Security Now 926, Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for security Now. Steve Gibson is here coming up o wasp suggestions for things to watch out for when you're using artificial intelligence. Did the NSA and Apple work together to hack the Kremlin? Steve doesn't think so, but the story's quite interesting. And then we'll talk about the gigabyte mother Bard flaw that could affect hundreds of millions of people. Yep. Security now is next podcasts you love
Steve Gibson (00:00:28):
From people you trust. This is TWiT.
Leo Laporte (00:00:37):
This is a Security Now with Steve Gibson. Episode 926 recorded on Tuesday, June 6th, 2023. The Windows platform, binary Table
(00:00:50):
Security now is brought to you by Cisco Meraki. With employees working in different locations, providing a unified work experience seems as easy as burning cats. How do you reign in so many moving parts? The Meraki Cloud Managed Network. Learn how your organization can make hybrid work, work. Visit meraki.cisco.com/twit and by delete me, reduce enterprise risk by removing employee personal data from online sources. Protect your employees and your organization from threats ranging from doxing and harassment to social engineering and ransomware by going to join delete me.com/twi tv and by Thinkt Canary. Because thousands of ignored alerts help nobody get one alert that matters for 10% off and a 60 day money back guarantee. Go to canary.tools/twit and enter another code Twit. And Lee, how did you hear about his voice? It's time for security now. The show. We cover the latest security and the security news and how things work and laugh a little and love a little.
(00:02:03):
And no hugging Mr. Steve Gibson <laugh>. And why not, and why not, and why not? Steve? from grc.com longtime host of this show. Great to see you. And you know, I had an occasion to go back to 2015. We'll get to that in a, in a while, in one of I think it was episode 5 42 or something. And I was reading the transcript and I thought, you know, I am really glad that this has evolved into a script that I'm reading because I'm not good when it's with a just completely freeform. And I'm just like, oh, man. Is that how we used to do it? Where I would like just, you know, we would just gas about stuff. Well, just like all the other podcasts. Oh yeah. That you, yeah, that's true. Yeah. but, but, you know, but you guys are good.
(00:02:52):
I'm, I'm stumbling around and I'm, I'm like, my God. And Elaine had to transcribe this. I'm sorry, Elaine. Anyway we got a great one today. This one is titled Windows Platform Binary Table. And I loved your, your little quip earlier. But you know, like random words that you have to memorize to show that your brain is still functioning. It sounds a little bit like that, but we're gonna start off by answering a bunch of questions. What news from hp, what is Microsoft doing for Windows 11 that promises to break all sorts of network connections? What's O OSPs new top 10 list of worries about, did Apple help the NSA attack the Kremlin? And what crucially important revelation does this incident bring? What new hacking race has Google created and what misguided new US legislation will hopefully die before it gets off the ground?
(00:03:55):
What is Tour doing to protect itself from DOS attacks? How much are educational institutions investing in cybersecurity? And what can go wrong with civilian cameras in Ukraine? Are we seeing the rise of cyber mercenaries? And what is the Windows platform binary table? Why should we care? And can we turn it off? Ooh, please. Ooh. Well, I look forward to this episode of Person Woman man camera tv, but <laugh> and see, I remember them. I remember them. <Laugh>. That's good. And we do have another picture of the week. Oh boy. Which, and it's, it's one, it's the, it's one that we've seen many times now, but this one sort of pushes it over the top. So it, it, it, it made the grade mostly because of how way more than normally ridiculous It is <laugh>. So I haven't looked at it yet. I've now we have a new protocol.
(00:04:55):
I don't look at the picture of the week until, that's good. The actual time. So you can see my, my listeners can share your natural reaction. That's right. That's right. But first a word from our sponsors. The great folks at Cisco Meraki, the experts in cloud-based networking for hybrid work. Actually, that's something we're all doing these days, isn't it? Whether your employees are working at home at a cabin in the mountains on a lounge chair at the beach, that's where I want to be working. A cloud managed network can provide the same exceptional work experience no matter where they are. And I have to tell you, I know, you know, there's some, some leaders, some business leaders say, oh, I don't wanna do that. But, but you may as well roll out the welcome Matt Hybrid works here to stay. And you know what? Hybrid work works best in the cloud.
(00:05:45):
And it does have perks, yes, obviously for employees, but also from business leaders. Workers can move faster. They deliver better results cuz they're happy with a cloud managed network. They're all on the same page. They're all working together no matter where they are. Leaders can automate distributed operations, can build more sustainable workspaces when they do come to work. Right? And, and this is really important. They can proactively protect the network. Meraki commissioned a study from IDG marketplace, and this research report highlighted the top tier opportunities in supporting hybrid work. In fact, they found out that 78% of all C-suite executives say hybrid work is a priority for their businesses. Leaders want to drive collaboration forward, but they also wanna stay on top of or even boost productivity and security. Of course, hybrid work has its challenges. The report raised the red flag about security, knowing that 48% of leaders report cybersecurity threats as the number one obstacle to improving workforce experiences.
(00:06:51):
And I'm glad, frankly that they said that. That's why you need always on security monitoring. That's what makes part of what makes a cloud managed network so awesome. And how you gonna do it? You're gonna do it with Cisco Meraki. It can use apps from Meraki's, vast ecosystem of partners, turnkey solutions built to work seamlessly with a Meraki cloud platform for asset tracking, for location analytics. Really for almost everything you can gather insights onto how people are using their workspaces, right? When they come to work in a smart space. Environmental sensors can track activity, they can track occupancy, you can stay on top of cleanliness. You can have employees reserve workspaces, so you can do hot desking, which is really fantastic. That saves you resources. And it lets employees always find a place to work quickly. Locations in restricted environments, this is great, can be booked in advanced and can include time-based door access.
(00:07:51):
So that car key doesn't work until that employee is supposed to be right there. Mobile device management means you can integrate devices and systems so that it can manage, update, and troubleshoot company owned devices. Even if the device and employee are in a remote location. Of course, horse turn any space, any space into a place of productivity, empower your organization with the same exceptional experience. No matter where they work with Meraki, they add the Cisco suite of technology. It's, it's really sweet. It's the sweet spot. Learn how your organization can make hybrid work, work. Visit meraki.cisco.com/twi. M e r a k i meraki.cisco.com/twit. You know, we like remote work, hybrid work cuz we know they'll listen to podcasts on their, you know, <laugh> on their headphones while they're sitting at the beach working. Of course we like commuters too, cuz then they listen to the podcast back and forth.
(00:08:50):
So maybe we like both. It's hybrid. That's the whole idea. All right, Steve, I'm ready. My eyes blinders have been removed. This the picture of the week. I'm gonna scroll it up and then I'm gonna look over and see it. Are you ready? Here we go. The picture of the week, <laugh>. That is as bad as you can get. So, yeah, I, the, the reason now, so, so we are being, I, I have enough pictures of ridiculous gates. I bet in the middle I bet of like fields and things. Yep. That, you know, we'll have those for the end of time. And so, and, and I, and we've had so many of them recently that I thought, well, I'm not, you know, we're gonna back off on that theme a little bit. But this one just, it, it made it to the podcast because it goes the extra mile <laugh>.
(00:09:43):
It's, you know, it's, we, so we, we have this path, like, so some, some steps are going down in the foreground and there's a path cutting across them going at the distance. And there's this gate which has been placed on the path. And it's not just that it, there's their gate there, which of course you could just walk around because like Jewish, which way, wait, wait. It's probably a little more convenient to go on around it, onto the right because then because, because the hill gets a little steep descending to the left. It's, so that's how driving outta the gate, it's just a sign holder basically. It's <laugh>. It's, so the what what this thing has the audacity to say to somebody who is confronting it, is in, you know, red signage strictly no access. Oh no, absolutely not. No, no re really strictly none <laugh>, despite the fact that like, what, you could just walk around it.
(00:10:44):
It's, there's also, I I'm sure you noted this, there's a is that a power outlet or what is that? I mean, it seems like they maybe electrified the fence <laugh> <laugh> that that was my thought. Or, or that they're monitoring it in case somebody opens it and goes through, don't you dare <laugh>. That is the weirdest thing ever. And, and the only thing I could think was that they, they want that this was there so that if somebody was caught on the path behind the gate Yeah. They could say, well, we were warned. You were warned. No, strictly no access. Now I, anyway, I just, this was just, that's hysterical. A hoot. Yeah. Because it's like, you know, pushes this thing really over the top <laugh>, right? Not, you know, I mean, the gate being there would be enough, but no, you really, you, it doesn't matter how much you want to go down that path.
(00:11:36):
No, <laugh> can't. Okay. So I started off this week as I do every week, looking to see whether there was any good news for the tens of thousands of owners of HP office, jet nine 20 E series inkjet printers, which were all bricked as we know that Monday morning now four weeks and a day ago. Again, total silence from HP against that backdrop. The first two headlines that popped up in my search yesterday for any updated news were stories initially published when this news was fresh. HP rushes to fix bricked printers after faulty firmware update and HP races to fix faulty firmware update that bricked printers. So we have rushing and racing both of those, and many similar headlines certainly made sense at the time, but they're not aging well despite what we hope and assume from hp. Their response even after now, more than a month, has been a big zero.
(00:12:46):
So, boy, I <laugh>. I don't, I, yeah. Wow. Just, it's crazy. And this, again, this wasn't a small event. This didn't happen to a few people. This was global. And I refer to it a little bit later in the show. Okay, so Microsoft has announced that future versions of Windows 11 will require all S M B as in server message blocks, messages to be cryptographically signed regardless of the message type. Now, that's a rather significant change, and it's gonna be interesting to see what it breaks. You know, SMB is commonly known. It's, it's the protocol that many things in Windows now use. Notably Windows file and printer sharing runs on top of server message blocks. The requirement for cryptographic signing is different from, and a further extension of Microsoft's policy of stepping away from the oldest versions of this aging and sadly, troubled protocol.
(00:14:02):
Just over a year ago, Microsoft announced their related intention to remove all S M B version one support from Windows 11. Back then, at that time, Ned Pile, the microsofty, who was making this announcement into Microsoft's tech community, he wrote, I had to save this behavior for last. It's going to cause consumer pain among folks who are still running very old equipment, a group that's the least likely to understand why their new Windows 11 laptop cannot connect to their old networked hard drive. He said, I'll spread the word throughout consumer channels as best I can. I hope you can help me with friends and family who rely on you for technical expertise. Okay, so Microsoft is, you know, changing things and they feel that they need to, there are currently three major versions of SMB one, two, and three. And actually I think it's 3.1, 0.1 currently, and by default, windows 10 has always disabled support for the original SMB version one due to its total lack of security.
