Security Now 992 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show

0:00:00 - Mikah Sargent
Coming up on Security Now. I, Mikah Sargent, am subbing in for Leo Laporte again this week. Steve Gibson kicks things off by talking about what the heck happened at the recent Microsoft summit, where they, you know, aimed to talk about what went wrong with CrowdStrike. Plus, we talk about storage and how, regardless of what you're using to store data, all of it falls to entropy in the end. Then a conversation about a really fascinating investigation regarding Starlink and the US Navy, and a very important conversation about password managers and how many of them are vulnerable to attacks.

0:00:48 - Steve Gibson
All of that, plus so much more, coming up. Podcasts you love, from people you trust.

0:01:02 - Mikah Sargent
This is Security Now, episode 992, recorded Tuesday, September 17th, 2024: Password Manager Injection Attacks. It's time for Security Now, the show where we talk to Steve Gibson about cybersecurity each week. I am Mikah Sargent, subbing in once more for Leo Laporte. Hello, Steve Gibson, reporting from another secret cave buried deep underground, an undisclosed location. Yes, good to see you. Likewise, Mikah.

0:01:46 - Steve Gibson
Great to be with you for our second of two, you standing in for Leo while he's out somewhere gallivanting, gallivanting around the territory. Yeah, yeah, I'm looking forward to this who has previously been the source of many of our interesting and many times wacky sort of side channel leakage issues. So today's podcast, 992, yes, closing in on 999, but no longer the end of the road for the podcast, is titled Password Manager Attacks and, of course, the idea that password managers could be in any way subject to security trouble gets everybody's attention. They actually did. They did.

They did two papers: one on password manager injection attacks and another on end-to-end encrypted messaging apps, specifically WhatsApp and Signal injection attacks. I'll talk about that a little bit just to kind of give some context. But because everyone is using password managers and the last thing you want is them to have a security problem, that gets center stage for us. But we're also going to talk about what happened during Microsoft's recent Windows Endpoint Security Ecosystem Summit, which was the thing that they did in reaction to the CrowdStrike global outage from a month and a half ago, and what, if anything, will result from that. Also, and completely sort of off on the side, but of interest to our listeners, is how reliable is any form of digital storage when used for long-term archiving? Lots, you know: CDs, tape, hard drives, solid-state memory. It turns out that we've got problems in terms of long-term archiving and, my God, talk about an explosion in the amount of storage and thus the amount of problem that we have. Also, what happened when an illegal Starlink internet network was set up on a US Navy ship without permission, which is a big no-no, as we'll see. What's the best solution for securing the internet-facing edge of enterprise networks?

A security magazine reviewed all of the contenders and I'm pleased that the one that had impressed me previously, last Halloween, turned out to win. We'll come back to that briefly. Also, I finally started rolling out the notification of SpinRite 6.1 to all of the 6.0 owners and I've learned a lot, which I'll talk a little bit about. Also, and this is actually a common question that I've had as a result of that, why might running SpinRite on an SSD appear to make the SSD run more slowly rather than more quickly? And finally, the moral of the story underlying these password manager injection attacks: why is true secrecy so difficult to achieve, and how were most password managers leaking some of their secrets? So I think a great and interesting podcast for our listeners, and we've got another great picture of the week as well, so I think a lot of fun for everybody.

0:05:29 - Mikah Sargent
Absolutely. I am very much... I don't know if "looking forward to" is the right word for the stuff involving password managers, but I can't wait to hear about it, for sure.

We will take our first break, though, so I can tell you about ThreatLocker, which is bringing you this episode of Security Now. Here's a great question that I think I know the answer to: do zero-day exploits and supply chain attacks keep you up at night? Well, if you are a person who answers yes to that question, worry no more, because you can harden your security with ThreatLocker. Worldwide companies like JetBlue, for example, trust ThreatLocker to secure their data and keep their business operations flying high. Imagine taking a proactive deny-by-default approach to cybersecurity, so you're blocking every action, process and user unless they're authorized by your team. ThreatLocker helps you do exactly that and also provides a full audit of every action for risk management and compliance. Its 24/7 US-based support team fully supports onboarding and beyond. So stop the exploitation of trusted applications within your organization. Keep your business secure and protected from ransomware.

Organizations across any industry can benefit from ThreatLocker's ring fencing by isolating critical and trusted applications from unintended uses or weaponization and limiting attackers' lateral movement within the network. ThreatLocker's ring fencing, by the way, was able to foil a number of attacks that were not stopped by traditional EDR. The 2020 cyber attack on SolarWinds' Orion was foiled by ring fencing. That's huge. ThreatLocker works for Macs as well. Get unprecedented visibility and control of your cybersecurity quickly, easily and cost effectively. ThreatLocker's Zero Trust Endpoint Protection platform offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities. Get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. Visit ThreatLocker.com. That's ThreatLocker.com, and we thank ThreatLocker for sponsoring this week's episode of Security Now. All right, back from the break, and let's kick things off with a wonderful photo.

0:07:52 - Steve Gibson
Okay. So it didn't occur to me until just now, as I was looking at this picture while you were talking about our sponsor, that maybe I should have blurred this person's license plate. I didn't take the picture myself, so it's out on the internet, so it's already out there, but still, you know. Anyway, this is... he probably doesn't care, he's probably liking the attention.

Yes, because clearly he's into attention. Okay, so this starts with a GMC truck, and this is apparently kind of a techie owner, because we notice from his back window, in the lower left-hand corner, he's got this stenciled "transmission lineman," as in one of those high-tension tower, like, you know, makes-your-hair-stand-on-end, you-want-to-be-very-careful-with-every-single-movement-that-you-make sort of high-tension towers. At the bottom back of his truck are vents angled such that they actually really do resemble HDMI ports, and so he went to the trouble of labeling them HDMI 1 and HDMI 2 on the back of his truck. And so the truck was parked somewhere and somebody, you know, thought that was kind of cool and took a picture of it. I also noted that, and the caption I gave this picture was, not only does this truck have dual HDMI outputs but great signal strength and is fully charged, because in the upper right-hand corner of the back window we see that he's added four bars and full Wi-Fi strength and 100% charge on his car.

0:09:58 - Mikah Sargent
So anyway, clearly a techie. I'm thinking about adding those. Not the HDMI, because it wouldn't work for my little Subaru, but I love the...

0:10:06 - Steve Gibson
Wi-Fi. Isn't that great? Yeah, I love that. It's just a kick, and yes, they do look like HDMI ports.

0:10:13 - Mikah Sargent
Oh my God, I'm just imagining the giant HDMI port that some clown would get out of the car and run behind and plug it back in. Oh, just funny. Well, and if it were an e-car, then you know that would be great. If it was a charging port, oh, so good, so good. Okay.

0:10:32 - Steve Gibson
So we recently noted that Microsoft was responding, as we and they knew they must, to what's now being referred to as the Cloudflare outage. Wait, I wrote Cloudflare. I don't mean that. CrowdStrike. Wow, sorry. Cloudflare, CrowdStrike outage. Duh, it was late last night. Although, you know, as we know, the proximate cause of this global meltdown was a bad update to CrowdStrike's kernel-level code, which forced a Windows kernel panic and thus shut down the fact that third-party vendors are, first of all, allowed to install their code into the Windows kernel and, secondly, that Windows lacked any graceful resiliency, as we all painfully saw, that would have allowed it to somehow arrange to get back on its feet using some sort of rollback to the pre-CrowdStrike update. So this all meant that Microsoft also received some measure of blowback themselves.

So this summit was held last Tuesday. They called it their Windows Endpoint Security Ecosystem Summit, and then, on just this past Sunday, Microsoft posted about what happened, who attended and some of what was said. So this is what they shared with us. They said: "On Tuesday, September 10th, we hosted the Windows Endpoint Security Ecosystem Summit. This forum brought together a diverse group of endpoint security vendors and government officials from the US and Europe to discuss strategies for improving resiliency and protecting our mutual customers' critical infrastructure. Although this was not a decision-making meeting," which, okay, it would be nice to have some decisions, but no, no, they said,

"We believe in the importance of transparency and community engagement. Therefore, we're sharing the key themes and consensus points discussed during the summit, offering insights into our initial conversations." There is a hand gesture I could make at this point, but this is a podcast for families, so I won't do that. "We want to thank every one of our summit attendees for dedicating their time to participating in these meaningful discussions. The CrowdStrike incident in July underscored the responsibility security vendors have to drive both resiliency and agile adaptive protection, and it was inspiring to see the engagement throughout the event's agenda and activities. Together with our Microsoft Virus Initiative," they'll refer to that later as MVI, "partners, companies who develop endpoint protection and additional security products for Windows, covering client, server and IoT, we discussed the complexities of the modern security landscape, acknowledging there are no simple solutions." Right, otherwise we would have done that. "A key consensus point at the summit was our endpoint security vendors and our mutual customers benefit when there are options for..." when there is, you know, some interesting reading between the lines here, right, "when there are options for Windows and choices in security products. It was apparent that, given the vast number of endpoint products on the market, we all share a responsibility to enhance resiliency by openly sharing information about how our products function, handle updates and manage disruptions. In the short term, we discussed several opportunities to improve how we support the safety and resiliency of our mutual customers. First, we spent time going into depth on how we employ safe deployment practices at Microsoft." In other words, you know, this is what we did, folks, why aren't you doing that? Anyway, they said, "and where we can create shared best practices as a community, including sharing data, tools and documented processes.

We face a common set of challenges in safely rolling out updates to the large Windows ecosystem, from deciding how to do measured rollouts with a diverse set of endpoints to being able to pause or roll back if needed. A core SDP," that's their safe deployment practice, "a core SDP principle is gradual and staged deployment of updates sent to customers. Microsoft Defender for Endpoint publishes SDPs, and many of our ecosystem partners, such as Broadcom, Sophos and Trend Micro, have shared how they approach SDPs as well. This rich discussion at the summit will continue as a collaborative effort with our MVI partners," the Virus Initiative partners, "to create a shared set of best practices that we will use as an ecosystem going forward."

So right, in other words, CrowdStrike, you didn't do that, and I believe the proper term would be bitch-slapped at this point for not enforcing any sort of staggered rollout of their updates. I mean, that's like the most obvious thing you could have done. That would have caught this immediately. Instead, the entire world was hit with this thing at once and the entire world went down, everyone using CrowdStrike. There's no way to read this from CrowdStrike other than it's suggesting a level of we-can-do-no-wrong arrogance that did indeed come back to bite them, and you know the lack of, like... It's just impossible to justify that in retrospect. There's no good answer to the question, you know, why the heck weren't you just deploying any sort of staggered rollout? But, you know, they weren't.

