Security Now 1068 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte [00:00:00]:
It's time for Security Now. That's Steve Gibson in the flesh. I'm Leo Laporte. We're live in Orlando, Florida for Zero Trust World. Steve's presentation, The Call Is Coming from Inside the House. And extra Security Now coming up in— oh, we better get going. We're on!
Leo Laporte [00:00:18]:
This episode of Security Now is brought to you by ThreatLocker. ThreatLocker's Zero Trust platform blocks every unauthorized action by default, stopping known and unknown threats, including VM-based malware that evades traditional antiviruses. Ring-fencing constrains tools and remote management utilities, preventing lateral movement or mass encryption. ThreatLocker works across all industries, supports Mac environments, delivers comprehensive visibility and control, and provides 24/7 US-based support. Trusted by JetBlue, Heathrow Airport, the Indianapolis Colts, and the Port of Vancouver, and recognized with G2 High Performer and Best Support for Enterprise Summer 2025, PeerSpot #1 in Application Control, app best functionality and features 2025. Get unprecedented protection quickly, easily, and cost-effectively. Visit threatlocker.com/twit to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com/twit.
Leo Laporte [00:01:34]:
This is Security Now, Episode 1068, recorded live Wednesday, March 4th, 2026, at Zero Trust World 2026: The Call Is Coming From Inside the House.
ThreatLocker Speaker [00:02:00]:
All right, welcome back, everybody. It's time to close this out. This is our final main stage session of the day: Security Now, The Call Is Coming from Inside the House. So for years, we've built stronger perimeters, better firewalls, better detection, better external defenses, and we got pretty good at it. But the next frontier isn't outside, it's inside. Some of the biggest breaches in recent years didn't happen because the perimeter failed. They happened because internal systems were overturned.
ThreatLocker Speaker [00:02:41]:
Too much access, too little segmentation, policies built on assumptions instead of verification. Zero Trust was born to solve exactly that problem. And there are few voices that are more respected in this space than the hosts of Security Now. Steve Gibson, founder and CEO of Gibson Research Corporation, has been programming since 1970 and brings decades of deep technical insight on modern internet security. His passion for low-level computing and secure system design is legendary. And Leo Laporte, founder of This Week in Tech Network, has been hosting and shaping tech media since 2005, bringing clarity, context, and conversation to millions of listeners worldwide. Today's session is a live recording of the Security Now podcast, and yes, it will run a little bit longer by design, followed by a meet and greet in the Solutions Pavilion. This is our final session, and this will be a strong finish.
ThreatLocker Speaker [00:03:52]:
Zero Trust World, are we ready? I want more of those guys. Zero Trust, are we ready? Ladies and gentlemen, Steve Gibson and Leo Laporte.
Leo Laporte [00:04:13]:
Hey, everybody. Great to see you. Thank you for coming. This is Steve Gibson.
Steve Gibson [00:04:18]:
We got some people.
Leo Laporte [00:04:20]:
Yeah. Let's sit down, Steve, and we're going to talk. So never on Security Now have I gone through your full bio.
Steve Gibson [00:04:28]:
Thank God.
Leo Laporte [00:04:29]:
So I decided to ask AI who you are. So get ready. And if I say anything wrong, it's going to be hallucinating. You got— did you start writing software when you were 13 years old?
Steve Gibson [00:04:42]:
Okay, well, they got that right.
Leo Laporte [00:04:44]:
PDP-8.
Steve Gibson [00:04:44]:
That's right.
Leo Laporte [00:04:45]:
For Data General. Says Data General, see that's a lie.
Steve Gibson [00:04:49]:
For DEC. DEC, close.
Leo Laporte [00:04:52]:
Okay, close. When he was 15, Steve got a job, a high school student working a summer job at the Stanford AI Research Lab, SAIL. That's pretty amazing. And at the SAIL lab, you were working on speech synthesis. Now this is what, 1975?
Steve Gibson [00:05:11]:
This was in '70, like '71, very early.
Leo Laporte [00:05:17]:
The speech synthesis he worked on ended up as part of Texas Instruments' Speak & Spell. Did you ever, when you were little, did you have that thing? You press the button.
Steve Gibson [00:05:27]:
If anybody remembers those things.
Leo Laporte [00:05:30]:
A, B, C. He also wrote a light pen application for the Apple and the Atari, right? Hardware. I'll skip the ad agency part. Nobody cares about that. Now, he in 1985 founded GRC, the Gibson Research Corporation. And one of the things that I first became aware of Steve was your InfoWorld column, which I loved in 1986, Tech Talk from 1986 to 1993. Steve wrote about technology in an accessible, fascinating way. He's always been a little bit of an iconoclast, kind of an outsider banging at the wall of technology.
Leo Laporte [00:06:12]:
And I loved that. In fact, I started writing for InfoWorld because of you, so thank you for that. Now, when you were, in 2001, when you were working in security, you got mad at Microsoft.
Steve Gibson [00:06:30]:
I do that frequently.
Leo Laporte [00:06:32]:
You may remember that in Windows XP they released something, a capability to use raw sockets, which meant you could impersonate any address, right?
