and the US, alerting them to chatter about planned attacks and spying." None of this makes any sense. But okay. "That kind of tip-off led to police unraveling what they say was a planned attack on a Taylor Swift concert in Vienna, which prompted the cancellation of all three of her planned shows there in August of last year." Well, that's a relief, yeah. "Jörg Leichtfried of the Social Democrats, the junior minister in charge of overseeing the Directorate for State Security and Intelligence, the DSN, told a news conference, quote: 'The aim here is to make people planning terrorist attacks in Austria feel less secure.'" That's good. "'And increase everyone else's sense of security.'" Right, by knowing that you can be monitored. "'That is why this decision by the cabinet today is an important milestone in the fight against terrorism and spying.'" Okay, against terrorism and spying, by spying, in Austria, he added.
"Under the new system," wrote Reuters, "monitoring of a person's messaging must be approved by a three-judge panel and should only apply to a limited number of cases. Interior Minister Gerhard Karner told the news conference it was only expected to be used on 25 to 30 people a year. If it is more than 30, a report must be sent to a parliamentary committee, the government said, addressing concerns about mass surveillance and the infringement of people's privacy. A government statement said the police must have a well-founded suspicion of a possible terror attack to monitor a person's messaging. Once Parliament passes the legislation, a tender process for monitoring technology would be launched and monitoring would begin in 2027, the government said." Okay, but wait. "Once Parliament passes the legislation, a tender process for monitoring technology would be launched and monitoring would begin in 2027." Well, you bet it's going to be tender. It's probably going to hurt a lot. Who's supposed to do this? Isn't this the wackiest thing?
Yeah, so I guess they think they can, they're like, oh, you just turn on the switch. "Process," they mean a purchasing process, right? They're gonna put it out for a bid. You know, we'd like to purchase this monitoring technology. Don't worry, we're only going to use it on 25 to 30 people per year, and if it's more than 30, if we want to go over that limit, then we're going to have to do some more hoop jumping. What?
1:37:51 - Leo Laporte
Do you think reality is going to be interesting when they come up against it? Isn't that...
1:37:56 - Steve Gibson
Yes, apparently these Austrian politicians believe that all they're lacking is a legal framework. Yeah, which...
1:38:04 - Leo Laporte
They don't have.
1:38:05 - Steve Gibson
And I wonder, have they not been paying attention? You know, just ask the UK how it's going over there with their demand that Apple allow them access to anyone's data. Is it...
1:38:16 - Leo Laporte
Possible that we're the naive ones? That, in fact, all encrypted messaging has long ago been cracked by authorities in every country, and that's what they're implying? Well, the Five Eyes. We don't want to have to go to the Five Eyes to get that information. We should just be able to get it ourselves. Do the Five Eyes have it?
1:38:34 - Steve Gibson
What we know is that, for example, in the case that we were talking about recently of Signalgate, where a non-approved Signal client was being used, the Signal correspondence was being sent to a third party. Email was being emailed to somebody. That's secure.
So we know that everything is available on a platform before it's encrypted and after it's decrypted. Right, right. But we also know Apple is never gonna comply with some platform-wide Austrian, like, we promise not to do it on more than 30, on just a few people. Yeah, 30 people a year, please.
1:39:23 - Leo Laporte
Of course, you have to break it for everybody in order to do it for a few people, right? It has to be there, and Apple is just not...
1:39:30 - Steve Gibson
I mean, they're not going to do that. I mean, we haven't yet seen, because it hasn't actually happened, where it comes down to a true standoff, right, of like, you must give us access or you are an outlaw company in our country.
1:39:53 - Leo Laporte
No one wants to see that. Forget Apple, Signal's not going to do it. I mean, there'll always be some strong encrypted end-to-end solution that terrorists can use, and that's just exactly it.
1:40:05 - Steve Gibson
I mean, there will always... If encryption is outlawed, only the outlaws will be encrypting.
1:40:12 - Leo Laporte
Yeah, they'll write their own. These are well understood algorithms. They're not hard.
1:40:17 - Steve Gibson
Yeah, yeah, that horse has left the barn. Okay, I want to talk about AI and the revelation I had. We have two breaks. I want to do one now and then one before we start talking about Salt Typhoon. Awesome.
1:40:29 - Leo Laporte
Thank you, Steve. Thank you, dear listeners and viewers. We're so glad you're here. You might be noticing, if you are watching the video, that there are occasional freezes in Steve's video. We are unsure why that's happening. We've tried to figure it out. We'll continue to try to figure it out, but just close your eyes when he's talking and it's amazing. He's perfect, and I apologize. Sometimes these things happen.
Our show today brought to you by BigID. Yeah, BigID, the next generation AI-powered data security and compliance solution. Now let me tell you why you need BigID. It's the first and only leading data security and compliance solution that can uncover dark data. They do it through AI classification. They can identify and manage risk. They can remediate the way you want. They can map and monitor access controls. They can scale your data security strategy along with unmatched coverage for cloud and on-prem data sources. BigID also seamlessly integrates with your existing tech stack and allows you to coordinate security and remediation workflows. You can take action on data risks to protect against breaches. You can annotate, delete, quarantine and more based on the data, all while maintaining an audit trail. Partners include ServiceNow, Palo Alto Networks, Microsoft, Google, AWS and more. With BigID's advanced AI models, you can reduce risk and accelerate time to insight. You can gain visibility and control over all your data. Intuit named it the number one platform for data classification in accuracy, speed and scalability. Now let me tell you about one of their clients. They have many, but I think this should impress.
BigID equipped the US Army. Okay, imagine who would have more sources of data stored in more arcane locations globally than the US Army? BigID equipped the US Army to illuminate dark data, which helped them accelerate cloud migration and minimize redundancy and automate data retention. They loved it so much, US Army Training and Doctrine Command gave us this quote, yes, from the US Army: "The first wow moment with BigID came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data, across emails, zip files, SharePoint databases and more. To see that mass and to be able to correlate across those is completely novel. I've never seen a capability that brings this together like BigID does."
CNBC recognized BigID as one of the top 25 startups for enterprise. They were named to the Inc. 5000 and the Deloitte 500 for four years in a row. The publisher of Cyber Defense Magazine said, quote, "BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach." Start protecting your sensitive data wherever your data lives at bigid.com/securitynow. Get a free demo.