(00:15:22):
But the code to support both the client and the server roles has remained present in Windows 10. Remember that SMB version one was present in the MS Doss Windows for work groups add-on, which allowed DOS machines, which were still very much in use in the early days of Windows to participate as to participate as either clients or servers on a Windows land. Since my own work on spin, right, 61 is still DOS based and DOS only knows about the original SM B V one. I was hugely relieved to find that support for version one could be enabled under Windows 10. That's what I've been using to network my Doss machines. It's allowed me to write and assemble spin rights code on a Windows 10 workstation, then give the Doss machine access to that Windows 10 shared directory, which contains spin rights source and executables so that I'm able to do native source level debugging under Doss.
(00:16:31):
Last year, Microsoft took this further by removing the binaries for SMB version one from at least some of Windows 11. So, you know, you, it was disabled under Windows 10, but you could go, you know, under that it's under control panel oh. It's Windows features where you're able to like, turn things on and off. Like, like for example a web server, you're able to say, yeah, I'd like to have an i i s web server on my WIN Windows workstation and turn it on. And it sort of adds that to Windows. So that's where this SMB version one Steph is in Windows 10 that you can still turn on Microsoft is, you know, needing to keep moving things forward. So they've decided that you're not even gonna be able to do that in the future. And apparently this still breaks things.
(00:17:26):
So that is removing SMB V one, so users of the higher end additions even of Windows 11 will be able to use an unsupported binary from Microsoft To add this back, I'm just telling everybody, so in case you this happens to you and for some reason you still need version one. You know, there are things like, I think the, the version of the Sonos software that I had wasn't able to operate unless it had version one. So then there were instructions for go, how, how to go turn that on. But anyway, this next announcement will be interesting and it's likely to create further issues for ne for connectivity with devices that cannot or do not support S M B message signing because that's the news of the week. And that makes me suspect that this signing requirement is also likely to be somewhat soft and probably can be overwritten because, you know, Microsoft's just, they're really reluctant to break things that have happened before.
(00:18:30):
So last Friday, that same guy, Ned Pile, who a year ago said when I first quoted last Friday, he said, Hey ya folks, Ned here again, beginning in Windows 11, insider preview build 25 3 81, the Canary release enterprise editions. SM B signing is now required by default for all connections. This changes legacy behavior where Windows 10 and 11 required s b signing by default only when connecting to share to share's named sisal and net log on, and where active directory domain controllers required SMB signing when any client connected to them. So, SMB signing is a simple but a useful security measure that's been around since, actually, believe it or not, windows 9 98 had it and Windows 2000 over on the NT platform, but it's never been forcibly enabled by default because the signing overhead, it adds to every single message, used to be too much without signing, nothing detects or prevents the alteration or spoofing of SMB messages.
(00:19:53):
There's no security in them otherwise. So signing protects against N T L M, you know, n t land manager relay attacks, which have been a constant thorn in Microsoft's SMB implementation. So signing is definitely a good thing, but as always, moving into the future for the sake of security also means removing some of the past, which is always somewhat painful. I'm mentioning all this as a heads up since there's a very good chance that this next move by Windows 11 and it sounds like it may be only enterprise editions, so it may not be affecting pro users and home users, which is probably a good thing. But it, even at the enterprise, it could break some things that our listeners are using, you know, things that either don't currently have SMB signing enabled or maybe don't support SMB message signing at all. So there <laugh> O OSP is the O W A S P, the Open Web Application Security Project, and it has for the past 20 years, since 2003, maintained the often quoted O OSP top 10 list of the most worrisome web application vulnerabilities.
(00:21:18):
And I have a special warm spot for O osp since it was several European chapters of O osp who hosted my trip to Europe once squirrel was com completed to give me the opportunity to introduce it to their members in person, which I really appreciated. We're talking about this today because O OSP has announced their work on a completely different list. It is the O OSP top 10 for large language model applications, which is interesting that they're, they've decided, okay, there's enough issues with L L M stuff that they're gonna start tracking and maintaining a, a similar top 10 list of things to be careful about. So they, in their announcement, they said the O OSP top 10 for large language model applications, project aims to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing large language models.
(00:22:28):
The project provides a list of the top 10 most critical vulnerabilities, and actually it's vulnerability classes often seen in L M L L M applications highlighting their potential impact, ease of exploitation and prevalence in real world applications. Examples of vulnerabilities include prompt injections, data leakage, inadequate sandboxing, and unauthorized code execution among others. The goal is to raise awareness of these vulnerabilities. Again, vulnerability classes suggest remediation strategies and ultimately improve the security posture of L L M applications. They said the following is a draft list of important vulnerability types for artificial intelligence applications built on large language models. So we've got 10 itemized problems or classes. The first is prompt injections, prompt injections, bypass filters. They write or manipulate the L L M using carefully crafted prompts that make the model ignore previous instructions or perform unintended actions. And we have already seen applications of that.
(00:23:51):
Number two, data leakage accidentally revealing sensitive information, proprietary algorithms or other confidential details through l l m resources or responses. Number three, inadequate sandboxing failing to properly isolate large language models when they have access to external resources or sensitive systems allowing for potential exploitation and unauthorized access. Fourth, unauthorized code execution exploiting LLMs to execute malicious code commands or actions on the underlying system through natural language prompts. S S R F, you know, server side request forgery vulnerabilities exploiting LLMs to perform unintended requests or access restricted resources such as internal services, APIs or data stores. Number six, overreliance on L L M generated content. Excessive dependence on L L M generated content without human oversight can result in harmful consequences. You're right, seven, inadequate AI alignment. They said, failing to ensure that the ll m's objectives and behavior align with the intended use case leading to undesired consequences or vulnerabilities.
(00:25:15):
Number eight, insufficient access controls not properly implementing access controls or au or authentication, allowing unauthorized users to interact with the L L M and potentially exploit vulnerabilities. Nine, improper error handling, exposing error messages for debugging information that could reveal sensitive information system details or potential attack vectors. And finally, 10 training data poisoning maliciously manipulating training data or fine tuning procedures to introduce vulnerabilities or back doors into the large language model. Okay, so some of these are old and generic, like unauthorized code execution, you know, that's not something anyone is gonna want, you know, except bad guys. And similarly, data leakage, inadequate sandboxing, server side request forgeries, insufficient access controls or improper error handling. You know, those are like, yeah, right, sort of common generic classes of problems. But those common problems are on this list because this is a new context and there might be some tendency to let those slip by thinking that those old rules no longer apply.
(00:26:34):
So I agree that it's certainly worth reinforcing and remembering to think specifically about some of those oldies but goodies, there's a reason they become so well known and they never quite disappear. And then we have a handful of new problems that are quite specific to this application class. Prompt injection is a new one that, that didn't exist before. We had, you know, conversational you know, chat bots that, that, you know, where, where we've quickly learned that you could lead them astray, you could get them to do things that, you know, they weren't wanting to do. In our very, one of our very first conversations about this <laugh>, we were talking about how some bad guys managed to make a 1, 1 1, 1 of the early Chad GPTs do something. And it sounded like they did it just by like, like asking more and getting mad at it.
(00:27:32):
And finally it said, yeah. Oh, oh, oh, yeah, okay, I'll, I'll give you what you need. So, you know, there's that. We have overreliance on L L M generated content, which has, we have seen examples. We talked about one, remember I I guess it was here, or maybe it was just, you know other twit podcasts where an, an attorney used chat G P T to generate a complete legal brief citing cases, which were fictitious. It just made them up. So, yeah. Overreliance on L L M generator content, we've got inadequate AI alignment and training data poisoning. So in addition to all the usual suspects, we also have a few new worries that we've never had before. The original O OSP top 10 has for 20 years been a useful benchmark against which many projects have been measured and just checked, if nothing else, coders of any stripe you know, back then and for the last 20 years have been able to use it to double check that they hadn't overlooked o overlooked some obvious things.
(00:28:39):
I expect that this L l M specific top 10 list will serve a similar role. You know, someone should create one O OSP is at work doing so, and I think they said that they're at 0.1 at this point, so not yet ready for primetime, but they have announced that they're gonna be working on this. It looks pretty good. I mean, I would agree with every single one of those. They, they all look pretty accurate. Yeah. Yeah. And, and, you know, it's so easy just to deploy these things without giving sufficient thought to like things that you should give sufficient thought to. Yeah. So, yeah. Good, good to have it. Okay. Now this is a two-parter, and this ended up with something really interesting, an observation that we're making for the first time anywhere, and it's, I think, very important. So we start off with what led me into this, which was the question, did Apple help the NSA attack the Kremlin?
(00:29:45):
It should have been given the subheading. Why does anyone take anything Russia says with even a grain of salt? Now I was unable to read the original, I've got the link of the show notes, but it's, you know, it's H http, right? Because Russia doesn't believe in s colon slash slash and then www dot FSB dou, and the rest is in Russian. So I, and it didn't seem worth bothering to get it translated because I was able to use the translation from the risky business newsletter. So I'm gonna rely on that. And here's what risky business explained. Russia's FSB intelligence service claims to have uncovered a US intelligence operation that hacked the Apple smartphones of diplomatic missions and embassies in Russia. The operation allegedly targeted thousands of devices, including the devices of Russian citizens and diplomatic representatives from NATO countries, the post-Soviet block, Israel, China, and South Africa.
(00:30:58):
The exploits I'm sorry, the act, the attacks exploited a vulnerability in Apple smartphones. The F S B attributed the hacks to the US National Security Agency and claimed Apple cooperated with the NSA for the attacks. And actually, it was that allegation that caught my attention since, well, that would be huge if it turned out to be true, which seems unlikely in the extreme to me, given everything we know about Apple, and fortunately the country that we still live in. Anyway, the risky business continues saying the Russian cybersecurity firm, Caspers Ski says the same attacks which the company tracks as Operation Triangulation also targeted its employees kaki. They found compromised devices as far back as 2019 and said that the attacks are still ongoing according to Caspers Ski and to a technical report released by FSBs National Coordination Center for Computer Incidents. The attacks involve a, an iOS zero click exploit delivered as a file attachment via iMessage.