Anyway, Microsoft continues, saying: "Beyond the critical safe deployment practices work, there are several ways we can enhance our support for customers in the near term. Building on the Microsoft Virus Initiative program we have, we discussed how Microsoft and partners can increase testing of critical components, improve joint compatibility testing across diverse configurations, drive better information sharing on in-development and in-market product health, and increase incident response effectiveness with tighter coordination and recovery procedures. These are a sampling of the topics we plan to make rapid progress on to improve our collective customers' security and resiliency. In addition, our summit dialogue looked at longer-term steps serving resilience and security goals. Here, our conversation explored new platform capabilities Microsoft plans to make available in Windows, building on the security investments we have made in Windows 11.

Windows 11's improved security posture and security defaults enabled a platform to provide more security capabilities to solution providers outside of kernel mode." And, of course, that's a key aspect of this, right. The problem is, in order for endpoint security to do what it needs to do, because Microsoft has been relatively stingy about what they allow user mode code to do, it's not able to get the deep access that it needs. Microsoft is saying, well, Windows 11 is better. Now, my eyebrows went up when I saw that because we're approaching end of life for Windows 10, and this is going to be controversial because nobody wants 11. And I mean, the enterprise has not moved. There's a massive install base of 10 that can't upgrade to 11 as it stands now. So we're going to have some interesting times coming up this year, and I'm glad we're going past 999.

So they said, "Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with SDP, can be used to create highly available security solutions." In other words, everybody's saying, look, we don't want to be in the kernel either. It terrifies us because of, you know, something like this happening, but you're not letting us do what we need to do from user mode. And I would argue that that's probably never going to happen, not because Microsoft wouldn't want to, but it's difficult to have user mode hooks in the kernel that won't dramatically slow down Windows, because in order to do what needs to be done, you need to not have user mode/kernel mode ring transitions constantly. So to deeply get into the kernel, that's the only place you can watch everything going on without significantly slowing down Windows. So I mean, it really is truly a problem, which I understand that Microsoft gets, and it's why they're saying, well, the truth is, they can't allow all this to be done from user mode or there'll be constant user mode and kernel mode transitions that will dramatically slow things down.

It's the reason that GDI, the graphics device interface, was moved into the kernel. We saw huge security implications and compromises as a consequence of that decision, and on one hand, Microsoft can be held responsible for that. The flip side is, back when systems were a lot slower than they are today, they had no choice, because the graphics device interface level had to make such deep and frequent access to the kernel. That's why they moved it into the kernel.

So, anyway, they said, "Some of the areas discussed during this summit include performance needs and challenges." Oh, there it is. "Outside of kernel mode, anti-tampering protection for security products." Right, because if you're in user mode, you don't have the protections afforded by kernel mode. "Security sensor requirements, development and collaboration principles between Microsoft and the ecosystem, and secure by design goals for future platforms." They said, "As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners, to achieve the goal of enhanced reliability without sacrificing security." And I'll just note that this is all happening as a consequence of that outage. None of this would be happening if it weren't for that.

0:22:53 - Mikah Sargent
In other words, isn't that frustrating? How often does it take something going wrong for people to start doing things correctly? Is that not the crux of so many issues? It's really frustrating, and it shouldn't have to be that way.

0:23:11 - Steve Gibson
It shouldn't have to require things going this poorly to go, oh right, now's the time, but it's just so built into the way things work. Well, and in this case there had been sort of a detente achieved, where Microsoft didn't like the fact that they had to open the kernel. They did because the EU forced them to, because Windows Defender has access to the kernel. And they're saying, well, if your own endpoint protection technology, if you've given that technology kernel access, then you must open it up to the competition in the interest of creating competition. And arguably these third-party products like CrowdStrike do a much better job than Microsoft's endpoint protection system does. So customers are getting a better result at the consequence of this kind of event being possible, and I will actually be surprised if much changes.

I think this is face-saving for Microsoft. They had to do something to respond to the outage, and so: oh, we're going to have a summit and we're going to get everybody together and we're going to figure out how to prevent this from happening. The fact is, CrowdStrike should have never let this happen, because these things like incremental deployment are trivial to do. They're doing it now. I mean, they've said, you know, it's already in place.

They will never let this happen again. Well, they shouldn't have let it happen the first time. So there was some arrogance on their part. They've learned their lesson. But the fact is, to do what these products need to do, the truth is they have to be in the kernel, they have to be allowed that kind of access, because it just can't be done up in user land. Anyway, so they had this first meeting.

They quoted a bunch of their partners coming out of this. Adam Bromwich, who's Broadcom's CTO, Chief Technology Officer, and Head of R&D for their Enterprise Security Group, was quoted saying: "Organizations today benefit from a diverse, layered security defense. As a result, industry collaboration is vital to helping organizations stay ahead of persistent threats and remain resilient when unexpected business disruptions occur. As a longtime Microsoft Virus Initiative," so MVI, "partner, Broadcom recognizes that working closely with Microsoft and other security vendors not only helps improve our customer security posture, including endpoint protection, but also the greater global digital ecosystem." Drew Bagley, the VP Counsel for Privacy and Cyber Policy from CrowdStrike, you know, the bad guys in this particular stumble that caused this summit to be created, said: "We appreciated the opportunity to join these important discussions with Microsoft and industry peers on how to best collaborate in building a more resilient and open Windows endpoint security ecosystem that strengthens security for our mutual customers." In other words, he said nothing.

0:26:55 - Mikah Sargent
Thank you, because that's what it sounds like to me. Yeah, exactly. It was like, okay, fine.

0:26:59 - Steve Gibson
We're sorry that we brought the earth to a standstill, we realize the error of our ways, and we won't let it happen again. And they quoted ESET and SentinelOne and Sophos and Trellix and Trend Micro. You know, Trend Micro: "I applaud Microsoft for opening its doors to continue collaborating with leading endpoint security leaders to make our mutual customers even more cyber resilient.

0:27:28 - Mikah Sargent
Looking forward to more collaboration." And, as I said, my feeling is that this was mostly for show. In fact, everybody probably, I'm saying this tongue in cheek, everybody probably walked away with a nice tote bag filled with lots of Microsoft goodies. It's like, and here's your gift card for this quote, and here's yours for this. It just feels very hollow.

0:27:52 - Steve Gibson
Yes, well, and the photo that accompanied this blog posting was a perfect representation of this meeting. It shows a bunch of executives of various stripes sitting around a conference table in a stunningly opulent office building conference room setting. There's the requisite whiteboard and a UI projected onto another screen. Then we have the four world time digital clocks, which are visible, showing the time in London, Moscow, Beijing and Sydney. For whatever reason. Exactly, for like what?

And the one laptop that we can see open is distinctly a Mac. Yep. So, okay, I don't know what that means. Maybe the guy, you know, installed Windows 11 on his Mac because it runs better than it does on the Surface.

0:28:48 - Mikah Sargent
Anyway.

0:28:49 - Steve Gibson
I think my point is that nothing ever really gets accomplished at these kinds of meetings. This was all just for show for the government and for Microsoft shareholders. It's, okay, we realize we did bad. We're responding to this problem. What's actually going to happen now will be a long, multi-year series of slow, plodding, back and forth negotiations where Microsoft will present and may implement some next generation set of user land hooks for use by their various third party vendors. The vendors will examine them and explain how what Microsoft is offering still doesn't give them the total freedom that they really want, and I think they can argue they need, which is only still available through true kernel level operation, and so it will go back and forth. Perhaps something will eventually come of it, but, you know, that's far from certain.

I think at this point, so long as this meeting has been held and the parties are now, you know, quote, working on it together, unquote, face has been saved. Lawsuits will trundle forward and the vendors will all work harder not to make another similar horrible mistake. As I said, if CrowdStrike had not made this mistake, this would have never happened. It would never happen on its own, because things were kind of okay, you know. I mean, the third-party vendors had the deep access they needed. They hadn't brought the world to a standstill, and Microsoft had given only as much as they had to, you know, access in user mode. My only hope was that, since Mark Russinovich, who is truly a serious security kernel level guy, we all know him from his founding of Sysinternals back in the day, which Microsoft then bought, Mark Russinovich tweeted about this, saying that this really did represent some future hope. So I have some more hope that something might actually change.

But nobody should be holding their breath. We know that in retrospect, CrowdStrike now realizes it needs to be able to catch anything like this before it is ever rolled out to the entire world. And it's trivial to do. That's what's so mind-boggling: it's not like this is rocket science to do an incremental release. Everybody else does that. So anyway, we know that they're going to be doing it. They've got that in place already. It also means that everyone else must do the same and never fail at this trivial-to-implement requirement. So, you know, no more cowboy developer jock behavior. The stakes are now far too high.

0:32:00 - Mikah Sargent
Amen Amen.

0:32:03 - Steve Gibson
Okay, Mikah, let's take a break, and then we're going to talk about the problem of archiving digital data on any media.

0:32:13 - Mikah Sargent
All right, we will do that momentarily, but I want to tell you about DeleteMe. We're bringing you this episode of Security Now. If you've ever searched for your name online and you didn't like how much of your personal information was available, well, I don't blame you. Maintaining privacy isn't just a personal concern. It's actually a family affair. See, with DeleteMe's family plans, you can ensure that everyone in the family feels safe online.

DeleteMe helps reduce risk from identity theft, cybersecurity threats, harassment and more, and in fact, one aspect of going through the DeleteMe process myself was seeing how these different data brokers have connected me to different family members out there, and having it try to break that away and say, no, you don't need to know about me. No, you don't need to know about my mom, you don't need to know about my grandparents. And to then go further with that and be able to help make sure that they are also removed means that there's less of a chance that, for example, a person could put two and two together and try to use my name as a means of getting money from my grandma, or something similar to that. DeleteMe experts will find and remove your information from hundreds of data brokers. You can assign a unique data sheet to each family member that's tailored to them. So you say, here's everything that you need to know about this family member. Go out, find it and make sure you get rid of it. With easy-to-use controls, account owners can manage privacy settings for the whole family, and DeleteMe will continue to scan and remove this information regularly because, yes, it continues to make its way into these data broker systems, including addresses, photos, emails, relatives, phone numbers, social media, property value and so much more.

So protect yourself, reclaim your privacy, your family's privacy, by going to joindeleteme.com/twit and using the code twit, T-W-I-T. That's joindeleteme.com/twit with the code twit for 20% off, and we thank DeleteMe for sponsoring this week's episode of Security Now. All righty, back from the break, and let's talk about how, uh, it's a good idea, not a good idea. Maybe it's safe, maybe it's not. There's a problem with saving stuff, yeah.