Steve Gibson [00:06:42]:
So the big problem was that, as we know, Bill Gates wanted to compete with the Source and CompuServe, so he created— he was doing the Microsoft Network, MSN, and that was gonna be dial-up modems and things, and then he got surprised by the internet, which was not what he expected to have happen. So they had Windows, but it was like with a modem, and so they got a TCP/IP stack and stuck it on Windows and put it on the internet. So this was Windows on the internet, and this predated NAT routers. We didn't have NAT routers then. So my company, I thought, oh, the internet's happening, let's put our machines on the internet. And it turned out that other people had Windows and all of their C drives were shared on the internet. It was freaky.
Leo Laporte [00:07:37]:
I mean, you could— a slogan that we often use at Security Now, what could possibly go wrong?
Steve Gibson [00:07:44]:
And so this was the genesis of Shields Up. I created Shields Up to show people your ports are open. And so that was my first—
Leo Laporte [00:07:52]:
how many of you have used Shields Up to secure your networks or secure your router at home? I use it every time I set up a new router.
Steve Gibson [00:07:59]:
And so its genesis was that Microsoft just stuck Windows on the internet, which was the original upset. And then as you were saying, they produced, they took an operating system, Windows 2000, which was more enterprise-oriented, and they created XP. But because they took the network stack from 2000 to XP, consumers were going to have the ability to generate raw data on the internet, which was going to create a DDoS nightmare.
Leo Laporte [00:08:34]:
You did get DDoSed by a raw socket attack. Yeah, shortly thereafter. You also got a lot of hate, not only from Microsoft but people in general, saying, 'What, you're all worried about raw sockets?' 3 years later, with Service Pack 2, Microsoft said, 'Oh yeah, maybe you're right.' Well, and there was no firewall in Windows until—
Steve Gibson [00:08:53]:
it would— they introduced it in XP, but it was disabled by default, right, until Service Pack 2.
Leo Laporte [00:08:57]:
So I first met Steve— I'll give you an idea of how long ago it was. He had just written a program called Trouble in Paradise, which was able to diagnose the click of death on a Zip drive. Do you remember Zip drives? Yeah, that's— yes, who could forget? And we had him on The Screensavers, the TV show that I was doing. This was probably 1998, talking about the click of death. And we've been friends ever since. We first got together to do a podcast 21 years ago. We've been—
Steve Gibson [00:09:31]:
this was your idea. You and I were doing some TV up in Canada because you had Tech TV and Call for Help, right? And during our break, we would do 4 programs in one day, and between— like, they had to rewind their tapes or something. And so between that, you and I were just talking. You said, hey, how would you— what would you think about doing a podcast about security, and I said, what, cast?
Leo Laporte [00:09:57]:
And this was very early on. You were also concerned that there wouldn't be enough material.
Steve Gibson [00:10:00]:
Oh, we're going to run out of stuff to talk about.
Leo Laporte [00:10:03]:
21 years later, the show isn't getting shorter by any means. It's getting longer. We're going to do a short version of Security Now today. Don't worry, I promise we'll get you to the cocktail party in time. Steve proposed— actually, over this 21 years, we've seen big changes in security. Early on, it was all about protecting the perimeter. It was all about firewalls, as you mentioned. But things have changed quite a bit.
Leo Laporte [00:10:28]:
And I think it wasn't so long ago, maybe last year, where you started to say, you know, there's a different issue at hand. And this is where the title, The Call, The Threat Is Coming from Inside the House.
Steve Gibson [00:10:40]:
So, yes, one of the— again, we've been doing this for 21 years. I remember early in the podcast, talking with you about the fact that there were viruses, you know, I mean, there was mischief being conducted, you know, DDoS attacks, people were like, you know, getting pushed off the internet, but there didn't seem to be a purpose. There was no reason for it. It was just, you know, bored kids. It was for the lulz. Yeah, I mean, it was just to see if it could happen. I think that probably the most pivotal defining change was the emergence of cryptocurrency. Because it was the ability for bad guys to extort and for there to be a way for them to get paid that turned this from, you know, hobbyist hijinks to, you know, foreign state actors having a motivation.
Leo Laporte [00:11:46]:
You may remember in the early days, they were asking for you to go down to the drugstore and buy cards that you would then mail to them. Not the best way to extort, but as soon as you could do it anonymously with crypto, everything, everything changed.
Steve Gibson [00:12:02]:
And so I think what we've seen is that, you know, one of the things I wanted to make sure I shared today was for everyone to understand that the bad guys don't care about the data that they're taking, right? I mean, you and I, after that most recent data breach last year, we looked up our Social Security numbers.
Leo Laporte [00:12:30]:
Oh yeah, the data broker breach, yeah, yeah.
Steve Gibson [00:12:33]:
The personal data is out there. It's already escaped. But the value of cryptocurrency is that it allows extortion. And if bad guys are able to get into an organization's network and maybe cripple their machines, but certainly exfiltrate their data, then they have something that they can ransom. And in the same way that a kidnapper doesn't want the entity, the person they've kidnapped, that person's a liability to them. You know, they— the value is extortion, right? And so one of the things that has changed, because— and we heard this 20 years ago— nobody would want to attack us. We, you know, why would anyone want to attack our enterprise, our organization? It is for the sake of extortion.