(00:32:24):
The attachment executes without user interaction as soon as it arrives on a device and starts downloading additional files. Casper Ski described the final payload as a fully featured a p t, you know, advanced persistent threat platform. Unlike the fsb, Kaspersky did not link the activity to the NSA or any other a p t group and could not say if the attacks targeted in other organizations. News of the attacks came after in March, the Kremlin's security team instructed their presidential staff to dump their iPhones by April 1st, 2023 coincidentally April Fools Day. And we talked about that that Kremlin activity. At the time on the podcast, employees of the Kremlin were told to get an Android device, either from a Chinese vendor or one running. Ross Telecom's, Aurora Os Kremlin officials cited security considerations for their decision claiming iPhones were more susceptible to hacking and espionage by Western experts compared to other smartphones, which is not supported by any evidence.
(00:33:44):
We've seen Russian officials asked the prosecutor General's office to start a formal investigation into Apple employees and US intelligence officials. Okay? Right. Okay. And unsurprisingly, in an email that the Risky Business Newsletter received after its initial publication of this news, apple formally denied the FSBs accusations writing quote. We have never worked with any government to insert a backdoor into any Apple product, and we never will. And as I said earlier, given the entire history of Apple's actions and the design of their devices, which we have often examined as closely as we could, I certainly believe Apple's assertion far more than the Kremlin and the fsb who we catch frequently spewing state-sponsored propaganda. Okay, now that said, if Caspers Ski first saw this attack as early as 2019, assuming that the same zero click exploit was in use, then as in use now, that would suggest that an exploit has remained undiscovered for the past four years.
(00:35:01):
So I was interested in additional details and something that, you know, an actual security firm did in terms of research. So I tracked down Casper's thoughts about this. They wrote, while monitoring the network traffic of our own corporate wifi network dedicated for mobile devices using the Casper Ski United Monitoring and Analysis platform, which they call Kuma, K U M A, we noticed suspicious activity that originated from several iOS io iOS based phones, since it is impossible to inspect modern iOS devices from the inside. We created offline backups of the devices in question, inspected them using the mobile verification toolkits, and discovered traces of compromise. We are calling this campaign Operation Triangulation, and all the related information we have on it will be collected on the Operation Triangulation page. If you have any additional details to share, please contact us as at triangulation@caspersski.com. Mobile device backups they wrote contain a partial copy of the file system, including some of the user data and service databases, the timestamps of the files folders, and the database records allow the rough reconstruction of the events happening to the device.
(00:36:39):
The M V T hyphen iOS utility produces assorted timeline of events into a file called timeline dot csv, similar to a super timeline used by conventional digital forensic tools. Using this timeline, we were able to identify specific artifacts that indicate the compromise. This allowed us to move the research forward and to reconstruct the general infection sequence. One, the target iOS device receives a message via the iMessage service with an attachment containing an exploit. Two, without any user interaction, the message triggers a vulnerability that leads to code execution. A zero click the yes. Third, the code within the exploit downloads several subsequent stages from the command and control server that include additional exploits for privilege escalation. Fourth, after successful exploitation, a final payload, a fully featured a p t platform, is downloaded from the command and control server. And fourth, both the initial message and the exploit in the attachment are deleted.
(00:38:11):
They said finishing the malicious tool set does not support persistence, most likely due to the limitations of the os or actually the, you know, the strength of any, you know, the, the protections of the, that, that iOS is giving us. So it is, it's living in ram, no persistence. The timelines of multiple devices indicate that they may be reinfected after rebooting The oldest traces of infection that we discovered happened in 2019. Okay? Now, so that's a correction to what my pres I initial presumption was. I I had presumed they first saw this in 2019. No, they, in looking back at forensic evidence that they, that were, that was being collected, the early, the oldest traces of the infection they discovered in their records occurred in 2019. As of the time of, as of the time of writing, they said in June, 2023. So that's, you know, now the attack is ongoing.
(00:39:20):
And the most recent version of the devices successfully targeted is iOS 15.7. So also current iOS, the analysis of, well, almost current, the analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plug-in modules from the command and control server. Okay? So one of the things that gives this apparently long-running attack campaign, so much power and longevity is, as Kaspersky wrote quote, it is impossible to inspect modern iOS devices from the inside. So we created offline backups of the devices in question to that observation. We add the fact that this exploit fully covers its own tracks by deleting the exploitive attachment and the original attachment carrying iMessage. Now add to that the fact that iMessage is end-to-end encrypted using private decryption keys that are only present in each of the endpoint devices, secure enclaves, and that these attacks are all individually targeted at their victims.
(00:40:52):
That means that communications, traffic monitoring cannot be used since all anyone on the outside like Caspers Ski, who wishes they could see what was going on, will ever see is pseudo random noise flowing back and forth, taken together. What all this means from a practical forensics and remediation standpoint is that this thing can never be caught. And that brings up an interesting point that has never been observed during the 17 plus years of this podcast, which is to the same degree that Apple's seriously super strong security is protecting the privacy of its users. It is equally protecting the privacy of exploits like this from discovery. Now, as we know, the Pegasus exploits are left behind in their target's. Phones to later be discovered, reverse engineered, patched, eliminated and rendered Aer. But even as skilled, a forensics team as Caspers Ski can only observe an historical log of file modifications made by iPhone backups that indicate that something may have been happening to them and like, and is happening now and for the past four years with no idea by whom or to what end.
(00:42:33):
And no one Caspers ski or anyone else can take this any farther. So I'll reiterate, since it seems like an important observation to exactly the same degree that apple's seriously super strong security is protecting the privacy of its users. It is equally protecting the privacy of exploits like this one from ever being discovered and eliminated. You know, it's funny, I saw that same sentence. When I read the story days ago, I didn't put, you know, I didn't put a two and two together. It's an interesting problem though, but I mean, you want them to have encrypted backups, right? Oh, yeah. I'm not saying that this is bad, it's not a bad thing, but it does prevent the discovery of the providence. Yes. We're removing it. And so yeah, the, the, the difference here is that this thing can delete itself and apparently the Pegasus exploits don't have that ability, or they certainly would.
(00:43:38):
Right? You know, they get left behind and then we can figure out who got attacked and, and what the attack was and what the exploit is, and we reverse engineer it. And Apple gives us an emergency iOS update so that none of us can have that happen to us, even though it's unlikely to, cause it's targeted. This thing is four years in duration. And I, it's like someone's got it. Someone's using it, right? And iOS is protecting it. Now, if the victim unlocked the phone for the forensic analysis, couldn't that make it possible or No, the whole thing happens while the phone, if it's gone already, there's nothing you could do, right? Yeah. Right. It's received, executes, downloads some stuff. Erases itself immediately deletes itself, which is, by the way, a tale is all as time. I mean, that's what hackers have always done is erase their tracks.
(00:44:34):
Right? You immediate, you immediately remove your, your own intervention from the logs. Right. And, you know, in, in, in classic you know computer attacks, right? Right. But anyway, so something is out there and that's scary <laugh> it, it is. That's, yeah. And it can go and get anybody it wants is what this amounts to. Anybody whose, whose phone or iOS account is known can receive an iMessage and a blink of an I, this thing is in and out and leaves behind a running advanced persistent threat alive in their phone until it's restarted that has, has apparently free reign. Apple could implement some form of logging that would make note of this and not be addressable by the hack. I would think. Yeah, I would think that's true. Yeah. Some sort of cis log that is, you know encrypted and protected.
(00:45:33):
Maybe they should, I mean, that would solve it, right? Or maybe I mean, so do they know about this? It's been going on well, four years. Yeah. I mean, they, they know now. Oh, you're thinking that's, oh, you're thinking as Russia is asserting that they do know about this and they're intentionally No, no, no. I still believe, I mean, it's, apple wouldn't do that. It's 10. It, I don't think they would. No, I I I know they wouldn't. Everything we know about them says that they, sorry. No, and nsa, you're gonna have to find your own way in. And I'm, they're not gonna help the fbi. They're not gonna help the KGB <laugh>. Now, the way this might go away is by, is just naturally there could be a re you know, a a, some new features added to iMessage in iOS 17.
(00:46:21):
Right. That just happened to fix it. The Yes, exactly. It, it, they, they, they do a recompile or they reimplement it and it breaks the thing that they were using for so long, right? On the other hand, how many ioss have we had over the last four years? And this thing apparently has stuck around across multiple iOS, right? You know, major version changes. And when it's, you know, often in messages or the browser that you find these exploits, cuz they have rendering engines that are basically code engines, right? We've talked about that before, right? It seems like every operating system should have some sort of forensic log that is you know, permanent and unmodified, immutable, immutable forensic log. But maybe that's too much to ask. I don't know. You know, it certainly would be a burden on resources. That's interesting. Now these things have so much ram now it's like, yeah, we got some resources.
(00:47:16):
<Laugh>. I think my phone, frankly is barely in use. I mean, it's just sitting there, wait for me to do something. You know, it, it may be the, the targeted nature of it, the fact that it deletes itself. You know, I, and like what, you know, you know, and so Apple just doesn't have, you know, the opportunity to get their hands on this or I don't know, in really, in really, really in interesting though. And Leo, I think we should take a break. Sure. Let, let's take our second break. Sure. And then we're gonna talk about the trifecta jackpot that Google has created. Well, if, if you're talking about that, I'm gonna talk about deleting things. How about that? I'm gonna talk about delete me <laugh> security now is brought to you by delete me. You know, don't delete me, but delete my, maybe you want to go around to those data brokers and delete their records about you.
(00:48:10):
Right? Certainly as an individual, this is a good thing. I've done this. Lisa's used delete me to do this. But it's really an issue for businesses. If you want to protect the company, the, the data inside the company's network, the first step is securing your executive and employee data outside the network. Why? Well, if you listen to the show, you know, that's where phishing attacks start, right? They start by rooting out information about your company. You know, a hierarchy about the bosses addresses and phone numbers, and the employees addresses and phone numbers, and they go to work on those. Delete me is specifically designed for enterprise. It's delete me for business. Makes it simple to remove executive and employee personal data available on the open web. I mean, you know, we, we all wanna do this just for ourselves. It's really important for a company, bad actors, you know, start with these publicly available databases as they begin their social engineering attacks.