See how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. That's bigid.com/securitynow. Oh, also, there's a free white paper that provides valuable insights for a new framework you might have heard of, AI TRiSM, or AI Trust, Risk and Security Management, to help you harness the full potential of AI responsibly, and you can read all about it at bigid.com/securitynow. These are great partners for anybody who's got dark data, who wants to use generative AI but wants to make sure they're training it on the right data. They've got it all together. bigid.com/securitynow. We thank them so much for supporting the very important work Steve is doing right now. It's not eating lunch, it's delivering these valuable insights to all of our dear listeners. Continue, Steve. Continue.
1:45:04 - Steve Gibson
I'm going to bring up another machine by next week. Okay, do you think it's the machine? It's a little Intel NUC that's been, oh yeah, for six years. I'm out.
1:45:15 - Leo Laporte
Nothing has changed, but it might be getting old. Can you launch the Resource Monitor or the Activity Monitor and see what's going on, if there's something going on? At one point it looked fine, but I'm gonna give it a lot more...
1:45:29 - Steve Gibson
Something's happening, yeah. Yeah, okay. I titled this "AI: Linguistic Simulation of Intelligent Entities," and I want to start by sharing an interaction that I had Saturday with ChatGPT's latest o3, highest-end large reasoning model, which left my mouth hanging open in disbelief. I love...
1:46:00 - Leo Laporte
o3, by the way. Very impressive.
1:46:03 - Steve Gibson
Yeah, it is astonishing. Now, as our listeners know, when I'm not working on this podcast, I'm working to finish off the last bits of the new DNS Benchmark's core feature set. The long-term cumulative logging features, which is what the Pro edition will have, will follow finishing off these core features. For now we're working to finish sort of the new version 2 base feature set, and I'm down to, I mean, it's like it's done, I'm just down to resolving a few remaining edge-case mysteries. This new code is able to benchmark the performance of IPv4, IPv6, DoH and DoT DNS resolvers, either side by side or just per protocol, because oftentimes you just want to find the fastest DoH resolver. You don't care about the others because you want to, like, you know, configure your browser best. So that's all working beautifully across all of the mainstream resolvers hosted by Cloudflare, NextDNS, Google, Quad9 and others. But I noticed that, while it works on the European Union's new DNS4EU DoT resolvers, the current code shows their DoH resolvers in red. So it thinks that there's some problem with them and it won't benchmark them. To make sure that they all work from where I am in the US, because I thought, well, maybe it's a geofencing problem, I configured Chrome to use DoH for its website DNS and set it up to use DNS4EU, and I used Wireshark to monitor the machine's network interface for the traffic being sent back and forth. And Chrome worked without any problem at all. So that told me that DoH name resolution was working and available in the US with those DNS4EU resolvers, which meant that something was not working right with the benchmark, even though, as I said, it works great with Cloudflare and Quad9 and Google and NextDNS and everybody else. Something about DNS4EU. But it's working for Chrome, so I need to have it working for the benchmark.
One thing Wireshark showed me, which was different between what Chrome was doing and what the benchmark was doing, by monitoring the packet capture, was that Chrome was using TLS version 1.3, whereas the DNS Benchmark was using TLS 1.2. Chrome brings along with it its own TLS protocol stack so it can do anything it wants, whereas the DNS Benchmark uses Windows' native networking APIs, including for TLS, something known as Schannel, Secure Channel. When I was originally implementing the benchmark's TLS protocol on Windows, I noticed online a great deal of confusion about whether Windows 10 offers TLS 1.3. So I needed to determine once and for all, like, is that what the benchmark's not doing? Chrome's using 1.3. I'm using 1.2 with the benchmark. Is that the problem?
So I needed to determine whether it might be possible for me to get Windows 10 to use TLS 1.3. Was it there? So the first thing I did, as I often do now, is ask ChatGPT. I decided to see what ChatGPT had to say, so I wrote the following prompt: "How can I use the Windows native TLS Schannel API under Windows 10 to establish a TCP TLS v1.3 connection to a server?" Okay, now keep in mind, when I'm reading its reply, that this is a general-purpose chatbot that can answer a universe of questions, from, you know, why does my navel accumulate lint, to how many angels can dance on the head of a pin. After thinking for 50 seconds, which is quite some time, yeah, if you watch the second hand of a clock, you know,
50, five zero, seconds. It, like, ground, it was grinding on this, and it performed four internet searches on its own and consulted seven sources. ChatGPT replied to my question by writing: "The short answer: you can't." It's like, wow. Then it said, "Windows 10's Schannel SSP..." Now just listen to every nuance of this. "The short answer: you can't.
Windows 10's Schannel SSP simply does not expose TLS 1.3 in any released build. So an SSPI client that runs entirely on Windows 10 cannot negotiate a TLS 1.3 session, period. The highest version the platform will offer is TLS 1.2. Microsoft's own protocol support matrix makes this explicit." Then it quotes it, quote: "According to Microsoft, TLS 1.3 is supported starting in Windows 11 and Windows Server 2022. Enabling TLS 1.3 on earlier versions of Windows is not a safe system configuration," unquote. Then it provides the link for that reference, and it finishes:
"The SP_PROT_TLS1_3_CLIENT constant and the newer SCH_CREDENTIALS structure were backported..." And, by the way, I had seen those, and this was the source of the confusion. So it understood the source of the confusion that I had. I mean, it intuited it, I guess. "...were backported to Windows 10 1809 for source compatibility," which it italicized for me, and in other places it did bold. I mean, those were its emphasis added, not mine. This is just astonishing. It said, "but the underlying cryptographic engine that actually implements TLS 1.3 was never shipped in production Windows 10 builds. Insider Preview builds from 2022 to 2021 did contain an experimental TLS 1.3 implementation, but that code never graduated to the GA channel and is no longer available."