0:34:39 - Steve Gibson
Um, a listener forwarded this piece from Ars Technica to me, which was titled "Music Industry's 1990s Hard Drives, Like All Hard Disk Drives, Are Dying," and the subhead is "The Music Industry Traded Tape for Hard Drives and Got a Hard-Earned Lesson." So I'll just share a bit of what they said. They said: "One of the things enterprise storage and destruction company Iron Mountain does is handle the archiving of the media industry's vaults. What it has been seeing lately should be a wake-up call. Roughly one-fifth," so one out of five, "of the hard disk drives dating back to the 90s it was sent are entirely unreadable." Wow. Yeah, yeah, you just think, okay, here's a drive, you guys store it for us and we may need the data in the future. We'll let you know and then we'd like it back.

"Music industry publication Mix spoke with the people in charge of backing up the entertainment industry. The resulting tale is part explainer on how music is so complicated to archive now, part warning about everyone's data stored on spinning disks. Robert Koszela, Global Director for Studio Growth and Strategic Initiatives at Iron Mountain, told Mix," quote, "Hard drives gained popularity over spooled magnetic tape as digital audio workstations, mixing and editing software and the perceived downsides of tape, including deterioration from substrate separation and fire. But hard drives present their own archival problems. Standard hard drives were also not designed for long-term archival use. You can almost never decouple the magnetic disks from the reading hardware inside, so if either fails, the whole drive dies. There are also general computer storage issues, including the separation of samples and finished tracks, or proprietary file formats requiring archival versions of software. Still, Iron Mountain tells Mix that," quote, "if the disk platters spin and aren't damaged, it can access the content. But 'if it spins' is becoming a big question mark. Musicians and studios now digging into their archives to remaster tracks often find that drives, even when stored at industry standard temperature and humidity, have failed in some way, with no partial recovery option available." So it's completely dead. "Koszela says," quote, "It's so sad to see a project come into the studio, a hard drive, in a brand new case with the wrapper and the tags from wherever they bought it still in there. Next to it is a case with the safety drive in it. Everything's in order and both are bricks."

"Mix's passing along of Iron Mountain's warning hit Hacker News earlier this week, which spurred other tales of faith in the wrong formats. The gist of it: you cannot trust any medium, so you copy important things over and over into fresh storage. Optical media rots, magnetic media rots and loses magnetic charge, bearings seize, flash storage loses charge, etc. Entropy wins, and sometimes much faster than you'd expect."

There's a discussion of how SSDs are not archival at all. How floppy disk quality varied greatly between the 80s, 90s and 2000s. How Linear Tape-Open, a format specifically designed for long-term tape storage, loses compatibility over successive generations. How the binder sleeves we put our CD-Rs and DVD-Rs in have allowed them to bend too much and stopped being readable. I know, one thing after another. One format after another failing, they said.

"Knowing that hard drives will eventually fail is nothing new. Ars wrote about the five stages of hard drive death, including denial, back in 2005. Last year, backup company Backblaze shared failure data on specific drives, showing that drives that fail tend to fail within three years, that no drive was totally exempt, and that time does generally wear down all drives. Google's server drive data showed in 2007 that hard disk drive failure was mostly unpredictable and that temperatures were not really the deciding factor. So Iron Mountain's admonition to music companies is yet another warning about something we've already heard, but it's always good to get some new data about just how fragile a good archive really is." So I can speak for myself.

I run a bunch of my own servers, my own actual hardware. I think I have four separate physical servers. Each of the servers has four hard drives. Actually, one of them may still have SSDs, but I'm beginning to swap them out because I have not found them to be more reliable. Smaller size, and by that I mean like two terabyte, is sort of what I've settled on, with drives of redundancy, so any two of the four drives could fail and I lose nothing. And all of the RAIDs, all four of the RAID arrays, are being monitored continuously, and every so often I receive email telling me that one of the drives has failed. So that's okay. Another one could still fail in that group of four and I'd still lose nothing. So it's not an emergency. But within a day or two I go to Level 3, go through all the security measures, get access to my hardware, pull the dead one out, put a new one in. It spins up and the RAID rebuilds itself, reestablishing its RAID 6 two-drive failure tolerance, and it happens maybe every six months or so. And in fact, right here, this is it; I have it because I've been meaning to run SpinRite on it. This is the most recent drive to die. It's a two terabyte Seagate Barracuda hard drive. Something about it my system doesn't like, and so I'll run SpinRite.

The time before that this happened, there was... Sectors are not actually 512 bytes any longer. They still look like they're 512 bytes because they always were in the past. They're actually 4K. It's much more efficient to have larger physical sectors because you get much more efficiency from error correction, and you just don't need all of the gaps between sectors, which take up space. So what I found was there was a single block of what looked like eight logical sectors, but eight 512-byte, which is half a K, so eight half-a-K sectors is actually one 4K physical sector.

It was bad and the RAID said, okay, I quit, bad drive. Anyway, I ran SpinRite on it. It said, oh, you've got a contiguous run of eight sectors which have a problem. SpinRite did what it could to recover it. It rewrote the sector and it was fine, and that was all that was wrong with the drive. In other words, nothing actually wrong, just a tiny region, some set of bits that were uncorrectable, and so the RAID said, sorry, this drive's no good. In fact, it was fine, it just needed a little bit of fixing, and then it was good to go.

So there is good reason to believe that performing a periodic rewrite of either magnetic spinning or electrostatic solid-state mass media is an extremely useful thing to do, and you don't need SpinRite to do that, although SpinRite does make that easy and it provides a great deal of feedback about the state of the drive, you know, and if there is any sort of trouble it'll fix it for you.

But we learned, for example, a few years ago that, and it was a surprise at the time, but it's not anymore, that offline SSDs just sitting on a shelf tend to lose their data more rapidly when they're stored at high temperature. Since SSD storage is just about charge leakage, it makes sense that higher temperature would tend to weaken the strength of the dielectric insulation which isolates the charge bits. And so, if an SSD is offline, you want to store it in a cool place. But the lesson here really is, and this is the point that the article made, at one point it said, don't assume that anything sitting on a shelf for years will be readable when you need it.

0:45:44 - Mikah Sargent
You really do need to periodically plug it in, make sure it's still readable, and I would rewrite it just to strengthen the bits. I need to go back, though, because did I hear you right that you said every six months you're having to replace a drive? Yeah, so I have four times four.

0:45:57 - Steve Gibson
I have 16 spinning drives and, yeah, I would say every six months or so a drive says, okay, I'm hurting, and so the RAID sends me email and I go and swap it. Now I have not yet run SpinRite on this drive. The last time that happened, there was actually nothing wrong with the drive, it just had that one little burst of trouble. SpinRite rewrote the sector, then the drive was fine and I put it back in the RAID array and it hasn't failed since. So, you know, it's a very touchy failure, which is not a big problem. But I have had SSDs actually just completely die. So that's why I'm no longer thinking, oh, solid state, that's way more reliable. I guess what I'm saying is I refuse to have any loss of data. So refusing to have any loss of data means double redundancy and just keep swapping.

0:47:08 - Mikah Sargent
So drives are consumables is the way I guess I would think about it.

0:47:13 - Steve Gibson
They're consumables and I'm consuming a drive at the rate of about maybe one or two a year in order to be running four RAIDs with four drives per RAID, and I've never lost a byte of data.

0:47:28 - Mikah Sargent
There you go. That's the brag that you get at the end. It's like, yes, I may be doing it every six months, but never lost a byte of data. Okay.

0:47:37 - Steve Gibson
So this story is really fun. The Navy Times recently blew the lid off of an intriguing story of a US Navy warship which had some officers who had installed a secret Starlink-based network on board so that a select few of the upper echelon would not be deprived of their precious internet connectivity while they were deployed at sea. In their piece headlined how Navy Chiefs Conspired to Get Themselves Illegal Warship Wi-Fi, the Navy Times wrote the following, and I'm just going to share the beginning of it. It's a long article I've got the link here for anyone who wants more but here's what they said. They said this will give you the gist.

Today's Navy sailors are likely familiar with the jarring loss of internet connectivity that can come with a ship's deployment. For a variety of reasons, including operational security, a crew's internet access is regularly restricted while underway to preserve bandwidth for the mission and to keep their ship safe from nefarious online attacks. The USS Manchester's Gold Crew knew no such privation last year when they installed and secretly used their very own Wi-Fi network during a deployment. According to a scathing internal investigation obtained by Navy Times, as the ship prepared for a West Pacific deployment in April of 2023, the enlisted leader on board conspired with the ship's chiefs to install the secret unauthorized network aboard the ship for use exclusively by them. So while rank-and-file sailors lived without the level of Internet connectivity they had enjoyed ashore, the chiefs installed a Starlink satellite Internet dish on the top of the ship and used a Wi-Fi network they dubbed Stinky to check sports scores, text home and stream movies. Oh, come on. The enjoyment of those wireless creature comforts by enlisted leaders aboard the ship carried serious repercussions for the security of the ship and its crew. The investigation noted, quote, the danger such systems pose to the crew, the ship and the Navy cannot be understated. Led by the senior enlisted leader of the ship's Gold Crew, then Command Senior Chief Grisel Marrero, the effort roped in the entire chief's mess by the time it was uncovered a few months later. Marrero was relieved in late 2023, and there was a court-martial, by the way, after repeatedly misleading and lying to her ship's command about the Wi-Fi network, and she was convicted at court-martial this spring in connection to the scheme. She was sentenced to a reduction in rank to E7 after the trial and did not respond to requests for comment for this report.

The Navy has yet to release the entirety of the Manchester investigation file to Navy Times, including supplemental enclosures. Such records generally include statements or interview transcripts with the accused. But records released so far show the probe, which wrapped in November, found that the entire chief's mess knew about the secret system and those who didn't buy into it, literally buy, B-U-Y, into it, were nonetheless culpable for not reporting the misconduct. Those chiefs and senior chiefs who used, paid for, helped hide or knew about the system were given administrative, nonjudicial punishment at Commodore's Mast. According to the investigation, all told more than 15 Manchester chiefs were in cahoots with Marrero to purchase, install and use the Starlink system aboard the ship. The investigation said, quote, this agreement was a criminal conspiracy supported by the overt act of bringing the purchased Starlink on board USS Manchester. Any new member of the CPO mess which then paid into the services joined that conspiracy.