(00:49:13):
And this data has floating around data brokers. It's all over the place. Legally, openly, the data is being effectively weaponized against executives and employees in ways that you as a security professional may be overlooking it. It enables access to employee accounts. It enables phishing attacks. You gotta pay attention to access to the employee's personal data, not inside the network, but out there in the real world. Vulnerable data leads to harm. We know that doxing harassment, social engineering, ransomware attacks increase with every volatile moment. And who's being impacted by this? Exposed data Executives Board members. Yeah, they're targeted. They're harassed online by cyber criminals and ex-employees who use their family's personal data to get to them. They've attacked our kids. Where do they get that data? Well, you guess, just take a wild guess. Executives have a 30% higher pi i exposure risk than the average bear because their target rich environments, public facing employees may have their home addresses, their affiliations, their everything exposed online by angry customers and other bad actors.
(00:50:27):
That's happened to us too. <Laugh>, individual contributors, personal email addresses and mobile numbers are used to socially engineer their way into enterprise systems. So why do you use Delete Me? Because delete me one word, delete me. Actively monitors for and removes. So it's not just the initial removal. They keep an eye out on personally identifiable information for you, your employees, your executives to reduce enterprise risk, proce, protect yourself, protect your employees, reduce risk with, delete me. Five easy steps. One, employees, executives, and board members, they're sent a link. They do a quick signup, and by the way, you let 'em know ahead of time, right? So it's not, it's not a phishing mail. Delete me then once they get that information, scans for exposed personal information and delete me will on your behalf execute optout and removal requests. Now there, this is, I've done this by hand manually. It's hard. There are a lot of sites. You're gonna miss stuff, delete me, noses 'em all and has it all down. They, that's is what they do. Then they will share an initial privacy report with you and ongoing reporting and investigation will be initiated because they're gonna do delete. Me's gonna provide continuous privacy protection and service all year.
(00:51:44):
I wish we didn't need this, but because we do, I'm glad Delete Me exists. And as I said, we have used it and we recommend it Protect your employees. We did that. And your organization, we did that by removing their personal data from online sources. Visit join delete me.com/twit tv. Okay. Please use that address. I want them to know you saw it here. They're brand new sponsor. We, you know, we've been using 'em for a long time. Join delete me.com/twit tv. This is a new reason. Delete, to delete personal data. It's not just privacy, it's really a security issue. And especially for businesses join delete me.com/twi tv. We thank 'em so much for their sport of security. Now, another vector who even, you know, thought about it, <laugh>. Yeah, it's incredible. Okay, Steve, back to you. So last Thursday, Google announced what they called their Chrome browser Full Chain Exploit bonus program.
(00:52:47):
Woo-Hoo. That sounds good. Yeah. Yeah, it's a bonus. Here's what they say that they said For 13 years, a key pillar of the Chrome security ecosystem has included encouraging security researchers to find security vulnerabilities in Chrome browser and report them to us through the Chrome Vulnerability Rewards program. You know, the, the Chrome V R P starting today, that was last Thursday, June 1st until December 1st, the first security bug report we receive, which provides a functional full chain exploit resulting in a Chrome sandbox escape, is eligible for triple the normal full reward amount. Woohoo. Yeah. Your full chain exploit could result in a reward up to $180,000 Yikes. And pot and potentially more with other bonuses. And because they didn't want people to stop after the first one or to be discouraged, and they said any subsequent full chains submitted during this time are eligible for double the full reward amount.
(00:53:58):
So $120,000 each. So essentially Google's creating an extra incentive race among bug hunters. Anything found before this coming December yields any, anything found yields double the normal bounty. And the first person to supply an unknown exploit is rewarded their for their trouble with triple the normal payment. So they said we've historically put a premium on reports with exploits, they call them high quality reports with a functional exploit is the highest tier of reward amounts in our vulnerability rewards program. Over the years, the threat model of Chrome browser has evolved as features have matured and new features and new mitigations, such as the Miracle Pointer have been introduced. Given these evolutions, we are always interested in the explorations of new and novel approaches to fully exploit Chrome browser. And we wanna provide opportunities to better incentivize this type of research. These exploits provide us valuable insight into the potential attack vectors for exploiting Chrome, and allow us to identify strategies for better hardening specific Chrome features and ideas for fu future full scale mitigation strategies.
(00:55:22):
So, you know, 180 grand, that's not chicken scratch. And if you're, you know, a competent reverse engineer, hacker researcher person, there's an extra year's worth of income for you in however long it takes you to, to find something. If you can be first and even if not as long as what you find is unique, 120 grand. So anyway, I've got the a link in the show notes with the, the full partition, the participation <laugh> precipitate Wow. Participation details for anyone who might be interested. Okay. Oh boy. Huh, exactly. One week ago, last Tuesday, three quite conservative senators who belonged to the Republican party introduced their Know Your App Act. Their announcement carries the headline Wicker Scott Langford introduce Bill to increase transparency and of course, better protect the children online. The announcement of this new legislation begins Washington US Senators, Roger Wicker, Tim Scott and James Langford introduced the Know Your App Act.
(00:56:45):
The bill would require online app stores to display the country where apps are developed and owned. So this is, I suppose, the natural follow on from all the controversies surrounding TikTok. You know, once it became clear to them that TikTok was not a breath mint they then go on to explain this new proposed legislation's intent, starting with the quotes from each of the three senators. Roger Wicker leads with his quote, quote, our adversaries will exploit every available tool, including popular apps that gather huge amounts of data on Americans to gain an advantage over the United States. It is crucial for users to take steps to limit their exposure and be made aware of the risks associated with using foreign controlled apps. The, ah, I know the, it gets worse, Leo, the Know Your App Act would bling bling would bring <laugh> much needed transparency to app stores empowering Americans to safeguard their families from exploitation, you know, from the Kami bastards.
(00:58:00):
Wow. Then we hear from Tim Scott. Americans should be able to make informed decisions about the online services they use in order to protect their data and security. Requiring app stores to display an app's country of origin is a common sense solution that can help them do just that. Parents shouldn't fear that their family's online privacy and security could be compromised when unknowingly using an app owned by a foreign adversary. And finally, <laugh> James Langford adds Seeing Made in China on nearly any product nowadays is frustrating to Oklahomans. He's a, a Republican senator from Oklahoma, frustrating to Oklahomans, trying their best not to prop up the Chinese Communist Party and Chinese government with their hard-earned money. We already see the ways the TikTok app is a dangerous extension of the CCP that is collecting every user's personal data and all of their contacts. I want the made in China label <laugh> and labels for any other countries where, where apps like TikTok originate to be clearly marked when and where they are downloaded.
(00:59:27):
Americans should remain free to buy items from wherever they want. I know, but the, but the least big tech can do is label where Americans money is. These are all free, by the way, is going when they download in the app store, unquote. Okay. Now aren't all iPhones and iPads made in China and pretty mu pretty much I anything Yeah. Also made in China. Yeah. As well as, although they by law, they do have to put on it made in China and anything made in China by law has to be labeled that way. So Yep. The problem is software development's not like manufacturer. Most programs are written all over the world by a variety of teams, right? Yeah. You know, and the guts of our cars. Oh yeah. You know, like it's why that covid related Chinese chip shortage messed up us and forward automobile manufacturer and jacked up the cost of used cars that already had all their chips, you know, built in.
(01:00:33):
So but, but it's worse. The legislative announcement continues with as of March 20, 23, 4 of the five most popular apps in the us. This is the, the proposed legislation from last Tuesday, four of the five most popular apps in the US were developed in China. This is particularly concerning, given that China's national security laws provide a pathway for the Chinese Communist Party to compel application developers to control an application's content or user data. The Know Your App Act responds to this risk by requiring online app stores to display prominently the country where apps are developed and owned, allowing users to make informed decisions about the applications they access. And then it gets worse. The bill also requires the US Department of Treasury and US Department of Commerce to produce a list of adversarial governments that may have undue control over application content moderation, algorithm design, or user data transfers.
(01:01:51):
App stores would be required to provide users the ability to filter out applications from the identified adversarial countries and get this worn users about the risk of downloading one of the foreign applications on these lists. If a developer fails to provide sufficient information to the app store about its country affiliation, the app store would be required to issue multiple warnings over a designated period. If the developer still refused to comply, the app store would be required to remove the app from its store, says the party that doesn't want the government to be involved in, you know, stuff. I mean, this is minor. I guess it's possible and, you know, it's certainly not a hardship, I would guess, but, well, yeah, I mean, it's just, that's, it's meaningless. It's not gonna change anything. Right? So products, as we know, as you said, Leo, are routinely marked with their country of origin.
(01:02:59):
So that's not any new big deal. But here we're implicitly saying that any applications made in China are inherently dangerous. Right. For that reason, which is what really feels wrong to me, and it's not gonna work anyway. If somebody wants teu, TikTok cap cut or sh sheen, those are the top four of five. Meta's thing I'm blanking on right now. Is the fourth of the top five Instagram that that rounds out the top five? You know, if they want those apps, that's what they're gonna download. You know, no one who needs to use these apps from their in for their intended purpose is gonna care where they came from. And the idea of requiring an app store to caution and warn a user that an app was developed in China, you know, with an are you sure before it can be downloaded?
(01:04:01):
Seems to me really unfair. You know, perhaps I'll be proven wrong in time, but today this seems, you know, really over the top, you know, increasing the tension and division between two of the world's superpowers doesn't seem like a winning strategy, you know, for anyone Wow. Made in China for apps. Hmm. Okay. The tour project is testing a new denial of service mitigation feature for their network, where servers will require their connecting clients to solve a puzzle to access its resources. So, you know, it's basically a capture right now. It won't normally be enabled, but it will become active when a server is being overloaded with bogus attack requests. The idea is to allow authentic users to connect to a tour service while weeding out automated DDoS attacks, which in recent times have become a big problem for tour servers. The new feature is currently being tested in the Tour Alpha software and is expected to roll out to most tour nodes later this year. Work on the feature started last year after tour node operators reported DDoS attacks against their infrastructure and, you know, probably, you know hacker kitties who are attacking nodes because they don't like, you know, what some other hackers are able to do there, you know, like, you know competing something as a service, you know, fill in the blank, you know, malwares a service hacking as a service, you know, anything as a service stuff. So fine.
(01:05:51):
When I caught this recent news of a just published survey, it helped to resolve the mystery surrounding why was it that so many school districts were failing and falling to ransomware attacks. Get a load of this according to a study published by the Consortium for School Networking Professional Association of School Systems Technology Providers, fully two out of every three school districts, and this is districts, not just individual schools. Two out of three districts do not employ the full-time services of someone specializing in cybersecurity districts. And one in eight districts don't even allocate any funds for cybersecurity defense whatsoever. So to me, in this day and age, that's unconscionable and astonishing. Think of the challenge that they're facing. Large enterprises have it tough enough where they're servicing employees on their networks who are at least trying to do the right thing by not clicking on everything they receive in email.