Again, I just looked at this and I thought about my question, which it appears to have anticipated, my confusion over the availability of TLS version 1.3 in Windows 10, and it explained why there has been some confusion over the question. And I feel as though I should reiterate that this was not a model trained on this domain. It didn't know what I was going to ask. It could just as easily have answered a question about optimal thread density in caftan robes. I mean, I'm astonished. So I think, because I've spent some time in this domain, I've talked about this from, we're coming at it from a whole bunch of different angles on the podcast, and everyone is wringing their hands over AGI and questions of what it means to be conscious, the emergence of these large language and large reasoning models. I think it's going to give cognitive scientists an entire new realm to explore. I mean, that's great for them. It'll be interesting to see where that goes once we figure out exactly what we've created, which would not have been possible to imagine just a year ago. I have finally settled upon where I believe we are with all this and why everyone, including me, has been so confused by this. It's because it's confusing.
There are two distinctly different things here. On the one hand, we have an amazingly powerful linguistic simulation of an intelligent entity, and on the other hand, we have actually intelligent entities which produce linguistic outputs. And here's the problem. Both of these systems produce linguistic outputs, and the outputs of both systems are identical. The reason for this is that the intelligent-entity linguistic simulator is an incredibly good linguistic simulator. It's really good at what it does. So no one considering just its linguistic output would have any means of determining that they were not seeing the output of the authentic intelligent entity whose earlier outputs were used to train the simulator. But in no way does that mean that the simulator is actually intelligent, nor is there any reason to believe that it is ever going to be. No simulation, no matter how good it is, is the real thing. The simulator may have been trained on the outputs of the real thing, but that's different from being the real thing. Cognitive scientists are probably falling all over themselves at the prospect of determining exactly to what degree a deep simulation of intelligence is and is not intelligence. But consider this. Although there is admittedly an interaction between thought and language, that's a whole realm of itself, of philosophy.
For a truly intelligent entity, language is the means of communicating the thought. The thought is the motivation which precedes its expression in language, for the sake of communication. The difference is that the linguistic simulator has no preceding locus of thought. It is not inspired by thought to express that preceding thought. It simply simulates the result of previous thoughts that were then expressed in language and captured for its training. Without being unduly arrogant, I'm convinced that this is the crucial distinction that separates true thinking beings, who use language as a tool, and any language models that can never be anything more than empty language shells. This by no means diminishes the value of what we've created. Having a linguistic interface to the world's stored knowledge expressed as language is astonishingly powerful and useful, but we are much more than that. And so I think, Leo, that's for me. That rests my case in my mind. I think that, if you just look, the reason people are so confused is, if you just examine the output, there is no difference, and that's what all these tests and benchmarks...
1:59:49 - Leo Laporte
It looks human.
1:59:50 - Steve Gibson
Yeah, I mean, there is just no difference, right? You know, many people know people who are far less smart, knowledgeable, intelligent, that's exactly right, than what we have now, you know, coming out of ChatGPT. Exactly. So it's exactly right: a simulation of an intelligent linguistic creature. I mean, it will always be a simulation of an intelligence. In fact, I sent the show notes out yesterday afternoon and one of our listeners wrote back and said the better term than artificial intelligence is simulated intelligence.
2:00:42 - Leo Laporte
Yeah, mimetic intelligence.
2:00:44 - Steve Gibson
Yeah, yeah, exactly. It is simulating intelligence. Simulated intelligence, yeah, mimetic intelligence. Calling it a simulated intelligence solves this problem of, you know, well, is it an artificial intelligence? What is intelligence? Blah, blah, blah. And again, it doesn't have to be any better than it is. What I've just read is astonishing.
2:01:08 - Leo Laporte
Well, in fact, don't you think we kind of looked at HAL 9000 and kind of thought the same thing? We knew that HAL 9000 wasn't a human in any way that made sense. It was a machine that was very impressive.
2:01:31 - Steve Gibson
And it ran this spaceship. I mean, it was in charge of running this very complicated machine.
2:01:35 - Leo Laporte
Yeah, until it went wrong. Yeah, but maybe because of the way Stanley Kubrick made its voice, it talked like this. It didn't attempt to sound human. And one of the things our current AI overlords really want you to think is, boy, the use of personal pronouns.
2:01:55 - Steve Gibson
Yeah, and you know, let me think about that. Yeah, a minute.
2:01:58 - Leo Laporte
It's like, oh my, and they make the voices as human as they possibly can, and that's what's the deception. I don't think we were deceived by HAL 9000. I think we knew it was a simulation. Right, that's interesting.
2:02:12 - Steve Gibson
I, uh, I just, I don't have it here. I just put it back on the bookshelf. I wanted to watch Colossus: The Forbin Project again, and I have the DVD. I have the original DVD. Oh wow. And I just ripped it in order to move it to a SAN, and then, yeah, and then Lori and I are going to watch it, but they used a vocoder, which, back in, you know, this thing was made in the 70s.
2:02:41 - Leo Laporte
Yeah, Colossus: The Forbin Project, yes, right.
2:02:45 - Steve Gibson
And what was really creepy was that it had a hard time. I think they deliberately had it like it had a hard time saying human. It was like oh human. It was like ooh, it gave it a little extra creep factor. But I think you're right. The use of personal pronouns, especially talking about an I, an id, an ego, which is what we assume it talking about itself, means it does humanize it, it anthropomorphizes it. Yeah.
2:03:23 - Leo Laporte
And of course that's what Sam Altman and Elon Musk and all the others want, is they want you to feel like it's a human, but it probably saw.
2:03:32 - Steve Gibson
Did you see that recent paper that compared people who use AI versus don't, and the, it was such a small sample I don't credit it with a lot of.
2:03:42 - Leo Laporte
It was like 60 people, yeah, and it was pretty clear the researchers were looking for that answer. You know, and that's always a giveaway, you could always find it in any set of data you want. Yeah, uh, look, all we have to say is this is an amazing tool. It does amazing things. It's not perfect.
2:04:00 - Steve Gibson
Yes, it's fascinating and I don't think it's harmful, I really don't. I don't think it has that, like, and I don't know how to regard this. Well, it, uh, disobeyed its, you know, shutdown. That's BS.
2:04:15 - Leo Laporte
Oh, that's BS. Yeah, it's simulating. Again, it's a simulation of how a human would act.
2:04:25 - Steve Gibson
Yes, it is. Of what a human would say.
2:04:27 - Leo Laporte
Right, it's doing its best simulation.
2:04:31 - Steve Gibson
Yeah, that's all.
2:04:32 - Leo Laporte
Yeah.
2:04:33 - Steve Gibson
And so what I think we have is an incredibly powerful search engine for content.
