Security Now 1061 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. We're going to talk about RAM pricing. We're going to talk about Claude Code and vibe coding. The six-day certificates are now out from Let's Encrypt. And yes, it's the return of GhostPoster. Malicious browser extensions. You need to watch out for all that.
Steve Gibson [00:00:21]:
Coming up next on Security Now, podcasts.
TWiT.tv [00:00:26]:
You love from people you trust.
Leo Laporte [00:00:29]:
This is TWiT. This is Security Now with Steve Gibson. Episode 1061, recorded Tuesday, January 20, 2026. More ghost posting. It's time for Security Now, the show where we cover your security, your privacy, how computers work, the best sci-fi, vitamins, magnesium and more with this man right here, Mr. Steven Gibson. Hello, Steve.
Steve Gibson [00:00:58]:
Am I bored or what?
Leo Laporte [00:01:00]:
No, you're. What you are is a polymath. Yes, that's the word. You have many diverse interests and you are a very quick learner and you like sharing what you've learned with us and that's.
Steve Gibson [00:01:14]:
We're grateful, I have to say that. Probably that sure fits. I'll go for that.
Leo Laporte [00:01:21]:
I was always an enthusiast. I would like get really excited about something for six months and then lose interest, move on to the next thing. You're a little bit more, thank goodness, devoted a little less.
Steve Gibson [00:01:34]:
What is that? Is that ADHD or ADD or what? Do they have some initials for that?
Leo Laporte [00:01:40]:
There's probably some diagnosis. I'm sure.
Steve Gibson [00:01:42]:
Sure there is. We're all on the spectrum somewhere.
Leo Laporte [00:01:44]:
Yeah.
Steve Gibson [00:01:45]:
Okay, so we're going to talk about ghost posting again after more worrisome information surfaced following our first discussion of it four podcasts ago. It was our last podcast of 2025. I thought we were done with it, but no, but more interesting stuff and some good takeaways, I think, for this Security Now number 1061 for what is happening with January. It's almost gone. That's the 20th. I guess our last podcast of January will be next month, I mean next week, so. Wow. Okay.
Steve Gibson [00:02:29]:
But we're going to look at other things first, of course. It turns out that not only are PCs going to be affected by what's happening with RAM, but there have been some recent studies and surveys that demonstrate that enterprise, high end enterprise networking like firewall equipment is similarly going to be hit, so.
Leo Laporte [00:02:54]:
Oh, I'm sorry.
Steve Gibson [00:02:55]:
Yeah, yeah. Because the high end equipment is using a lot of RAM in order to do what it's doing. And so we're going to see that going up too. Anthropic has provided sizable support to the Python Foundation, which is good. And interesting in a couple ways. The FTC has clamped down on General Motors' secret sale of driving data. A new. It's not an organization.
Steve Gibson [00:03:24]:
A new. I don't know what it is. It's a government thing. It's. It's.
Leo Laporte [00:03:31]:
No, I know why you don't know what it is. Yeah, yeah.
Steve Gibson [00:03:33]:
It's abbreviated ANCHOR, A, N, C, H, O, R. Which agency? Agency. I like that. That's an agency which replaces C, I, I, I. I don't know how you pronounce this except CPAC. Although it's not the CPAC we're all familiar with. PAC.
Steve Gibson [00:03:51]:
That was that agency that was terminated when Trump. Shortly after Trump became president for the second time, which is that. It's that private public information sharing where the industry was relying upon their ability to disclose their own mistakes with. Without fear of retribution from the government. So anyway, we're going to catch up on where that is. Germany, it turns out, is planning to legislate themselves total access to the Internet's global data. And Leo, we were talking about the inability to pronounce things before we began the podcast. I've got a German word that.
Steve Gibson [00:04:41]:
I mean, it looks like your Scrabble set fell on the ground and they just assembled the letters in an arbitrary sequence. Luckily it's got a letter abbreviation. But anyway, we'll talk about this legislation from this organization in Germany. Grubhub has not completely confessed, but we now know that they are ShinyHunters' most recent extortion victim.
Leo Laporte [00:05:09]:
Jeez.
Steve Gibson [00:05:10]:
Huh. So ShinyHunters. The shine has not been lost yet. Let's Encrypt six-day certs are now available to anyone who wants them, which is the way it should stay. Not mandatory, but yeah. Okay. I'm really nervous about my inability to protect my certificate, you know, despite the fact that I'm running a web server that has to have one, you know.
Steve Gibson [00:05:35]:
Okay, so I want six days anyway. We'll get there. Iran has said. Well, actually not said publicly, but there are internal reports and internal machinations which force people to draw the conclusion that they plan to permanently remain off the Internet as they have been since January 8th. Not coming back. We'll talk about what that means also. Oh, I got two so cool graphs. An HD Tune before and after.
Steve Gibson [00:06:14]:
An HD Tune is a utility. You know, HD as in hard disk. It was run on an SSD by one of our listeners and SpinRite owners before and after. And that's my favorite, my favorite chart. Also, we've got some great listener feedback and then we're going to get around to talking about the fact that GhostPoster turned out to have been. I hope we can use the past tense. It's not clear. Much worse than was believed.
Steve Gibson [00:06:45]:
And then that we knew four weeks ago when we talked about it for, I think it was 1057, our last podcast of last year. And of course we've got a Picture of the Week that many of our listeners have written back saying, because I sent this all out yesterday afternoon, early afternoon, they said, oh yeah, I remember that.
Leo Laporte [00:07:10]:
Okay, well, I can't wait to remember what that is, but we'll find out in just a little bit. It is.
Steve Gibson [00:07:16]:
Yes, it's the follow-on to the famous "Be Kind, Rewind."
Leo Laporte [00:07:21]:
Oh, yes. Oh, yeah.
Steve Gibson [00:07:22]:
Which Blockbuster put on all of their VHS tapes.
Leo Laporte [00:07:27]:
You know, it was also the name of a movie about a guy who works in a video store. I can't wait. We have lots to talk about and of course this is the place to talk about it. If you're interested in security, we will get underway with our Picture of the Week. Again, I have sealed myself in a soundproof booth for the last seven days. I have no idea what the Picture of the Week is. We will look at it for the first time together. Although, as you have pointed out, people who subscribe to your newsletter get it a day before and they've been probably already talking about it and everything.
Steve Gibson [00:08:03]:
So there have been some.
Leo Laporte [00:08:04]:
I'm probably the last to know. Yeah. Yes. Before we get to that, though, let me talk about our sponsor for this segment on Security Now, our great friends at Bitwarden. And I know you know about Bitwarden, Steve. We talked a lot about it a few years ago. We decided that the password manager we were using might not be the best one in the business. Even though they were at the time a sponsor.
Steve Gibson [00:08:29]:
We were driven off.
Leo Laporte [00:08:30]:
We were driven off, it's true. But we found, I think, a very, very good replacement. I don't know about you, but I am super happy with Bitwarden. Now, one of the reasons I was happy to move to Bitwarden is because it's open source. And I'm a firm believer that if you're going to trust something that has crypto in it, it has to be open source crypto so that you know they're using the best algorithms. They didn't roll their own, they didn't make it up, that there are no backdoors and it does what it says it does.
Leo Laporte [00:08:56]:
You can look at it. It can be audited. In a nutshell, that's Bitwarden: GPL license, the code's on GitHub. There's no surprise they have become the trusted leader in not just passwords. By the way, passkeys, secrets management. Frankly, I put everything that I want to keep secret in Bitwarden. Bitwarden is consistently ranked number one in user satisfaction by G2 and by Software Reviews. 10 million users now across 180 countries, more than 50,000 businesses. Steve and I are not alone.
Leo Laporte [00:09:28]:
And when I say business that's really important, I mean it's one thing for your passwords. Anybody watches this show is using a password manager. You know about good password hygiene, you know how important that is. But if you have a business, can you say the same thing about your employees? We know you know your employees are probably doing all the things everybody else does that's wrong, like reusing passwords using bad weak passwords that are easy to remember, putting, putting their passwords in a. Actually we had to fire an employee who was putting all of the company's networking passwords and everything in a spreadsheet that he posted publicly. So he said, I have easy access to it. No, that's why. I know, I know.
Leo Laporte [00:10:14]:
That's why you need Bitwarden for your business. It keeps you secure all year long. One of the things Bitwarden has just added, they always have nice new features. What other advantage of being open source? I think with the new Bitwarden Access Intelligence, organizations can detect weak, reused or exposed credentials and then with the employee, immediately guide remediation so the employee understands why this was bad, what happened, and helps them replace those risky passwords with strong unique passwords. Passwords done right, and that closes a huge security gap. We've talked about it many times. Credentials are perhaps the top cause of breaches. Access Intelligence from Bitwarden makes those bad passwords, those reused passwords, visible, prioritizes remediation and corrects them before exploitation can occur.
Leo Laporte [00:11:05]:
But it's not just business. Bitwarden's for everybody. They love the individual. They've just introduced something I think so cool called Bitwarden Lite, L I T E. It's a special lightweight self-hosted password manager. So this is perfect for a lot of our audience. It's built for a home lab or personal project, any environment where you want quick setup, minimal overhead and TNO, trust no one, because you're hosting it. Bitwarden is now enhanced with real time vault.
Leo Laporte [00:11:35]:
You don't have to use this, obviously, this is just one feature, one of many features. They're enhanced all the time. They're improving Bitwarden Real Time Vault Health Alerts. As I mentioned, they've got those password coaching features that help users identify weak, reused or exposed credentials. This is not just for businesses, it's for everybody. Using Bitwarden helps you take immediate action. I do it all the time because I have thousands of passwords over the last, what is it, 20 years and they're all in my Bitwarden vault. And every once in a while I use one and Bitwarden says we want to change that right now.
Leo Laporte [00:12:04]:
Here, let me help you. That's fantastic. Makes it easy. Bitwarden also makes it easy to move from the browser password manager, which so many people use. It's probably what your mom uses, probably what Uncle Vinnie uses. Whether it's Chrome, Edge, Brave, Opera, Vivaldi. Direct import means they don't have to export. This is what Steve and I did when we moved.
Leo Laporte [00:12:27]:
We had to export our passwords. And then you're in that scary point where everything's in clear text on your hard drive. Import them in and you've got to remember to delete it. Not anymore. Bitwarden supports direct import. Direct import copies or imports credentials from the browser into the encrypted vault. In fact, when you install Bitwarden, it'll offer to do that without requiring that separate plain text export. That makes migrations fast, easy, and eliminates the exposure that's associated with the manual export and deletion steps.
Leo Laporte [00:12:58]:
I love that. They're always thinking, they're always improving. G2 winner 2025: the most recent G2 report says that Bitwarden continues to hold strong as number one in every enterprise category. That's the sixth straight quarter. Congratulations, Bitwarden. The setup is easy. It'll import from most password management solutions. It's a quick move and it's painless.
Leo Laporte [00:13:21]:
And you're going to be so glad you moved to Bitwarden. Bitwarden's open source code is regularly audited by third party experts. They meet SOC 2 Type 2, GDPR, HIPAA, CCPA standards. They're ISO 27001 and 27002 certified. Get started today with Bitwarden's free trial for your business of a Teams or Enterprise plan or get started for free as an individual user. bitwarden.com/twit, that's bitwarden.com/twit. Thank you, Bitwarden, for supporting Steve and the work he does here. Okay, okay. Picture of the Week time.
Steve Gibson [00:14:00]:
I found the sales pitch for this device, Leo. Okay, it reads never pay another DVD rewind fee again.
Leo Laporte [00:14:14]:
It's a DVD rewinder.
Steve Gibson [00:14:16]:
It is a DVD rewinder.
Leo Laporte [00:14:19]:
Oh well, wait a minute.
Steve Gibson [00:14:20]:
I know. Wait, hold on.
Leo Laporte [00:14:22]:
It.
Steve Gibson [00:14:22]:
No, it's compatible.
Leo Laporte [00:14:23]:
Wait a minute.
Steve Gibson [00:14:24]:
All disc formats: DVD-R, DVD-RW, DVD+R, DVD+RW, CD-R, CD-RW, audio CD. In fact, you can see down there, the little switch. It says DVD or MP3.
Leo Laporte [00:14:42]:
Oh yeah.
Steve Gibson [00:14:44]:
It'll rewind your audio discs as well. Wow. So, and then in the marketing material that came along with it, they explained, they said we've tested the DVD Rewinder with the next generation disc media including Blu-ray and HD. The DVD Rewinder also works with Sony PlayStations, Xbox and other disc-based console system media. The DVD Rewinder works with all disc-based digital media to provide an optimized digital experience. Visual indicators blink and audible sounds are played while your digital media is reversed. The DVD Rewinder also has, get this Leo, this is so clever, a USB port for MP3 players and USB media.
Steve Gibson [00:15:39]:
So it will even rewind your USB media when it, like, hits the end, you know, and even.
Leo Laporte [00:15:47]:
iPods, ladies and gentlemen, everything. It'll rewind your iPod.
Steve Gibson [00:15:52]:
It's an amazing device. I can't understand why it's no longer available. Sometimes you can find a stray one on eBay, but yeah.
Leo Laporte [00:16:04]:
Oh my.
Steve Gibson [00:16:05]:
You know, sometimes the most obvious things, you just miss them.
Leo Laporte [00:16:10]:
I want this for the next White Elephant party because that would be a.
Steve Gibson [00:16:13]:
Comes along and they go, nobody did a rewinder for DVDs. It's like the missing link.
Leo Laporte [00:16:21]:
Be kind rewind that DVD.
Steve Gibson [00:16:23]:
That's right. That's right. And the truth is, Leo, that when Blockbuster switched from tapes to DVDs, the employees still put the, you know, "Be Kind, Please Rewind" sticker on the DVD box.
Leo Laporte [00:16:42]:
Well, that probably stimulated the demand for this.
Steve Gibson [00:16:45]:
They were. Well, what are you gonna do? You don't want one of those fees. Sometimes, in some places, they would charge you a fee if you did not rewind your media. So you could probably hold this up and show them, hey, I have a DVD rewinder. All the DVDs I'm returning are fully rewound.
Leo Laporte [00:17:04]:
Steve, you understand there's an entire group of our members of our audience that have no idea what we're talking about. They've never been to a video store.
Steve Gibson [00:17:14]:
Bulk of our audience are old.
Leo Laporte [00:17:19]:
But seriously, there's a whole generation that's never seen a VHS cassette.