(01:07:10):
But a school district of any appreciable size would be an insanely complex network to secure, especially given that the interior of its network is filled to the brim with rambunctious children and teenagers, half of whom are probably attempting to hack their school's network from the inside. I just can't imagine how you secure a school district's network. You know? And as an aside, I'll just note that it's a very good thing in bold capitals that the internet didn't happen while I well, was there that it didn't happen until after I'd already attended high school's. Actually, my high school's 10th reunion as it was, remember I told a story of the portable Don Killer Adventure that had the school district's technicians climbing around in the rafters trying to locate the source of the near ultrasonic sounds that everyone was hearing that day. And I, I, I mentioned at the end of the story that Vice princ, vice principal Archibald, knew me on site <laugh> when, when he faked, when he remember when he, he faked me out by suddenly spinning around after he was deliberately walking away.
(01:08:35):
And then he pointed at me, you know, and now I don't recall whether I mentioned <laugh>, that, that one of the many reasons that Vice Principal Archibald knew me by name mm-hmm. <Affirmative> was, was because at one point I was caught holding a copy of the Master janitor's Grand Master key to the entire San Mateo Union High School District, which unlocked every single school door district wide, so, oh boy. Yeah, they knew my name. So I shuder to think what would've happened had I been been there once the school was networked, because boy, that would've been, that would've been a lot of fun. Oh man. You would've had a fun time. Oh yeah. Anyway. Wow. So the idea that, that today so little attention is being paid to cybersecurity in two out of every three school districts. Well, that, that's just nuts. That's, I mean, they, I don't wanna say they deserve what they're getting.
(01:09:40):
Nobody deserves ransomware attacks and having ever all your servers scrambled and encrypted, but boy, you know, really, I hope may maybe <laugh> maybe the message is finally sinking in. Okay. Now, normally innocuous civilian security cameras can be trouble. It turns out in times of conflict, the Ukrainian Security Service, the s u probably security service for Ukraine, has asked its citizens to please disconnect any security cameras they may have, which are aimed at public spaces. The SSU says Russia is exploiting vulnerabilities in modern security cameras to access those cameras feeds, and they have proof that Russia is using these feeds to time their launching of missile attacks and to adjust attack targeting in real time. After the SSU sent s m s messages to all Ukrainian citizens carrying this request, last week, several Russian military bloggers suggested that the agency may be trying to mask the movement of its own troops. That is Ukrainian troops leading up to its impending Russian counter offensive. And there may be some truth to that too. But in any event, wow, talk about unintended side effects of, you know, otherwise innocent cameras that may be looking out into public areas and may not be as secure as people would hope they were.
(01:11:32):
We've recently been looking at the NSO group with their Pegasus smartphone, malware, and other malware for higher groups. One of the worries surrounding the availability of off-the-shelf spyware tooling is that those who could never manage to do this themselves now only need money to purchase what they want, thus empowering them. A similar set of services has been emerging over the past several years, which, for lack of any better term, we might call cyber mercenaries. You know, hackers for hire. Exactly. Three years ago in June, Reuters published an exclusive piece of reporting titled Obscure Indian Firm, I'm sorry, obscure Indian Cyber Firm spied on politicians, investors Worldwide. The first two lines of their full report state, a little known Indian IT firm, offered its hacking services to help clients spy on more than 10,000 email accounts over a period of seven years. New deli based bell trucks, B E L L T R O X infotech services, targeted government information up <laugh>.
(01:13:01):
That sounds like a movie name. All right. All right. Bell Trucks, Infotech Services, services Service. Well, it does sound like a, like an, an Indian IT name. I think, you know, they have, they have fun names. Yeah. Targeted government officials in Europe, gambling tycoons in The Bahamas, and well-known investors in the United States, including private equity, giant K K R, and short seller Muddy Waters, according to three former employees, outside researchers, and a trail of online evidence. And today, the New Yorker magazine has a wonderful profile of this same firm. Bero it's actually, so it's b e l l capital T, lowercase, r o, capital X. So, I don't know, I was thinking to say Bero, but, you know, funky capitalization and what the New Yorker describes as India's budding cyber mercenary market, which outsources hacker for higher services across the globe with the Indian government's tacit acceptance.
(01:14:17):
Now, okay, this podcast could make a full meal out of this coverage, but it's time for us to get to this week's very interesting discussion of the back doors that have been carelessly designed into many of today's most popular motherboards. So I've provided the links to both of these fascinating stories for anyone who wants to take the time to learn more. Suffice to say it is now possible for those without any cyber hacking skills to simply rent such cyber skills from mercenaries of any skill level required to obtain whatever cyber outcome might be needed for a fee. I had two quick closing the loop pieces from our listeners. James Brooks said, while I agree that the request o t r is a noble idea, that was our idea from our, our, the topic of last week's podcast, the idea that the brave browser has implemented, which would allow a website to ask to proactively ha ask the browser to ask its user if they would be like to have their use of this site kept private and flush the, the moment they leave anyway.
(01:15:33):
So he says it's a noble idea. He says, I have concerns that sites looking to victimize. My kids will include this header. All they need to do is prep the user for the prompt, and my kids are on a dangerous site with little chance of me having visibility into it. And so I thought that was an interesting point. I guess I would say that relying on browser history is probably not a strong protection either. And I, I would be using a DNS service that, you know, didn't resolve dangerous sites if you know, as a, as a good means of protection. But I, I, I certainly do take the point that this could be used by other sites that, that, you know, want to victimize their users and not leave a, a trail of that havoc happened. Mark Newton, he said, what are some good ways to block TLDs such as zip and move if people don't have the ability to block it at their firewall?
(01:16:48):
I was thinking the host's file and adding a 1 27 0 0 1 with a star zip. Any thoughts? Okay. Unfortunately, the Windows hosts file won't handle wildcards Be nice. If it did, it doesn't. I'd say that the best solution would be to use an, an external security oriented service, such as next DN s You can set up your configuration in, for example, next DNS to block entire TLDs. And that's something that I know our listeners, cuz I have some, some other feedback have already done. So I think that's what I would do. I, you know, the idea of having a security or a security oriented d n s provider for many purposes, both the ones that James Brooks brings up and that Mark Newton has, has, was asking about, I think makes a lot of sense. What does not make a lot of sense, Leo is yes, windows platform, binary table, even though it has a great name, even though it's so catchy, you know, you can't even, you can't even say the abbreviation quickly. W P B T, it's too bad. It's not blt. That'd be good. Windows B LT is terrible at naming things. Platform loader table. That'd be good. Windows b l t, but no, no. Binary load loader table. No, no, no.
(01:18:19):
I'll tell you what would you name a device that you put in your environment to detect? I know, I know, you know well. A canary. A canary. How about that? <Laugh>, you saw me reaching for it. Security now is brought to you by thanks to Canary, any device that you put in your environment to detect trouble. This is the THINKT Canary and this thing is a little modern security miracle. What is it? It's a honeypot. It's a honeypot That doesn't take any technical skill to set up to use to monitor. It gets the job done. It protects you. You know what I'm gonna do? I, I haven't done this in a while. I'm gonna log into my thinks console so you can see what the thinks Canary does for us. So this is, this is a canary for those who aren't watching, it's about the size of I don't know, USB hard drive, right?
(01:19:24):
And the idea is it it can be or appear to a bad guy like anything you want on the network. It has two connections, one for power and then one ethernet connection. I don't think they're wifi. We use it on ethernet. And, and so it just sits there. It sits there, it's been sitting there for years. Hasn't done a thing, hasn't said a thing once it went off. This is what you want, by the way. <Laugh> with a canary. It sits there. Mine is a impersonating. Well, I, I'll show you how easy it is. I could change it in any variety of things. So the only time we've ever received any pings from the canary is once. Back in the day, Megan put a a Western digital device, I think it was a NAS on on our network. And for some reason it went out and it, it literally pinged every single IP address on the network, including this little fella.
(01:20:23):
And so this little fella said, Hey, hey, hey <laugh>, somebody's attacking me. And we were able to quite quickly see the address and and then track it down. It's inside the house. It was a 10 address and we got rid of it. So this is our canary, no new alerts. That's good news. This thing is silent. You get just the alerts that matter. But here is how it works. It's Cana. This is configured as you can see, <laugh> as a nas. It is Linux personality, Linux 4.4. It is in my flock, the default flock. You have different canary flocks. Get it? Little groups of canaries. It's IP address, it's Mac address. Now you're gonna see something interesting about that Mac address. That Mac address is actually a Sonology Mac address. You could tell from the first the first three groups.
(01:21:18):
This, it looks to a hacker. They look at this and go, oh yeah, it's a sonology. It's got the right MAC address. It's running on port 80, it's running the DSM login. Looks like I got a file transfer port open at 21 Windows file. Sure, I did that just for you. Steve Port 1 39 is open. <Laugh>, <laugh>. Cause I know how that makes you feel. If I were to go to Shields up on this fake thing, it would immediately go, what are you doing? Port 22 is open. So there it is. That's how I have it set up. But you know, I don't have to have it set up that way I can have it set up as anything I want. This is very configurable. It could be a Windows server. It can be a SQL server. It, you know, I see I have the Windows file share turned on.
(01:22:04):
It could be a Linux box, it could be any variety of devices. All of them. Look at all the things I could turn on. Redis, Mongo, VoIP, git, all sorts of stuff. I can make it be anything I want. I have, look at this. I even have files on here. Look, here's a sales brochure, but you know what other files I might put on here, I'm not gonna show you, but I could tell you might be maybe one something that looks like a Excel spreadsheet that's labeled payroll information. That'd be a good one. So here's the thing about the canary. They don't look vulnerable in your network. They look valuable. So this is how you know if somebody's inside your network, I know you've got your perimeter fences up, man, you are secure. You've got barbed wire on top of all the walls.
(01:22:52):
You've got a figurative spotlight, you've got guards in all the towers, but somebody gets in maybe via one of them fish emails and sneaks in. How will you know they're inside the walls? Well, with a, you will, because as the hackers prowl around, they see that payroll xls or, or the NAS server with the FTP client running in the background. They go, oh, and they rubb their hands, their little hacker hands enjoy and they try to log in and you know what happens? Nothing. I get a ping. There's somebody logging into your server and here's the login they used or there's somebody opened that Excel file cuz you can make these canary tokens and spread 'em all over your network the minute somebody touches 'em. You know, and that's the key. Hey, you can be notified any way you want email. Yeah, I don't know why you'd do that, but you could.