Leo Laporte [00:13:31]:
Right.
Steve Gibson [00:13:31]:
It is so that they can say, we've got your data. You may have a backup of it, but, you know, what's it worth to you for us not to tell the world or to leak the personal and business data that we have stolen from you?
Leo Laporte [00:13:49]:
Right. So they have the means. They have the motive.
Steve Gibson [00:13:52]:
The motive is extortion and payment.
Leo Laporte [00:13:56]:
Yeah. The opportunity, it's really up to these guys to keep the oppor— keep them from getting the opportunity. Is that right?
Steve Gibson [00:14:03]:
I think so. And one of the other issues I think for anybody who's doing IT security is, you know, the famous expression is it's not possible to prove a negative. It's how do you get credit for your organization not being attacked? How do you demonstrate that it's because you have the budget that you have for IT and the equipment that you have and the staff that you have? You know, there's certainly profit pressure in any enterprise. And so when the guys who are controlling the purse strings look around for where they can cut, they're like, well, we haven't had any problems with our IT. Everything's going great.
TWiT.tv [00:14:51]:
Right.
Steve Gibson [00:14:51]:
So let's cut there. And it's like, wait a minute. The reason everything is going great and you haven't had any attacks is that we've been able to keep the defenses up. We've been able to, you know, purchase expensive network gear that, you know, even though the old stuff was still working, it was now no longer being serviced. And we know that there are probably vulnerabilities there. So it's crucial that we continue to fund this enterprise of keeping the network safe.
Leo Laporte [00:15:26]:
I suspect that you all know, I'm seeing heads nodding out there. It's like, yeah, surprised. But do you think, though, that that's changed a little bit? I mean, for the longest time there was this incredible pressure on IT to do more with less, to be secure. But I think with all these breaches and all the issues that are coming up, do you think organizations are starting to understand, no, no, this is really—
Steve Gibson [00:15:47]:
I think there's much more traction that's available now for the security side to say, you know, would you like our enterprise's name on the board of shame of, you know, of outfits that have been breached?
Leo Laporte [00:16:03]:
There's that wonderful site, do you remember what the name of it is?
Steve Gibson [00:16:07]:
Oh, in real time.
Leo Laporte [00:16:08]:
In real time, every day it would show you the breaches that have happened today. It was usually a dozen, 20 breaches in a single day.
Steve Gibson [00:16:16]:
In the morning, not so much, but then in the afternoon.
Leo Laporte [00:16:21]:
Yeah, you don't want to be on that list. No. And I hope that business leaders are realizing that the best way not to be on that list is to take IT seriously.
Steve Gibson [00:16:32]:
Right. And so the— when we were thinking about what it was we wanted to say today, uh, and came up with the title of this, my sense is from what you and I have seen over the last couple decades is that we are getting much better about protecting the perimeter. Not 100% yet. There's still a way to go. One of the issues, I think, is that there is a pain associated with increasing security. Always. Yes, always.
Leo Laporte [00:17:15]:
There is a security versus convenience.
Steve Gibson [00:17:17]:
Convenience versus security trade-off. And one of the biggest problems that we see is it would be possible to further increase, for example, perimeter security. I've been saying for a while now on the podcast that authentication doesn't work. I mean, if it did, we wouldn't keep over and over and over seeing serious problems with authentication failing. Cisco just had a 10.0 authentication failure in their SD-WAN product, which enterprises use to interlink satellite offices. And as we know, you have to really try hard to get to 10.0.
Leo Laporte [00:18:05]:
CVE of 10 is hard. That's like, uh, Nadia Comaneci.
Steve Gibson [00:18:09]:
That's infection. It's easy to do, and it's not a low probability attack. You just figure out how to do it.
Leo Laporte [00:18:19]:
Is that one in the wire?
Steve Gibson [00:18:20]:
In the wild? You just cut right through. Oh yeah, it's in the wild. The Australian Signals Directorate discovered it. And then all of the various security organizations around the world started screaming about it.
Leo Laporte [00:18:34]:
At one point it got so bad with breaches that we stopped reporting them.
Steve Gibson [00:18:38]:
They were boring to our listeners.
Leo Laporte [00:18:40]:
There was no point. Everybody is like, oh, okay, every day there's another breach. That's not news.
Steve Gibson [00:18:46]:
No. And so the— an example in this SD-LAN or SD-WAN breach is a perfect example where it was an authentication failure, some bug in Cisco's system that was allowing bad guys— and they were, in this case, Chinese state-backed attackers, probably located in China— getting into enterprise networks through this authentication failure. So I asked the question, why could someone in China get a connection? Why? Do you want people in China trying to connect to your SD-WAN? No, right? So put a firewall rule in front of it, because you know where the entities are that you do want to have connecting. Everybody else should be locked out, right? But it's, you know, whoa, what if their IP changes? Then, you know, we wouldn't be able to connect. Again, some lack of convenience in trade for much greater security.
Leo Laporte [00:19:56]:
You should probably whitelist, not blacklist, right? You know what IP addresses.
Steve Gibson [00:20:00]:
Oh yeah, it ought to be. Yeah, it ought to be a blanket: no packets come in unless it's from this IP, this IP, this IP, or that.