Following the system's operational status, records obtained by Navy Times via a Freedom of Information Act request revealed a months-long effort by Marrero to obtain, install and then conceal the chief's Wi-Fi network from superiors, including the covert installation of a Starlink satellite dish on the outside of the Manchester. When superiors became suspicious about the existence of the network and confronted her about it, Marrero failed to come clean on multiple occasions and provided falsified documents to further mislead Manchester's commanding officer. The investigation states unauthorized Wi-Fi systems like the one Marrero set up are a massive no-no for deployed Navy ships, and Marrero's crime occurred as the ship was deployed to the West Pacific, where security concerns become even more paramount among heightened tensions with the Chinese. While Marrero claimed the Wi-Fi system was secretly installed for morale purposes, the investigation notes that such a claim is, quote, undermined by the selective availability of the Wi-Fi... buying and installing the Starlink system before the ship's deployment began the following month.

The Starlink dish was installed on the Manchester's O5-level weather deck during a blanket aloft period, which requires a sailor to hang high above or over the side of the ship. During a blanket aloft, duties are not documented in the deck logs or the officer of the deck logs. According to the investigation, it's unclear who harnessed up and actually installed the system for Marrero due to redactions in the publicly released copy of the probe, but records show Marrero powered up the system the night before the ship got underway to the Pacific, to the West Pacific waters of US 7th Fleet. Marrero and her cohorts paid $2,800 for a Starlink high-performance kit with a personal credit card and contacted Starlink to expedite shipping so the system would arrive in time for the deployment.

0:55:48 - Mikah Sargent
I'm glad our tax dollars weren't used to purchase it. I'm glad to hear that.

0:55:54 - Steve Gibson
At least it was paid for with personal money, right?

0:55:58 - Mikah Sargent
Yes, whether it was then sort of you know came out in the wash, I don't know. But at least up front. It was paid for with personal money.

0:56:05 - Steve Gibson
They said Starlink offers plans ranging from $90 to $5,000 a month and allows users to control network settings via a cell phone app. The Navy is installing such authorized capabilities aboard some ships in the fleet, but that was not the case aboard the Manchester, where Marrero set up payment plans for the chief's mess to pay for the system, either $62.50 a month or a one-time fee of $375. It's a whole business.

0:56:44 - Mikah Sargent
It's a business it's subletting Wi-Fi.

0:56:50 - Steve Gibson
So the ship's chief petty officer association treasurer collected the money into a chief's mess checking account.

0:56:59 - Mikah Sargent
This is a whole system. This is wild.

0:57:03 - Steve Gibson
Those involved also used the chief petty officer's association's debit card to pay off the $11,000 monthly Starlink bill. Ah, so they went for the $11,000 a month. $1,000, not $11,000. Sorry, sorry. Yeah, $1,000 a month Starlink bill, and Marrero warned the chiefs to only use the network in their rooms. Marrero served as the gatekeeper of the system, records show, downloading and maintaining the Starlink app from her phone and naming it Stinky Wi-Fi Kingpin. That's right. Only she could add others to the network and would directly type the password into their devices so that they would know what the password was. So it's like, don't worry, I'll type the password in, then you just use it and it'll remember it. After Manchester got underway from San Diego, Marrero and the chiefs soon realized the Wi-Fi signal, oh darn, didn't cover all areas of the ship, maybe because it's a lot of metal everywhere.

You think so. The senior chief purchased signal repeaters and cable at the Navy Exchange store in Pearl Harbor, Hawaii, during a port visit in late April or early May, according to the investigation. That's right. We need to get us some repeaters here so that we'll have access to Stinky no matter where we are.

0:58:41 - Mikah Sargent
Honestly, I'm becoming impressed. This is like multi-leveled. It's kind of getting impressive.

0:58:48 - Steve Gibson
So they said, little stays secret within the close quarters of a deployed ship and shortly after.

0:58:54 - Mikah Sargent
You could imagine, right? And shortly after getting underway... phone right now. How are you watching that video?

0:59:00 - Steve Gibson
how do you know what the sports scores?

were? Yeah, exactly. Scuttlebutt started swirling among some sailors about the unauthorized Wi-Fi network. The ship's former executive officer, Commander Matthew Yokely, caught wind of the rumors in May and notified the commanding officer, Commander Colleen Moore. Moore confronted Marrero about whether the chief's mess had an unauthorized Wi-Fi network that same month. Another unidentified crew member approached Marrero about a Wi-Fi network aboard the ship after finding available networks on a device that started with the name Stinky. It's unclear who found the Stinky network due to redactions in the report. In both instances, Marrero denied that such a Wi-Fi network existed, but she soon changed the Stinky Wi-Fi network name to another moniker that looked like a wireless printer, even though no such general-use wireless printers were present on the ship, the investigation found. Anyway, wow is right.

1:00:17 - Mikah Sargent
Wow, that's just very impressive. See, and here's the thing, I was very pleased to hear that our tax dollars were not used to make the purchases of this, but the money that went into the investigation of this and the subsequent court-martial and everything that was involved there, we did pay for that. So, yeah, in that way I'm a little bit perturbed, although, yeah, like this is impressive and I would love to hear Marrero's sort of reasoning, you know, because you gotta, is it like we just really wanted to watch our shows?

1:00:54 - Steve Gibson
or whatever it happened to be.

1:00:55 - Mikah Sargent
There's got to be more to it.

1:00:58 - Steve Gibson
With so many people today seemingly unable to separate themselves from the Internet, it's foreseeable that there would be significant pressure to maintain connectivity while at sea. But at the same time, we know how true it is that any form of internet connection would need to be highly filtered. And that's the problem.

1:01:23 - Mikah Sargent
Can you imagine how much any hostile foreign power would love to get into a smartphone or a laptop of someone on board who clicked the wrong link, and you know, they're running TikTok, which is controlled by the communist Chinese government indirectly, and then, once in there, pivot with that access and jump into the systems in the ship's internal networks? Yeah, well, and there's something to be said, too, for the individual who's behind the company that is responsible for Starlink in the first place also having that information of where that boat is at any given time. That's also something to consider. And it kind of makes me wonder if Marrero had heard that these other ships were having this done and was like, well, I'm not waiting nine years to finally get it installed on this ship, we'll just do it ourselves. But you bring up a good point that hadn't occurred to me.

1:02:22 - Steve Gibson
The underlying motivation: was it because she desperately needed to maintain access to friends and family or something, or was it actually a profit center?

1:02:36 - Mikah Sargent
Right, was it like, hey, I can make some coin here by, you know, selling access to my, you know, fellow upper echelon? Right, and it could also be simply, I mean, I can't speak to what all is involved, obviously, in any of these patrolling bodies, but maybe if you are trying to recruit certain people, it's like, do we want to go to the place that has the Wi-Fi? So whenever we go out on these long voyages and it's like, look, we all have to put some money in because it's expensive, but hey, at least you got access to Wi-Fi and you don't have those pesky Navy blockers on everything, so you actually get to look at your TikTok. You know what I mean. Like there could be people who have heard that this is the party ship.

Yes, this is where we want to be. You gotta pay a little bit, but it's still the party ship, and I think, I think, you know.

1:03:31 - Steve Gibson
Another interesting question here is that, I mean, I get how addicted people, and that's the right word to use, right, how addicted some, especially some people, not everybody, are to 24-7 internet access, and you're a sailor going out on a ship and you're dark, you know what I mean. It's over. And the other thing is, how big and complex must the operation of these ships be, that a Starlink antenna box can be installed on the deck of the ship, sitting there pointing at the sky, and nobody walking by says, what is this?

1:04:17 - Mikah Sargent
What is that? I don't remember that being there. That seems like a nice spy, I like.

Come on, huh. Yeah, that's, those things. We got a lot going on, apparently. Wow, wow, what. And I too, I sort of feel like Marrero could end up hosting one of our shows, given that Marrero knew it was very clever to change it to make it look like it was a wireless printer. That's clever. That takes knowledge of some level of networking, along with everything else that was involved, to think about being the one to do the Wi-Fi. I mean, there's some intelligence there. Maybe eventually Marrero will make her way into, I don't know, the Pentagon or something.

1:05:07 - Steve Gibson
I have a friend who named his own Wi-Fi NORAD Scanner or something. It was like, nobody's going to dare touch this.

1:05:18 - Mikah Sargent
Yeah, I'll leave that one alone. Thank you, CIA watching you, I'll skip that one.

1:05:26 - Steve Gibson
Okay, next we're going to talk about the winner of a recent competition for the best secure access edge service, but let's take another break, since we're at one hour in at this point.

1:05:39 - Mikah Sargent
Sounds good. I would love to tell you about 1Password, who are bringing you this episode of Security Now. It's time for another question for you that we probably know the answer to. Do your end users, huh, how appropriate, always work on company-owned devices and IT-approved apps? Yeah, no, sometimes they set up Stinky Wi-Fi networks that aren't running on the company-owned devices. So how in the world do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? Well, 1Password has an answer to this question: Extended Access Management.

1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems that traditional IAM and MDM can't touch. Love this metaphor. Imagine that your company's security is like the quad of a college campus. There are nice brick-lined paths between the buildings that were purposely put there to look great. Those are the company-owned devices, those IT-approved apps and the managed employee identities. But then there are the paths that people actually are using, the shortcuts worn through the grass that are the actual straightest lines from point A to point B. Those are unmanaged devices, the shadow IT apps, the non-employee identities like contractors. Most security tools only work on those happy brick paths, but when you look at it, a lot of the security problems actually take place on those shortcuts.

1Password Extended Access Management is the first security solution that brings all of these unmanaged devices, apps and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy and that every app is visible. It's security for the way we actually work today, and it's now generally available to companies with Okta and Microsoft Entra, and it's in beta for Google Workspace customers. So check it out at 1password.com/securitynow. That's 1-P-A-S-S-W-O-R-D dot com slash security now, and we thank 1Password for sponsoring this week's episode of Security Now. All right, we are back from the break and let us continue on with our episode.

1:08:03 - Steve Gibson
It was, well, I thought it was a few months ago. It turns out it was more like 10 months ago. I shared how impressed I was after meeting with and learning about the technology that the guys at Adam Networks, which is adamnetworks, had created to help secure the Internet-facing border of enterprises. As I've noted several times, that is a daunting task and it's not a job I would want. You know, like how do you secure Sony, you know, Entertainment, when anybody clicking on a bad link can infect the network?