Steve Gibson [00:17:24]:
That's true.
Leo Laporte [00:17:25]:
That's amazing. And soon there'll be a generation that's never seen a CD or DVD.
Steve Gibson [00:17:30]:
Well, and I was saying to Lori the other day, imagine kids now growing up, never being in a world that never had AI that you could talk to and would answer. I mean, it's here, and all of us oldies are like, oh my God, have you seen what it can do?
Leo Laporte [00:17:54]:
It's amazing.
Steve Gibson [00:17:55]:
It is.
Leo Laporte [00:17:56]:
And, and every day.
Steve Gibson [00:17:57]:
And now the next round, they're going to be like, eh, yeah, I, you know, I just grokked it.
Leo Laporte [00:18:03]:
Yeah, I just grokked it. Let's hope that does not become the verb. I'm just saying.
Steve Gibson [00:18:08]:
Yeah, yeah, okay. So any of our listeners who provide purchase planning guidance for high end network security products may wish to consider advising those who, you know, make the final decisions that maybe they should be purchasing sooner rather than later if, like, they already know what they were going to do but just haven't pulled the trigger. Some recent commentary about the effect the rising cost of RAM will also likely have on the security equipment sector suggested that prices could be expected to rise there as well shortly. The commentary said the current price hikes and supply shortage of DRAM memory chips are expected to also impact firewall makers and the cybersecurity market. DRAM is a crucial component for the manufacturing of modern next-gen firewalls, a staple in the cybersecurity defense of any major enterprise. Investment advisory firm Wedbush says firewall companies will see thinner margins this year due to the rising DRAM costs. This will impact their bills of materials, with the extra costs being passed on to consumers as product price increases. This will likely lead to lower sales, smaller profit margins and weaker investor yields. Companies like Fortinet, Palo Alto Networks and Check Point are expected to see the biggest headwinds on the stock market this year as a result of DRAM hikes.
Steve Gibson [00:19:46]:
Firewall makers join laptop, PC and smartphone vendors, all of which are expected to see big headwinds this year due to collapsing sales. DRAM prices have been up between 60% and 70% since last year and are expected to grow another 50% in the first quarter of the year alone. The production of most of this year's DRAM supply has already been purchased by AI companies for use in their future data centers. DRAM maker Micron has exited the consumer market and focused strictly on supplying AI and data center makers. South Korean company SK Hynix is also pondering a similar decision from both the DRAM and NAND SSD markets. So I mentioned previously that I purchased my next small form factor desktop PC from Lenovo a couple of months ago, before I planned to deploy it. Deploy it probably March, another two months still. And I did that due to the expectation that PC vendors will soon have no choice other than to raise the prices for their systems.
Steve Gibson [00:21:07]:
And since it'll be done across the board by the industry, it's not like they're going to, you know, lose out in the competition. The competition is going to have to do the same thing as well. And I also had mentioned previously, several months before that, that I was, I'd become similarly glad to have recently purchased replacement servers for GRC. After the second of the five that I currently had had died. That used up, two dying out of five used up my margin. I no longer had any spares. So I wanted to be ready with a replacement server standing by in case I were to lose another. At the time those server replacements were for that just-in-case instance.
Steve Gibson [00:21:57]:
But now I'm glad, since I always prefer to stuff my servers with as much RAM as they can handle. You know, that's a good thing for their health. And last summer RAM was still amazingly inexpensive. Not so any longer. So I think that the takeaway here is that, as I said, if somebody already had plans to purchase high end RAM intensive network security equipment like sometime soon, it might make sense to cut the purchase order like very soon because prices are expected to rise again. Not surprisingly, the little small form factor PC that I purchased, I was unable to max out its RAM and I went looking for the balance and I decided, okay, I'm gonna wait because, you know, this crazy RAM pricing is not expected to last forever. I hope it doesn't, but at the current RAM prices, I'm not willing to buy another 64 gig to bring this thing up to 128. I'll stay where I am, which should be fine.
Steve Gibson [00:23:08]:
Or maybe it was 32 and it can take 64. I don't quite remember, but I looked at current prices and it's like, ow, yeah, I, you know, I don't need it that badly.
Leo Laporte [00:23:22]:
Just hope you're, you know, you're where you need to be for now, right?
Steve Gibson [00:23:26]:
And yeah, oh yeah, I've got, I had, it had at least 32 gig, which may be 64, I'm not sure, but it could take twice what I had. And I thought, well, I want to give it all it can because I expect to be more in a virtual machine environment also, you know, moving forward. So last week the Python Software Foundation announced some very welcome financial support from Anthropic. Under their headline "Anthropic Invests $1.5 Million in the Python Software Foundation and Open Source Security," they wrote: We are thrilled to announce that Anthropic has entered into a two year partnership with the Python Software Foundation to contribute a landmark total of 1 1/2 million dollars to support the Foundation's work with an emphasis on Python ecosystem security. This investment will enable the PSF, that's Python Software Foundation, the PSF, to make crucial security advances to CPython, which is the product that's the Python written in a hybrid of C and Python itself. And the Python.
Leo Laporte [00:24:39]:
Actually it's a Python that compiles, that's written in C and compiles to C. But you write in Python. CPython.
Steve Gibson [00:24:45]:
Oh yeah. Wait, so, but written in C?
Leo Laporte [00:24:48]:
Well, I think Python in general is written in C. Some of the libraries are written in Python, but CPython.
Steve Gibson [00:24:53]:
Right.
Leo Laporte [00:24:54]:
Instead of. So Python's normally an interpreter. CPython writes C code which is then compiled.
Steve Gibson [00:25:01]:
I see. So I got you. Gotcha. So it outputs C code that is then compiled. Got it.
Leo Laporte [00:25:09]:
May be wrong. Correct me if I'm wrong. Chaver.
Steve Gibson [00:25:11]:
So, CPython, and also PyPI, which we're talking about all the time for not good reasons. The Python Package Index will also be receiving the benefit of.
Leo Laporte [00:25:22]:
This is great.
Steve Gibson [00:25:23]:
So yeah, it's really good. And so they said it will also sustain the Foundation's core work supporting the Python language ecosystem and global community.
Leo Laporte [00:25:32]:
Just because Python is really the language of AI.
Steve Gibson [00:25:36]:
AI, exactly. And they said Anthropic's funds will enable the PSF. Exactly. It's a strategic investment. Right on Anthropic's part.
Leo Laporte [00:25:46]:
Yeah.
Steve Gibson [00:25:46]:
Anthropic's funds, they said, will enable the PSF to make progress on our security roadmap, including work designed to protect millions of PyPI users from attempted supply chain attacks. And get this. Planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process of reactive only review. We intend to create a new data set of known malware that will allow us to design these novel tools relying on capability analysis. One of the advantages of this project is that we expect the outputs we develop to be transferable to all open source package repositories. As a result, this work has the potential to ultimately improve security across multiple open source ecosystems, starting with the Python ecosystem. This work will build on PSF Security Developer in Residence Seth Larson's security roadmap, with contributions from PyPI Safety and Security Engineer Mike Fiedler, both roles generously funded by Alpha-Omega. Anthropic's support will also go towards the PSF's core work, including the Developer in Residence program, driving contributions to CPython, community support through grants and other programs, running core infrastructure such as PyPI, and more.
Steve Gibson [00:27:19]:
We could not be more grateful for Anthropic's remarkable support, and we hope you will join us in thanking them for their investment in the PSF and the Python community. So as you said, Leo, this is great and welcome news. One and a half million likely makes a big difference to the Python project, as it would to any volunteer driven open source effort. And given the insane flows of cash the AI sector is seeing, where one and a half million doesn't even qualify as a drop in the bucket, it's more like some vapor for the likes of any mainstream commercial AI vendor. At the same time, much as this will be welcome support on the receiving end, you know, we should also acknowledge, right, that it's likely a clever investment on Anthropic's part. You know, the line from the announcement, as I said, that caught my eye: Planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process. So yes, automated proactive review.
Steve Gibson [00:28:31]:
In other words, deploying AI to examine all newly submitted Python package code. And whose AI do you imagine the Python Software Foundation will choose to deploy? You know, even if it weren't Anthropic, given Claude's current code analysis, you'd use Claude anyway.
Leo Laporte [00:28:54]:
That's right, yes.
Steve Gibson [00:28:55]:
Anthropic's solution would probably be the one to choose.
Leo Laporte [00:28:58]:
You're not going to use Grok for that.
Steve Gibson [00:29:00]:
They're certainly not going to use a competitor AI with the one and a half million dollars. I was kind of wondering if some of that might have been in AI token credit. But they said cash, so yeah.
Leo Laporte [00:29:14]:
Anyway this I think more comp every company now uses open source software a.
Steve Gibson [00:29:19]:
Lot in fact and author many be.
Leo Laporte [00:29:22]:
Supporting they everybody should be doing this. If you're using open source, fund those projects because they're underfunded and they need help and you're making money off of them. So put some of it back in.
Steve Gibson [00:29:35]:
I'll talk a little bit later again about my plans to switch to Let's Encrypt TLS certs when I'm forced to, and that, much as I do for Wikipedia, that, you know, sends me a little email every month thanking me for my, you know, drip of contribution, I'm going to do the same thing for Let's Encrypt because I'll be using their certificate services for free, and that's a hell of an infrastructure that needs to keep, you know, running and going. So yeah, I agree with you, Leo. I think that's the right model. One of the more egregious privacy invading behaviors that has come to light is the idea that car makers might be generating additional revenue for themselves behind their car owners' backs by selling data about their individual drivers' driving to insurance companies. The question has been whether or not individual drivers may have consented to this. I would argue strongly that it is not possible to actually consent to something that's never explicitly described and explained and which probably appears in a purchase agreement's legalese fine print.
Steve Gibson [00:30:58]:
I've been driving for about 55 years now and I purchased a few cars during that time. I've never attempted to read any of the fine print. I presume that as a U.S. consumer my rights will be protected by my government's agencies whose job it is to be a check on corporate greed and to make sure that consumers who don't read the fine print get a fair shake. Nevertheless, to that end, last Wednesday the FTC posted an announcement under their headline "FTC Finalizes Order Settling Allegations that GM and OnStar Collected and Sold Geolocation Data without Consumers' Informed Consent." They wrote: The Federal Trade Commission finalized an order with General Motors and OnStar settling allegations that they collected, used and sold consumers' precise geolocation data and driving behavior data. You know, like acceleration and braking. We know that the cars are tracking that from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent.
Steve Gibson [00:32:15]:
Under the order finalized by the Commission, General Motors LLC, General Motors Holdings LLC and OnStar LLC, collectively GM, which are owned by General Motors Company, are prohibited from sharing certain consumer data with consumer reporting agencies. They also are required to take steps to provide greater transparency, which I would argue is any transparency, and choice to consumers over the collection, use and disclosure of their connected vehicle data. In a complaint first announced in January 2025, so this took a year, the FTC alleged that GM used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and OnStar Smart Driver feature. The FTC also alleged that GM failed to clearly disclose that it collected consumers' precise geolocation and driving behavior data via the Smart Driver feature and sold it to third parties without consumers' consent. The final order approved by the Commission imposes a five-year ban on GM disclosing consumers' geolocation and driver behavior data to consumer reporting agencies. This fencing-in relief is appropriate given GM's egregious betrayal of consumers' trust, and for the entire 20 year life of the order, GM will be required to, and we have four bullet points, obtain affirmative express consent from consumers prior to collecting, using or sharing connected vehicle data, including sharing data with consumer reporting agencies, with some exceptions such as for providing location data to emergency first responders. Second, create a way for all U.S. consumers to request a copy of their data and seek its deletion.
Steve Gibson [00:34:21]:
Third, give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology. And finally, provide a way for consumers to opt out of the collection of geolocation and driver behavior data with some limited exceptions, again like emergency conditions. The Commission, I got a kick out of this. The Commission, they said, voted 2 to 0. So Leo, both of the commissioners, 2 to 0, said okay, we like this.
Leo Laporte [00:34:57]:
Steve and I vote 2 to 0.
Steve Gibson [00:35:00]:
Thank God it wasn't a tie. What would have happened? So in addition to General Motors, we know that Hyundai has been found to be sharing its drivers' data with a company called Verisk. That's one of the major brokers of such information. Both Honda and Toyota are believed to be doing the same. And you know, this nauseating spying on the part of automakers feels so similar to the idea of consumer ISPs, like all of the companies that we use to connect us to the Internet, surreptitiously monitoring and tracking their own subscribers' Internet usage and behavior without knowledge or permission, technically. Right. Maybe it's in, you know, they'll say something down in there about, you know, for business purposes without ever, you know, being express about what it is, just so, you know, their attorneys have like given them an out legally.
Steve Gibson [00:36:00]:
And remember, Leo, you used to introduce me on this podcast as the person who coined the term spyware, right? And who created the world's first spyware removal tool. Both of those things are true. I named that first anti-spyware utility OptOut. And I, oh, I will never forget the raw fury that was expressed in the email end users were sending to that spyware's parent company, at the time named Aureate. They shared some of the email with me. I mean, oh, it was way over the top. I mean, it's like, hire security guards to protect your family. Oh, people were so upset.
Steve Gibson [00:36:55]:
But that's how people reacted to the affirmative discovery of secretly installed spyware residing inside their machines. It was never my intention to put Aureate out of business, but it turned out that their entire business model was only viable while they remained unknown and secretive. Once people learned about them, no one wanted anything to do with them. My creation and publication of OptOut generated so much antipathy toward them that I spoke, as I mentioned, to their leadership on several occasions. I came to understand that individually they were not bad people. The Aureate system was a revenue generation library that shareware and freeware authors could embed into their software to display advertisements on the app's UI surface. So the Aureate system was supposed to advertising-enable shareware to generate some revenue from the shareware's use. The big mistake Aureate made was in relying upon the freeware and shareware authors to notify their users.
Steve Gibson [00:38:21]:
It was all about notification, notifying their users that this was taking place. None of their authors did that, or if they did, again, it was buried down in the software's license agreement that no one ever bothered to read or understand. I explained to the Aureate management that they needed to take independent responsibility for the operation of their system by displaying their own permission dialog to get the end user's permission. Most of the anger, and oh, it was palpable, was over the fact that this was going on behind people's backs, users' backs, and it just engendered fear, right? I mean, they were afraid of the idea that something was watching them. So today the names have changed, but the behavior has not. GM knows that if their users were clearly asked whether they would like to have detailed data about their driving habits sold for GM's profit to third parties, who would then resell it to their insurance providers to justify increases in their own insurance rates, who would say, you betcha, sign me up for some of that? No. Nobody, right? Similarly, ISPs know that no one would want to have their detailed use of the Internet resold to data brokers.