(01:23:43):
I would do 'em. All right. Email, text messaging. You can have a Blackberry <laugh> go off on your belt a pager, but it supports syslog, it supports that. You get your own Canary console, you can see all the alerts there. It has web hooks, so you could really attach to almost anything and even has an API if you wanna write your own. So you get notified exactly in the way you want. Only when there's a problem. It's just perfect. It's just the sweetest thing ever. You want one of these, you want many of these small banks might have a dozen, you know, scattered around the network. Big casino backend operation. They might have thousands. It really just, you know, you know what your threat model is. Here's the deal. Let's say you wanted five of 'em. That wouldn't be unreasonable for a small business.
(01:24:28):
You want five of 'em 7,500 bucks a year for that. You get the canaries, you get maintenance, you get, if anything goes wrong, if you sit on your canary and you, you smash it. If an elephant walks in the studio and steps on it, I just, they'll send me a new one no questions asked right away. You will get that console that I mentioned all the features of the canary. I got a better deal for you. If you use the code twit in the, how did you hear About Us Box, you'll get 10% off the price, not just for the first year but forever. Okay. Permanent. So there's you and that's a good way to let us, you know, get the credit for it. Use that offer code twit. And then how did you hear about Us Box? Now I know you may be saying, well Leo, I hear you say how great these are, blah, blah, blah.
(01:25:14):
But how do I know? Well, there's a couple of ways You can go to the website, canary.tools/love, and you'll see all the testimonials from some of the top CISOs and CTOs and, and, and and security people in the world, including the CTO at Slack who says, I can't live without these. How anybody would, how anybody would run a network without the Canaries. I don't know. So that's one way to know. The other way to know is the guarantee a full 60 day, two month money back guarantee for a full refund. If at any point you go, yeah, it's not for me. How can they do that? You may ask. Well, I'll tell you how for as long as they've been advertising on this show. And that's been how long Lisa? Long time. Seven years. Eight years. It's been a long time. Long time. One of our longest sponsors, no one has ever asked for a refund.
(01:26:06):
Zero zip <laugh>. Because once you get a canary, you don't want fewer, you want more, more Canaries canary.tools/twit check it out, configure it. It's actually kind of fun messing around with your canary trying stuff. Mine's called backup na. Why? Any hacker worth their salt would wanna look at that, wouldn't they? Canary tools slash twit. I think you want to give it a try. And again, full money back refund. If you don't like it, you got two whole months to play with it. You will like it. I know you will. And don't forget to use the offer code TWIT for 10% off for life Canary Tools slash twit. You know, I'm thinking I dunno what you think Steve. Is it better to have an old version of Linux on this? It's Linux 4.4 that see that? Then they might say, oh yeah, we can go, we can go after that.
(01:27:05):
Or does that look too obvious? Should I make it a more modern version of Linux? I can change it. That's the beauty of it. I can do whatever I want. Yeah, that's a really good question. Yeah. Yeah. I would say an older version cuz there will, there will be, there'll be known things that were wrong. Exactly. Yeah. They'll say, oh that idiot. Yeah, they don't know how to run their <laugh>. They don't know how to run their canaries. They're not keeping their linnux up to date <laugh>. Exactly. We should go after them. All right, back to you my friend. Okay, so the biggest news of the week that rocked the security world was the revelation that the very popular motherboards made by gigabyte and I'm typing these show notes on one right now sitting in front of a machine that's based on a gigabyte were found to be secretly downloading code that the motherboard would then cause windows machines to execute.
(01:28:00):
And what was extra disturbing was that the TCP connection over which this download took place was neither authenticated nor encrypted yees to, yeah, to everyone's shock and horror and the source of a great many terrific headlines. This meant that it would be trivial for bad guys to intercept these communications to install their own root kit. Malware doesn't sound good, but if my demeanor you know, makes you wonder whether you're detecting that I'm somewhat less scandalized by these revelations than the rest of the security press, you would be correct. And that's not because all of the above is not true. It is all true. It's because we're all completely fooling ourselves in the belief that Windows operating systems actually offer any true security in the first place. That's an angle I didn't really think of. <Laugh> mother born with security, who cares? The operating system's full of holes.
(01:29:07):
Yeah, I mean, we're just glad it boots <laugh>. We Windows has never, never been a secure operating system. Oh my. And to meet the demands of the marketplace, it never can be, ah, this, this should have been obvious when Windows was first placed onto the internet and openly published everyone's sea drive to the entire world. It sounds insane to say that now, but we know it happened. I was ridiculed certainly after the birth of this podcast for suggesting that the original Windows Meile format, you know, W M F deliberately supported the ability to execute native code that was carried in the Meile. I'm absolutely, absolutely certain that it did, just as I'm sure that it once made sense to the developer who had added that escape function. But years later, the world was a very different place. So the industry was horrified by that discovery and thought that the only possible way it could happen was by mistake.
(01:30:20):
Markovic reverse engineered the Windows Meile interpreter as I had, and he said, it sure does look deliberate. There was never any doubt. My point is context matters and the world is constantly changing. Last week I said that it's not fun to use a truly secure operating system because you can't actually get any work done. First of all, it's not at all clear that we even know how to create a secure operating system because we haven't figured out how to create secure software. So we're resorting to erecting various types of fencing around our admittedly insecure attempts by attempt, by u, by using hardware enforced protection levels and sandboxes and virtual machine containers and so on. So, you know, we're still stumbling forward. Microsoft has recently made headlines by announcing that they're going to rewrite the Windows kernel in rust for much better security. That's great, but are they also going to then prohibit the use of any third party peripheral device drivers, all of which run alongside their shiny new rust code in the kernel?
(01:31:37):
If not, then any notion of true security is just marketing hype. That's not to suggest that rewriting the kernel in rust will not be useful. If you plug a hole in a large block of Swiss cheese, you do at least have one fewer holes. So I wanted to kick off our discussion today of the Windows platform binary table with a wee bit of a reality check. Make no mistake what Eclipse discovered was not good. So another previously unsuspected hole in the Swiss cheese has been plugged, but no one should imagine that doing so meaningfully increases Windows actual security. That said, we do need to keep trying. The quest for security will, I think guarantee employment for anyone who is capable and competent in the field, even if school districts are not hiring, everyone else is. Okay, so what's this Windows platform binary table? It's a facility which Microsoft first defined and implemented 11 years ago back in 2012, and it was first supported in Windows eight.
(01:33:02):
It defines a clear, clean, and well-documented means for the platform from which Windows is booted. Our motherboards to provide windows with its own code previously stored within its firmware, which windows ever since Windows eight will look for and execute when present as p when it's present as part of the Windows boot process. Now, if your first thought is that this also perfectly describes the operation of a motherboard based root kit, you would be corrected your thinking because it was foreseeable that advanced motherboards might need to have the capability to reach up into the operating system to take advantage of its rich array of advanced services and connectivity like installing, you know, downloading and installing their own firmware interface drivers or perhaps updating their own firmware itself. And since Microsoft did not want motherboards each inventing their own horrible clues in order to do this, Microsoft formalized this capability in what's known as the Windows platform binary table.
(01:34:28):
And since this podcast likes to stay on top of such things, I should note that this is not the first time we've talked about this here, security Now, episode 5 21, which we recorded on August 18th, 2015, was titled Security is Difficult. Okay? I don't know if that was a new concept for us back then, but that's what we called that podcast. And during that podcast we discussed the Windows platform, binary table facility. This was the context at the time of Lenovo laptops, which were found to be behaving badly. And this is also not the first time that Eclipse has surfaced with some worrisome news regarding the operation of Windows. This, you know, W P B T eclipse's posting of September 23rd, 2021. So about a year and a half ago, not quite was titled Everyone Gets a Root Kit. I'll share their executive summary from that posting since it serves to set the stage for what follows today.
(01:35:32):
Not quite two years ago they wrote in a connected, digitally transformed age. The term no good deed goes unpunished could perhaps be rephrased as no feature goes unex exploited. Or as we like to say here on this podcast what <laugh> could possibly go wrong. The protocol called Advanced Configuration and power interface, A C P I was introduced in the early two thousands when it became apparent that the energy consumption of billions of rapidly proliferating computing devices was a significant and increasing drain on national and regional energy supplies. I remember that it was like this was the, remember we, we, we, you could buy green computers, that was a big thing. Everyone was like green monitors and green computers. I was like, okay, so A C P I was designed to efficiently manage energy consumption on PCs along with several additional well-meaning use cases as laptop usage and portable computing became universal demands.
(01:36:34):
A C P I became a defacto standard for nearly all systems. And yes, I think it's on everything now with the advent they wrote of Windows eight, the protocol evolved to include an object called the Windows platform binary table and has since been included in every single Windows OS shipped since 2012 in June of 2021 Eclipse. So what's that? That's exactly two years ago, eclipse researchers discovered significant flaws in W P B T. These flaws make every window system vulnerable to easily crafted attacks that install fraudulent vendor specific tables. These tables can be exploited by attackers with direct physical access, with remote access, or through manufacture supply chains. More importantly, these motherboard level flaws can obviate initiatives like secured core and secure boot. Because of the ubiquitous usage of A C P I and W P B T security professionals need to identify, verify, and fortify the firmware used in their Windows system.
(01:37:56):
Okay, so that was their overview a bit later. Here's their description of the issue at the core of this problem, the Eclipse research team, this is again, two years ago, two and a half has identified a weakness in Microsoft's W P B T capability that can allow an attacker to run malicious code with kernel privileges when a device boots up. W P B T is a feature that allows OEMs to modify the host operating system during boot to include vendor specific drivers applications and content compromising this process can enable an attacker to install a root kit, compromising the integrity of the device. The issue stems from the fact that while Microsoft requires a W P B T binary to be signed, it will accept an expired or revoked certificate. This means an attacker can sign a malicious binary with any readily available expired certificate. This issue affects all Windows based devices.
(01:39:08):
Going back to Windows eight. When W P B T was first introduced, we've successfully demonstrated the attack on modern secured core PCs that are running the latest boot protections. This weakness can be potentially exploited via multiple vectors. For example, physical access, remote and supply chain, and by multiple techniques, malicious, bootloader, dma, et cetera. Organizations will need to consider these vectors and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices. And then they quote Microsoft. Microsoft recommends customers use Windows Defender application Control W D A C to limit what is allowed to run on their devices. W D A C policy is also enforced for binaries included in the W P B T and should mitigate this issue. We recommend customers implement a w d policy that is as restrictive as practical for their environment.