2:04:39 - Leo Laporte
That's where it's really useful. Yeah, just as your example.
2:04:43 - Steve Gibson
I think it's no surprise that that's where it's really useful, because that's what it actually is.
2:04:48 - Leo Laporte
It's a summary of all the data. Yeah, it's just encapsulated all the data, yeah, good. Yeah, I think, steve, the more you talk about AI, the better. I think you're a hundred percent on track, yep.
2:05:04 - Steve Gibson
Okay, okay, last break, then we're going to find out how the world got into this trouble with Typhoon. Oh my, what happened, oh my God.
2:05:16 - Leo Laporte
Well, our show today, brought to you by Zscaler, the leader in cloud security. They're a zero trust company, but they use AI to great effect. You know why? You have to. Hackers are using AI, oh yeah, to breach your organization. AI both powers innovation, drives efficiency, but also helps bad actors deliver more relentless and effective attacks. It's as useful for them as it is for us. You notice perhaps? Phishing attacks are on the upswing. Phishing attacks over encrypted channels increased by 34.1% last year, fueled by the growing use of generative AI tools, of course. Phishing as a service kits, we've talked about those.
Organizations in all industries, from small to large, are now leveraging AI in response. I guess they want to. They're increasing employee productivity with public AI for engineers. We're talking about coding assistance. Marketers use AI for writing tools to great effect. Finance is using AI to create spreadsheet formats. Don't know how to do a pivot table? The AI does. You're also using AI to automate workflows for operational efficiency across individuals and teams. AI is being embedded into applications and services that are customer and partner facing and, ultimately, AI is helping us move faster in the market, helping you move faster in the market and gain a competitive advantage, but companies really need to rethink how they protect their private and public use of AI and, of course, how they defend against AI-powered attacks.
I'll give you a reference here: Jason Kohler. He's the chief information security officer at Eaton Corporation, big company. They leverage Zscaler to embrace AI innovations and to combat AI threats. Here's his quote: Data loss detection has been very helpful for us. ChatGPT came out. We had no visibility into it. Zscaler was our key solution initially to help us understand who was going to it and what they were uploading. Right.
Traditional firewalls, VPNs, public facing IPs expose your attack surface and they're no match to hackers in the AI era. It's time for a modern approach. Zscaler's comprehensive zero trust architecture plus AI ensures safe public AI productivity, protects the integrity of your private AI and stops AI-powered attacks. This is a perfect example of AI being a double-edged sword. It's great for you, great for the bad guys, but you can thrive in the AI era with Zscaler Zero Trust Plus AI. Stay out of the competition, remain resilient even as threats and risks evolve. You're just going to evolve just as fast or faster. Learn more at zscaler.com/security. That's zscaler.com/security. We thank Zscaler so much for supporting Security Now. And Mr. Gibson, ready to salt his typhoon.
2:08:21 - Steve Gibson
Okay.
So Cisco's Talos Intelligence Group have posted their analysis of the Salt Typhoon attacks in a posting titled Weathering the Storm in the Midst of a Typhoon. I don't know whether the fact that Salt Typhoon used three of Cisco's own previous vulnerabilities has anything to do with their decision to reverse engineer Salt Typhoon, but that's what they did and, you know, bravo. I hope they learned some lessons. Cisco's analysis of this super advanced, pernicious, persistent threat group begins with this summary. They wrote: Cisco Talos has been closely monitoring reports, I bet, of widespread intrusion activity against several major US telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the US government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor's activities. Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability, CVE-2018-0171, was actively abused. In all other incidents we've investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials. That's later contradicted, but we'll get there in a second. The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years. A hallmark of this campaign is the use of living off the land techniques on network devices.
It's important to note that, while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders, in other words, everybody with Cisco gear, which is pretty much everybody at the high end. No new Cisco vulnerabilities were discovered during this campaign. That's no new Cisco vulnerabilities.
While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we've not identified any evidence to confirm these claims, though others have. The vulnerabilities in question are listed below. Note that each of these CVEs have security fixes available. Again, patches available, patches never applied. The threat actors regularly use publicly available malicious tooling, in other words, proofs of concept that are published, often on GitHub or on the dark web, to exploit these vulnerabilities, making patching of these vulnerabilities imperative. No argument there. Therefore, they wrote, our recommendation, which is consistent with our standard guidance, independent of this particular case, is always to follow best practices to secure network infrastructure and, of course, obviously, best practices says keep all your equipment patched up to date. Right, that would be nice. So then they list three CVEs: CVE-2018-0171, Cisco IOS, remember that's Internet OS, and IOS XE Software Smart Install remote code execution vulnerability; CVE-2023-20198 and also CVE-2023-20273, multiple vulnerabilities in Cisco IOS XE Software web UI feature; and CVE-2024-20399, Cisco NX-OS Software command line injection vulnerability.
Okay, now the fact that a vulnerability, think about this, the fact that a vulnerability Cisco fixed back in 2018 was successfully used by Salt Typhoon, by Cisco's own admission, this is what they saw, or anyone for that matter, to penetrate a major telecommunications vendor in 2024, is difficult to explain away. By 2024, the patch for a 2018 vulnerability would have been six years old, so Cisco gear from before 2018 had been sitting without anyone considering its need for updating throughout that entire time. Six years. And would you like to guess the CVSS score of that now seven-year-old vulnerability, CVE-2018-0171? Believe it or not, at the time it achieved, and still has, a whopping CVSS of 9.8, which, as we know, we rarely see. You have to really work to get a CVSS of 9.8. This is why I stated earlier that our current system of relying upon the timely, or really any, post-sales maintenance of equipment on a security perimeter is fundamentally broken. We cannot rely on it. Web servers are certainly not permitted to be using any certificate that expired six years before, but critical networking gear is allowed to continue operating month after month and year after year with effectively expired firmware containing critical, known CVSS 9.8 scale vulnerabilities.