Steve Gibson [00:39:53]:
But ex-ISP employees have said they know firsthand that's happening. So we know that the opinions and votes of our politicians can be deeply influenced by commercial interests, you know, through lobbying. So thank goodness we have, you know, independent consumer watchdog agencies such as the FTC to watch our backs for us.
Leo Laporte [00:40:25]:
A lot of insurance companies will give you a this is how they get around this.
Steve Gibson [00:40:29]:
You think it works? It works both ways.
Leo Laporte [00:40:32]:
Yeah. Well, what they do is they offer you, as their insured, a reduced rate if you agree to be tracked. Right. And then they have an app that you can install, so that's directly with the company. Right. It's not. And no car company is making money on that, selling your information without your knowledge.
Leo Laporte [00:40:51]:
You're agreeing with the insurance company. I think that's okay.
Steve Gibson [00:40:56]:
Yeah, yeah, yeah, yeah.
Leo Laporte [00:40:58]:
In that case that's actually good, because that reduces our expense if, if, you know, because insurance companies don't want to insure bad drivers. Right. They only insure.
Steve Gibson [00:41:08]:
I, the other day, I showed Lori my 20-plus-year-old beloved BMW sedan. It died like two years ago. It's okay. And I replaced it. And since then my aggregated driving shows an average of 26 miles per hour.
Leo Laporte [00:41:36]:
Now, you should see what my aggravated driving is. Now that's good, Steve, you follow the speed limit, so, I, well, not because.
Steve Gibson [00:41:48]:
I want to, it's just because there's cars in my way.
Leo Laporte [00:41:52]:
I live in the LA area. You can't go any faster, even on the freeway. Hey, I want to correct myself. CPython, I did not know this, actually is the official name of real Python. It is called CPython because it was written in C. Cython, C-Y-T-H-O-N, is the one I was thinking of, which is compiled C, and that is not a Python Software Foundation project. So they don't get any of the money. CPython is Python.
Leo Laporte [00:42:21]:
It's the same thing. They just, I don't know, they call it Python.
Steve Gibson [00:42:25]:
Okay, before we figure out what ANCHOR and CIPAC are, let's take a break, and then we're going to figure out what the Department of Homeland Security is up to and whether the replacement ANCHOR council is going to make anybody happy.
Leo Laporte [00:42:48]:
Yes, Security Now, brought to you this week by Thinkst Canary. This is not an external USB drive, nor is this 64 gigs of RAM.
Steve Gibson [00:43:00]:
Nor does it need to be rewound.
Leo Laporte [00:43:02]:
You know, it doesn't have to be rewound. This is the best darn honeypot ever made. This is the Thinkst Canary, and you're going to love it. You need it as part of your overall security strategy. I have a question for you. If, and you know it's not going to happen, but let's say you were breached, your company's network was breached by a bad guy. How would you know? It's a question that a lot of bosses don't want you to ask. How would you know if somebody were in your network? You can assume the bad guys are clever, they're covering their tracks.
Leo Laporte [00:43:37]:
They're not going to say, hey, I'm in here, I'm working here. They're going to sneak around, and what are they going to do? They're going to look for places they can hide time bombs, little ransomware time bombs. They're going to look for proprietary information, your secrets, maybe customer information. They're going to exfiltrate that stuff so they can blackmail you before they set off the time bombs and ransomware you. You need a way of knowing that somebody's in your network. On average, companies do not know they have been breached for 91 days. That's three months for the bad guys to wander around unimpeded. Again, you need this. It's a honeypot.
Leo Laporte [00:44:16]:
Now, writing your own honeypot is not an easy thing to do. Our sponsor, Thinkst Canary, has done it for you. This is a Thinkst Canary. It looks just like an external USB drive. A little difference here, though. It has an Ethernet port and a USB connection for power. You plug this in, you put it in your closet, anywhere you want. You're going to want one for every LAN segment for sure. You might want more.
Leo Laporte [00:44:39]:
Just sprinkle them all around. And if you have, you know, remote offices, etc., every one of them should have one. The idea is you want to sprinkle these around because they don't look like honeypots. They don't say, hey, I'm a Thinkst Canary, hacker. They say, I'm a SharePoint server, I'm an IIS server, I'm Microsoft Windows 9 or whatever. They could be anything. They could be a SCADA device. This one turns out to be a Synology NAS.
Leo Laporte [00:45:08]:
It's a fake one, though. I mean, you can't tell. The bad guy can't tell. It's got the MAC addresses, right? They have the company MAC addresses. They have the full login pages. Anything that a bad guy would use to say, is this the real thing? They've done it. It's a perfect impersonation. The other thing these Thinkst Canaries can do, which is so cool, is they can create files, lure files, that can be a whole variety of things. Anything from a WireGuard configuration file to an Excel spreadsheet.
Leo Laporte [00:45:34]:
You can name them with provocative names like employee payroll information, and you can put them anywhere, even on your cloud. I have some on Google Drive. You have them on local, on-prem hardware. You can spread them around. These are like trip wires, right? So you've got the Thinkst Canary honeypots, you've got these trip wires. They can be deployed in minutes. Literally, you could set these up in just a few minutes. You get this great console. It's got a drop-down menu.
Leo Laporte [00:45:59]:
You choose what it is. You can, even if it's a server, if it's a Windows NT server, you can say, turn on every service, make it a Christmas tree. Or you could say no, no, just a few special services like, I don't know, RDP. Make that public. You can do whatever you want, right, once you set this up. But then you let it sit there. You relax, you wait.
Leo Laporte [00:46:24]:
The minute somebody accesses one of those lure files, and they can't resist, what, a WireGuard configuration? I can't wait to get in there. Those spreadsheets with Social Security numbers, that's for me. Or if they try to brute-force your server, your fake SSH server or NT server, you're going to get from your Thinkst Canary an alert. No false alerts. If you get an alert from your Thinkst Canary, it's something you need to pay attention to, and you're going to want that alert. It's very simple. By the way, the alerts can come any way you like, or all of them.
Leo Laporte [00:46:55]:
Email, SMS, Slack messages, webhooks, they support webhooks. There's an API, syslog, of course. You just choose a profile for your Thinkst Canary device. So easy you might change it every few days. I sometimes, just for fun, change it every day. Then you register with a hosted console. You'll get your monitoring, your notifications, and then you wait. Attackers who breach your network, malicious insiders, other adversaries cannot help but make themselves known by accessing your Thinkst Canary.
Leo Laporte [00:47:26]:
Now, if you're a big bank, you might have hundreds of these, as I said, spread out all over. A small operation like ours might just have a handful. But let's give you an idea. Visit canary.tools/twit. 7,500 bucks a year will get you five Thinkst Canaries. You also get your own hosted console. You get upgrades, you get support, you get maintenance.
Leo Laporte [00:47:45]:
If you use the code TWIT when you sign up in the "How did you hear about us?" box, say TWIT, you'll get 10% off the price. And not just for the first year, but for life. You can always return those Thinkst Canaries. They've got a great two-month, 60-day money-back guarantee for a full refund, no questions asked. I do have to tell you, though, we've been doing ads for Thinkst Canary, it will be 10 years this summer. 10 years.
Leo Laporte [00:48:11]:
In all that time, in that entire decade, that refund guarantee has never once, not once, been claimed. Visit canary.tools/twit. Don't forget, enter the offer code TWIT in the "How did you hear about us?" box. That's canary.tools/twit. It's awesome. Now, speaking of awesome, back to Mr. Wonder.
Steve Gibson [00:48:34]:
No rewinding necessary.
Leo Laporte [00:48:36]:
No rewinding this. You couldn't rewind it if you tried. There's nowhere to stick it in. All right.
Steve Gibson [00:48:45]:
Okay. So last year we touched upon the crucial need for industry executives to be able to disclose known security incidents, that is, you know, their own known security incidents, and these are, like, you know, infrastructure agencies, you know, major power companies and so forth, to government officials without fear of reprisals from the government. This was the critical role that CIPAC had, I guess. CIPAC. CIPAC stood for the Critical Infrastructure Partnership Advisory Council. Last Wednesday, the publication CyberScoop published a very nice piece about the pending replacement agency. CyberScoop wrote, the Department of Homeland Security is finalizing plans for a new body that would replace the functions of the Critical Infrastructure Partnership Advisory Council and serve as a communications hub between industry and government to discuss ongoing threats to U.S. critical infrastructure, including from cyber attacks.
Steve Gibson [00:50:00]:
Under previous administrations, CIPAC served as a nerve center for federal agencies, industry and other stakeholders. While industry widely praised its utility, the council was one of many DHS advisory bodies that were shuttered last year by Secretary of Homeland Security Kristi Noem after President Donald Trump returned to office. Now, according to multiple sources, a proposed regulation for a new replacement council is in the final stages of review and approval from Noem's office. The new body will be called the Alliance of National Councils for Homeland Operational Resilience, which has the initials ANCHOR, A-N-C-H-O-R, Alliance of National Councils for Homeland Operational Resilience, and will also serve as an umbrella organization for other federal sector risk management agencies. Its goal is to restart conversations and planning around infrastructure security that took place under the previous CIPAC, according to a former DHS official. The official, who requested anonymity to discuss the administration's plans, said all 15 federal sector coordinating councils have been briefed on ANCHOR. One of the primary differences between CIPAC and ANCHOR will be in structural authorities and liability protections. And now the liability protections is the key issue, right? I mean, that's what industry executives explained that they have desperately needed.
Steve Gibson [00:51:52]:
The article says CIPAC was essentially, quote, an advisory council that could be chartered to create other advisory councils that needed secretary-level approval and contained rigid rules requiring separate charters for every new council that was then stood up. He said this created a waterfall effect of bureaucracy that made CIPAC a poor vehicle for holding broad conversations between not just DHS and industry, but all other federal sector risk management agencies and sector coordinating councils. So it kind of sounds like it may have been the way it was implemented before, a little bit of a bureaucratic nightmare. The official said, quote, what DHS has strived to do is create a new framework for engaging on threat conversations and pre-deliberative policy conversations impacting security outcomes with sectors and the private sector without having to create all these waterfall advisory councils or new charters and all that stuff, unquote. Okay, so so far that all sounds good, right? Any reduction in needless bureaucracy sounds like a good thing. CyberScoop's reporting continues, saying under CIPAC, the original organization, conversations between government and industry were also "closed by default," which is in
Steve Gibson [00:53:26]:
double quotes. So that was a term of art. Closed by default to the public, with mandatory liability protections for every conversation and setting. Often the most the government could do was issue a press release or cite comments under Chatham House Rule. Under ANCHOR, there is expected to be wider latitude for DHS or other councils to open certain meetings to the public or provide transcripts of conversations they hold with stakeholders. And of course that could put a chill on the conversations, right? Because previously the government was essentially gagged. CyberScoop says, however, the official emphasized that liability protections remain one of the last unresolved issues.
Steve Gibson [00:54:19]:
The administration is still determining when those protections would or would not apply to ANCHOR-related discussions between government and industry, and further changes could be made to assuage the industry. Other federal laws, such as the Cybersecurity Information Sharing Act of 2015, only provide liability coverage for one-to-one conversations between a company and the government. The previous entity, CIPAC, by contrast, provided a liability shield for one-to-many engagements where a company may engage with federal, state and local agencies as well as other companies and entities. The official said, quote, that created a well-understood and important liability shield which allowed senior officials all the way up to the CEO of private sector companies to openly communicate with each other. Following the initial publication of this reporting, a DHS spokesperson in a statement did not dispute the description of ANCHOR provided by CyberScoop, but called discussions of an imminent regulation release premature. The spokesperson said, quote, we look forward to sharing more details once we have something to announce, unquote. This week, Adrienne Lotto of the American Public Power Association told Congress that liability protections in CIPAC were critical to fostering open dialogue between industry and government around cybersecurity and infrastructure protection.
Steve Gibson [00:56:04]:
She also signaled that a new advisory council was forthcoming, saying industry was apprised by DHS that the administration's proposed CIPAC replacement is ready for publication in the Federal Register, while encouraging the administration to finalize the plans quickly. Even with some uncertainty around ANCHOR's structure and liability protections, many industry executives are likely to embrace the return of information-sharing partnerships that they believe were vital to understanding the digital and physical threat landscape facing their industry sectors. Last year, industry groups lamented the disbanding of CIPAC to members of Congress, prompting Representative Andrew Garbarino, now chair of the Homeland Security Committee, to pledge he would "look into this and hopefully speak to the administration to try to fix this," unquote. The former DHS official said they expected ANCHOR to be largely welcomed by many industries who have called for the restoration of CIPAC, even as they look to grapple with the Trump administration's new approach. The official said, quote, everybody who wants to talk in groups is going to be excited to have it back. At the same time, those who are concerned about the amount of risk it opens up will need to see the details. So I clearly recall us reporting on the industry's concern over the disbanding of that original CIPAC, since there are clearly things that the government alone can do which private industry, you know, may need their help with, you know, if
Steve Gibson [00:57:54]:
nothing else, you know, setting laws and regulations that, you know, allow the industry to do what it needs to do. But if a fear of the consequences of divulging serious incidents and problems keeps industries silent, which CIPAC didn't because of its blanket liability protection, then that would not be good for ANCHOR. You know, I like the sound of an improved structure that sidesteps, you know, the need to design and spawn endless subcommittees and create charters for them. And it sounds as though, you know, the need for liability protections, at least, is clearly understood now. So let's hope that, you know, ANCHOR happens and that it provides the protections that the executives need in order to openly speak with the government, you know, at all levels and among themselves. Okay, so, okay, Leo, the word is German. It's B-U-N-D-E-S.
Steve Gibson [00:59:00]:
Yes. N-A-C-H-R-I-C-H. Right. T-E-N-D-I-E-N-S-T. Dienst. Perfect. And there you have it. So I have some reporting that was obtained from translations from German, and at this point, since it describes Germany's new legislation as pending as opposed to enacted, I didn't want to spend any more time digging into the source material, which would all have needed translation. And also my assumption is that if or when this does occur, it will have plenty of multi-sourced coverage translated for us in English.