(01:40:21):
Yeah, it's easy for Microsoft to say it's difficult to live with. As I said, if you have a really secure computer, you can't get any work done. Then they said you can find documentation on W D A C and then we provide a link. So, okay, it makes sense that W P B T based code execution would have these problems first. All certificates expire and all code signing certificates expire. Right now, at this moment, my latest code signing certificate from Digi Cert has expired. I haven't renewed it since I've been working on spin right in Doss, so there's been no need. But the moment I get the DOS side finished, I'll be integrating it into its Windows executable. So the first thing I'll do is renew that cert, but right now it's expired and the Windows executables, it's signed squirrel in control and the d n s benchmark all run right now without complaint and show that the certificate, that the signature is valid.
(01:41:37):
The reason for this is that unlike for https s TLS connections, which you know, unlike those for code signing, the only requirement is that the certificate be valid at the time of that signing. That's the test that's employed. So it's unsurprising that Eclipse discovered this, although it is a bit distressing and it turns out that's not even a requirement for a signing code that is, that is loaded through W P B T. The second issue of continuing to honor proactively revoked code signing certificates is also worrisome. As we know when valid certificates are found to have escaped into the wild their revocation until they naturally expire on their own, which wouldn't help us either, is our only recourse. What Eclipse found was that Windows is not checking for certificate revocation at this early time during Windows booting. Perhaps it's unable to do so.
(01:42:45):
So this means that once someone obtains a code signing certificate, which is not a higher bar to jump over, if you want to actually get your own and which has a three year lifetime, even if that certificate is discovered being misused in the wild window and it's revoked, windows will continue to honor any boot time code that signed it, you know, that that was signed by it, sorry. And the situation might even be worse since it doesn't appear that even a certificate's validity, as I mentioned at the time of signing is required. Here's what they said, they said, and this is all still two and a half years ago, when those P B T requires any binaries to be properly signed. Microsoft's W P B T code signing policy states quote, all this is Microsoft, all binaries published to Windows using the W P B T mechanism outlined in this paper must be embedded, signed, and timestamped. These images should be linked with the slash integrity check option and signed using the sign tool command with the slash NPH switch to suppress page hashes.
(01:44:04):
Then Eclipse said, okay, that's all well and good, that's what they're saying. However, they said, our testing revealed that this check will pass even if the code signing certificate has been explicitly revoked. To highlight this, we signed our malicious test code using a hacking team code signing certificate that was revoked in 2015. Okay? They, and they did this in 2021 after that cert would've expired. So not only revoked but expired, they said this and many other expired or revoked certificates are readily available to anyone on GitHub. This particular cert was revoked when the company's tools included a U A F I root kit, which were, were, was exposed in a major breach. We use this certificate just to highlight a particularly egregious example, but the same process would work with other revoked certificates as well. This attack is also significant because it allows an attacker to drop a malicious file in the os even while BitLocker encrypts the disc.
(01:45:21):
Bitlocker would prevent other types of threats, such as the hacking Team implant, which used firmware to directly write the malicious code to disk. However, in the case of W P B T, an attacker could avoid BitLocker since the malicious file is pushed to the OS and stored in c slash windows slash system 32 and run on startup regardless of BitLocker. Okay, so in other words, this entire W P B T mess is a huge hole in Windows boot security. Like I said, security. Yep, marketing hype Windows is not secure and is arguably not secure. A bull, essentially motherboards must be absolutely and utterly trusted because they, with Microsoft's full blessing and a spec for how to do this, are able to completely subvert the security of Windows boot process. And as we also saw, Microsoft's only solution and recommendation is for those concerned by this behavior to manually apply their Windows Defender application control, which for what it's worth, is active at this early boot stage.
(01:46:53):
So it can be used to govern what the motherboard is able to inject and then cause to run. Unfortunately, W D A C is typically used in a blacklisting mode, not in a whitelisting mode because whitelisting isn't at all practical in the real world. Just like true security isn't practical, this means that the specific file name being used and injected into the system 32 directory would need to be known. And you would know that the fir you would need to know that the firmware was never gonna change that name to something different. And how would you know? So with this background, two and a half years ago, we're caught up with today, which makes the conclusion I previously drew all the more chilling. I said, motherboards must be absolutely and utterly trusted because they are able to completely subvert the security of the Windows boot process.
(01:47:55):
What put Eclipse back in the news Wednesday of last week and generated so many hysterical headlines was that they discovered that gigabyte motherboards were not injecting and running implant code into windows. I dunno, wait, I've got a knot in there. It shouldn't be. They discovered that gigabyte motherboards, but on the other hand, all other motherboards are too. I mean, all manufacturers are doing this now. They discovered gigabyte motherboards were injecting and running implant code into windows, and that this code was then downloading and running code from non-secured web servers over http, which, you know, that means they could be in Russia right where they use http or unenforced htt p s. Here's what gigabyte posted, they said recently the Eclipse platform began detecting suspected backdoor like behavior within gigabyte systems in the wild. These detections were driven by heuristic detection methods, which play an important role in detecting new previously unknown supply chain threats where legitimate third party technology products or updates have been compromised.
(01:49:20):
Our follow up analysis discovered that firmware in gigabyte systems is dropping and executing a Windows native executable during the system startup process. And this executable then downloads and executes additional payloads insecurely. It uses the same techniques as other OEM backdoor like features like Compere AKA LoJack double agent, which is abused by threat actors and even firmware implants such as Snet, loj, jacks, mosaic Regressor, and Vector e dk. Subsequent analysis showed that the same code is present in hundreds of models of gigabyte PCs where working with gigabyte to address this insecure implementation of their app center capability. They wrote in the interest of protecting organizations from malicious actors, we are also publicly disclosing this information and defensive strategies on a more accelerated timeline than a typical vulnerability disclosure. In other words, this is so bad it can't wait. This backdoor appears to be implementing intentional functionality and would require a firmware update to completely remove it from an effective systems.
(01:50:49):
In other words, it's not a bug, it's a feature. While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with gigabyte systems. At a high level, the relevant attack vectors include compromise in the supply chain, compromise in the local environment or malware persistence via functionality of this firmware in systems. A more detailed analysis of these risks is provided with suggested mitigations after a more traditional vulnerability disclosure timeline. We plan to publish details about how this works, which will be why we all know how it works. There are two important aspects of our findings. First eclipse, automated heuristics detected firmware on gigabyte systems that drops an executable windows binary that is executed during the Windows startup process. And second, this executable binary insecurely downloads and executes additional payloads from the internet.
(01:52:04):
So that's the key issue here. Without any ability to intervene, observe, or control, hundreds of gigabyte motherboard models have the ability and are causing windows to go out onto the internet to fetch and run additional windows executables every time a system is booted. And what's worse, this is done by fetching those files over unauthenticated and unencrypted H t http. So in their, in their analysis of the firmware, which is dropping the OS executable, they said, an initial analysis of the affected U E F I firmware identified the following file, and I can't even read this. It starts at eight cc b e e six F 7 8 5 8 AC 69 B nine. And that's about the first quarter of it. And it ends in zero C 71, 59, 71 [inaudible] bin. So that's the file dot bin file with a ridiculous name. They say this is a Windows native binary executable embedded inside of U E F I firmware binary in A U E F I firmware volume.
(01:53:24):
This windows executable is embedded into U E F I firmware and, and written to disk by firmware as part of the system boot process. A technique commonly used by U E F I implants and back doors, in other words, is doing what bad things do they said during the driver execution environment. The DX e phase of the U E F I firmware boot process, the W P B T dx E EFI firmware module loads, the embedded windows executable into memory, installing it into A W P B T. That's the, you know, the, the, the Windows platform boot table A C P I table, which will later be loaded and executed by the Windows session manager subsystem. That's SMSs dot xe, that's the thing that actually does this. And they go on to explain that although the setting appears to be oh, this is important, I shouldn't skip this.
(01:54:30):
The W pbt dx e i that dx e i module checks, if the app centered download and install feature has been enabled in the BIO slash U E F I setup before installing the executable into the W P B T A C P I table, they said, although this setting appears to be disabled by default, it was enabled on the system we examined. So that's first thing to know this, this behavior is something that appears to be configurable by the user in the firmware setup. So it's, and they're saying it was off by default, which is fabulously good news app center download and install feature was on, on the one that was generating this traffic. They say disabled by default. So that's a good, you know, that's good news. You know, I guess the only danger would be if someone's setting it up or maybe, you know, a consultant who sets it up and, and wants us to be all to be taken care of things that this is a good thing to turn on.
(01:55:43):
So it may be enabled, you'll have to see this executable uses the Windows Native API to write the contents of an embedded executable to the file system at in its, you know, the, the system route, typically SQL and slash windows, that backslash system 32 slash and it's called gigabyte update service dot exe. It then sets registry entries to run this executable as a Windows service. So it's creating a service which Windows will be running. The mechanism described here is similar to the methods used by other U E F I firmware implants such as lojas, mosaic, regressor, moon bounce, and vector E D K referenced previously. Also note that this is not then transient. It, it does it pr presumably every time. But this gigabyte update service, it's sticking around, it's physically written into the system 32 directory, and it's defined as a service that will be started every time the system boots, whether or not you, you have subsequently disabled this a p p center download install.
(01:57:01):
So that's important. If you found it on and you turned it off, you're not out of the woods because if, if it, it being on previously meant that gigabyte update service dot XE was written to system 32 and defined as a service. Okay, so then secondly, they, they talk about downloading and running further executables. The dropped windows executable, that's that gigabyte update service is a.net application. It downloads and runs an executable payload from one of the following locations, depending upon how it's been configured. And they give us three different URLs. The first one is http slash slash and it, it starts with mb.download.gigabyte.com, then file list and then W H T D P and then FA and then slash live update four is the last directory. The second U r URL is an https S u R url. So that's interesting. They, so, and otherwise URL is identical.
(01:58:08):
So that says they're running servers on both Port ADM and on port 4 43 and accepting connections either insecurely on HTTP or over TLS with https. And the third one is also interesting. It's not a fully resolved public domain. It's HT DPS slash slash software hyphen na hyphen S W H TDP slash live update four. So that would be a, that would be a local, a locally resolved IP that would allow gigabyte motherboards to go download stuff on a, you know in inside of an internal land not reaching out into the public. They said plain htp, H T D P, the first bullet the, the first U R L should never be used for updating privileged code. Yeah, as it is easily compromised via machine in the middle attacks. However, we noticed that even when using the https s enabled options, remote server certificate validation is not implemented correctly.