So what different activities did Cisco observe on the part of these threat actors known to be Chinese state-sponsored Salt Typhoon? Under credential use and expansion, Cisco wrote of these attacks, which they observed: The use of valid stolen credentials has been observed throughout this campaign, though it is unknown at this time exactly how the initial credentials in all cases were obtained by the threat actor. We've observed the threat actor actively attempting to acquire additional credentials by obtaining network device configurations and deciphering local accounts with weak password types, a security configuration that allows users to store passwords using cryptographically weak methods. In addition, we've observed the threat actor capturing SNMP, TACACS and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers. The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use. Then we have configuration exfiltration. They wrote: In numerous instances the threat actor exfiltrated device configurations, often over TFTP and/or FTP. These configurations often contain sensitive authentication material such as SNMP read-write community strings and local accounts with weak password encryption types in use. The weak encryption password type would allow an attacker to trivially decrypt the password itself online. In addition to the sensitive authentication material, configurations often contain named interfaces which might allow an attacker to better understand the upstream and downstream network segments and use this information for additional reconnaissance and subsequent lateral movement within the network.
So they were in there, they were exfiltrating everything they could get their hands on and unfortunately, when you're actually looking at the traffic where you assume no one should ever be, there are lots of secrets there and lots of useful information that tells you where to find other secrets.
Under infrastructure pivoting, they said, a significant part of this campaign is marked by the actor's continued movement or pivoting through compromised infrastructure. This machine-to-machine pivoting or is likely conducted for a couple of reasons. First, it allows the threat actor to move within a trusted infrastructure set where network communications might not otherwise be permitted. Additionally, connections from this type of infrastructure are less likely to be flagged as suspicious by network defenders, allowing the threat actor to remain undetected. The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom. We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target. In several instances, some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.
And finally, under configuration modification, they said, we observed that the threat actor had modified devices' running configurations, as well as the subsystems associated with both bash and guest shell. They said in parens: Guest shell is a Linux-based virtual environment that runs on Cisco devices and allows users to execute Linux commands and utilities, including bash. Now I'll just stop to say that what this means is that we've got Cisco devices, which are being penetrated, that are now powerful enough. They're not just dumb switches with access control lists where packets get routed. They are sophisticated enough to be running Linux-based virtual environments and commands. So these are computers on the edge that have serious vulnerabilities, computers that haven't been patched in seven years. No Linux user would do that, and they're critical infrastructure machines. So they said running configuration modifications they saw included: the loopback interface IP address was modified.
GRE tunnel creation and use, meaning setting up outbound encrypted tunnels to exfiltrate whatever they wanted. Creation of unexpected local accounts. ACL modifications, access control lists. SNMP community string modifications, changing how SNMP access can be done remotely. HTTP and HTTPS server modifications on both standard and non-standard ports. So setting up local servers so they can access content remotely. Then, under shell access modifications, they said: guest shell enable and disable commands.
Started SSH alternative servers on high ports for persistent access, such as sshd_operns on port 57722 on underlying Linux shell or guest shell. Created Linux-level users, modifying /etc/shadow and /etc/passwd files, and added SSH authorized_keys under root or other users at Linux level. So in other words, completely owning this equipment, like taking it over. Setting up servers for remote SSH access. Talk about persistent presence.
So it is no surprise that these threat actors were able to obtain and maintain persistence within someone's network. If you have network machines that no one has bothered to maintain for six years, containing a persistent and lingering CVSS 9.8 vulnerability which provides a means for gaining remote entry, and if that system is powerful enough to host a Linux-based virtual environment where it's possible for an attacker to modify access control list rules, start HTTP servers on non-standard ports and fire up SSH servers on high ports, it would be more surprising if they did not obtain a permanent persistence within a victim network. It's just horrifying, and I get it, that Cisco wants to paint the best picture on this that they can. That's only natural, and others have enumerated a total of four vulnerabilities that were used by these Salt Typhoon attackers.
So far, I've only talked about the oldest one. It created a six-year window of vulnerability for any of these Cisco devices, and notice that we don't know the window's closed yet. Right, I mean, presumably there are still routers out there that are carrying this firmware from 2018. So the window is six years and counting in terms of its duration. But even though this flaw from 2018 carried a heart-stopping CVSS of 9.8, believe it or not, it wasn't the worst one. Having a six-year window of opportunity is not good, but all an attacker needs is for that window to still be open when they come knocking. So the fact that one of the other CVEs associated with the Salt Typhoon attacks was only discovered in 2023 in no way diminishes its severity, so long as it was present at the time of the attacks in 2024. That's all the attackers need. And what CVSS score do you imagine it carries? Would you believe that Cisco's CVE-2023-20198 has been assigned that rarest of the rare CVSSs of 10.0? Yes, it's a 10.0, because it cannot get any worse. Wow. And this is a CVSS for a piece of networking gear that's inherently on the front lines, is exposed to the bad guys and, being a set-and-forget appliance, will tend not to be on anyone's maintenance and update radar.
As I said earlier, the industry's "we're doing the best we can and this is the only thing we can think of" model of after-sales security maintenance is obviously inherently and badly broken.
There's a chain of responsibility that requires everyone to perform perfectly. Cisco needs to not ever make a mistake and, once sold and deployed, anything that's ever found to be wrong with one of their devices needs to be immediately repaired in the field. But this chain is inherently brittle, with everything working against it. Mistakes happen, entropy is real, so mistakes are always trying to happen and Cisco is going to ship mistakes. Technicians in the field are always going to appear to have better things to do than to continually run around updating the operating versions of the firmware of every device they have every time an update is made available for the sole purpose of keeping them all up to date, especially when the updates that really are critical may be much fewer and rarer. So there's inherently pressure to set it and forget it. Don't break it if it's not broken, even though doing that means that anything that's later found to have slipped past Cisco's testing and quality control at the time of sales will tend to persist in the field.
Now, this podcast has been around for a while, so you might imagine that something like a CVSS of 10.0 might have come to our attention back in 2023 and that I might have believed that this audience should be informed of it.
Oh, yes, and sure enough. Podcast number 945, which you and I, Leo, delivered on October 24th 2023, was titled The Power of Privilege, and among the summary items at the top of the show was, quote, vulnerabilities with a CVSS score of 10.0 are blessedly rare, but today the industry has another. Months ago, I noted that this was one of those horrific web management UI authentication bypass vulnerabilities and that this meant it could be scanned for, and scanned for it was. At the moment of its announcement, around 42,000 instances of Cisco web UI were found to be online and vulnerable, but that number dropped with surprising speed. This was not because the techs at the world's telecom companies were on the ball and promptly responding to the emergency. No, the numbers of vulnerable Cisco devices were observed to drop precipitously because the bad guys, like Salt Typhoon, we now know, who were on the ball, scanned, located, immediately climbed inside and said thank you very much, see you later, and shut the door behind them.