So while I was delighted to see it, I was not surprised to discover that SC Magazine, a well-known and reputable security industry publisher, after running a head-to-head competitive comparison and evaluation of the industry's many various solutions, picked Adam One, which is the name of this system that they offer, as the winner. SC Magazine wrote, and this is just a one-liner they said at the top of their coverage of this, they said Adam Networks has claimed the prestigious Best SASE, S-A-S-E, I have what that acronym stands for here somewhere. It's not coming to mind. Oh, Secure Access Surface Edge solution. So Adam Networks has claimed the prestigious Best SASE Solution award at the 2024 SC Awards for its cutting-edge product, Adam One. In a cybersecurity landscape where traditional reactive methods often fall short, Adam One stands out by providing a proactive, zero-trust security solution designed to eliminate threats before they infiltrate networks. This recognition places Adam Networks among the leading innovators in the increasingly competitive secure access service edge market. So, anyway, I just wanted to follow up on what we initially talked about back then, since protecting the enterprise from all of the mischief that those inside the enterprise might get up to is no small task, and since the Adam One folks appear to have the best handle on doing that job. I have a link to SC Magazine's announcement with many more details in the show notes, and it was episode 946, which was Halloween, October 31st last year, 2023, when I shared the results. These guys won the best in class award for their solution for securing the enterprise perimeter, and I'm not surprised because, as I shared back at the end of October last year, they figured out how to do it and they do it right.

Many of our listeners may have received email from me about the availability of SpinRite 6.1. Of course, that won't come as any news to anyone listening, but for anyone who purchased SpinRite 6.0, which was released 20 years ago, back in 2004, it would likely come as a welcome surprise. So over the weekend I received a note about this from a listener named Patrick. He wrote, good morning sir. Quick note to let you know I've received an email from spinritenews, that was the domain that I used for sending the email, he said, but it was flagged as spam by Exchange and dumped into my junk folder. He says, otherwise, thanks for the work on SpinRite 6.1. I'll let you get back to work on 7.0 now. Signed, Patrick.

So I replied to Patrick, writing, thanks for your feedback, Patrick. Since I'm mailing to all past SpinRite owners for the past 20 years, I'm sending those announcements through that domain you noted, spinritenews. Since that domain has not earned a reputation as a valid email sender, Apple is bouncing all incoming email addressed to anyone at me.com, icloud.com and mac.com and, as you note, Exchange is routing incoming mail to spam. I said, but at least it's not bouncing the mail back. So I said my primary goal for this is twofold. I do want to inform any non-podcast listeners of the availability of a free upgrade to SpinRite 6.1. And I also want to remove all bad email addresses from the previously unused domain spinritenews, since I expect that the bounce rate will be high, especially for the oldest 20-year-old email addresses, and I want to keep GRC.com's email reputation as spotless as possible. I said once I've managed to update GRC's creaky old SpinRite owner list, I'll be able to mail from GRC.com using its clean email reputation. I said mail should then get into people's inboxes. So it's been an interesting, it's been an education.

I set up a relationship with the guys at Postmark, that are an email forwarding service, and established all of the proper credentials and security and cryptographic signing and everything to authenticate email coming from spinritenews. And then I began mailing from the most recent in the direction of the least recent, so from 2004, then, I mean, sorry, from 2024, and then 2023, 2022, 2021 and so forth. And, just as you'd expect, as I went back further and further in time, the bounce rate began to increase because people had left the companies where they were when they purchased SpinRite, so their inbox was terminated, and so forth. So I got as far back as 2011. I got all the way back through 2011, and the bounce rate had then reached one out of 10, which is the highest level that these guys are comfortable with me having, sending email through them. So anyway, I'm going to come up with a different approach. The interesting thing, I mentioned that all of the email into Apple bounced. I saw the same thing occurring when I was first doing the regular podcast mailings, like I did this morning. I sent out 9,400 plus pieces of email for this podcast to the subscribers to the Security Now list, and for the first few weeks Apple flatly blocked all of that. But then it stopped and since, for the last handful of weeks, everything's been working perfectly and the email's been flowing without any problem. So anyway, I thought it was just interesting.

We've talked many times about how, when software is digitally signed, reputation is everything. Anybody can get a certificate, and bad guys do. You really have to sign your software now. But if it's not a certificate that has earned itself a reputation as signing non-malware, Windows looks at it with a raised eyebrow and says, I don't know if I'm going to let this run, and quarantines it. It turns out reputation is just as important for email. So my using, in retrospect, I'm not sure that I shouldn't just have sent from GRC because I'm able to see what the bounce rate is and throttle back or stop. But I didn't know how it was going to go. It actually kind of went better than I expected it to. I was able to get all the way back through 2011, and now I need to trickle out emails, the way I'm going to handle it, but from GRC, I think, and just make sure that our reputation stays good. But anyway, sort of an interesting experience.

The one thing, there is kind of a call to action that I would ask our listeners, all of those who are listening who own SpinRite, and, well, I guess, have purchased it ever, but certainly since 2011. Check your spam folders and see whether an announcement of SpinRite is in your spam folder and, if so, mark it as not spam. I would appreciate that because that's the way we train the ISPs who are filtering that this is not spam I'm sending. I got your email address because you bought a copy of SpinRite once upon a time. So, anyway, I would appreciate it if people check their spam folders and let their ISPs know, nope, that's not spam. I wish I had that in my inbox. And of course, we'll be using those email addresses in the future for other good, useful announcements. And one last point, speaking of SpinRite. I have seen several people who have said, hey, you said that SpinRite 6.1 speeds up SSDs.

One guy sent me the three benchmarks that he had from before running SpinRite. It was 131 megabytes per second, then the middle of his drive was 184, and the end was 185. He ran SpinRite on it and it came out at 120 megabytes for all three measures. In other words, from 131 down to 120 at the beginning, and then the end was 184 and 185, also all now at 120. So I replied to him to explain what happened. I wrote, it appears that your SSD was mostly empty. So what happened is that those pre-SpinRite benchmark readings were illusory and were not really returning results from reading from the drive's physical media.

SSDs and spinning SMR, shingled magnetic recording, drives are aware of whether anything has ever been written to individual regions of their media. If nothing has ever been written, then there's nothing to be read, so they don't bother actually reading anything, since nothing is there other than blank space, you know, all zeros or all ones, whatever they initialize to, so they just return zeros or ones at lightning speed, at the full speed of the interface that connects the drive to its computer. But when SpinRite rewrote the SSD's entire surface, the drive now believes that all of the media is now in use, even though it may still only be storing all zeros or ones. Now the drive believes that data is important to its owner. So when SpinRite's benchmark is run afterwards, what will be shown is the true reading speed from the media, which was exactly 120 megabytes per second everywhere.

Now, after running SpinRite and remounting the SSD in an operating system, the OS itself will re-trim the SSD. It runs through the entire SSD's region-in-use table, marking all of the regions that are not actually storing any file system data as empty again. All current operating systems do this periodically, so this will cure itself. Under Windows, this happens weekly for SSDs, although you can run the Windows disk optimizer on the drive to cause Windows to do this on demand. And if you then rerun SpinRite's benchmark on the SSD, you'll then see that the results have been returned to what they were before. So you can usefully then compare them with what SpinRite showed for its pre-benchmark results. So anyway, yeah, isn't that cool? So the drive saying 184, 185, it wasn't actually reading anything. The drive actually reads at 120 megabytes from the media, but when it knows that nothing was ever written in a region, why bother reading it?

1:22:06 - Mikah Sargent
Meaning, when you say it knows that nothing has ever been written, does that mean it has knowledge of the fact that it is a factory-fresh drive, yes or okay? And so does that suggest then that if I got a drive and then plugged it in and it did not read at those, not much higher, but higher speeds, then maybe that one was quality control tested or something at the factory? Or is there just kind of like a, right before it goes out into the world, it gets a little blessing that says this is absolutely fresh, it's never been used? It's exactly the second thing that you said. So there's a thing known as TRIM.

1:22:52 - Steve Gibson
It's called trimming the drive, the drive with a resolution of some level of blocks, some number of sectors. It maintains a bit flag that knows whether any of the sectors have ever been written to that drive, and it turns out that it's really cool the way this works. Any of the sectors have ever been written to that drive and it turns out that it's really cool the way this works. The reason it's done is that the way flash memory, which is the NAND memory, the solid-state memory used in SSDs and in flash drives, thumb drives works, and in flash drives you know thumb drives works is when you erase the data, all of the bits are set into one state, like typically they're all set to ones. So in a completely empty region they're all set to ones. But erasing can only be done in relatively large blocks. Tracing can only be done in relatively large blocks the same size as there is a bit for the trim of the block. So the whole block is written to all ones.

Now say that you write a sector of data into that block. Writing the data sets a bunch of those ones to zeros, but it's not possible to set the zeros to ones. That is, only the process of erasing the entire block is able to set all of the bits to ones. So writing data is essentially like pushing the bits down. All that can be done is, like, to push them down to zeros. And so if the system knows that regions have never been written to, then it knows there are no zeros there, so it doesn't need to take the time to erase those.

So it turns out it's a performance-enhancing and wear-minimizing sort of background management of the data stored on the drive.

So, and it's completely transparent to the user, you never see that happening.

You know, you just store your data on the drive and everything works, but in the background Windows is making sure that, like, so you delete a file from the file system, and, you know, back in the day we know that you could undelete things. That was what Peter Norton discovered that made him famous, because he came out with UnErase or undelete, where you could just get your file back. But today's file systems actually release the space. So they release the space, but, as we know, the file is still there until it's actually physically rewritten, or until Windows says to the SSD, on Sunday night or whenever the so-called optimization occurs, Windows will say, oh, by the way, that chunk of region no longer contains any actual data, it's no longer part of the file system. And so then the drive takes advantage of that information to know whether or not it needs to preserve it when it's doing its normal work. So a lot going on behind the scenes that people don't normally take a look at.

1:26:38 - Mikah Sargent
Yeah, that is fascinating to me. Honestly, I didn't realize that. It was kind of just yeah, as you said, you don't need to worry about it, but I'm going to worry about it and we'll make sure that we're not doing more than needs to be done. If it ain't broke, don't fix it, Right that sort of situation.

1:26:56 - Steve Gibson
Yep. Well, and my favorite reaction to the weekend's mailing was just a one-liner from someone named Jim. He said, wow, he got the email. He said, talk about turning back time to the days of Madonna and a portable CD player that took D-cells. And he said, love it. He said, I bet if I dig long enough I might be able to find a copy on floppy of SpinRite from early 1990 or so. And he said, awesome, thanks, you saved my tail many times in the past. So anyway, very cool.

And finally, one piece of closing-the-loop feedback. I mentioned this to you before the podcast, Mikah. Chris Pates wrote: Just listened to your podcast and heard you say that you won't be able to find your email address anywhere online. But Perplexity AI knows where to find it, apparently. FYI, he said.