Leo Laporte [00:20:10]:
It's that same idea, right?
Steve Gibson [00:20:11]:
Yes, it is. It is exactly. Yeah. And so even though we've gotten way better at securing our perimeter, we could still get a lot. There's still a long ways to go because again, we all understand the notion of multi-layered security. Unfortunately, too many people are just assuming that authentication works at the— Still. —border. Still today.
Steve Gibson [00:20:40]:
Yes, otherwise we wouldn't be seeing these breaches. Right.
Leo Laporte [00:20:44]:
And so you think that part of it is, and we talk about this a lot, that there's the impression that, well, it's nation-state hackers that have the sophistication to do this. We aren't gonna be the target of a nation-state hacker, so we're probably okay. People assume their threat model, they don't have to worry about.
Steve Gibson [00:21:03]:
We are financing North Korea.
Leo Laporte [00:21:07]:
That's the problem, right? Yes. Because there is a motive for that because of hard currency. Yep. Yeah, and we saw the number a couple of weeks ago.
Steve Gibson [00:21:17]:
Huge amount of money that is flowing to North Korea because their hackers are good and they're jumping on problems as soon as they occur, and our border defenses are still not what they could be. Because it is much less convenient to do that. I mean, I guess if I had one thing I would urge everyone to do, it would be to assume that authentication doesn't work, because that's what we see. We see example after example after example. And so if you assume it doesn't work, then take the responsibility of what happens if it fails. Imagine if bad guys could connect to your enterprise VPN, then what? Well, the simplest protection is simple IP address filtering. Because most enterprises aren't like residential consumers whose IP will change, but even there it doesn't change much.
Steve Gibson [00:22:28]:
I mean, it is my entire defense. I have 3 nodes, 2 places I work from, and GRC's facility in what used to be a Level 3 data center, but they've been purchased about 12 times since then. So I don't even know what they call them.
Leo Laporte [00:22:45]:
Who owns them now?
TWiT.tv [00:22:45]:
No one knows.
Steve Gibson [00:22:46]:
I don't know. But my IPs don't change. My entire defense is that I have IP address filtering in all 3 locations. Right. So they can only talk to each other. And I have— yeah, yeah, and within that, of course, I'm authenticating. But, you know, I look like just a black hole to the rest of the world because of that simple expedience of using a firewall in front of those 3 locations.
Leo Laporte [00:23:15]:
Yeah, you would think they are saying, well, we're going to route it through Africa so you won't know it's China. But it's funny, I still see all the time on my home network Chinese logins one after the other trying to get through the NAS or getting— you actually told me, I set up my SSH server, which is now off, so don't get any ideas. And I set it up with port 22. And I thought, well, they can use Shodan, or they can find the port, so why use an obscure port? And security through obscurity doesn't work. But you said, no, you should still use— there's— it's, in other words, it's not a silver bullet. There is no silver bullet. But you shouldn't also make it easy for them. Right.
Leo Laporte [00:23:57]:
They're, so, right. And I had port 22 open and you immediately, vroom, all these Chinese attacks.
Steve Gibson [00:24:04]:
If your goal was, to give everyone a better sense of this, if your goal was to have SSH as a global service.
Leo Laporte [00:24:15]:
Which is a mistake.
Steve Gibson [00:24:16]:
To begin with, then yes, you'd want it to be on port 22 where the globe would know to look for it, right? And if you want to run a web server, that's got to be on 443, and email's got to be on 25, and so forth. The only places you should use default ports are where default users who don't know specifically where your service is would go to look, right? Otherwise, why leave it on the default port? Yes, it's not going to protect you from someone who's going to scan all your ports, but it's trivial to put it somewhere else, right? So why not, right? So it just cuts down on opportunistic attack. It's layers. You got to do a lot of things. And I would use them all. Yeah. I mean, just, you know, so many.
Steve Gibson [00:25:02]:
And so that, you know, yes, maybe something's gonna be fragile and break occasionally, but again, even though you're not gonna get credit for not being attacked, you get to sleep at night.
Leo Laporte [00:25:14]:
I've learned so much doing this show. We remember we used to talk about Hitachi or Hamachi, not Hitachi, Hamachi, which then got sold to LogMeIn and we stopped using that. And, uh, Tailscale and WireGuard and all of these, uh, techniques. It's one of the reasons I love doing this show, because I learn so much from it. This is kind of a special edition of Security Now. We usually do the show on Tuesdays; we usually spend a couple hours at least talking about attacks, what's happening in the world, the latest security news. Have any of you ever listened to Security Now? Is there? Just a few of you? Okay, all right. The entire front row has listened to this show.
Leo Laporte [00:25:52]:
The rest in the back are going, I don't know, it's just, where's the free dinner? So good, we're doing a special version of this. I'm gonna pause for a moment because we have a commercial break. Thanks to our great sponsors here, ThreatLocker, who brought us out for the event, and we really appreciate ThreatLocker, and they've been a great sponsor for us, and they're all the way into 2026. We're very happy to have them. We'll come back, and when we come back, we're gonna talk about remediation, what you can do to protect yourself in this kind of new world, 'cause, well, we'll talk about what that call coming from inside the house is. It's not a babysitter sitting downstairs and a bad guy upstairs, it's something else. This is Security Now.