Steve Gibson [00:59:50]:
So today I'm just going to share the reporting that I have, and everyone will quickly see why it was worth sharing, you know, as is for now. So the reporting read: German lawmakers are working on a new law that will grant the country's intelligence agency new and extensive hacking and surveillance powers. The primary intent of the new law is to free up the Bundesnachrichtendienst, yes, the BND, from relying on the U.S. National Security Agency.
Steve Gibson [01:00:35]:
Our NSA.
Leo Laporte [01:00:36]:
Yeah. Which I think everybody's looking at ways to get around that. Yes.
Steve Gibson [01:00:40]:
Yeah. Well, because you can't count on it now. Right. For threat information, and bring Germany's interception capabilities on par with other European countries such as France, Italy, the Netherlands and the UK. According to a draft of the new law obtained by German media, the BND, everyone knows who they are, will have. I guess it's the equivalent of the NSA.
Leo Laporte [01:01:08]:
Right.
Steve Gibson [01:01:08]:
Germany's NSA is the BND. So that's right. Done. Will have the power to intercept full Internet communications and not just metadata, as it is allowed today. The agency will also be allowed to store the data for up to six months, which will allow it to better index and search it for threat intelligence. The BND will also have its offensive hacking mandate extended. The law will allow the agency to hack foreign Internet service providers and retrieve information about its targets if the companies do not cooperate or provide the requested data. What? According to reports, this provision will apply to major U.S. companies, meaning the hackees.
Steve Gibson [01:02:02]:
This provision, the ability to be hacked by the BND, will apply to major U.S. companies and infrastructure providers like Google, Twitter and Meta, which have been known to be prickly, imagine that, about surrendering such information. In the past, the agency could previously intercept the communications of individuals abroad. But now the BND will also be allowed to put any foreigner in Germany under surveillance. The same goes for journalists working for foreign state-run media organizations, which German lawmakers say are acting more like agents of a foreign state than independent reporters. Wow. Finally, BND agents will also be allowed to enter apartments and deploy their Federal Trojan on a target's device.
Leo Laporte [01:03:01]:
Great.
Steve Gibson [01:03:02]:
What could possibly go wrong? The Federal Trojan has. You've been federally Trojanized. According to reports, the new law's draft is 139 pages long, because all the words are as long as the BND's is. So you need more pages. Right. And all that almost doubles the BND's previous capabilities. So I think the short version of what this means is thank goodness for state-of-the-art encryption.
Leo Laporte [01:03:34]:
Yes.
Steve Gibson [01:03:35]:
Which we have every reason to believe is utterly unbreakable by anyone.
Leo Laporte [01:03:42]:
The math is your friend.
Steve Gibson [01:03:43]:
Oh, and while Germany's legislation might at first seem, you know, like egregious overreach, we know that the U.S. National Security Agency, our beloved NSA, has already built a massive data center of over 1 million square feet about 20 miles south of Salt Lake City, Utah. And while the details are kept close, it's well known to be a massive data storage facility. We've often noted that there may be value in storing massive quantities of encrypted data, and probably selectively, that cannot be deciphered today, but may be decipherable using tomorrow's technology. So it's easy to imagine that the internal encrypted communications of the U.S.'s global adversaries may be tapped and tagged and sent to Utah for long-term archiving. And then once the NSA's quantum computing technologies come online in the future, the public key crypto handshakes that established the ephemeral secret symmetric keys might be broken, and those communications, even though by then no longer current, still might be important to obtain. So I sometimes feel that the EFF's, you know, the Electronic Frontier Foundation's, absolutism about privacy rights and encryption goes a little overboard, you know, like, boy, did their knees jerk quickly, you know. But when we see examples like this of how aggressively foreign governments and our own are pursuing information that for the most part they probably have no need for, they're just sucking it up because they can, I appreciate that the EFF is working to always provide some counter-pressure against these tendencies, because, you know, there does just seem to be an increase in this going on.
Steve Gibson [01:05:59]:
Leo?
Leo Laporte [01:06:00]:
Yeah, this is perfect. Forward secrecy protects us against this ultimately, though, right?
Steve Gibson [01:06:07]:
That's, no, no, no, because all that's happening there is, perfect forward secrecy means that the key is changing. But the key is changing because you're continually renegotiating during the communication. But all of those renegotiations are similarly interceptible.
Leo Laporte [01:06:37]:
So, so they have that too.
Steve Gibson [01:06:39]:
Yeah, so if it were a very static key, then that would be worse, because you just break it all at once and you get the entire conversation. Here you do need to be doing successive re-keying.
Leo Laporte [01:06:56]:
Right.
Steve Gibson [01:06:56]:
And, you know, but the NSA presumably is able to do that, the new
Leo Laporte [01:07:01]:
Key is arranged using the old key. So once you get the old key, you can find the new key and then you continue to do that as a chain. All right. Yeah, that's why they're saving everything. They can have my old messages.
Steve Gibson [01:07:16]:
And yes, you know, and again, we know law enforcement moans more than they ever have, but they have also never had a greater wealth of data. All of us went online rather than, you know, walking around doing things, and all of this data is being tapped. So it's not like there's any great dearth of information available.
Leo Laporte [01:07:49]:
No.
Steve Gibson [01:07:50]:
Okay. So we appreciate that it could happen to anyone. You shared your story with us last week, Leo. I shared that I almost, you know, I got it.
Leo Laporte [01:08:03]:
Yes.
Steve Gibson [01:08:03]:
I got a little text that got me initially, like, oh, that looks. Whoops. Anyway, it now appears that someone inside GrubHub clicked a link they should not have, which permitted the infamous ShinyHunters gang to obtain authentication credentials. Bleeping Computer, which reported on this exclusively last Thursday, headlined their reporting "GrubHub Confirms Hackers Stole Data in Recent Security Breach." Bleeping Computer wrote: Food delivery platform GrubHub has confirmed a recent data breach after hackers accessed its systems, which sources tell Bleeping Computer, I'm sorry, with sources telling Bleeping Computer the company is now facing extortion demands. GrubHub told Bleeping Computer, quote, we're aware of unauthorized individuals who recently downloaded data from certain GrubHub systems. We quickly investigated, stopped the activity and are taking steps to further increase our security posture.
Steve Gibson [01:09:14]:
Sensitive information such as financial information or order history was not affected, unquote. Now, they wrote, GrubHub would not respond to any further questions regarding the breach, including when it occurred, whether customer data was involved, or if they were being extorted. However, the company confirmed that it is working with a third-party cybersecurity firm and has notified law enforcement. Last month, in other words, clearly something happened last month, Bleeping Computer wrote, GrubHub was also linked to a wave of scam emails sent from its b.grubhub.com subdomain that promoted a cryptocurrency scam promising a tenfold return on Bitcoin payments. GrubHub said at the time that it contained the issue and took steps to prevent further unauthorized messages, but would not answer further questions related to the incident. It's unclear whether the two incidents are connected. While GrubHub would not share further details, multiple sources have told Bleeping Computer that the ShinyHunters cybercrime group is extorting the company.
Steve Gibson [01:10:28]:
Bleeping Computer attempted to verify these claims with the threat actors, meaning the ShinyHunters guys, but they too refused to comment. Now, I'll just interject here that the threat actors' silence at this juncture would be expected, since part of their promise in return for receiving an extortion payment would be their silence, since they presumably still hope that the returns from their data breach will result in a payday. Much as they have shown a willingness to brag in the past, they're certainly not going to talk to the press until it's clear that doing so would not compromise their negotiations and their extortion payout, if any. Bleeping Computer continues: According to sources, the threat actors are demanding a Bitcoin payment to prevent the release of older Salesforce data from a February 2025 breach and the newer Zendesk data that was stolen in the recent breach. And of course that all tracks the reporting that we've been doing here, where we noted that a month or two ago the ShinyHunters gang had switched to attacking Zendesk users after they had apparently fully played out their multiple earlier Salesforce breaches. Bleeping Computer concludes, writing: GrubHub uses Zendesk to power its online support chat system, which provides support for orders, account issues and billing. While it's unclear when the breach occurred, Bleeping Computer was told that it was through secrets and credentials stolen in the recent Salesloft Drift data theft attacks, so the attacks that keep on giving. In August, they wrote, threat actors used stolen OAuth tokens for Salesloft's Salesforce integration to conduct a data theft campaign between Aug. 8 and Aug.
Steve Gibson [01:12:40]:
18 of 2025, according to a report by Google's threat intelligence team, Mandiant. The stolen data was then used to harvest credentials and secrets to conduct follow-up attacks on other platforms. Google reported, by their TIG, their Threat Intelligence Group, that UNC6395, that's their formal nomenclature for ShinyHunters, targeted sensitive credentials such as Amazon Web Services access keys, passwords and Snowflake-related access tokens. ShinyHunters claimed at the time to be behind the breach, stating they stole approximately 1.5 billion data records from the Account, Contact, Case, Opportunity and User Salesforce object tables for 760 companies. So that was a major, somewhat downplayed event and attack. And Leo, we're at an hour. Let's take a break, and then we're going to talk about the availability of Let's Encrypt six-day certs, now available, fortunately only if you want them.
Leo Laporte [01:14:02]:
Six days. Wow. I might vibe code an ACME cert downloader so that I don't have to think about this anymore. What could possibly go wrong? Our show this week brought to you by ThreatLocker. We are getting ready for a trip to Orlando. It is ThreatLocker's Zero Trust World. Let me tell you about Zero Trust and ThreatLocker first, and I'll tell you about Zero Trust World and how you can save if you're planning to visit us in Orlando. ThreatLocker is Zero Trust, which takes, basically, it's.
Leo Laporte [01:14:38]:
You could say it in three words: a proactive deny-by-default approach. That's the key. Deny by default. Every unauthorized action is blocked unless you explicitly say yes, this person can do this with this tool. This tool can do this.
Steve Gibson [01:14:56]:
It can't.
Leo Laporte [01:14:58]:
Now that protects you. It's kind of amazing. From so much, from both known and unknown threats. You don't need to know what the threat is. You just say, hey, I don't know what this threat is. It can't do that. Modern attacks hide inside endpoints. You know, attacker-controlled virtual machines, sandboxed environments or VM-based malware.
Leo Laporte [01:15:20]:
And why do they do that? Because it basically evades traditional antivirus software. It's inside the sandbox, right? Well, that doesn't work. ThreatLocker Zero Trust prevents VM-based attacks before they can launch. Yes, it even works with VM-based attacks. Critical vulnerabilities in the everyday tools that your employees use.
Leo Laporte [01:15:43]:
Even seemingly harmless apps can be a gateway for attackers. ThreatLocker stops those too. ThreatLocker recently detailed how 7-Zip, we talked about this on the show, I think 7-Zip's symbolic link extraction bug enabled arbitrary code execution when administrators or service accounts tried to extract a maliciously crafted zip. That's all they're using, 7-Zip. They said, there's a zip file, let's extract it. Well, you should take note that ThreatLocker's application control denies unapproved binaries.
Leo Laporte [01:16:19]:
And ThreatLocker's ringfencing limits what even allowed apps can access. So even if 7-Zip is allowed, you could say, but it can't work on that. With ThreatLocker, even approved tools can't become attack vectors. This is such a powerful concept and it's so effective. ThreatLocker works across all industries. They've got amazing US-based support. It's there for you 24/7, so you're never on your own.
Leo Laporte [01:16:47]:
Works with Windows, but it also works with Macs. It enables comprehensive visibility and control. In fact, that's one of the real benefits of ThreatLocker's ringfencing. You get compliance built in because you have a record of every action. ThreatLocker is trusted by those companies that cannot afford to be down for one minute. They say we just can't afford to be hit by ransomware. Companies like JetBlue, Heathrow Airport, the Indianapolis Colts, the Port of Vancouver. They all use ThreatLocker.
Leo Laporte [01:17:17]:
ThreatLocker consistently receives high honors and industry recognition: a G2 High Performer and Best Support for Enterprise, summer 2025; PeerSpot ranked ThreatLocker number one in application control; GetApp's Best Functionality and Features award in 2025. I can go on and on. Get unprecedented protection quickly, easily and cost effectively with ThreatLocker. Visit threatlocker.com/twit to get a free 30-day trial. You'll also learn more about how ThreatLocker can mitigate unknown threats and ensure compliance. That's threatlocker.com/twit. For a limited time, we've got a code for you to Zero Trust World in Orlando.
Leo Laporte [01:17:58]:
Use the code ZTWTWIT26: ZTW for Zero Trust World, TWIT for This Week in Tech, 26 for the year. ZTWTWIT26, all one word, to save 200 bucks off registration for Zero Trust World 2026. And this is the full package. You get access to all sessions, you get hands-on hacking labs, you get meals. There's that fabulous after party, the most interactive hands-on cybersecurity learning event of the year. It's coming up March 4th through 6th in Orlando, Florida. And don't forget, if you register, save 200 bucks: ZTWTWIT26. We're really looking forward to this.
Leo Laporte [01:18:39]:
This is going to be a very fun event and I can't wait to see you out there. We've already heard from a number of people that are coming out just to see you, Steve. So get ready, it's going to be great.
Steve Gibson [01:18:49]:
I will not be in costume, but I will be there.
Leo Laporte [01:18:52]:
So, you know, when I tell you what the theme is, which is still secret, you might want to be in costume. You might say, oh, I could do that. It's not the Grinch. It's not the Grinch. Don't get sight.
Steve Gibson [01:19:03]:
Okay, okay. Last Thursday, January 15, Let's Encrypt announced under the headline "Six-day and IP address certificates are generally available." They wrote: "Short-lived and IP address certificates are now generally available from Let's Encrypt. These certificates are valid," get this, Leo, "for 160 hours." Oh wow. "Just over six days." That's, yeah. "In order to get a short-lived certificate, subscribers simply need to select the short-lived certificate profile in their ACME client."