I asked the question, what is Steve Gibson's email address at Security Now? And received this reply. Quote: Steve Gibson's email address for the Security Now podcast is securitynow@grc.com. This address is intended for podcast feedback and is mentioned regularly during the show, although it is not prominently displayed on the Gibson Research Corporation website. And I'll just say that I continue to be surprised by what we're creating here with this, what can only be considered an AI revolution. As we humans continue to push technology further and further, we create both new capabilities and new dilemmas. You know, we're rapidly moving into a world that was only recently pure science fiction, so it's going to be truly interesting to see what happens with AI. But, Mikah, these sorts of summaries, where it appears to actually get the context and to understand what's going on.

1:29:10 - Mikah Sargent
It's creepy. It gets a little creepy, and, honestly, for me, I remember when we first started seeing the generative AI thing take off and I was still in a headspace of, I know it's kind of silly, but I would feel bad about challenging the system too much. I would feel as if I was, you know, making it... I didn't want to give it the opportunity to fail me, because I don't like to... I did this, this is kind of... but I don't like it when I can't, you know, properly achieve a task. And so I would be overly descriptive and overly mindful and try to help it get to the right answer that I was looking for, because I didn't want to be disappointed, but I also didn't want it to, like, work hard. I don't know what was going on psychologically, but that's just where I was. And now I'm very lazy about how I'm asking the things, because it does, you know, the times whenever I'm asking it to, it appears to understand.

It appears to understand, and I think that that's really going to make all the difference when we see more of this playing out in our virtual assistants. Apple just debuted several advertisements featuring the actor Bella Ramsey, and they are an actor in The Last of Us, and they were showing off some of the aspects of a new version of Siri where you could say, where do I know this person from? And it was able to say, oh yeah, you met them because I can look at your calendar, I can look at this.

And up to this point, you know, you have to do so much of the directing for that to happen, and so it is really wild seeing how this is just happening automatically in the background.

And then when you use something like Perplexity, because what Perplexity does is it is a search engine that has AI tacked onto it, and so earlier, when we were talking about it, Benito had pointed out that probably a big part of that is it has access to the transcripts for Security Now, which, that alone is something that needs to be... You know, if it has access to those transcripts, because it does a search on it, finds the show on the TWiT website and can read through that, it has information that it wouldn't otherwise have. And another quick thing that I'll say, and then I'll get off this topic, is, you may have seen that Google had updated its NotebookLM system. NotebookLM is the online tool where you can give it your Google Docs or your other Google files, and then you can say, for example, I would, for example, say, what were the articles that I wrote back in 2015 where I talk about this smart home product? Because I was doing that at the time. It looked back at my documents and helped me find those things. And then I could say, help me break down a summary of what my thoughts were at the time, right? But here's where it gets wild, Steve, is just recently.

NotebookLM released a new sort of feature of this where you feed it your documents and it makes a podcast conversation of the documents that you give it. So it has two people that are voices that are completely AI generated having a conversation about specific documents. And there was an app developer on, I want to say it was Mastodon, and I'm sorry I don't have the links to this right at the top because I didn't know I was going to be talking about this, but basically this developer wanted to see what would happen if they fed it some weird stuff, and so just gave it like 35 documents, or maybe even it was more than that. They were all just named patent one, patent two, patent three, patent four, and just had binary in it, all zeros and ones, and there was a somewhat compelling fake conversation taking place between these two AI voices about these patent documents that weren't real. Mind-blowing stuff. Like the perfect example of an AI hallucination. Yes, just completely made up out of whole cloth.

Yes, you know stuff that sounded absolutely convincing because there were these little interruptions, like we're doing here, where I'm kind of going, yes, and you know, making sounds. It was doing that too, and so it was chilling. It was honestly chilling, but at the same time it was hilarious because it felt like an SNL parody almost, and I was feeling a lot of emotions all at once. So I'm sure that you were feeling a little bit of that when this came up, because it's like what are we building here?

1:34:13 - Steve Gibson
Well, and what you just described about Google's NotebookLM, and the idea that it can look at your historical document archive and be, like, a search tool that brings an entirely new meaning to the term search. This is why Microsoft is so desperate to get Recall into everyone's Windows machine. They want Windows to be taking a snapshot of everyone's screens every couple seconds, understanding and saving, archiving what's there, for exactly the same purpose. So future Windows users who do not object to the concept of having, I mean the privacy implications of having their machine, and Microsoft to some degree, having access to the entire unredacted contents of all the screens that have been on their machine for years... They're, at some point, Recall would have taken pictures of them, but everything else that you did with your computer, you want it to be highly confidential, to be just between you and your computer. But one could imagine the power that it would have, and it is, I think, terrifying.

1:35:55 - Mikah Sargent
Can you imagine credit card companies getting some sort of proprietary score from your behavior that is generated by... and I know I'm going a little out there, but at the same time we've seen with health insurance companies and auto insurance companies who have those little dongles, or you get an Apple Watch from them and then you have to send it your stats, and then over time it can reduce your bill.

Imagine that same thing applied where your social credit is generated based on how you're... Think of it like, can you imagine a corporation that has cybersecurity insurance and it uses a score generated by Recall to see how risky your employees' behavior is on all of your company-owned devices? Right there, that could mean, you know, 10,000 fewer dollars paid every year because your employees are properly trained and the behavior plays out. And then, you know, the in-between, the company that's doing the Recall part, can say, we're not going to give the company exact information, we've generated a proprietary score that says they're 98 out of 100 mouse icons, you know what I mean, whatever their score happens to be. That's interesting stuff.

1:37:18 - Steve Gibson
Well, and we've seen and covered on this podcast instances where cars are now feeding back their drivers' driving habit data. That's right. Yes, and it's affecting their insurance rates. Yep, yep.

1:37:31 - Mikah Sargent
I remember you talking about that, so this is not far-fetched.

1:37:33 - Steve Gibson
No, we know that there will be tremendous pressure to obtain this information, and Microsoft is all about generating revenue.

1:37:45 - Mikah Sargent
Yeah, it's a company, folks. It's all about the money now, and we are the product.

1:37:54 - Steve Gibson
Yes, yes indeed, yes indeed. Okay, do you have another break? Let's take our final break, and then we're going to talk about password manager injection attacks. Oh joy, just how safe are our...

1:38:04 - Mikah Sargent
passwords. Oh boy. All right, all right. This episode of Security Now is brought to you by Vanta. Whether you're starting or you're scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust. Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. More than 7,000 global companies, like Atlassian, Flo Health and Quora, use Vanta to manage risk and prove security in real time. So get $1,000 off Vanta when you go to vanta.com/securitynow. That's V-A-N-T-A dot com slash security now for $1,000 off, and we thank Vanta for sponsoring this week's episode of Security Now.

1:39:11 - Steve Gibson
Okay, so today's exploration topic began with my receipt, a week ago, of a note which read: Hi Steve, my name is Ben. I'm a former Ben-Gurion University student and long-time listener of Security Now. You covered a few studies of mine in the past, including Lamphone (speech recovery from light bulbs), video-based cryptanalysis (key recovery from a power LED) and Morris II, the AI worm. Led by Andrés from Cornell Tech, we revealed attacks against end-to-end encrypted applications, demonstrating the recovery of encrypted confidential data from backups of two messaging apps, WhatsApp and Signal, and 10 password managers: LastPass, Dashlane, Zoho Vault, 1Password, Enpass, RoboForm, Keeper, NordPass, Proton Pass and KeePassXC. We named these attacks Injection Attacks, and the papers were published at USENIX Security 24 and Security and Privacy 24. Attached are the links, which I believe that your audience will find interesting, as once again they prove that, while end-to-end encryption is the best approach for applications, the devil is in the implementation. Now, of course, I had seen from Ben's note envelope that his full name was Ben Nassi, which I recognized immediately since, as he noted, we've covered all of his work and exploitation discoveries through the years. So, needless to say, I was interested in what new mischief Ben and his fellow security researchers had gotten themselves up to now. Five or six researchers, depending on which paper, led by Andrés Fábrega from Cornell University and Cornell Tech, collaborated on two papers. One was titled Injection Attacks Against End-to-End Encrypted Applications and the other was titled Exploiting Leakage in Password Managers via Injection Attacks. To get us started on our understanding of what they've done, I'm going to share the abstract from the paper about password manager injection attacks. It's pretty brief, and it says: This work explores injection attacks against password managers.

In this setting, the adversary only controls their own application client, which they use to inject chosen payloads to a victim's client via, for example, sharing credentials with them, and observations of some form of protected state, such as encrypted vault exports or the network traffic received by the application servers, from which the adversary is able to obtain confidential information. We uncover a series of general design patterns in popular password managers that lead to vulnerabilities allowing an adversary to efficiently recover passwords, URLs, usernames and attachments. We developed general attack templates to exploit these design patterns and experimentally showcase their practical efficacy via analysis of 10 distinct password manager applications. We disclosed our findings to these vendors, many of which deployed mitigations. Okay, so that's interesting.

When they use the term injection, they're referring to providing an unwitting target some information that the target will cause to be stored in their own instance. With the password manager's cloud backup, they're able to learn as much as the user's secret usernames, passwords, URLs and attachments. So we need to learn more about that. But I'll first note that the second paper does something somewhat similar with end-to-end messaging, specifically WhatsApp and Signal. In the case of messaging, an attacker sends messages to a targeted user.

Assuming that the attacker is somehow able to obtain and observe the targeted user's encrypted cloud backup, the researchers were able to demonstrate their ability to determine whether the target had received specific attachments or, for example, which of two messages the target had previously received. Now, clever as these researchers are, I came away feeling, I guess, better rather than worse about the safety of WhatsApp and Signal. My feeling was like okay, wow, if that's the most intrusion that these guys were able to achieve, given their obviously serious skills, then that says a lot about how good these apps are. But that said, since the goal is true zero leakage of any kind I would not be surprised to learn that the app vendors had added something like length fuzzing to the things being stored, specifically to thwart the leakage that these guys were able to induce, so the research was definitely useful.

1:45:14 - Mikah Sargent
So, in other words, what you're saying is because they did this, even though it didn't give much information, it was still worth doing because it resulted in the vendors making changes to even make this small vulnerability even less likely to be effective.

1:45:28 - Steve Gibson
Exactly, yeah. Certainly the goal is zero leakage, and we often quote Bruce Schneier. Bruce said, and I love this, attacks never get worse, they only ever get better. Meaning, you know, I mean it's obvious in retrospect how, you know, attackers are getting more clever. They're never getting dumber or less clever, so the attacks only ever improve. So we start with, like, okay, this doesn't seem very bad, but still.

1:46:16 - Mikah Sargent
This is the step one.