Leo Laporte [00:26:35]:
Hey everybody, this special episode of Security Now is brought to you by guess who? ThreatLocker. We're here right now at Zero Trust World where ThreatLocker is hosting some of the brightest cybersecurity experts for the 6th year in a row. I gotta tell you, this is a great conference. Zero Trust World provides crucial education and training to support IT professionals, along with full session access, hands-on hacking labs, meals, an afterparty, even the opportunity to take the Cyber Heroes certification exam. Be sure to check out this exciting, interactive 3-day event that happens every year to get hands-on cybersecurity training, expert insights, and more. You know, ThreatLocker's Zero Trust platform takes the proactive deny-by-default approach you want. That's the key. Deny by default blocks every unauthorized action. Unless you explicitly permit it, it doesn't happen.
Leo Laporte [00:27:31]:
And that protects you from both known and unknown threats. ThreatLocker's innovative ring-fencing constrains tools and remote management utilities so attackers just can't weaponize them. They don't get lateral movement. They can't do that mass encryption ransomware thing. ThreatLocker works in every industry. They've got great 24/7 US-based support. They work on Windows. They work on Macs.
Leo Laporte [00:27:54]:
In every environment. And with ThreatLocker, you get comprehensive visibility and control. Just ask Emirates Flight Catering, a global leader in the food industry, 13,000 employees, and happy ThreatLocker customers. ThreatLocker gave them full control of apps and endpoints, improved compliance, and delivered seamless security with strong IT support. The CISO of Emirates Flight Catering said this, quote, the capabilities, the support, and the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate, but with ThreatLocker, it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a CISO.
Leo Laporte [00:28:34]:
ThreatLocker is used by enterprises and infrastructure companies that just can't go down, not even for a minute. Companies like JetBlue, they use ThreatLocker. Heathrow Airport, the Indianapolis Colts, the Port of Vancouver, they all use ThreatLocker. ThreatLocker consistently receives high honors and industry recognition. They're a G2 High Performer and Best Support for Enterprise Summer 2024. Their PeerSpot ranked number 1 in application control. They got GetApp's Best Functionality and Features Award in 2025. Visit threatlocker.com/twit to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance.
Leo Laporte [00:29:12]:
That's threatlocker.com/twit. And we'll see you next year, please, at Zero Trust World.
Leo Laporte [00:29:20]:
Now back to the show. This is Security Now. We're coming to you from Orlando, Florida. We're here at the ThreatLocker Zero Trust World Conference. We thank ThreatLocker for bringing us here, Steve Gibson and Leo Laporte, and a really nice crowd. They're about, I think they told me, there are 1,800, 1,900 people here learning about security. I did a hacking lab earlier. I didn't realize this, Steve, they have, I just asked Heather, something like 900 laptops for these labs.
Leo Laporte [00:29:53]:
You haven't gone into one of the labs. Labs, right? It's really cool. I want to do the Metasploit one, but it was jammed. There was nowhere to get in. But they have laptops for everybody. They can come in, they can sit down and do these hands-on workshops, which is really, really cool. I learned how to hack the web today. It was fun.
Leo Laporte [00:30:14]:
So that's really cool. And there have been some wonderful speakers. So we're really pleased we could be here. I hope we can do this again next year, and I hope we'll see you all again next year. So let's talk about, given that the world has changed, uh, incentives have changed, the means have changed, the motives are clear, um, where is the biggest threat right now?
Steve Gibson [00:30:36]:
So we've pretty much covered keeping the bad guys out at the network level. Um, authentication cannot be relied on. Packet filtering is so dead simple that I can't, you know, that if there's any way it can be used, it should be used.
Leo Laporte [00:30:56]:
I run Fail2ban, so if people try to log in too many times, it just boots that IP.
Steve Gibson [00:31:00]:
Yeah, just, I mean, just assume that authentication is a weakness and engineer yourself so that you're not worried about that. So the thing that we've been seeing in the last couple years is a— because I think in general things are getting better in terms of the secure perimeter, is the bad guys going around the perimeter. The Shiny Lapsus Hunters group.
Leo Laporte [00:31:34]:
That's social engineering primarily.
Steve Gibson [00:31:35]:
The social engineering. Yeah. You know, we talked last week, they're trying to hire women. They are hiring women and paying them a lot of money, $500 to $1,000 upfront, to place social engineering calls with a woman's voice under the logic that that will be more convincing.
Leo Laporte [00:31:56]:
The customer service rep is going to say, oh, you poor lady. We were talking last week about— I remember there was a hack where a woman called, my husband's "out of town," and she had a recording of a baby crying in the background. And it's all to get the customer service rep, whose job is customer service, to do the SIM jack. To make a mistake. To swap the SIMs. To make a mistake.
Steve Gibson [00:32:19]:
To make a mistake.
Leo Laporte [00:32:20]:
They're very good. These Shiny Lapsus Hunters, it's pretty amazing what they can do.
Steve Gibson [00:32:25]:
And you had an instance in the last couple months.
Leo Laporte [00:32:29]:
You don't have to talk about that.
Steve Gibson [00:32:32]:
And I did. Where I didn't click the link. I did. But it was like, it was reasonable looking.