Steve Gibson [01:19:45]:
"Short-lived certificates improve security by requiring more frequent validation and reducing reliance on unreliable revocation mechanisms. If a certificate's private key is exposed or compromised, revocation has historically been a way to mitigate damage prior to the certificate's expiration. Unfortunately, revocation is an unreliable system, so many relying parties continue to be vulnerable until the certificate expires, a period as long as 90 days." Well, yeah, 90 for them. "With short-lived certificates, that vulnerability window is greatly reduced. Short-lived certificates are opt-in and we have no plan to make them the default at this time. Subscribers that have fully automated their renewal process should be able to switch to short-lived certificates easily if they wish,
Steve Gibson [01:20:43]:
but we understand that not everyone is in that position and generally comfortable with this significantly shorter lifetime. We hope that over time everyone moves to automated solutions and we can demonstrate that short-lived certificates work well. Our default certificate lifetimes will be going from 90 days down to 45 days over the next few years, as previously announced. IP address certificates allow server operators to authenticate TLS connections to IP addresses rather than domain names. Let's Encrypt supports both IPv4 and IPv6. IP address certificates must be short-lived certificates, a decision we made because IP addresses are more transient than domain names, so validating more frequently is important. You can learn more about our IP address certificates and the use cases for them from our post announcing our first IP certificate. We'd like to thank the Open Technology Fund and Sovereign Tech Agency, along with our sponsors and donors, for supporting the development of this work." And as I said before, the shortening of the maximum lifetime of web server DV, domain validation, certificates will eventually drive GRC, my company, to use Let's Encrypt's free certificates.
Steve Gibson [01:22:18]:
Once I switch to their solution, I will definitely establish a periodic voluntary payment to them, much as I have with Wikipedia, as I mentioned at the top of the show, since I feel that it's important to support the infrastructure that makes that possible. Even if the entire necessity of any of this is something I could not disagree with more, so be it. It's never been clear to me who has such a problem holding on to their web server's private keys. All indications are that the entire thing is a made-up problem. Remember that even if a bad guy could somehow arrange to obtain a valuable domain's certificate, it's not as if just having that in any way allows them to impersonate the target site. They must still somehow arrange to cause their victim's Internet traffic to believe that it's going to the real domain's IP address while it is instead being rerouted to a spoofed server where the stolen certificate resides.
Steve Gibson [01:23:36]:
So you need either a DNS compromise also, or some physical interception and rerouting of the actual packet traffic must be achieved. None of which is easy to do either. So if this was ever happening, if it ever happened, it would be big news. We would know about it. Instead, crickets. And I get it that the Let's Encrypt guys need to say that revocation is broken. I understand that, but that is no longer true. I have a picture of going to revoked.grc.com on the screen.
Steve Gibson [01:24:23]:
Anyone's invited to go to revoked.grc.com. It says "Error code: SEC_ERROR_REVOKED_CERTIFICATE." No browsers are fooled any longer, and any of our long-term listeners know that I was on to all of this, pointing this out and drawing attention to this as loudly as I could before anybody else was doing so. I looked a little foolish at the time, like I was tilting at windmills, saying that this was a problem. You know, what's the big deal? I created that revoked.grc.com site to clearly demonstrate that none of this was working at the time. It is now everywhere, and it's even been, you know, solved quickly on the client side with no privacy compromise thanks to Bloom filters, which we talked about in detail for this specific application. And just so that I'm clear, I think it is truly great that Let's Encrypt is now offering six-day TLS DV and IP-validated certificates for those who feel they need them. I don't know why anyone would, but okay, great.
Steve Gibson [01:25:47]:
It's the being forced to use shorter-life certificates, whether for the web or for code signing, that feels so wrong and regressive to me. I don't need a nanny. Few of us do. And as I've said, if anyone did, like if this was actually a problem, it would be making news. The only news it's making is that it's, you know, discomforting everybody who's having to use these increasingly short-lived certificates for no apparent reason. Okay. Several news outlets have reported on something that caught my attention, mostly because it's so sad and, in my opinion, wrong-minded. The news is that the country of Iran plans to extend its current disconnection from the Internet, which began in the evening of January 8th, their time, permanently, which is hard to even believe, but yes. Technical reports have indicated that efforts are being made to restrict the use of messaging apps to internal use only.
Steve Gibson [01:27:09]:
All satellite dish antennas of every ilk are being gathered up, and technology is being finalized to identify network traffic that transits across Starlink and other space-based providers. Iran's ruling theocracy, you know, it is what it is. It's been clear that the influence of the West, largely, though not exclusively, brought to Iran by the Internet, has been a challenge to the nature of its historical theocratic rule. But Iran's population today is not old. Its median age is somewhere between 33 and 34, meaning that half of Iran's population is younger than 33 or 34, somewhere in that range. And currently about a quarter of the population are children under the age of 15. So cutting that population off from all external Internet access certainly seems, you know, destined to fail in the long run. Okay, I just wanted to report on that.
Steve Gibson [01:28:22]:
I imagine we'll be looking at that in the future, if in fact that continues. As I mentioned at the top of the show, I've received from one of our listeners and a SpinRite user a pair of charts that I had never seen before. And I got a big kick out of them. I wanted to share them. The listener's name is Donn with two N's, Donn Edwards. He wrote: "Dear Steve, you've often mentioned how SpinRite improves SSD performance and we've seen the results of its benchmark tests.
Steve Gibson [01:28:58]:
But here's a different view. My friend panicked when his computer would not boot. It has a Crucial 480 gigabyte SSD boot disk and a Seagate 1 terabyte hard drive data disk. Not knowing whether the problem was hardware related or not, I rescued the drives," he meant, you know, removed the drives, "and connected the SSD to my own desktop PC to see if the data was intact. All appeared fine. So I ran HD Tune to look at the SMART data and run its benchmark." And he included the chart for the before-SpinRite alongside the chart for the after.
Steve Gibson [01:29:49]:
He said, "The drop in performance shown in the HD Tune Pro chart on the left, particularly at the start of the drive," actually it's about the first two thirds, he said, "was troubling. So I ran SpinRite 6.1 on level three and it took around three hours. I could see it having trouble writing to the drive. But in the end no data was lost afterward." And he says, "See the post-SpinRite chart on the right. It's clearly fixed. I backed up all the data files from his hard drive and put both drives back in the PC.
Steve Gibson [01:30:27]:
When we plugged in all the cables and screens, his PC worked. So whether it was the SSD or a bad cable connection or something else, I don't know. But what I do know for sure is that his SSD is working much better than before. The graphs show it and he is very relieved. Keep up the good work. Donn Edwards, Johannesburg, South Africa." And Leo, you can see there on the left, many people are familiar with HD Tune. This is showing the drive's speed across its mass storage surface, essentially. So from 0 gigabytes to 480 gigabytes, and the top of the chart is 4450 megabytes per second.
Steve Gibson [01:31:18]:
You would expect a solid state drive, being solid state, right, would just be a straight line. People who have run HD Tune on spinning drives see a characteristic downward stepping in performance, typically going to about half speed by the time they get to the inner cylinders of the drive, because those cylinders, having a shorter circumference, have a much lower data transfer rate because they have many fewer sectors. Here instead, on this well-used SSD, we see deep downward spikes coming almost down to 50 megabytes per second from the normal of around, well, looks like about 425, and it's really bad past the halfway point, and then it goes up high.
Steve Gibson [01:32:19]:
And in fact what's interesting then is if you look at the chart on the right, you'll see, first of all, it's all gone. It's been completely fixed from running a SpinRite level three on the drive. You do see a little bit of reduction in an area that used to look full speed. The reason is, and this surprised us when we began working with SpinRite, those areas on the chart on the left were not actually being read. That's not actually 425 gigabytes per second. Those areas had been trimmed, so the drive knew they had never been written to. And so it was just giving back zeros. It was sending zeros back. After running SpinRite across the drive,
Steve Gibson [01:33:18]:
those areas were written to by SpinRite. As soon as the operating system re-trims the drive, which happens, you're able to do it on demand by command if you wish, just running the little optimize command in Windows does a re-trim on the drive, then it'll run right back up to flatline at maximum speed. But what really matters here is that a drive that was running like what, an eighth as fast as it should, and it wasn't booting because there were some errors which didn't show up in Donn's just quick mounting of the drive where it looked like he saw all the files. SpinRite fixed those problems and also restored the drive to its original performance. Anyway, just a very cool set of charts, right? Using a third-party utility that many of our listeners are used to. Okay. Jeff Xtrand wrote, you can find...
Steve Gibson [01:34:20]:
Oh, this is so cool. "You can find the advertising ID on Roku via some secret menus on the remote. You can do some convoluted button pushes to access these menus. One of them contains the advertising ID. I do not remember which one." Then he provided a cheat sheet. So, and it happens that, I mean, I played with it, it's secret screen number two where the advertising ID is found.
Steve Gibson [01:34:53]:
This all relates to us talking about the California legislation where you're able to give CalPrivacy this information and then they provide it to the data brokers, using that information to help find you in order to force them to scrub your data and to no longer offer it for sale. So if you have a Roku, you press the home button five times, then up, right, down, left, up. So you sort of go around the arrow pad clockwise: home button five times, then up, right, down, left, up. And sure enough, that suddenly switches the screen. And there was my advertising ID, which was a GUID-formatted identifier, you know, four sets of hyphens with hexadecimal code of various sizes.
Steve Gibson [01:35:49]:
So there's a developer settings screen, a wireless secrets screen, a secret screen, secret screen number two, that's where the advertising ID was, an HDMI secret screen, a platform secret screen, a channel info menu and a reboot shortcut, although I'm not sure how much of a shortcut that is. You have to hit the home button five times, then up, then the rewind button twice and the fast forward button twice. It's pretty much easier just to use the normal menus. Anyway, I got a link to the YouTube video that this guy found for us. Yeah, and you know, there's a bunch of other information, as is generally the case.
Steve Gibson [01:36:38]:
And I'm sure you've seen this too, Leo. These sorts of hidden Easter eggs initially look like, oh, you found some massive treasure trove. But it's kind of internal counters and stuff that don't really have much value.
Leo Laporte [01:36:53]:
This is cool.
Steve Gibson [01:36:55]:
Like, what's your MAC address? It's like, okay, well, I mean, yeah, the MAC address is there for Bluetooth and Wi-Fi and so forth, so if you want that, you can find it. Anyway, thank you very much, Jeff, I appreciate that. And it's an 11-minute YouTube. It was posted two months ago on November 19th. It has had 1.2 million views. So this seems to be of interest to some people. Anyway, I got a kick out of it.
Steve Gibson [01:37:26]:
Thank you, Jeff. Michael Wright said: "Hello Steve, I'm a first-time emailer to you who's been listening to your show for a couple of years now and find it a great resource to keep up with developments in the world of cybersecurity. Thanks so much for the podcasts. I'm a week behind with the podcast and today finished last week's podcast. You made a good point about how there should be no legitimate reason for anyone to have their MongoDB server accessible over the Internet. That got me wondering if people are deploying MongoDB servers without even realizing they are publicly accessible. I'm referring to cloud deployments where, for many flavors of deployment, a public IP address is automatically created. With traditional on-prem, making a server accessible over the Internet required work to be done." Right? You've got to poke a hole through, typically through a NAT or a firewall or something. I mean, you had to work in order to create a public presence.
Steve Gibson [01:38:35]:
I think he's right there. He said, "For example..." Oh yeah, he's making my point. "Creating a NAT rule on a firewall to translate a public IP address to a private IP address. However, with public cloud this is often done automatically. If people are deploying systems to the cloud without having an understanding of cloud deployment and how this differs from on-premises, I could certainly see how it could be possible to deploy a system without realizing you just made it accessible to anyone anywhere on the Internet. It would be interesting to know how many of the 86,000 exposed servers are using IP addresses reserved for public cloud. Keep up the great work. P.S.
Steve Gibson [01:39:27]:
On the topic of British time travel series," he said, "I found Bodies to be a pretty good effort. Certainly a different take on the subject. Not sure if you've seen that one. Regards, Michael." So I suspect Michael is right and that many of those MongoDB server instances are spun up in the cloud. And although this may be an explanation, it certainly isn't an excuse. What's happening is very wrong. So the question is, you know, how did this happen? It's likely a case of the user assuming that those in charge are doing the right thing, whereas those in charge wrongly assume that their users are aware of the implications of spinning up random server instances in the cloud, and they assume that those users will prevent public exposure if they don't want it. In other words, one hand doesn't know what the other one is doing, and they each assume that the other one is taking responsibility for the expected and needed network security. The problem is that those who designed these system services, you know, heavily promote their super ease of use, you know, one-click server activation.
Steve Gibson [01:40:59]:
So they're offering their inherently insecure solutions to a level of user who has very little comprehension, if any, of the full implications of clicking on that "Yes, please create a MongoDB server instance for me" button. I wanted to focus on this specific instance because I suspect that this lack of communication, with its assumption that the other party is taking care of securing things, has long been a major source of network insecurity for the entire industry. Several months ago I noted that the early Cisco routers, which had no built-in notion of public-facing WAN interfaces versus private-facing LAN interfaces, treated all of their network interfaces identically. There was no concept of LAN and WAN. Those early routers also had their various network services enabled out of the box. Back then, for example, you had to manually add a "no http" command to the router startup configuration script if you did not want the router's built-in HTTP server to be running by default. I very clearly recall needing to deliberately turn off a handful of services that I knew I had no need for and I certainly didn't want to have running every time that the router booted. And I had to do that every time I set up a Cisco router. The engineers who designed these early routers must have assumed that their devices would only and always be used by other expert network engineers.
Steve Gibson [01:43:01]:
And since Cisco was always selling the security of their products as one of its benefits, non-expert purchasers reasonably assumed that Cisco would have their back and that the router's operation would be secure out of the box, when it was anything but. Instead, as we know, it was bristling with enabled and insecure gee-whiz features that were entirely peripheral to the router's core operations. So the lesson here is that each side's assumptions about the other were wildly incorrect and serious vulnerabilities resulted. This is why, a couple months ago, when I read that piece from the guy at Cisco, who, like, you know, made it clear that if this actually came to pass, they really did finally understand what was going on. So, you know, thank goodness. Still, we just need more communication. And as we've said, these devices absolutely have to be secure out of the box, and you have to take serious, deliberate action to damage their security, to do things which are insecure. And maybe you have to be asked, are you sure? And maybe you need to be asked, are you really sure? Okay, so I got an email from someone named Bob whose note was "Cyber attack:
Steve Gibson [01:44:34]:
Was my experience unique?" He wrote, "Hello GRC team. I've been a big fan and SpinRite customer since learning about your SpinRite product on The Tech Guy." Remember that, Leo?
Leo Laporte [01:44:47]:
I've heard of that show, yeah.