1:46:18 - Steve Gibson
Exactly. It's like the first step in a new vulnerability is that it crashes the system. The next step is it no longer crashes it. You take it over. Yeah, so OK, but the password manager leakages, from what we've seen so far, appear to be somewhat more dire. So let's take a closer look at them.

These researchers set the stage in their introduction of that paper by writing: Password-based authentication suffers from well-known pitfalls. That is, just password-based, you know, password authentication using username and password on a website. They said, such as the fact that users tend to choose passwords that can be easily guessed by attackers. Password managers are often cited as the default solution to this problem, as users can offload to them the complexities, thank God, of password generation, storage and retrieval. Indeed, password managers have enjoyed a notable rise in popularity, placing them among the most ubiquitous of security-oriented tools. I can't imagine that anybody listening to this podcast is not an avid password manager user at this point. So they wrote, password managers have benefited from academic attention, which has helped understand and improve their security along various dimensions.

The attacks uncovered by prior work broadly fall under two general threat models. First are attacks that use a client-side resource controlled by the adversary, such as a malicious website visited by the client, a rogue application in the victim's device or the client's own Wi-Fi network. Second are adversaries that somehow acquire a copy of a user's encrypted vault and exploit leakage from unencrypted vault metadata or by offline cracking attacks of a user's master password. State-of-the-art password managers are therefore designed to resist both kinds of threats and notably use slow cryptographic hashing to prevent cracking attacks for well-chosen master passwords. In this work we consider a new kind of threat model in which an adversary (1) controls their own application client, meaning their own password manager, through which they can send chosen payloads to the victim, for example via the password sharing feature now found in most modern password managers, and (2) can observe some form of encrypted state and associated metadata, such as the user's encrypted vault, backups or network requests received by the application servers.

Borrowing terminology from prior work in other domains, we refer to attacks in this threat model as injection attacks. The core idea behind injection attacks, they wrote, is that the adversary can use injections to trigger subtle interactions in the application logic between their data and target victim data, for example, other passwords used by the target, which are reflected in their observations of ciphertext, for example, inspecting their lengths and metadata, in a way that allows recovering sensitive information. We argue that this threat model is increasingly important as password managers become more complex and feature-rich. In other words, you know, more ways for things to go wrong, because it's like, oh, let's add this, what could possibly go wrong? They said, which provides new avenues for injection mechanisms and vulnerable cross-user interactions. To understand whether this threat model is a practical concern or not, we performed a security analysis of 10 popular password managers that support sharing: LastPass, Dashlane, Zoho Vault, 1Password, Enpass, RoboForm, Keeper, NordPass, Proton Pass and KeePassXC. Together, these reportedly account for over 30% of all password manager users. And, okay, that shocked me. That seems low. I thought so too.

1:51:01 - Mikah Sargent
Yeah, where are the rest of them?

1:51:03 - Steve Gibson
Yeah, I mean LastPass, though they had that trouble. I thought they were a huge percentage of the total password manager.

1:51:13 - Mikah Sargent
Maybe they're Chrome Install base Is that where everybody's got their passwords is Chrome.

1:51:18 - Steve Gibson
Got me, but that 30%-.

1:51:21 - Mikah Sargent
And Apple keychain, I guess would be the common place.

1:51:25 - Steve Gibson
So they said, we uncover a series of exploitable vulnerabilities that implicate all of the password managers investigated. Our first class of attacks exploits the fact that a common feature of password managers is for clients to periodically log, outside the device, various metrics about the health of a user's vault, such as the number of duplicate passwords. Oh good, we show those are outside of the vault.

1:51:59 - Mikah Sargent
That's great Love to hear that.

1:52:01 - Steve Gibson
Uh-huh, yeah. And so there's an example, right, of, like, what, you know, we're obviously done with the problem of storing usernames and passwords. What new features can we add? How can we further enhance this? And that's where we start getting into trouble, as we'll see. So they explain.

We show how an adversary can leverage these benign-looking metrics to perform an efficient binary-search-based dictionary attack that recovers the target's saved passwords. Our attacks do not require the adversary to know additional information about the victim's saved credentials beforehand, for example URLs nor usernames. Five out of the ten applications are vulnerable to this attack. In most cases, the adversary must be a passive eavesdropper that observes these metrics directly, for example by having a persistent foothold in the application servers, while for one application, the attack is feasible by a passive network adversary that simply observes the HTTPS channels under which the end-to-end encrypted data is transmitted. We note that both eavesdropping and network adversaries are within scope for the threat models under which password managers are designed. Meaning they weren't supposed to be leaking this information. And the ubiquity of server-side breaches, combined with the difficulty of detecting such breaches, make it critical that password managers resist, that is, are resistant to, such attacks. So we'll come back to that in a minute. They said, our second class of attacks exploits another feature of password managers: Clients often display a small identifying icon, such as a company logo, alongside each of a user's saved credentials.

Importantly, such icons are only fetched once per URL, and subsequent credentials reuse the icons stored in the client. We show how this fact allows an adversary to perform an efficient dictionary attack on the URLs in a victim's vault. The attack always succeeds in our experiments, and mounting it requires no additional assumptions about the victim's saved credentials. Six of our 10 case study applications are vulnerable to this attack, and in all cases, exploitation only requires observations by a network adversary, meaning someone able to watch the user's network traffic. And then, finally, we turn our attention, they said, to adversaries that have an encrypted copy of the entire vault, such as compromising a local password-protected database file or backup of it.

In this case, we analyze the security of KDBX, which is a file format used by many password managers, notably KeePass and its derivatives. To optimize for storage, KDBX employs a variety of storage-saving techniques, such as file deduplication and compression. We show two attacks exploiting these features to recover URLs, usernames and attachment contents. Compression and deduplication have led to attacks against other systems before, but our work is the first to show that these types of vulnerabilities also arise in the context of password managers. Our attacks target features of the underlying file format itself and thus can show that its accuracy is sufficiently high to make it a practical threat.

A summary of our attacks follows. They exploit common design patterns found in password managers and, as such, other applications that employ these can be vulnerable to our attacks. Indeed, for each of our attacks, we describe a general template for it which is agnostic to lower-level application details, and it can be used to target any application that follows the relevant design pattern. More broadly, our findings uncover higher-level issues in password manager design, and we discuss the future work that will be required to provide generally applicable mitigations for injection attacks. Okay, so I want to clarify the nature of these attacks so that the vulnerabilities they found will make more sense. They identified three ways of attacking the security of today's password managers. The first class of attacks, which the researchers refer to as vault health logging, relies upon the newer features of application-wide metrics. These arise from the behavior exhibited by many password managers, which compute various metrics, like, as the example they gave, the number of passwords their user has duplicated in their vault, which includes both personal and shared vault entries.

1:57:54 - Mikah Sargent
Would this also include, Steve, the Have I Been Pwned integration that a lot of these password apps have, that tells you, oh yes, your password is part of a vulnerability?

1:58:05 - Steve Gibson
Yes, that's another perfect example of a new feature that can inadvertently leak some metadata about what you've got in your vault. When these metrics are logged outside the device, such as by the application's cloud servers (and that means that logging is visible on your network; even if it's encrypted, the size of it is still visible), then an adversary can induce fluctuations in these metrics with so-called injections and observe how they are updated in the external location. So to carry out these attacks, in addition to having the ability to inject credentials, this attack requires the adversary to have access to the location where the metrics are logged. Okay, so some sort of foothold of some kind is required. So specifically, LastPass, Dashlane, Zoho Vault, Keeper and NordPass are those five they mentioned before.

Those are all vulnerable to these vault health logging attacks because those five offer these features. All of the password managers except Zoho Vault required that a server-side foothold be present, and that's also effective against Zoho Vault. But Zoho Vault is additionally vulnerable to simpler passive network attacks. Okay, so the vault health attack can be used successfully against Zoho Vault only when passive network eavesdropping is present. The second class of attacks is, I guess I would call it, and they refer to it as, URL icon fetching. It arises, or actually, what's interesting too, we've actually seen this in browser-based attacks, where people's web browsers were caching the favicons of the sites they were visiting.

So this is sort of like that. It arises from the fact that many password managers, as they said, display a graphical icon next to each credential identifying the website associated with it. This icon will only be fetched once from the application servers, and future entries for the same website reuse the image from a client-side cache. An adversary can use this to determine whether or not a target's password manager has previously obtained and cached a credential for that particular URL. If the attacker induces the target's password manager to get an icon, that means there was no previous entry for that website. In addition to having a means of updating the target's credentials, probably without credential sharing, this attack requires the attackers to be able to observe the HTTPS request traffic that leaves the victim's client, or to have a foothold in the server from which the icons are fetched. So the researchers found that Dashlane, 1Password, Enpass, RoboForm, Proton Pass and NordPass were all vulnerable to disclosing their protected URLs through this passive network eavesdropping.

And the third and final class of attacks only affects KeePassXC, that is, among the top 10 that were tested. This arises from KeePassXC's storage file system. KeePassXC uses this system to decrease the size of its encrypted vault. Now, the problem is the presence of data compression, and this is something we've talked about before in secure storage. Compression, which is used, obviously, to reduce the storage redundancy, can be used to reveal the data that's already been stored in the compressed store. The size of the storage will increase when unique, new information is stored, but if something is added that already exists in the storage, the compression that's present will keep the total storage from increasing.

2:02:51 - Mikah Sargent
So you can use that as a means... you can infer, exactly.

2:02:56 - Steve Gibson
You're able to infer what was there, based on whether it now occupies as much space additional space as the new information would have required.

2:03:08 - Mikah Sargent
So isn't that a cool side channel? That is so cool and so clever. These clever, clever people.

2:03:14 - Steve Gibson
Yeah, so you know, it's a side channel that we've talked about in the past. It's necessary to be very careful about compressing secret data before it's encrypted, because this side channel can be used to leak information about the content of the secret data by inference. And we know that post-encryption compression is never used, because it's not possible to compress encrypted information, since anything that's been properly encrypted is indistinguishable from completely random noise, and completely random noise is, by definition, incompressible.

2:03:56 - Mikah Sargent
You know, I needed that, Steve, because I always... the logic to me there never quite lined up in terms of how in the world can I take a thing that exists in this digital space? Why is it not already as small as it can possibly be? Why does compression work at all? So the way that you've just described it there helps me to get why compression even works in the first place, because if you do see those patterns, then you can use those patterns to help make it smaller. I just thought, yeah, why isn't the JPEG even smaller? Why can I take some JPEGs, put them into a zip and the zip is smaller? And now I understand.