2:29:27 - Leo Laporte
Oh, my God.
2:29:28 - Steve Gibson
Taking their now compromised device off the map while they set up persistent presence. Did they fix, did they patch the systems? They closed the vulnerability. That's hysterical.
So that nobody else could get them. That's so amazing. Or find them, holy cow. Now we often talk about these vulnerabilities in the abstract, right, as we did just over a year and a half ago in this instance, because that's normally all we have is an abstraction. It's not often that we're able to follow up with a "whatever happened with that horrific 10.0?" But today we can, because many security researchers, including Cisco's own Talos Group, have identified that event a little over 18 months ago as one of the principal ways China's Salt Typhoon malicious hacking group obtained access to the networks of many domestic US and foreign companies. We now know what a disaster has ensued from that event and, given the 42,000 initially vulnerable networks scale of this, that it's 42,000 networks, it's also clear why no one can be really sure that Salt Typhoon has been completely expunged from every network they penetrated. There are just too many of them and they weren't all telecom companies. That's just what's making the news now. The other significant thing we learned from Cisco's Talos after action report is the surprising power of the devices that were found to be infected and that the bad guys knew how to leverage that power to their benefit. In their report section describing the commands that were observed or logged to have been executed,
they list, they said, packet capture. The threat actor used a variety of tools and techniques to capture packet data throughout the course of the campaign, listed below. Then they list tcpdump, a portable command line utility used to capture packet data at the underlying OS system level. tpacap, a Cisco IOS XR command line utility used to capture packets being sent to or from a given interface via NetIO at the underlying OS level. Embedded Packet Capture (EPC), a Cisco IOS feature that allows, get this, the capture and export of packet capture data. Then they show the command monitor capture CAP export ftp:// and then a URL of an FTP server.
When I talked about the concerning power of the Cisco devices the attackers had access to, this is what I meant. The operating systems of these Cisco devices support the installation of a tap into network interfaces, which then monitors, captures and exports the intercepted network traffic to any external FTP server. It would be difficult to invent a scenario that was worse than this. If this appeared in the plot of some network hacking movie, I'd raise my eyebrows and think, oh yeah, right, but the attackers were observed to be using those commands on Cisco's compromised gear. It's no wonder the title of Talos's disclosure is weathering the storm.
To give a deeper sense for the sophistication of Salt Typhoon, Cisco describes a custom utility they discovered, JumbledPath, which allowed them to execute a packet capture on a remote Cisco device through an actor-defined jump host and impair logging along the jump path and return the resultant compressed, encrypted capture, so it's encrypting and compressing the capture, via another unique series of actor-defined connections or jumps. This allowed the threat actor to create a chain of connections and perform the capture on a remote device. The use of this utility would help to obfuscate the original source and ultimate destination of the request and would also allow its operator to move through potentially otherwise non-publicly reachable or routable devices or infrastructure.
This utility was written in Go and compiled as an ELF binary using an x86-64 architecture. Compiling the utility using this architecture makes it widely usable across Linux operating systems, which also includes a variety of multi-vendor network devices. This utility was found in actor-configured guest shell instances on Cisco Nexus devices. Ouch, you know we're really talking about full penetration here. And what's more chilling is that there's really no way to know where these guys might still be, and you?
2:35:33 - Leo Laporte
really have to blame Cisco for leaving that door wide open? Yes, that's appalling.
2:35:39 - Steve Gibson
It is appalling, and we're going to get to appalling in a second. Salt Typhoon also invested in bypassing and evading any defenses. Talos explained: The threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists in place on those devices. The threat actor routinely cleared relevant logs, including .bash_history, auth.log, lastlog, wtmp and btmp where applicable, to obfuscate their activities. Shell access was restored to a normal state in many cases through the use of the guest shell disable command.
The threat actor modified authentication, authorization and accounting (AAA) server settings with supplemental addresses under their control to bypass access control systems. I mean, these organizations were completely owned by Chinese malicious state-sponsored attackers. In other words, these guys really knew their way around this Cisco environment. You know, these were not script kiddie weenies. It would be fascinating to have something we'll likely never see, which would be the Salt Typhoon view of this. Did they discover or learn of this Cisco CVSS 10.0 vulnerability and immediately jump on it, you know, scan, find them, jump on them, crawl inside, close the door behind them and only then tool up and hone their expertise to this level, or were they already fully equipped with this level of knowledge? My guess, knowing Salt Typhoon, is that it would be the latter. I suspect they were already well-versed in Cisco exploit operations, which would probably be conducted previously on a much smaller scale, and then this mother lode of a publicly exposed 10.0 login authentication bypass fell into their lap, so that they already knew what to do. It was only a matter of identifying victims and doing it all quickly enough.
Under the topic of detection, Talos said: We recommend taking the following steps to identify suspicious activity that may be related to this campaign, and I mean, that's just generic pablum. They said: Conduct comprehensive configuration management, inclusive of auditing in line with best practices. Conduct comprehensive authentication, authorization and command issuance monitoring. Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, right, because the bad guys are deleting the logs, or a gap in logging activity. Monitor your environment for unusual changes in behavior or configuration. Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening and closing and traffic to or from. Where possible, develop NetFlow visibility to identify unusual volumetric changes. Look for non-empty or unusually large .bash_history files. Additional identification and detection can be performed using Cisco forensic guides. Now, okay, none of that's surprising. It's all very generic. But something in their next section, under preventative measures, caught my eye.
The first item on Cisco's list of preventative measures is: leverage Cisco hardening guides when configuring devices. The fact that there's a hardening guide suggests that even today, Cisco still doesn't get it. It would be like 10 years ago Cisco's hardening guide saying be sure to delete the default admin credentials shipped with your Cisco device. As we'll recall, Cisco was once actually doing that. In other words, there should not be any guide for hardening a device. Shouldn't be necessary. The only guide available should be for optionally loosening a device's security. Oh, I like that. It ought to be difficult and require deliberate work to make any such device insecure. There should never be optional advice. Leverage Cisco hardening guides when configuring devices. We know people don't. And how do we know? Because people don't and haven't.