Leo Laporte [00:32:45]:
You know, Jeff Jarvis just did the same, texted me this morning. He got a text from AT&T and he clicked it. You know, I was offered free headphones. I thought, well, that's a good deal. And I started to go through the process until I realized that it was a website in the Philippines and I was trying to give them my credit card number. So, and we're presumably relatively sophisticated, we're aware. The problem is they get you at a weak point. I'd been getting a lot of text messages from my carrier.
Steve Gibson [00:33:16]:
You're late for lunch and so you just think, okay.
Leo Laporte [00:33:19]:
I hadn't had my coffee, that was my excuse. Yeah.
Steve Gibson [00:33:24]:
So I think that this— and that's, to my way of thinking, that's the next frontier for enterprise security.
Leo Laporte [00:33:33]:
The call is your employees, let's be frank. Right.
Steve Gibson [00:33:37]:
The reason a personal computer is so much fun, the reason we all got our own PCs, is we could do anything with it we wanted.
Leo Laporte [00:33:47]:
It's a general purpose device.
Steve Gibson [00:33:48]:
There were no constraints. You could download software, run it, do whatever you wanted to do. That model doesn't work inside the enterprise. You— and I mean, and this is the reason I think it's like the final frontier. It's also the biggest problem, is that your users have personal computers at home. They know the way it's supposed to be.
Leo Laporte [00:34:12]:
They want freedom, right?
Steve Gibson [00:34:13]:
But they can't be trusted with that freedom. And that, again, you and I couldn't be, because we almost clicked the link. I mean, so it's not about who they are or lack of training, it's that there is tremendous pressure created by the opportunity to extort, which there wasn't historically, but there is now, thanks to cryptocurrency. So there is pressure, and that's, I mean, I don't want to have anyone come away undervaluing the importance of that. You know, your boss says, well, who would want to attack us? Who would want to, you know, we don't have anything. You do.
TWiT.tv [00:34:59]:
You do.
Steve Gibson [00:34:59]:
You have extortability. Right. And so this tremendous pressure is motivating endless cleverness.
Leo Laporte [00:35:13]:
You know what scares me? We get these emails all the time. We unfortunately, I think we're gonna change this, have an easily guessable email address for our accounting department. Somebody said, oh. And so we get literally, you know, several emails a day, right, Lisa? Saying, you know, your bill is due, and now we're a small enough company so that our accounting people know enough not to do that. But if you have a large company with a big accounting department, a lot of invoices coming in, that terrifies me. That would be so easy, just buy it, you know, just say, oh yeah, well, let's pay that invoice. How do you control that? That's really problematic.
Steve Gibson [00:36:02]:
I think that what this next frontier of security that is to deal with this— the call is coming from inside the house. It's necessary to unfortunately reconceptualize the internal networking architecture. You need to assume not that you have an evil maid, as it's called, you know, and we're gonna have to change that, by the way. An evil, an evil butler, how about that? Or evil janitor or something. No, it's not, it's not a bad employee. It's somebody who, who a social engineering hack tricked.
Leo Laporte [00:36:50]:
And they're really good now. They've gotten better, these engineers.
Steve Gibson [00:36:54]:
Yes, and they're going to keep getting better. Again, don't underestimate the pressure to get inside. And so, you know, anyone who's listened to Security Now has heard me talk about the model I have of security as being porous, where it's not as open as a sponge, but more like, you know, some porous stone. Where if you have sufficient pressure, you can get some leakage through. So you have security, you have a wall, but it isn't perfect.
Leo Laporte [00:37:30]:
But nothing is perfect.
Steve Gibson [00:37:32]:
And this is the problem, is that it only takes one mistake from one employee one time who, you know, who allows something onto their machine.
Leo Laporte [00:37:43]:
You guys have to be perfect. The bad guys only need to succeed once.
Steve Gibson [00:37:48]:
So, in the same way that I would urge people to, from the outside looking in, to assume that authentication doesn't work, you cannot rely on authentication. The sad reality is you cannot rely on your employees not making a mistake. Making a mistake is human. And you can give them training, and you can be testing them, and we know that we have sponsors of the podcast that specialize in doing exactly that.
Leo Laporte [00:38:24]:
There's people on the show floor doing that, all of this training.
Steve Gibson [00:38:27]:
Yes, raising, maintaining on a level, a heightened level of anxiety, essentially, about like, individually, they're under attack from the outside.
Leo Laporte [00:38:39]:
You're not saying don't do that. It's just insufficient.
Steve Gibson [00:38:41]:
No, I'm saying you need that. Yes, it is insufficient because mistakes can still happen. And so the easy way of setting up an organization's network is to have a big switch and plug everybody in, right?
Leo Laporte [00:38:56]:
And we're one big happy family. And if you're inside the network, you're good. Exactly. Right.
Steve Gibson [00:39:02]:
And the problem is you are then maximally vulnerable in that scenario. So a powerful technique, and I saw it mentioned in some of the notes for this conference, a powerful technique is whitelisting apps. It's also really painful because nothing that's not whitelisted will work, and it's gonna upset people.
Leo Laporte [00:39:31]:
Do you ban all shadow IT? Do you say you can't use outside apps, you can't?