Steve Gibson [01:44:50]:
He said, "Recently I experienced a type of cyber attack I had not heard of. I can go into more detail, but basically a program, ScreenConnect, was remotely installed on my PC and launched with no interaction by the client, me," he said. "I became aware of the attack when I was at my mom's house and my phone started notifying me of money transfers that I did not initiate. I freaked out, as you might imagine. I rushed home and when I got there I found that my machine had been hijacked. My screens were blacked out with ScreenConnect in large white letters. I was unable to do anything other than shutting down the machine.
Leo Laporte [01:45:42]:
Yikes.
Steve Gibson [01:45:43]:
Needless to say, I've been dealing with the aftermath, and fortunately I'm not out too much money. But I found out who my friends and foes are in terms of how they did or did not help me cancel the transactions. In short, PayPal's response was abominable. I assume the criminal used a sniffer to find my IP address, and since my machine was idle, they were able to install and launch ScreenConnect without detection." He said, in parens, "No client interaction to install and launch the software is considered a feature of the product." He said, "In my opinion, the software is like a gun. Misuse can lead to devastating results.
Steve Gibson [01:46:31]:
They offer a free 15-day trial, but I didn't check to see if it is full featured. What do you think about this? Short of keeping my machine powered off, what could I have done to block this type of attack? Any insight would be appreciated. Regards, Bob." Okay, so this is the nightmare scenario for any individual. I've omitted Bob's last name to protect his identity. No one wants to be required to authenticate with every service we use every time we use them, right? So being persistently logged into many services is the choice most of us make. But with that convenience, that persistent logged-on convenience, comes the consequence that anyone and anything that's able to use our persistently logged-in computer can act on our behalf. The abuse of persistent logon is what bit Bob. Bob doesn't know,
Steve Gibson [01:47:47]:
so we don't know exactly how someone managed to crawl into his PC. Through the years of this podcast, we've seen many different ways this could have happened, but by far the most likely is that Bob, or someone using Bob's computer, clicked on a malicious link. Last week, as we mentioned, Leo, you shared your own incident, which forced you to cancel and have two credit cards reissued. And I mentioned that I'd received a text message that I briefly considered to be valid because by pure chance it fit into the context of my life and it made sense to me. So it's certainly not the least bit far-fetched to imagine that Bob, or someone who uses Bob's PC, might have made the mistake of clicking on a malicious link in email or maybe on a web page. Who knows? That's all that's needed. That could have established an outgoing connection to an attacker who was then able to install the client-free ScreenConnect remote control software. The attacker could then have waited until that PC had been left running and unattended, and it could determine that through no use of its keyboard or mouse for some period of time.
Steve Gibson [01:49:14]:
Then they took the opportunity to begin sending the owner's money to remote accounts. For example, PayPal allows zero-authentication transfers of cash from the bank accounts and credit cards associated with the person's PayPal account if they remain logged into PayPal statically. It just brings up a dialog on screen. You click, you know, complete the transfer, and the money is gone. So when Leo and I speak to the attendees of ThreatLocker's Zero Trust World conference in Florida this coming Wednesday, March 4th, our discussion will be titled "The Call is Coming from Inside the House." We're going to be talking about the growing need for enterprises to actively protect themselves from anything their own employees might do. Whether it's deliberate or inadvertent doesn't matter, since the result for the enterprise is the same either way. Doing this effectively means imposing significant limitations upon everyone who has access to the enterprise's
Steve Gibson [01:50:24]:
internal network. I'll be arguing that while it will not be at all easy, there is no longer any other way to further increase security from where we are today. Given everything we've seen in the past year, it's clear that the spoofing of enterprise employees is the next big growth threat vector. But for the individual PC user at home, no one wants to impose severe restrictions upon themselves when they're working within their own safe enclave in their residence. I certainly wouldn't. In this case, this happened to Bob because his PC was able to act without his physical presence to send his money out. The practical solution to this would be the inclusion of a simple biometric authentication for anything that requires Bob's presence. Having a fingerprint reader integrated into our keyboards or mice to confirm the identity of anyone who is requesting a protected action would prevent these sorts of unattended, or, you know, otherwise attended, attacks.
Steve Gibson [01:51:45]:
And for example, a sponsor of this podcast, Bitwarden's password manager, fully supports unlocking with biometric authentication on Windows, macOS and Linux, and also using all Chromium-based browsers, Firefox and Safari. So setting this up would certainly be possible. Of course it means incurring this overhead all the time, because there's no way to know if and when someone might get hold of your computer behind your back. And even so, this still leaves user spoofing as a problem, since something happened to compromise Bob's PC to start with. The most reasonable explanation of how ScreenConnect remote control software found its way onto Bob's machine is that something he did deliberately, maybe downloaded and installed some piece of software that incorporated this malicious functionality as a back door, without ever realizing it. So even biometric authentication would not have prevented that initial event because it was done by him. But requiring authentication for every single high-risk transaction might. We're not there yet, but I wouldn't be surprised if in the future, you know, that's the shape of things.
Steve Gibson [01:53:18]:
There are available keyboards and mice, both, that have fingerprint readers built in, and Windows Hello can be engaged to require them for specific actions. So it kind of feels like where we're going to go. It's unfortunate, but if someone wants to really protect their machine against their own misuse, or the misuse of somebody else who shares their machine, something like that's going to be necessary. And Leo, we're an hour and a half in. Let's take a break, and then we're going to continue with feedback.
Leo Laporte [01:53:55]:
Indeed. Indeed. Yeah, I think Bob doesn't really know how he got hacked. It's very...
Steve Gibson [01:54:01]:
Well, yeah. And behind a NAT. I'm sure he's behind a NAT router. Everybody is. And so you just can't, you know, just getting his IP doesn't allow somebody in.
Leo Laporte [01:54:11]:
Yeah, I just wanted to say that so that people don't go, wait a minute, my computer's always on. Right. We used to have people say, no, you have to turn your computer off when you're not at it, as a security precaution. No, I don't.
Steve Gibson [01:54:26]:
I mean, I guess I turn none of mine off. When I talked about the solution I've come up with after Lori and I move in a couple months, I've got the dumbest laptop with the biggest screen I could find because I'm going to connect to my computer. It's a terminal, you know, it's a terminal. And my machine is never turned off. It's like, you know, it's just 24/7. Yeah.
Leo Laporte [01:54:53]:
I know people who not only turn off their machines, but disconnect the Ethernet cable just in case.
Steve Gibson [01:54:58]:
It's like GRC servers. I've got, I've got servers. They're publicly exposed. They're servers, they have to be publicly exposed. You just, you don't turn them off.
Leo Laporte [01:55:06]:
Right. But you know, I used to get calls all the time on the tech guy show. I'm not surprised Bob listens to the tech guy show because that was, I'd always get. People say they hacked me just by, you know, I didn't do anything. The problem is when you click on that link, you don't know that that malicious link did anything. Life goes on.
Steve Gibson [01:55:24]:
It's.
Leo Laporte [01:55:25]:
And then it's later they exploit you.
Steve Gibson [01:55:27]:
And if you download some software that is going to be like to sort your spreadsheets or something, right. You know, it's like, oh look, it sorted my spreadsheets. Yes. And it also ran Screen Connect persistently in the background waiting for you to go visit your mom.
Leo Laporte [01:55:44]:
Yeah, yeah. Let me talk about our sponsor and we will get back to work with Mr. Steve Gibson. You're watching Security now, our show today, brought to you by a brand new sponsor, Meter. I think maybe I talked about them last week. This is the company building better networks. Remember Meter? If you're a network engineer, you know the headaches. Meter was founded by two network engineers who knew the headaches.
Leo Laporte [01:56:09]:
Legacy providers with inflexible pricing. IT resource constraints stretched too thin. That's never changed, has it? Complex deployments across fragmented tools. You are mission you, yes, you, you're mission critical to the business, but you're being forced to work with infrastructure that wasn't built for today's demands. That's why so many businesses are switching to Meter, much to the relief of their network engineers. Meter delivers full stack networking infrastructure. These guys said, you know what, the only way we can do this right is if we cover it all from, from the ground up. And when I say all, I mean wired, I mean wireless, I even mean cellular.
Leo Laporte [01:56:54]:
And it's all built for performance and scalability. I had not heard of these guys. When I talked to him, I was so blown away. Meter designs the hardware. That's how much they care. They know if you're going to control the stack, you actually have to design the hardware. You've got to write your own firmware, you've got to build the software, you've got to manage the deployments. You, you got to do the support.
Leo Laporte [01:57:15]:
And they offer everything, including ISP procurement. They, when they do that survey, and you can have them at any level you want, but when they do this survey, if you say no, no, fix it all, they will do it from ground up. ISP procurement, security, routing, switching, wireless, firewall, cellular, even electrical power, even DNS security, they'll do, they'll set up VPNs and SD WANs for you. They can help you with multi site workflows and all in a single solution. In fact, this is one of their biggest sweet spots. One of the, one of the biggest customer bases comes from people who've acquired. You know, the business is humming, it's going fine. They acquire a warehouse and it's completely different, right? The wiring's different, it's old, it doesn't work, whatever, they've got to integrate it into their existing system.
Leo Laporte [01:58:10]:
Oh, Meter can do this. Meter's single integrated networking stack scales. It's, they use it in major hospitals and if, you know, hospitals are really a challenging environment. Just the last time you were in the hospital, did your cell phone work? No, because they have all this stuff, this electrical stuff, the MRI machines, the CAT scans, it's hard. This is a tough environment. Meter works there. They love that kind of challenge. Branch offices, warehouses, large campuses, data centers, even, even Reddit uses Meter.
Leo Laporte [01:58:46]:
That's actually a pretty good testimonial. If it works for Reddit, it's going to work for you. The assistant director of technology for the Webb School of Knoxville is a fan. He said, quote, we had more than 20 games on campus between our two facilities. Each game was being streamed via wired and wireless connections. The event went off without a hitch. We could never have done this before Meter redesigned our network. With Meter, you get a single partner for all your connectivity needs, from that first site survey to ongoing support without the complexity of managing multiple providers or tools.
Leo Laporte [01:59:22]:
There's a real benefit to having an integrated stack like this. Meter Stack is designed to take the burden off your IT team and give you deep control and visibility, reimagining what it means for businesses to get and stay online. And these days that's basically it's table stakes. It's fundamental. You've got to get and stay online, don't you? Meter built for the bandwidth demands of today and tomorrow. We are so thrilled to have Meter as a sponsor. We thank Meter so much for sponsoring go to meter.com securitynow book a demo. That's all I ask.
Leo Laporte [01:59:58]:
M e t e r.com Security now to book a demo. I was so impressed with what these guys do. Like I said, I'd never heard of them. When I found out when I dug deep, I it blew me away. You should do this. Go to meter.com security now. You owe it to yourself to see what Meter can do for you. M e t e r.com Security now.
Leo Laporte [02:00:22]:
Thank you, Meter. Welcome to the Security now family. Okay, hang around for a while. I might come have him come here and fix me up. Go ahead.
Steve Gibson [02:00:34]:
Rob Sherman. His subject was feedback on Claude AI. He said, hi Steve. I just finished listening to last week's SN episode and as someone who's been using it constantly since the update came out, I wanted to give you some feedback. In short, it is absolutely insane how good it is. I'm a product manager and not a programmer. So when my CTO told me that I needed to try it, I wasn't sure why. I am now.
Steve Gibson [02:01:09]:
He said I had an internal project that I had been waiting to get programmer resources for over six months. Once I got Visual Studio set up with Copilot, I gave it my product brief and after answering a few simple questions that Claude had, it began coding. An hour later I had a fully functioning Alpha. It did all the coding, designed and built a UI and implemented a scanner to get all the data out. Since then, when I have a few hours, I'll just go in and tweak it. That dark mode I've been asking for last year is in there. The toggle for it is labeled "I finally got my dark mode."
Leo Laporte [02:01:56]:
That's the beauty of having hyper personalized software. That can be the name of the switch. I love it.
Steve Gibson [02:02:02]:
The build reporting and error checking I was told we wouldn't be able to do. It's done.
Leo Laporte [02:02:08]:
Oh wow.
Steve Gibson [02:02:09]:
I have also completed three other projects that we weren't supposed to get to until Q3. It's amazing. I am so sold on it that I got myself a personal license and this weekend did a write up on the ED application I've been waiting for someone to build. I gave it to Claude and now I have my very own alpha version.
Leo Laporte [02:02:34]:
This is so addictive. I completely know how this guy feels, he said.
Steve Gibson [02:02:38]:
This is not to say that it has been 100% smooth sailing. There's a learning curve to Claude especially, and I have blown through 200% of my monthly requests at work in 14 days, he said. A few tips for anyone looking to get started with this. First, your individual chats, he has in quotes, with Claude have a size limit. Once you hit that limit you have to start a new chat. If you're just asking it a simple question, you'll be fine. But any larger projects you will run out of room. I recommend starting any project by having Claude write up a programming plan and tracking document, then have it keep those files updated.
Steve Gibson [02:03:29]:
That way if you have to start a new chat you can tell it to go read those docs to get up to speed. That's sort of like chaining these chats together, he said. Second, Claude in Visual Studio Copilot won't let you upload PDF or other docs, but you can add MD files. I've taken to having ChatGPT summarize any files and turn them into MD format which I can then put into my project repo. Once in there, Claude is all set. Third, Claude will lie to you. It is always a good idea to have it double check its own work. I had it write a bunch of new code when it was done.
Steve Gibson [02:04:19]:
I told it, hey, would you take a look at this new code and check it for errors? It found four items that needed fixing. Thanks for everything you do, Rob. And he said P.S. started taking magnesium last week. So Leo, on the subject of Claude.
Leo Laporte [02:04:38]:
It is very addictive. There he is just starting to get into it. So there's a few things I would say about his tips. One is yeah, he's talking about token context and when you, yeah, when you get the context starts to fill up, it starts to hallucinate. That's when it starts to hallucinate.
Steve Gibson [02:04:56]:
Okay, interesting.
Leo Laporte [02:04:57]:
There are a lot of tools out there for compacting tokens for handling this. He needs what you probably should do is start going to YouTube and looking at some best practices. Anthropic has a bunch of videos, but there are other people who have put together a bunch of videos on best practices with Claude. And then you want to start looking at Claude skills and plugins because there are a lot of plugins. For instance, the double check its own work. There are some really good plugins that Claude will use to find flaws, to double check itself. There's plugins for security assays. I have Claude do regular security assays, not just on the stuff it writes, but on everything in my system because it's very good at finding flaws.