Talos's report finishes with an analyst's comments section. This should be interesting. They write: There are several reasons to believe this activity is being carried out by a highly sophisticated, well-funded threat actor, including the targeted nature of this campaign, the deep levels of developed access into victim networks and the threat actor's extensive technical knowledge. Furthermore, the long timeline of this campaign suggests a high degree of coordination, planning and patience, standard hallmarks of advanced persistent threat (APT) and state-sponsored actors. During this investigation, we observed additional pervasive targeting of Cisco devices, yeah, gee, why do you think, they were targeting Cisco with exposed Smart Install (SMI), and the subsequent abuse of CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS and IOS XE software. This activity appears to be unrelated to the Salt Typhoon operations and we have not yet been able to attribute it to a specific actor. The IP addresses provided as observables are associated with this potentially unrelated SMI activity.
Legacy devices with known vulnerabilities, such as Smart Install, should be patched, wouldn't that be nice, and decommissioned, okay, if no longer in use. Well, we know they're in use because they're on the front lines. Wouldn't it be nice if that was the world we were living in? Again, all of our real-world experience informs us that it's not. There were 42,000 instances of that vulnerability, that back door open in 2023, when we talked about it in October of that year. They wrote: Even if the device is a non-critical device or carries no traffic, it may be used as an entry door for the threat actor to pivot to other, more critical devices. The findings in this blog represent Cisco Talos's understanding of the attacks outlined herein. This campaign and its impact are still being researched and the situation continues to evolve. As such, this post may be updated at any time to reflect new findings or adjustments to assessments.
An unfortunate bit of closure regarding a very serious Cisco flaw that woke up the entire security world a little more than 18 months ago. At the time that we covered this, I wrote the following for that podcast: This first known instance of attacks against Cisco's IOS XE based routers and switches, which appear to have been initial proof of concept probing incursions, occurred at the end of last month, on the 28th. So that would have been September of 2023. Yeah, 2023. I wrote that more than three weeks passed before Cisco finally released the first fixes last month, October 16th. During the intervening three weeks, more than 42,000 of Cisco's IOS XE based devices were compromised. We know that it was 42,000 devices because scanners were quickly created by security firms who wanted to track incursions and, in response to the visibility of their initial implants, the perpetrators of these attacks updated their malware to make it less visible, and we know at least some of what became of those devices. China's Salt Typhoon group assessed their massive inventory of access, discovered that they were now inside the networks of the world's telecom providers, not to mention some large ISPs and even Digital Realty, one of the largest cloud providers, then began taking advantage of their newfound access for espionage and spying. Are they gone? Have all 42,000 instances of their intrusion been found and removed? Given everything we know of the way today's networks are being managed, that's not a bet I would take.
Every listener of this podcast knows that I draw a clear distinction between mistakes and policies. Mistakes happen, but policies are deliberate policies Mistakes happen, but policies are deliberate. In this case, I must take issue with Cisco's deliberate design and design is policy of its crucial web management interface. We know for a fact that some 42,000 instances of their XE class devices had web management exposed globally. Web management exposed globally. There is no management defensible reason for ever allowing global access to a high-end devices public management interface. Everyone listening to this podcast also knows what a fan of simple IP filtering I am. I'm a fan because the technology is so simple and it offers so much leverage.
A slash, 24 class C size network block to be specified to have remote access. Those would allow for remote management across disjoint corporate networks, but simply don't provide any provision for access from any IP anywhere in the world. How can that possibly ever actually be necessary? Who would ever actually need to allow China to access your device's management interface? Because that's what's being explicitly allowed whenever unfiltered remote access is enabled. Sure, an acl, an access control list, could and should have been added to that access, but I bet that it that it says so right there and in bold print in Cisco's illustrious hardening guide.
But that's not the correct policy. What no one ever wants or needs to have happen should not be possible. It should not be possible for any lack of configuration or misconfiguration to give Chinese hackers anywhere outside of one's immediate control, access to something they should not have. It should not be possible, period. I'm sure that if confronted with this, cisco's engineers would say well, no one should leave their web admin accessible to anyone and we provide a very nice access control list that allows anyone to limit that access.
Okay, sure, but the default is wide open, and even if it wasn't, it would be possible to innocently add a wide open rule because, hey, that would be easier. However, nothing changes the fact that there is no demonstrable need for global public access to a high-end router's admin interface. Yet some 42,000 networks were all compromised in the blink of an eye because this was Cisco's responsibility. Transferring policy Quote it's not our fault if you don't follow our optional hardening guide, leo. I am reminded of Douglas Adams' original Hitchhiker's Guide novel, where the Earth is scheduled for demolition by the Vogons due to the need to create an intergalactic bypass, and the novel's protagonist, arthur Dent, says what are you talking about? You can't just destroy the Earth. And he's told that all the proper notices and required paperwork had been filed with the local galactic sector office some time ago.
You know? Similarly, why are they complaining that 42,000 of our XE class devices were all just taken over by Chinese military hackers? Didn't they read the hardening guide that we prepared?
2:50:47 - Leo Laporte
It was stored in the basement of the building in the third arm of the galaxy. Yeah, it's amazing, and they should really be... I didn't realize Salt Typhoon was all their fault. I thought it was SS7 and a variety of other things. It's really the Cisco thing. Cisco, man. They need to really take responsibility for this. And so the fix would be to... well, the fix would be to patch these routers, but how do you get... if they're already in there, how do you get rid of them?
2:51:19 - Steve Gibson
That's the problem. As you and I said 20 years ago, if you have malware in your PC, you can't trust it anymore. You never know; you can never trust it. I mean, we know that malware can live in printers, right?
Or cameras. It's going to get in there. Yeah, cameras. I mean, it could be anywhere inside, and when you're talking about AT&T, they don't even know the wires they have. I mean, it is astonishing. It's like, you know, for years and years and years on this podcast, there's been a tendency to say, whoa, the sky is falling. Well, this is what that looks like. It's not the end of life on Earth, but the US's networks have fallen to the Chinese military.
2:52:14 - Leo Laporte
And they can't be fixed in a reasonable way.
2:52:18 - Steve Gibson
You don't know where they are.