Steve Gibson [00:39:38]:
I think you have to. I heard you just the other day giving the example of the employee who gets their laptop infected at home and then brings it into the enterprise.
Leo Laporte [00:39:48]:
It happened to the NSA, for crying out loud. If it can happen to the NSA, it could happen to anybody.
Steve Gibson [00:39:57]:
Yeah. The final weakness, I think, this, you know, the call that's coming from inside the house is not somebody who's maliciously attempting to do something, but somebody who makes a mistake, who allows something bad to get into their machine, and now their machine has more access than it should have. That's where I'm going with this, is that in the same way that if authentication isn't perfect, then you've got IP filtering to back it up. So they don't even have a chance to authenticate because they're coming from an untrusted location in the world where only 3 are trusted. The others, everything else isn't.
Leo Laporte [00:40:48]:
This is zero trust, right?
Steve Gibson [00:40:50]:
Yes, zero trust. Yeah. And, and so it's—
Leo Laporte [00:40:54]:
you used to call it trust no one. You coined that phrase. TNO.
Steve Gibson [00:40:57]:
Well, I got it from Mulder on X-Files. Okay.
Leo Laporte [00:41:01]:
Yeah, that was in a different context. I think there were aliens involved, but it's the same idea.
Steve Gibson [00:41:08]:
So, so you have to then say, okay, if something bad gets into this employee body's machine, what could it do? What access does the machine have? And I would argue that in this day and age, still today, too many endpoints in the enterprise have too much privilege. We talk, we all understand the concept, the concept of least privilege, but it is, it is so difficult to actually implement. Well, try telling the CEO that he can't serve to the upside he wants. Right. Sorry. Because he could make a mistake.
Leo Laporte [00:41:52]:
Well, he will make a mistake. He's probably more likely to make a mistake. I hope this message, though, is getting through to business leaders, to CEOs, to— they understand that, yeah, we're locking you down for a good reason.
Steve Gibson [00:42:08]:
Well, and arranging to send them a spoofed email that they fall for.
Leo Laporte [00:42:13]:
That's one way.
Steve Gibson [00:42:14]:
Would be like to say, well, look, it did happen to you. Yeah. So, so, so the, the, the point being, ask yourself what happens if any endpoint in the enterprise is malicious? Does it have too much privilege? And, and I understand the pain. I mean, the, the, just the, the additional overhead associated with really implementing a least privilege policy on an, on an endpoint by endpoint, node by node basis. It's not the default. It's not easy. As, as I said, the easiest thing to do is to get a switch and plug everybody in.
Steve Gibson [00:43:03]:
You need to segment, you need to think in terms of departmental level access, but what we always see is the bad guys get in somewhere and then they— Lateral movement. Lateral movement within the network.
Leo Laporte [00:43:19]:
We were talking the other day about a hack that somebody had set up, you know, like 90% zero trust, but there was a security camera that had just enough RAM and just enough processor to run an encryption routine, a malware routine. So they used that. That was the one thing that wasn't protected. Yeah. It seems like though, if you really implement true zero trust, that would be easier in the long run. The hard thing is the social thing, is explaining to your users that you superglued their USB ports.
Steve Gibson [00:43:53]:
It's not easy. Yeah. Or that if you want to log in, you have to jump through some hoops in order to do— you have to continually internally reauthenticate, prove that—
Leo Laporte [00:44:11]:
oh, God, we hate that, though. Yes. I'm sitting at breakfast with my wife. It's going to be hated. Google's making me log in again. But that's why, right?
Steve Gibson [00:44:21]:
That's what you have to do.
Leo Laporte [00:44:24]:
Right. Now, you worked on SQRL. You had an idea for a good authentication method that did not require a password. Is passkeys— that's part of it, right? Making it easy and still secure. Is it possible to have both?
Steve Gibson [00:44:40]:
It seems to me that where we're going to end up being is pervasive biometrics within the enterprise. Iris or fingerprint or face. Or a thumbprint on your keyboard or on your mouse.
Leo Laporte [00:44:57]:
Your Level 3 facility, your colo had that, right? You had to do a handprint.
Steve Gibson [00:45:01]:
Yeah, I had a hand geometry reader in order to get in. So the way I think this story ends is that in order to do anything, the user needs to continuously reauthenticate. And I don't mean anything, but I mean, like, you certainly, you need to create security perimeters and think this through. A lot of thought will have to be put into this, but it will be necessary for the person to constantly prove that they are them doing this.
Leo Laporte [00:45:41]:
But that's why passwordless is a step forward.
Steve Gibson [00:45:43]:
Well, and that's why biometrics.
Leo Laporte [00:45:45]:
And biometrics too.
Steve Gibson [00:45:47]:
I think because it is, if people are gonna get very used to putting their thumb on something. And it's not so hard. No, exactly, and that's where you get. Or Windows Hello. Like trade-off.
Leo Laporte [00:45:55]:
Yeah, the face recognition, it's a little easier. And it's as secure.
Steve Gibson [00:46:01]:
It's necessary because I think you, you need to have it demonstrated that this is an internal entity, an employee in the organization who wants to do something.
Leo Laporte [00:46:17]:
They should feel good about it because this is what we have to do.