Leo Laporte [02:05:44]:
As you start to use it, you will see more and more of stuff that you can do and get it really refined. It's revolutionary. I don't think I've ever seen anything. This reminds me of first discovering the Internet. It's amazing.
Steve Gibson [02:06:02]:
And the thing you're experiencing, the things you're explaining sound like the early days. Like, you know, in three years, it's the wild west. This will all be automatic. It'll be built in. I mean, it'll, it's. It feels like, you know, we're in the, in, in the learning curve stage. The fact that these things have to kind of be learned and figured out and added and done afterwards and so forth.
Leo Laporte [02:06:30]:
Well, even. It's funny, even Anthropic, the creators of Claude, they don't know all of the ins and outs. There was a guy I told you about, Ralph Wiggum, the Ralph Wiggum tool. Right. That was created, but just somebody else who said, you know, if you told Claude to keep going, to keep looping over and over again until it got to a, a state that you sub. You submitted, like, no more errors. It will. And, and in fact, Anthropic said, oh, that was a really good idea.
Leo Laporte [02:06:59]:
And they've now added Ralph Wiggum as part of their official plugins. So there's more what we're seeing. There's one called Superpower. Harper Reed, who. That's the other thing. If you can find a guru, somebody who's been using Claude and really knows how to use it, that helps too. Harper Reed is my personal guru on this. He was on Twitter on Sunday and he uses something called Superpower, which adds a bunch of very good plugins.
Leo Laporte [02:07:22]:
I would check. He says, you use Superpower, of course, Leo. I said, what's that? And I went and found it. Most of the stuff's on GitHub. There are a lot of YouTube videos. Yeah, you're just getting started. It's amazing and, and it's easy to blow through your credits. That's why I ended up getting the Claude Max subscription, which by the way has been sufficient. So that's good.
Steve Gibson [02:07:45]:
We want them to stay in business. And if people are getting, you know, I mean, it sounds like it would be easy to get $200 a month worth of value out of it. I feel really using it.
Leo Laporte [02:07:56]:
That was the question. I thought, is this worth it? And then I thought, you know, if I were going to buy software to do these things, I spent a lot more than that.
Steve Gibson [02:08:05]:
And it would never be, it would be customized. It wouldn't be exactly what you wanted.
Leo Laporte [02:08:09]:
Yeah, look what Rob's done. He's just getting started and look at all the things he's done already. Your trust in Claude will improve as you understand it better and understand where the pitfalls are and things like that. It actually can be proven pretty, I think, very, very reliable.
Steve Gibson [02:08:25]:
And again, we have pitfalls because this is the, you know, the wild West. We're just going to crawl. Yes.
Leo Laporte [02:08:32]:
Yeah. And that was my other thought is I don't want to add too many of these third party features and other things because I feel like Anthropic is basically building this in over time. So Claude's getting better and better and better. So you don't need to do as much extending it. I hope as time goes by, it'll probably be able to do everything you want it to do automatically. Yeah. Compact, compact.
Leo Laporte [02:08:54]:
Your context and where do you.
Steve Gibson [02:08:57]:
We were talking before we began recording because I was, I was talking about a conversation that I listened to you having on Mac break weekly about how, you know, from my standpoint, having been programming for about 55 years now, what I recognize is that for me, my, the maturity that I have acquired over these decades is about how to solve the problems, not, not the syntax of the language. I can use any language.
Leo Laporte [02:09:33]:
Exactly.
Steve Gibson [02:09:34]:
It's the structure, the like, it's a refinement of the understanding of how this kind of problem should be solved.
Leo Laporte [02:09:42]:
I agree.
Steve Gibson [02:09:43]:
How does that fit into Claude? I mean, it is using other output in order to produce. So is it getting that or I, I guess, I wonder from, from the, from that kind, from that approach to maturity of coding or is it just kind of like solving the problem? Brute force, like you?
Leo Laporte [02:10:06]:
I want to believe that we are adding something of value. Our many years of experience matter. But I have to say there are people like Rob who've never programmed, who are writing pure English prompts and it's getting the job done and it's working, I think. I mean, I like you. I am not as good as you or as experienced as you, but I think like a programmer, I think so. I tend to approach Claude in a more modular way. I don't. I don't write single prompts and say, just write it and get back to me when you're done.
Leo Laporte [02:10:42]:
It's an iter. It's still an iterative process for me and I feel like I get better results by iterating with Claude. So in that case, your history of really what humans are great is pattern recognition, right? In your history. What's what happens in chess too?
Steve Gibson [02:10:58]:
I think that's intuition.
Leo Laporte [02:11:00]:
It's intuition. We think of it as kind of flash of intuition, but really it's pattern recognition. And you get good at playing chess by, by playing hundreds of thousands of games and seeing hundreds of thousands of positions and internalizing that. And then it's not even a conscious process. You go, oh yeah, well I can know what you. That's. And it's the same thing with coding. I think you rec.
Leo Laporte [02:11:20]:
It's pattern recognition. In fact, they talk about design patterns in coding and so I think it's a higher level. You're not writing login code, but you understand that. Well, I'm going to need some login code here. I'm going to want to encrypt my secrets here so I don't accidentally commit them to GitHub. I'm going to. And so that the, the. Your.
Leo Laporte [02:11:42]:
All of that experience is I think, still valuable. Obviously Rob, who doesn't have that experience, still can get what he wants done. I love that you named it. I finally got my dark mode is hysterical. But that's what, that's, that's the level you're working at now is you're writing your own stuff for yourself. I think it's super empowering.
Steve Gibson [02:12:05]:
Yeah, it does sound also like it's not instant because he like started it going and went off and had dinner and then, you know, came back and it had done it.
Leo Laporte [02:12:15]:
This is one of the big breakthroughs that's just happened in the last few months is this ability for this to run continuously for many hours. That's brand new. And I'm a little uncomfortable with it, to be honest. That's why I like to do, do it more modular because it like, it.
Steve Gibson [02:12:33]:
It could just like completely hallucinate.
Leo Laporte [02:12:36]:
Skynet makes me nervous. But that's why, that's why you use things like Ralph Wiggum, you use some of these plugins to, to control. So lots of people are running multiple Claudes at the same time, threads at the same time. This seems to be more and more the best practice for these big things.
Steve Gibson [02:12:53]:
And then have the HE provide financing to Anthropic.
Leo Laporte [02:12:57]:
It could get expensive. Can get expensive. But, but what happens is you can actually have. I want you. You this thread, you. Claude number one, check on Claude number two, make sure he's not doing anything weird. So you can. They call it a mixture of experts now.
Leo Laporte [02:13:15]:
And you can even do that or have other. You could have ChatGPT look at the Claude code. I mean, it's inception. It's a very interesting world. And you're right, it's. This is why it's fun to get into, because it's wild west now. Even the expert, Andrej Karpathy, the man who created the term vibe coding, tweeted on Christmas Day.
Leo Laporte [02:13:36]:
He says, I can't keep up. It's too fast. It's. I don't, I can't follow it anymore. There's too much going on. It is an explosion right now of, of interesting ideas. And I think it, I think we are very, very close to some big AI.
Steve Gibson [02:13:54]:
I think it's, it's. It feels like it's going to change the world.
Leo Laporte [02:13:57]:
I think it's happening.
Steve Gibson [02:13:58]:
You know, here for the last 20 years, we've been lamenting, you know, security errors in code. In five years, they may be gone.
Leo Laporte [02:14:09]:
I can't imagine that Claude code would write a buffer overflow. It's just not gonna, it's not gonna use strcpy. It's just not gonna. It knows better than that now. There will be subtler things. One of the things people point out with AI is if it can't. If it's. This is.
Leo Laporte [02:14:30]:
This is. This is a coding hallucination. I gotta divide by zero error. Instead of making sure you don't divide by zero, you just hide the error. That's the equivalent of a Claude code hallucination. Hide the error, the error doesn't go away. So you got to watch for things like that. That's the level it's hallucinating at.
Leo Laporte [02:14:56]:
But I think you can say pretty surely that this will all be ironed out. Yeah, there's. I think there's no reason.
Steve Gibson [02:15:04]:
It all feels like, like first steps, sorts of things. Just intuitively.
Leo Laporte [02:15:10]:
Yeah, yeah.
Steve Gibson [02:15:11]:
Wow.
Leo Laporte [02:15:11]:
And you could, you can teach Claude code not, not to make any of those fundamental security errors. Just don't, you know, that's bad. Don't do that no more. strcpy.
Steve Gibson [02:15:23]:
Okay, last sponsor and then we're going to talk about the, unfortunately, the return or the persistence or the previous existence, the previous unknown existence of Ghost Posting.
Leo Laporte [02:15:36]:
I gotta find out what that is. That's a good name for it. That's, by the way, at least 50% of the battle if you're, if you're doing malware detection is having a good name.
Steve Gibson [02:15:45]:
Oh, gotta have that. Yeah, yeah. I mean, the reason we all know Heartbleed is it was such a great name. Dripping blood.
Leo Laporte [02:15:53]:
Exactly. All right, we're going to get back to Security now and Ghost Posting, as Paris Martineau would say. But first, a word from our sponsor, DeleteMe. You know, technology is so fun, so exciting, so interesting and, and, and challenging. But it also has brought us some pretty nasty things like data brokers. Data brokers. These are the companies, and there are more than 500 of them now, that collect your personal information online and sell it off to the highest bidder.
Leo Laporte [02:16:36]:
You, if you've ever searched for your name, you do not want to know how much of your personal data is on the Internet. This is just, it's just, it's more than you think. Not just your name and contact info, literally your social. Steve and I found our Social Security numbers in a data breach. Your home address, information about your family members. All of this is being, and it's completely legal. Unfortunately, we don't have a comprehensive privacy law in this country. All of this is being compiled by data brokers and then sold online to anybody who wants it.
Leo Laporte [02:17:06]:
Marketers. Yeah, but that's the least of your worries. Law enforcement, foreign governments, anyone can, anyone can buy your private details. And of course hackers, which can lead to identity theft, phishing attempts, doxing harassment. You need to do something about it. Now you probably know you can go one by one to every data broker. There's 500 of them, remember? And delete your data and then start over. Because it's like painting the Golden Gate Bridge.
Leo Laporte [02:17:37]:
You'll never be done. And there's new data brokers all the time. Or you can join DeleteMe. DeleteMe does it and they do it right. Anybody who listens to this show is very much aware of how this is going on, how our privacy is being compromised. But I have a solution for you. It's why we use it. In fact, as a company, I think it's really important for your company to use this. Middle managers, management targeted by these bad guys.
Leo Laporte [02:18:06]:
They use the information they gain to craft very effective phishing text messages and emails. That happened to us. And it. And there's very little defense because it seems so, it seems so real, seems so authentic. That's why we went to DeleteMe to solve the problem. DeleteMe removes your personal info from hundreds of data brokers. What you do, you sign up, you're going to give DeleteMe the information you want deleted. They need to know what it is that you don't want online. That way you control it, right? And their experts take it from there.
Leo Laporte [02:18:37]:
They know everywhere to go. They have all the tools to remove that stuff, to demand the takedowns. They will send you regular personalized privacy reports showing what they found, where they found it, what was removed and the most important thing, it's not just a one time service. They're always doing it. They're always working for you. Constantly monitoring and removing the personal information you don't want on the Internet. Because as I said, it's a full time job. You can take it down, but it's going to come back.
Leo Laporte [02:19:08]:
You need DeleteMe to do this. To put it simply, DeleteMe does the hard work of wiping you and your family and your company's personal information from data broker websites. Take control of your data. Keep your private life private. Sign up for DeleteMe. We've got a special discount for our listeners. 20% off individual plans when you go to joindeleteme.com TWIT and use the promo code TWIT at checkout. Now that's the only way to get 20% off is to visit joindeleteme.com TWIT and enter the code TWIT at checkout.
Leo Laporte [02:19:40]:
And again, it's really important. Get the right address because there's other DeleteMes in the world. Joindeleteme.com TWIT, that's all one word. Joindeleteme.com TWIT, and it'll help a lot if you use the offer code TWIT, you'll get 20% off and we'll get the credit. Joindeleteme.com TWIT. Thank you, DeleteMe, for the great work you do for our audience. Let's get to Ghost Peppers.
Steve Gibson [02:20:06]:
No, not ghost peppers. Ghost Posting.
Leo Laporte [02:20:10]:
Ghost posting.
Steve Gibson [02:20:10]:
Okay, so our final podcast of 2025 was titled Ghost Poster. For the short summary at the top of the show notes, I summed it up by writing how a PNG icon was used to infect 50,000 Firefox users.
Leo Laporte [02:20:30]:
Oh man.
Steve Gibson [02:20:32]:
The discoverer of 17 different malicious Firefox add ons was Koi Security. They discovered that PNG icon files were being used to contain and infiltrate obscured JavaScript into user PCs through Firefox extensions. Some of the extensions were free VPNs and others were junk extensions that, you know, someone who just wanted to collect free browser add ons might add to their browsers. Nevertheless, more than 50,000 Firefox users had this malicious code running inside their browsers. So one of our takeaways was to avoid collecting crap from obscure sources that you don't really need. And by the way, the phrase free VPN is an oxymoron.
Leo Laporte [02:21:29]:
Yes. Do not.
Steve Gibson [02:21:30]:
No, there's something wrong. There's something wrong with a free VPN, folks, because you know, it goes along with free lunch. Okay, so yeah, so that was episode 1057. Why are we back here four weeks later for episode 1061? It's because following Koi Security's discovery, a different firm, Layer X, has reported their discovery of an additional 17 of the same. But this time they're not just attacking Firefox. Users of Edge and Chrome turn out to have been even earlier targets. And get this, with more than 840,000 downloads and installations. So 840,000 downloads and installations.
Steve Gibson [02:22:24]:
Unfortunately, these attacks are incredibly effective, lucrative and that's. We know what that means, right? They're going to continue. Layer X's disclosure headline was Browser extensions gone rogue: The full scope of the Ghost Poster campaign. So here's what we now learn from Layer X's follow on research. They wrote: Last month, researchers from Koi Security published a detailed analysis of a malicious Firefox extension. Actually, an extension family. They dubbed Ghost Poster, a browser based malware leveraging an uncommon and stealthy payload delivery method, steganography within a PNG icon file.