2:52:19 - Leo Laporte
And people might take issue with your idea that you can make software perfect. But this is so much the opposite of perfect. You definitely shouldn't have software with an open portal on a networking device and then say well, you didn't harden it, it's your fault.
2:52:40 - Steve Gibson
And my point was, it should not be possible to allow any IP to access the management interface. What possible need is there? You know what network, or a couple of IPs, should have access to that management interface. We've long ago learned that username and password doesn't cut it. No one should have access. And if you simply drop any IP packet coming in, it doesn't matter if you discover a vulnerability later; nobody can connect to that port. There's no reason Cisco should have ever allowed it. It's hubris on their part, and laziness.
2:53:27 - Leo Laporte
Yeah. And they're not suffering a consequence at all in any way, of course.
2:53:35 - Steve Gibson
No, no, because of their license agreement, they're off the hook. Their attorneys are all over us saying, well, all this is is best effort. Everybody knows things are not perfect, and we aren't either, and you use this at your own risk, and any damage that befalls you is yours, and if you don't want that, then don't buy it.
2:53:58 - Leo Laporte
The real problem is that the damage is not to the users of the Cisco equipment, but to their customers.
2:54:05 - Steve Gibson
Right, and that was the point that the Canadian posting meant: the telecom service providers, the people that they are selling telecom services to. It's like back in the days with that dental managed service provider; it affected all the dental offices that were using them as their service provider. Well, this is a telecom service provider. All of their clients, all of their customers, are now victims.
2:54:35 - Leo Laporte
Yeah, Steve, you've done it again. You've raised awareness. I don't know if we fixed the world's problems, but at least people understand a little bit better why they exist and who's responsible for them. So that's a good thing. Steve Gibson does this show every Tuesday at 11 am. I'm sorry, it's after MacBreak Weekly; that's at 11 am. We do this show at 1:30 pm Pacific, 4:30 Eastern, 20:30 UTC. We stream it live, so if you need the freshest version of the show, you can get it. Actually, there's an even fresher version I'll tell you about in a second.
But if you want to watch live, we are on eight different platforms for our Club TWiT members, our valued, valued Club TWiT members. You guys know who you are, and we are so grateful to you for your support. They're the ones who put together about 25% of our operating expenses. If you're in the club, you can watch on the Discord, although Discord never was designed for streaming video, so a lot of people choose to watch on some of the other platforms. We're also open to the public on YouTube, Twitch, TikTok, Facebook, LinkedIn, X.com and Kick. So pick your poison, or in some cases, pick your platform, and watch live. After the fact, on-demand versions of the show are available in two different places.
Now, Steve has some unique versions of the show. In fact, all the versions he has are unique. At his website, GRC.com, he's got a 16-kilobit audio, which no podcast has put out in 20 years. But he does, because it's small. It's a little scratchy, it sounds like Thomas Edison, but it's okay. It's small, and that's its chief advantage. There's also a 64-kilobit audio, which is the second smallest version because, for a variety of technical reasons, we put out a 128-kilobit audio, but the 64 is fine. You can get that from Steve. So, again, if you have bandwidth issues, that's a good place to go. He has transcripts written by an actual human being, not by AI. Elaine Farris does a brilliant job. Those are also available for every show at his site. It takes a couple of days after the show's over to do that, of course. He also has the show notes, and that's the first version of the show you can get, the day before in many cases, by subscribing. Easy to do.
Go to GRC.com/email. That's designed for you to get your email address on Steve's whitelist so you can email him with comments, or maybe pictures of the week, and something like that. But you'll see, when you put in your email address, below it there are two unchecked boxes. Because Steve's cool, they're unchecked: one for his weekly show notes email and one for a very irregular email about new products, like we're all waiting with bated breath for the DNS Benchmark Pro. You'll get an email when that's available, so that's probably worth signing up to both of those.
But again, that's GRC.com/email. You've got to check the boxes yourself, you know. You've got to choose it. Let's see, what else? Oh, while you're there, if you don't already have a copy, and I can't imagine there's anyone who doesn't, but if you don't already have a... maybe somebody who doesn't have mass storage of any kind, you know, I don't know who that would be, but if you have technology you probably have mass storage. And if you have mass storage, you definitely need SpinRite. This is Steve's bread and butter. It's the world's best mass storage maintenance, recovery and performance-enhancing utility. Yes, it works with SSDs. Just get it at GRC.com.
Lots of other free stuff, including ShieldsUP, which is one of the oldest and best and still-operating network utilities to check to see if your router is opening up your ports to the public. Well, that's just a lot of stuff. It's a fun place to go if you've got an afternoon; spend some time browsing around GRC.com. We have, as I said, 128-kilobit audio and some form of video. I guess it's 1080. I don't know what it is, but I think it's 1080i. Whatever it is, it's up at the website. Find out for yourself at twit.tv/sn for Security Now. There's a link there to the YouTube channel. That might be a little bit higher quality, I don't know, but you can use that to share clips. A good way to, you know, if your company's using Cisco routers, for instance, you might want to just send them a little clip from the show and say, have you read the hardening guide? Maybe you should. That's a great way to do it. YouTube makes that very easy.
Honestly, the best thing to do is subscribe to the show. That way you don't ever miss an episode. It automatically downloads in your favorite podcast client. So whenever you're in the mood for a little Steve Gibson, you can just fire that sucker up. And if you do go that route, please leave us a good review, leave us a five-star review, because it helps spread the word. That is more important than you might imagine.
Next best thing: join the club. Ten bucks a month gets you ad-free versions of this show, all of our shows, access to the club, to a Discord, a great place to hang out with really smart people, ask interesting questions, talk about what you're doing with AI and images and whatever it is you're up to. And you get a special feed of content that we don't put out in public, like, I think this will be very interesting, on Friday we're doing a two-part, you know, music thing with my friend Norman Maslow, who's a vinyl collector. We'll talk about vinyl records, but then we're also going to talk about the history of MP3s and digital records with the author of a book, a really interesting book, all about that. That's this Friday. AI User Group is next week. A lot of stuff. There's great stuff going on in the club. Please, twit.tv/clubtwit. We'd love to have you. Steve, we will be back next Tuesday for another thrilling, gripping edition of Security Now. On the 4th of July? Yay. See you then. Bye.