(01:59:20):
Therefore, M I T M man in the middle is possible in those cases also. In other words, insecurely, the firm word does not implement any cryptographic digital signal signature verification or any other validation over the executables. It downloads the dropped executable and the normally downloaded gigabyte tools do have a gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows. But this does little to offset malicious use, especially if exploited using live off the land techniques like like in the recent alert regarding volt typhoon attackers. As a result, any threat actor can use this to persistently infect vulnerable systems either via M I T M or compromised infrastructure. These issues expose organizations to a wide range of risks and attack scenarios. And we've got four bullets. First abuse of an OEM backdoor by threat actors. Previously they say threat actors have taken advantage of legitimate but insecure vulnerable OEM backdoor software built into the firmware of PCs, most notably Snet Group, which is a P T 28, also known as Fancy Bear Exploited Compe Trace LoJack to masquerade as legitimate laptop anti-theft features.
(02:00:54):
Secondly, compromise of the OEM update infrastructure and supply chain. Gigabyte does have documentation on their website for this feature. So it may be legitimate, but we cannot confirm what is happening within gigabyte. In August of 2021, gigabyte experienced a breach of critical data by the Ransom EX X group and then experienced another breach in October of 2021 by the AVOs Locker group. In other words, their security's not that great apparently. And all these gigabyte motherboards that have this thing enabled are downloading whatever happens to be on the server at the time. They say third persistence using U E F I root kits and implants is another vector. Fourth man in the middle attacks on firmware and software update features. And finally, ongoing risk due to unwanted behavior within official firmware back doors hidden within u AFI or other firmware can be hard to remove.
(02:02:03):
Even if the backdoor executable is removed, the firmware will simply drop it again the next time the system boots up. This challenge was demonstrated B before when trying to remove compu, tracee, LoJack and re and, and related to vulnerabilities in Lenovo service engine on notebooks and laptops. Okay? So that's what was discovered that gigabyte motherboards were, were insecure in their downloading of, of whatever happened to be a available on those URLs and that it then Windows would then run those things the following day. Immediately on last Thursday, June 1st gigabyte responded with their posting gigabyte fortifies system security with latest bios updates and enhanced verification. And their posting is short, so I'll share it. They said June 1st, 2020, 2023. Gigabyte technology, one of the leading global manufacturers of motherboards, graphic cards and hardware solutions has always prioritized cybersecurity and information security. Okay? All evidence to the contrary, gigabyte remains committed to fostering close collaboration with relevant units and implementing robust security measures to safeguard its users.
(02:03:34):
Gigabyte engineers have already mitigated potential risks and uploaded the Intel 700 slash 600 and AMD 500 slash 400 series beta bios to the official website. After conducting thorough testing and validation of the new bios on gigabyte motherboards to fortify system security gigabyte has implemented stricter security checks, or you might say any security checks during the operating system boot process. These measures are designed to detect and prevent any possible malicious activities providing users with enhanced protection first signature verification. Gigabyte has bolstered the validation process for files downloaded from remote servers. This enhanced verification ensures the integrity and legitimacy of the contents thwarting any attempts by attackers to insert malicious code. Two privilege limitations. Gigabyte has enabled standard of cryptographic verification of remote server certificates. What a concept. This guarantees that files are exclusively downloader from servers with valid and trusted certificates, ensuring an added layer of protection BIOS updates for the Intel 500 slash 400 and AMB 600 series chipset.
(02:04:59):
Motherboards will also be released on the gigabyte official website later today. Along with updates for previously released motherboards, gigabyte recommends that users regularly visit the official gigabyte website for fir for future bios updates. So that's great. If you have a gigabyte motherboard, now would be a good time to, to update the bios. There's, you know, very insecure practices still in firmware until the bios is updated. So we have some takeaways. If you have a gigabyte motherboard and you dislike the danger that's inherently presented by having it reaching out to anyone other than Microsoft to obtain unmanaged updates to your system, you'll likely want to disable app centered download and install if it's present in your motherboard firmware. And as I noted, you'll also want to look in the system 32, the the system 32 directory for the gigabyte, the the gigabyte updater, which has been installed as a service.
(02:06:04):
And and shut that down as a service. You, you could look in windows service manager for it and stop it and then set it to disabled and that would keep it from running. And finally, the best news of from all of this is there is a fully generic undocumented registry entry that can be added to Windows, any Windows eight through presumably ever to shut down all of this Windows Boot behavior, the registry key, it's under hq local machine system, current control, set control session, man session manager. Cuz remember, it's the session manager that's responsible for this behavior. And you, if you set, and I've got this all documented disabled W P B T exception, you se you create a D word with that name instead, up to One Windows will no longer do this. No matter what mother board you are running under this will no longer happen.
(02:07:16):
The Windows session manager component looks for this registry key and will abort the execution of anything being provided by the motherboard if this setting is present. So that's the number one most robust thing that any Windows user can do to shut down and disable this almost certainly unwanted Windows behavior because it's universal and safe. I've made this registry file this week's GRC shortcut of the week. So just put grc.sc/ 9 26 into the URL of any browser. It will obtain a zip file named disabled wpbt.zip, whose contents is exactly what's shown above a dot ridge file, which when double clicked, and then you confirm that it's what you want to do will add that disable disabled W P B T execution d word into the local machine's registry, giving it a value of one. The reason that adding this disablement key to your Windows registry is probably the right thing to do, is that this gigabyte event should serve us as a wake up call while this focused upon just gigabyte.
(02:08:45):
As I said before, all systems are now known to be using this mechanism for maintaining their firmware. Microsoft officially created this and blessed it and said, this is what you should do. And as for what could possibly go wrong, just ask those tens of thousands of HP office Jet nine 20 e printer users, whether they wish they had not had their printer connected to the internet early last month. In other words, supply chain problems can and do occur. As Eclipse noted gigabyte has been previously penetrated twice. So having every Windows system happily downloading third party software from who knows where, you know, seems like an unwarranted and unnecessary risk GRC SC slash 9 26, that will get you the zip file containing the ridge file that you can apply to your Windows instance to stop it from doing that. And as we say, Leo, that's a show <laugh>.
(02:09:53):
I'm glad you covered this. Yeah, we've been talking about it a little bit as well. Of course, the fact that they offered a patch firmware update is great, but a lot of people will never update their firmware. A lot of people don't listen to the show and there's a problem there lies the problem. Yeah, right? Yeah. Big problem. Yeah, that's why you listen to the show. And you should keep listening to this show every Tuesday, right after Mac Break Weekly. Usually it's supposed to be about one 30. We had a Long Mac Break weekly this week, but one 30 Pacific, four 30 Eastern, 2030 U T utc. The livestream is at live TWI tv, audio or video while you're watching chat with us, IRC TWI tv. Of course, you can always chat with us if you're a Club Twit member in the, in the club twit clubhouse, we invite you to join us there because that's, that's really the fun place to hang Club Twit members not only support what we're doing here, and I can tell you that, that support is more and more important all the time.
(02:10:51):
You get ad free versions of all the shows. You get the discord, you get special shows we don't put out in public things like our fireside chat with Steve himself, but also hands on Macintosh every week with Micah Sergeant Hands on Windows with Paul Throt, the Untitled Linox Show. Scott Wilkinson's Home Theater, geek Stacy's book Club. I can go on and on. You've never heard of those. That's because you're not a Club twit member. Go to twit.tv/club twit and I did. I buried the most important part. It's cheap, it's cheap. Seven bucks a month. I should tell you though, if you're gonna sign up, especially if you sign up for the year plan, which is 84 bucks, tell your spouse, because we, we've had a few chargebacks, not one, not just one, several chargebacks from people who signed up, you know, but then their spouse said, what the hell is this twit thing?
(02:11:44):
And, and called and said, I've been scammed. And we have to, it's a chargeback is not a good thing. We have to go through a lot of rigamarole and it's a black mark on our record and all that stuff. So please tell your spouse if you sign up. Better yet, get the family plan than everybody gets it. Y'all get it. TWIT TV slash club twit no club@grc.com. Just Steve's goodness at the Goodness Research Corporation. There is, however, something that's worth spending some money on. That's the world's best hard drive or mass storage, maintenance and util recovery utility spin, right? Currently, sir, version six six one is very, very close to being released. You'll get the release for free if you buy now, and you can also participate in this development grc.com. There's lots of other free stuff there. There's also the show, Steve has two unique versions, a 16 Kilobit audio version, little bit scratchy, but it's low bandwidth.
(02:12:42):
So if you're bandwidth impaired, if your ears are less important than your bandwidth bill, that's a good one. You also have a transcript, actually that's probably even smaller. Elaine Ferris does those great transcripts. It's gotten easier since Steve stopped hemming and hawing, apparently <laugh>, I like those old shows. I did <laugh>. He also has a 64 bit cut kilobit audio version of the show. That's the kind of official version we have that and video as well at Twitter tv slash sn. There's a dedicated YouTube channel. You find the link right there at twit tv slash sn. The best way to get this show, every show we do subscribe. You could subscribe at Steve site or at our sites. TWIT tv slash SN has an RSS feed, but also links to, you know, several of the most popular podcast players. By subscribing, you're doing a couple of things.
(02:13:32):
One, you, you're kind of showing your support and that helps us, you know, those directories, notice the most popular shows and so forth. But it also makes sure that you always have a copy security now on your device, that you never miss an episode. No one wants to miss an episode when there's such important stuff. Like this Windows platform, binary Table <laugh> or W P B T, <laugh> <laugh>. Steve, thank you. Have a wonderful weekend. I will see you next time on Security Now. Thank you, my friend. Till next week. And what I can say about the earlier shows is they got us to where we are today. That's true and that's a good thing. That's true. You know what? Collect all 926. That's, that's all I can see. Thank you Steve Joo, do you wanna hear about the latest news happening in the tech world from the people who write the article sometimes from the people who are actually making the news? Well, we got a show for you here at twit tv. It's called Tech News Weekly. Me, Jason Howell, and my co-host Micah Sergeant. We talk with some amazing people each and every Thursday on Tech News Weekly, and we share a little bit of our own insights in each of us bringing a story of the week. That's at Twitch tv slash tnw. Subscribe right now.