Steve Gibson [00:46:21]:
And we made it easy for them. Just put your thumb on the keyboard in order to do it.
Leo Laporte [00:46:25]:
We only have 5 minutes left. What about, I mean, one thing that's really changed the landscape in so many ways, is AI?
Steve Gibson [00:46:35]:
We're so early in AI that I don't think we yet could guess what's going to happen.
Leo Laporte [00:46:42]:
I think that's a fair bet. Yeah.
Steve Gibson [00:46:44]:
I got a piece of feedback actually from one of our listeners last week that— and I'll probably mention it in our next podcast. It was an application of AI for watching, so it ran locally on their machine, and its job was to keep them out of trouble.
Leo Laporte [00:47:07]:
And I think that's brilliant.
TWiT.tv [00:47:08]:
That's a good idea.
Steve Gibson [00:47:09]:
I think it's brilliant. Yeah. I would, you and I could use an AI looking over our shoulder. Do you really wanna click that link? Exactly.
TWiT.tv [00:47:17]:
Yeah.
Leo Laporte [00:47:18]:
Because we're not— But that sounds a little bit like the nanny UAC, Windows UAC. Legacy kind of— people really resent that.
Steve Gibson [00:47:25]:
Except way more, way more intelligent.
Leo Laporte [00:47:27]:
So we're not talking Clippy.
Steve Gibson [00:47:28]:
Do we remember every time to look at the far right end of the URL to see what the TLD is?
Leo Laporte [00:47:35]:
We'd look at it mostly, but AI would always look.
Steve Gibson [00:47:37]:
It would always look, and it would see what the URL underneath the link that we're about to click, right? And neuter our clicking it, you know, with whoops, wait, and then up comes a dialog saying, wait a minute, you know, no, what you think you're clicking doesn't correspond to what this email is about. So I, you know, none of us want— well, most of us don't want Recall, you know, like, you know, recording everything we do with our machines.
Leo Laporte [00:48:04]:
Recall is funny because it was simultaneously too much and too little. Right. So it didn't go far enough and it went way too far.
Steve Gibson [00:48:11]:
But I love the idea where we have, where the way the world has evolved with the external pressures creating an economic incentive for bad guys to breach our security and suborn an employee without their knowledge, having, thus, you know, tricking them into making a mistake, having a local AI which is looking over their shoulder all the time. It's, it's not leaking information. It's not in the cloud. You don't have to worry about it from, from a privacy and security standpoint, watching what they do, you know, like keeping them from pasting something on their clipboard into the Run dialog and hitting enter because they don't really— they're following instructions. They don't know that's bad. And it says, whoops, hold on a second.
Leo Laporte [00:49:10]:
All the frontier models are now starting to add security modules to it. And I think, you know, at first I think people were a little nervous about this idea, thinking, well, even with vibe coding, that the AI may make security mistakes. And maybe early on it was. But you can also— I think you can train AIs not to do buffer overflows. Not to use, you know, strcpy when it could use strcpy. It can, it can look at the patterns that are of common mistakes and, and prevent you from doing those, right?
Steve Gibson [00:49:43]:
My feeling is we're also at the, at the early stages of— it's not perfect yet— AI coding.
Leo Laporte [00:49:50]:
Yeah, yeah.
Steve Gibson [00:49:51]:
The, I— anytime you take a general AI and say write some code, that's a bad idea. You're not doing nearly as good a job as when you have a specific coding AI that you, you know, gave birth to from scratch for that purpose. That's it. That's really gonna be something. We haven't seen that yet.
Leo Laporte [00:50:08]:
Yeah, we're getting there. Yeah, it's pretty amazing.
Steve Gibson [00:50:10]:
Oh, we got a long way. We're at the 1% point, really. I mean, we're, you know, if anyone were to ask 2 years ago, would we be where we are today? With AI. We would not have predicted this. Amazing.
Leo Laporte [00:50:27]:
And, and 2 years hence, who knows?
Steve Gibson [00:50:29]:
No, there's just no way to know. Yeah.
Leo Laporte [00:50:31]:
Um, this is why old guys like us are still excited about doing what we do, because—
Steve Gibson [00:50:35]:
but, but keep an eye, keep an eye out for, for agents that keep your, your employees from making mistakes. I think that's going to be a serious win.
Leo Laporte [00:50:46]:
Yeah, I like that idea. I hope you all will, uh, subscribe to Security Now. You'll find it on our website, twit.tv/sn, or in your favorite podcast app. We do it every Tuesday. Steve is a national, international treasure. We're very glad that he decided to keep doing it. For a while, he was making noises about stopping at his 999th episode, but we're now at 1,068, so that's the good news. Let's hope for another 1,000.
Leo Laporte [00:51:15]:
Thank you so much. We really appreciate it. I thank you, Steve, and we're gonna go to the cocktail party, and if you wanna get a selfie with Steve, we'll be there.
Steve Gibson [00:51:25]:
Or with Leo.
Leo Laporte [00:51:27]:
Well, I'll be behind him with the devil horns. Thank you so much. We really wanna thank ThreatLocker, our sponsors for this show, sponsors for the conference. I think they do an amazing job, and we're really happy to be partnered with them. I hope you have a great conference. See you later.