2:04:48 - Steve Gibson
Right. The two researchers who are at IBM, Lempel and Ziv, created something, and their initials are LZ, the LZ compressor, and that's the compression used in Zip and a lot of the early compressors. Basically, as you're feeding data in, the compressor is storing the history of the data that it has seen, and as new data comes in, it looks in the dictionary, in this buffer of past stuff that it has seen uncompressed, and it says, oh look, that was here. So instead of putting the word in, it puts a pointer to where it is in the buffer, because a pointer is much shorter than the word. So normally when you're talking about something, the context of your conversation is reusing the same words over and over within a short period of time.

Ditto, ditto, ditto, ditto. Exactly, ditto, ditto, ditto, ditto, and so it just aligns all that, and all it does is put little pointers to where it recently occurred. That's cool. Instead of having to re-store it.

It is super clever. They obtained a patent at the time, but patents only last 17 years, so, you know, everyone's been able to use it afterwards. Okay, so finally, the last of the attacks, which is this compression attack. KeePassXC is vulnerable to this type of attack because it does exactly that: by examining fluctuations in the size of KeePassXC's encrypted vault after injecting known information, it's possible for an attacker to glean information about the vault's unknown contents. To pull this off, in addition to injecting credentials, this attack requires the adversary to have persistent access to the victim's encrypted vault, either directly or by monitoring vault backups. In their work, the researchers demonstrated attacks against two mechanisms, both the compression and attachment deduplication. So if you gave it an attachment, you would see whether, if it expanded by the size of the attachment, you knew that it didn't already exist. If it didn't expand because the vault deduplicates, it was like, aha, that already exists somewhere. Again, it doesn't seem like a big problem, but you are leaking some information. So, after putting these 10 password managers through the wringer, they contacted each of the password manager's vendors to share their results ahead of taking this work public.

Here's what the researchers reported from that effort. They wrote. We reported our findings to the 10 vendors affected by our work, many of which proceeded to deploy mitigations. Lastpass adopted our suggested mitigation of separating vault health metrics between personal and shared credentials, which disables the injection channel. They released an initial implementation of this fix in version 4.129.0, removing shared folders from the Vault Health logs as these lead to the most severe variant of our attack.

Removing individually shared credentials from the logs is more technically challenging, and individual credentials lead to a less practical version of our attack, and thus has been deferred to later in their roadmap. Their projection is to release this fix by the end of the year, which would complete a full mitigation of our attack. Zoho Vault plans to adopt a similar fix by implementing an option to separately compute vault health metrics on personal passwords as of version 4.0. Dashlane... Okay, whatever that means... fact that their vault health metrics are only logged once per day. Their tight sharing limits significantly affect the practicality and runtime of the attack. In other words, they're updating so seldom already that it would really slow things down.

2:09:47 - Mikah Sargent
Yeah, watching constantly.

2:09:49 - Steve Gibson
Right. In addition, the resource limits on their web application and extensions prevent an adversary from sharing an unlimited number of credentials with a victim, which increases the runtime of the attack even more. As part of their disclosure, they informed us that incorporating shared passwords is a core feature of their vault health metrics and thus removing shared passwords would represent a notable disruption to this feature. So they don't want to stop doing that, whereas LastPass said, yeah, we just took it out. Then, to address our URL icon fetching attack, Dashlane implemented a new feature as of version 6.2415 that allows users to turn off fetching credential icons, which disables the side channel for both an eavesdropping and network adversary and thus provides a full mitigation to our attack. To address our attack even when URL icons are turned on, they additionally migrated their icon fetch request... is included in the traffic sent to this top-level endpoint due to the high amount of noise from other requests sent to the endpoint. In other words, it used to be that the URLs were being pulled from their own domain, and so they said, oh, no problem, we'll just add them to an existing domain which is under heavy use already, HTTPS encrypted. They just won't be able to determine. They'll just give up and go away, even though it wasn't that bad an attack anyway. They wrote: NordPass also adopted our suggested mitigation of separating vault health metrics between personal and shared credentials, which disables the injection channel and is thus a full mitigation to our attack. This fix is planned to be deployed by the end of August 2024, and I guess that's already happened then. Then, to address our URL icon fetching attack, NordPass added a feature to disable URL icons by default, which provides a mechanism to disable the injection side channel.
This fix is planned to be deployed before the end of 2024. In addition, they're currently exploring more robust mitigations for this attack to protect users even when URL icons are turned on.

For our attack on attachment deduplication, KeePassXC adopted our suggested mitigation of deduplicating files separately for every shared folder, which disables the injection side channel. Then, to address our compression-based attacks, they modified their file format by, every time the database is saved, picking a random length between 24 and 512 bytes, generating a random array of this length and including this in a custom data field for their file format. We note that this is only a partial mitigation. Basically, what that is, is that's fuzzing. It's fuzzing the length, so that there is no direct correlation between lengths any longer. So they said that we note that this is only a partial mitigation, as an adversary can potentially use statistical techniques to bypass the noise.

Eh, okay, but not really. This, however, would require a significantly higher number of injections. Both fixes were promptly implemented by the KeePassXC team and have since rolled out as part of version 2.1. Enpass already provides support for turning off URL icons, which is off by default, thank you, and thus users who disable URL icons are not vulnerable to our attack. As a first step towards more mitigations, Enpass added an option for organization admins to control this setting via an organization-level policy. They've decided not to deploy mitigations at this time to address the attack, even when URL icons are turned on. 1Password, a sponsor of the show, as noted earlier, already provides support for turning off URL icons.

2:14:47 - Mikah Sargent
Which I'm doing right now. I did not know this, so I'm turning that off.

2:14:52 - Steve Gibson
And thus users who disable URL icons are not vulnerable to our attack. However, 1Password decided not to deploy additional mitigations to address the attack at this time, even when URL icons are turned on. Similarly, ProtonPass already provides support for turning off URL icons, and thus users who disable URL icons are not vulnerable to our attack. We shared suggestions for how to address this attack even when URL icons are turned on, but do not have details on their plans to deploy these. Lastly, Keeper...

Keeper considers our attack on their system a very low severity issue, and I can't really argue with that, and opted not to deploy mitigations... Duplicate passwords displayed in the admin console would represent a notable disruption to a feature of the business product. Okay, so where does this leave us? I agree with Ben Nassi that this is an interesting and potentially important work, but it's clearly of more interest theoretically than practically as a true threat. It's really out there on the fringe. An extremely motivated attacker might somehow arrange to set themselves up in a position to pull off one of these attacks against a specific high-value target, but I would say it is safe to say that none of us listening to this have anything to worry about, even before these obscure holes were plugged.

So the reason I chose to share these attacks on this podcast is for what we learned from them about the true challenges that are associated with truly protecting secret information. It's so easy for a salesman to boast oh don't worry, it's all military-grade, encrypted, and guess what? We're using a bazillion-bit key, so no one will ever possibly crack that Right. But the lesson taught by these injection attacks is that no one ever needs to crack that bazillion-bit key. The reason the password managers jumped to modify and improve their systems when they were informed of these subtle issues is that subtle issues may be all that's needed to infer the data that's being protected by those bazillion-bit keys.

Any mature and fully informed understanding needs to appreciate that encrypting something is far from being the end of the task. The encryption is only the start. 20 years ago, there was a general lack of understanding of the... who are implementing these systems, and we have all benefited. So for anyone who may be interested in digging deeper, I've included the links to both of these research papers at the end of the show notes, and that's it. One question that I have for you, because if I don't ask it, the chat room will riot.

2:18:57 - Mikah Sargent
Do you feel it was an omission that Bitwarden, also a sponsor on the network in the past, was not included as part of these, or do you think that Bitwarden was not affected? That's a great question.

2:19:11 - Steve Gibson
I absolutely wonder that, why they didn't include Bitwarden in their 10. I got the sense, from reading between the lines, that some of these are more enterprise-oriented solutions. I understand. And so not that Bitwarden can't be used and shouldn't be used in an enterprise, but that may have skewed their choice for some reason. But it's a good question, and what anyone could infer is that if Bitwarden is being used to pull icons from URLs, we don't know that that's a vulnerability, but it is a side channel that all of these password managers have turned off or don't have turned on by default. So it's really a good question. I have no idea why Bitwarden was not there.

2:20:05 - Mikah Sargent
Well, folks, if you can believe it, that brings us to the end of this episode of Security Now. Of course, this show records live every Tuesday, 4:30 pm Eastern, 1:30 pm Pacific, or more like 2 pm Pacific usually, and you can find the show notes for the show, well, in multiple places. One of those is twit.tv/sn, but of course Steve puts together the fantastic show notes every week. Heading over to GRC.com will get you access to lots of great things, including, of course, SpinRite, as well as access to lower-bit versions of the show. But what's great as well is you get human-written transcripts of the show, always very, very good. AI has yet to catch up there, maybe one day, but as it stands, those human transcripts are just delicious. Thank you, Elaine, for doing those every week. And anything I'm failing to mention there, Steve? I think that's it.

2:21:15 - Steve Gibson
You know, anyone who wants to send feedback to me: once you've joined GRC's email system, you don't have to subscribe to newsletters if you don't want to receive a weekly summary of the podcast, although people are just raving, our listeners are raving, about getting the podcast notes every week. So you just go to GRC.com. Up at the top is a little mail envelope and you click there. We need to just have you register your email address from which you'll be sending me email, and then it's securitynow@grc.com. It comes right to me, and this whole email system is really turning out to be a wonderful thing, so I'll be spending lots more time on it in the future.

2:22:02 - Mikah Sargent
Awesome. I should also mention that you can join the club at twit.tv/clubtwit for just $7 a month. When you join the club, you gain access to some pretty awesome things, including every single one of our shows ad-free, including this very show. You also gain access to the TwitPlus bonus feed that has extra content you won't find anywhere else: behind the scenes before the show, after the show, special Club Twit events get published there.

Access to the members-only Discord server where you can shout at me to ask Steve questions, which I will sometimes do but most of the time not do. But we thank you for being members of the club. As if that wasn't enough, you'll also gain access to the video versions of the shows that we publish for the club, including iOS Today, Untitled Linux Show, Hands-On Mac, Hands-On Windows, and all of that is available for just $7 a month. So we'd love to have you there: twit.tv/clubtwit. I will be back, I'm sure, at some point in the future to co-host the show, but it has been an absolute pleasure joining you these past couple of weeks. Leo will be back soon, and I thank all of you out there for listening. And, Steve, I thank you for all the work that you do on the show every week. Thanks so much.

2:23:16 - Steve Gibson
Micah, the pleasure has been mine and we'll encourage Leo to continue traveling.

2:23:22 - Mikah Sargent
Indeed. Indeed, all righty. To many more episodes of Security Now. Thanks, buddy. Bye-bye. Bye-bye, Security Now.