Steve Gibson [02:23:15]:
This innovative approach allowed the malware to evade traditional extension security reviews and static analysis tools. Right? Because nobody expected an icon to contain any malicious code, and nor did they expect it to be intelligible. It's a compressed image, so it's just going to be noise. Not so much. They said, following their publication, meaning Koi's publication, our investigation identified 17 additional extensions associated with the same infrastructure and tactics, techniques and procedures, so called TTPs, tactics, techniques and procedures. Collectively, these extensions were downloaded over 840,000 times, with some remaining active in the wild for up to five years. The Ghost Poster malware employs a multi stage infection chain designed for stealth and persistence. Payload encoding: the initial loader is embedded within the binary data of an extension's PNG file. Runtime extraction:
Steve Gibson [02:24:32]:
Upon installation, the extension parses the icon to extract the hidden data, a behavior that deviates from typical extension logic. Delayed activation: the malware delays execution by 48 hours or more and only initiates command and control server communication under specific conditions. And finally, payload retrieval: the extracted loader contacts a remote command and control server to download additional JavaScript based payloads. After activation, the malware is capable of stripping and injecting HTTP headers to weaken web security policies, e.g. HSTS and CSP, hijacking affiliate traffic monetization, injecting iframes and scripts for click fraud and user tracking, programmatic captcha solving, and injection of additional malicious scripts for extended control. These features indicate that the campaign is not only financially motivated, but also technically mature, emphasizing operational stealth and longevity. Right? I mean, these things were there in the extension stores for Edge, Firefox and Chrome for five years in some cases. The infrastructure, they wrote, uncovered by Koi Security was linked to 17 Firefox extensions, all sharing similar obfuscation patterns, command and control behavior, and delayed execution strategies.
Steve Gibson [02:26:17]:
Our Automated Extension Malware Lab feature confirmed the same threat actor infrastructure and was also able to distribute extensions on the Google Chrome and Microsoft Edge Add Ons store. Our analysis shows the campaign originated on the Microsoft Edge browser with later expansion into Chrome and Firefox. So I have in the show notes a timeline for anyone who's interested. It provides a chart which shows that the first known extension infected Edge browser users back in February of 2020, and none of this was known until just last month. So from 2020 it's been there. About six weeks later, at the end of March of 2020, Firefox was first hit. It was hit again at the beginning of May. Then a run of eight more malicious Edge extensions were released over the course of two years, from the end of August 2020 through the end of September 2022. A month later, at the start of October 2022, the first Chrome extension was created.
Steve Gibson [02:27:35]:
Then things were quiet for nearly two years until another, because they, you know, these extensions existed and they were just sitting there doing their business. Two years later another Edge extension appeared in August of 2024. But then after that it was all Firefox, from the end of October 2024 to today. So it's interesting that throughout all this time, only two known malicious extensions were seen to affect Chrome. It would be interesting to know why, since Chrome is clearly the largest potential source of user installations. But in any event, 840,000 is a lot of malware out there. The Layer X people expanded upon Koi's earlier findings and they reported 17 additional confirmed extensions with infrastructure overlap and common loader patterns. Meaning certainly from the same people, more than an additional 840,000.
Steve Gibson [02:28:43]:
So that's on top of the 50,000 that Koi found, bringing us to what, 890, almost 900,000 cumulative installs across Firefox, Chrome and Edge, malicious presence dating back to 2020 indicating long term operational success bypassing all major browser stores' security checks. So these bad guys now six years ago found a way to slip malware past all the stores' security checks by encoding them in the back end of a PNG icon. And they said malware variants using alternative delivery mechanisms, which suggests that there is still ongoing experimentation and adaptation. Now, beyond the previously identified extensions, we observe a more sophisticated and evasive variant associated with the campaign which by itself accounted for 3,822 installs. I have a picture of it in the show notes only because anybody would install this. It shows Firefox browser add ons. It's got a nice looking icon.
Steve Gibson [02:30:09]:
It's called Instagram Downloader and it's by Instagram Download, available on Firefox for Android. It's got 28 reviews at a 4.4, seems reasonable, and currently 3,822 users. And there's a nice button. Download Firefox and get the extension. Who wouldn't do this? I mean this is the problem. This looks like a legitimate useful thing. So in this iteration, which the Layer X people found, the malicious logic is embedded within the background script and leverages an image file bundled inside the extension as a covert payload container. At runtime, the background script fetches the image and scans its raw byte sequence for the delimiter. In decimal, it's 62, 62, 62, 62, which corresponds to the ASCII string of a sequence of four less than symbols.
Steve Gibson [02:31:20]:
All data following that marker is decoded as text and stored persistently in chrome.storage.local under the key inst logo. The stored data is later retrieved, Base64 decoded and dynamically executed as an additional JavaScript payload. This secondary script introduces further evasion by deliberately sleeping for approximately five days before initiating any network activity. This of course is to thwart security analysis. You know, security researchers will load up a browser with stuff, set it running and watch to see what it does. They generally won't wait for five days. Users do. Five days afterwards, upon activation, it fetches content from a remote server, extracts server-supplied data stored as Base64-encoded keys, and executes the decoded content, enabling ongoing payload updates and extended control.
Steve Gibson [02:32:28]:
The staged execution flow demonstrates clear evolution toward longer dormancy, modularity and resilience against both static and behavioral detection mechanisms, they said. While Mozilla and Microsoft have removed the known malicious extensions from their respective stores, extensions already installed on systems remain active unless explicitly removed by the user. This persistence underscores the limitations of store takedowns as a containment strategy, particularly for malware employing delayed activation and modular payload delivery. Okay, now they listed a bunch of their 17. Something called Page Screenshot Clipper only had 86 downloads. Full Page Screenshot had 2,000 downloads. Convert Everything, whatever that is, had 17,171. But Translate Selected Text with Google had just shy of 160,000 downloads. And among them, the biggest of all:
Steve Gibson [02:33:52]:
The number one was Translate Selected Text with Right Click, which had 522,000 downloads. So this translation hook seems to be offering something that people want. Unfortunately, these things were malicious.
Leo Laporte [02:34:13]:
They're not going to say something you don't want. No, I mean they're going to say something you want. Right, right.
Steve Gibson [02:34:20]:
Right. And what this is teaching them is that by offering these bogus translation apps, they're able to get a lot of downloads. So that's clearly a hook that interests people.
Leo Laporte [02:34:34]:
They've figured out what it is people are going to download for free. Yeah, it can't be too valuable or you wouldn't think it was free. So it's got to be something like kind of simple and cool.
Steve Gibson [02:34:44]:
Well, like that Instagram Downloader. Right. You know, while we all might determine that something seems fishy about an offer of a free VPN, that screenshot that we showed of the Instagram Downloader looks entirely legitimate. And I can imagine downloading it without ever being the wiser. So this is.
Leo Laporte [02:35:09]:
It's easy for bad guys to write this stuff now. I mean, the vibe coding that makes it easy for us to write what we want.
Steve Gibson [02:35:15]:
Yep, yep.
Leo Laporte [02:35:17]:
Makes it easy for them too.
Steve Gibson [02:35:18]:
Really true. One thing that puzzles me is LayerX's suggestion that the removal of extensions from the web store leaves any already downloaded and installed extensions in place and dangerous. We know that all the browser vendors have the ability to remotely disable any browser extensions that are found to be malicious. I suppose it might be the case that a malicious extension that its malicious publisher withdraws from the store might slip under the radar, since it's no longer being offered. If it's removed from the store, maybe it just doesn't raise a beacon. And it might also be that the post-installation mechanisms which these extensions use, by moving their later-downloaded code into the browser's permanent store, afford them some post-removal protection. I don't know. But the convincing appearance of that Instagram Downloader extension is, as I said, unnerving to me.
Steve Gibson [02:36:22]:
It's important to note that Koi was aware of around 50,000 downloads and installs because, for whatever reason, they apparently were not looking back far enough. The instrumentation that the LayerX people had gave them five years of history, and they found 17 more extensions whose downloads totaled more than 840,000. So I think one of the important takeaways here is that we must always remember that we can never know what we don't know. There's no point in getting overly worked up over things that we cannot control, nor excessively worrying over what we don't know. I would just say be skeptical. Don't install extensions just because, you know, you've got room on your toolbar for more of them.
Leo Laporte [02:37:18]:
You know, seems like a good, useful tool.
Steve Gibson [02:37:21]:
Keep the things you need and that seem like they come from real, known, legitimate enterprises. I mean, obviously, I've got Bit... BitLocker. What am I trying to say? BitLocker. No, not BitLocker. Bitwarden. Thank you. I was just drawing a blank.
Steve Gibson [02:37:42]:
I'm sitting here looking at it. I've got Bitwarden sitting on my toolbar and a few other things that I trust, that I've been using for years. You know, the vertical tabs extension for Firefox and a few other things. But I just avoid more. And that would be the advice for everybody.
Leo Laporte [02:38:03]:
Rule of thumb for all software: install as little software as possible.
Steve Gibson [02:38:08]:
Right? It's not just browser extensions. It's, you know, it's like the browser download helper. Who needs help downloading a file?
Leo Laporte [02:38:18]:
We used to. We used to. That was a very common category that's still in some people's heads, probably the boomers amongst us. But yeah, this was always. I started saying this on a regular basis on The Tech Guy show. The real rule is install as little as possible. You know, if you just got your iPhone and left it with just the stuff it came with, you'd be far better off for performance, for battery life and for safety.
Steve Gibson [02:38:50]:
Yep. As I mentioned, I'm very much a living-off-the-land guy. You know, I don't want to install something else if I've already got functionality there. It just. I'd rather.
Leo Laporte [02:39:00]:
That's why I install Emacs everywhere. And that's. That's it. That's all you ever need, really.
Steve Gibson [02:39:07]:
Yes.
Leo Laporte [02:39:08]:
Plus, as easy as it would be to write a malicious plugin for Emacs, I don't think anybody's going to do that. The pickings are slim, let's put it that way. Steve, what a great show. Always, always look forward to Tuesdays. And I hope you do too. Everybody make sure you're here. We do the show Tuesday afternoon right after MacBreak Weekly. That is, for us, 1330 Pacific Time, 1630 East Coast Time, 2130 UTC.
Leo Laporte [02:39:38]:
We stream it live. That's why I mentioned those times. That's when we record the show. But as we're recording, we stream. We stream into the Club TWiT Discord. This is one of the benefits our fabulous Club TWiT members get. Thank you, Club TWiT members. But we also stream it for everybody's delectation on YouTube, Twitch, X.com, Facebook, LinkedIn and Kick.
Leo Laporte [02:40:00]:
You don't have to watch live, of course, because it's a podcast. You can watch after the fact anytime you want. The website has it, twit.tv/sn. There's a YouTube channel dedicated to it. Steve also has it on his website. In fact, there are a number of reasons you might want to go there, not just to get the podcast. Steve's got the very small 16 kilobit audio version. No one else has that.
Leo Laporte [02:40:23]:
No one else has the 64 kilobit audio version. Even Steve's got that. He makes two nice and small versions. He's got transcripts written by a human. Elaine Farris does a great job. And that is all at grc.com. Show notes are there as well, although you can get those emailed to you if you go to grc.com/email. That is a form that Steve initially set up to whitelist email addresses so that you can email him with suggestions, comments, questions, but it just happens to be at the bottom.
Leo Laporte [02:40:53]:
There are two boxes, unchecked. One is for the weekly show notes email. One is for an email list that I don't think he's used in any living memory, where he will send out an email when he's got a new product. Now you are going to eventually use that for DNS Benchmark Pro, right?
Steve Gibson [02:41:11]:
Yep. I'm in the process of updating the way the benchmark is purchased, and since that will be part of it, that'll affect the product. So I haven't done the walkthrough video because I have to have that in place first, and then, as soon as that's done, I'll do the mailing to announce it.
Leo Laporte [02:41:32]:
So this is how conscientious Steve is. He wants to do it right. And this is why we love him. That is the other reason to go to his website, by the way: SpinRite, the world's best mass storage maintenance, recovery and performance-enhancing utility.
Leo Laporte [02:41:47]:
You saw that graph. That was kind of mind-boggling. But also the brand-new DNS Benchmark Pro, to make sure you're using the fastest DNS provider available to you. That's different for everybody.
Steve Gibson [02:41:59]:
Right?
Leo Laporte [02:42:00]:
Because it's where you're located. So you've got to run it yourself. Really nice little program. Not expensive. Lifetime, as usual. With Steve, you get a lifetime subscription to it. He could charge monthly, but he doesn't do that.
Leo Laporte [02:42:15]:
All of that at GRC.
Steve Gibson [02:42:16]:
Everybody hates it. I'm not doing it.
Leo Laporte [02:42:18]:
Nope. He's also got forums if you want. That's another great place to give him feedback or talk with other Security Now fans. We have our forums for everybody. They're open to all at twit.community. There's also a Mastodon instance, which I love. It's kind of my favorite way to hang out. You know, I'm better than X. That is at twit.social.
Leo Laporte [02:42:39]:
In both cases, just mention you heard it on Security Now and I'll put you right in. And let's see what else. Oh, most important, you can subscribe to this show. Wow, what a concept. It's free. All you have to do is go to your favorite podcast client, search for Security Now, leave us a good review, and then you'll get it automatically after you press the follow button or the subscribe button or whatever they call it. Doesn't cost anything. I don't like "subscribe" because that implies you have to pay for it.
Steve Gibson [02:43:05]:
Follow.
Leo Laporte [02:43:05]:
Maybe it's also confusing. So there is no good button. But press the button, get it automatically every Tuesday after we're done. Well, just in the nick of time, somebody decided to drill something outside. So I think this might be a good time to say thank you, everybody, for joining us, and we'll see you next time on Security Now, a week
Steve Gibson [02:43:26]:
from now, the last podcast of January. Bye.
Leo Laporte [02:43:32]:
Hey, everybody. It's Leo Laporte asking you, begging you, pleading with you. There are only a few days left to take our annual TWiT survey. This is the best way we have of knowing more about our audience. Help us out. Let us know what you like, what you don't like, who you are. Just fill out the survey. It's on our website.
Leo Laporte [02:43:49]:
Should only take a few minutes: twit.tv/survey26. Survey closes 1/31. So don't delay. And thank you very much. We really appreciate it. Security Now.