Security Now Episode 851 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.


Leo Laporte (00:00:00):
Hello, everybody. Leo Laporte here. Steve Gibson is not. We put a fire in the fireplace where he normally sits because Steve gets the week off. He doesn't like it when he gets a week off, but we made him take a week off so we could cover the best of 2021, the best episodes, the best memories, the best fun jokes. Well, maybe not so many of those from Security Now next.

New Speaker (00:00:30):
Podcasts you love from people you trust. This is TWiT.

Leo Laporte (00:00:37):
This is Security Now with Steve Gibson. Episode 851 for Tuesday, December 28th, 2021. The best of 2021. This episode of Security Now is brought to you by ZipRecruiter. Several industries are projected to grow in 2022. If you own a business in one of these growing industries and you need to hire well, let me tell you, go to ZipRecruiter. They find qualified candidates for your job. Fast. Try ZipRecruiter free today at ziprecruiter.com/securitynow. Security Now. Normally this is the time when Steve would give you the Vulcan salute. I'm gonna give it to you for you. Steve Gibson, really the hero of the hour when it comes to security. And was this a year, or was this a year? Topped off at the beginning by a massive security flaw thanks to Microsoft, capped off at the end by the worst security flaw in 10 years, and sprinkled throughout with security flaws of all kinds. Let's kick things off with the way the year kicked off, with SolarWinds.

Steve Gibson (00:01:47):
SolarWinds attack details continue to emerge. As we know, digital attack forensics takes time, and most of it requires very careful reverse engineering of code which has been carefully designed to thwart exactly that kind of analysis. So it's not just, you know, random script kiddie code that's like, you know, Python source where you just look at it and go, oh, this is what it does. You know, especially in the case of the SolarWinds threat actors, we know, and we're gonna know a lot more in a minute, about how incredibly good they were at their craft. So they designed their stuff to make it very difficult to figure out what it was doing. So we would expect to be learning more about this largest known attack in history over time. And indeed last Wednesday, the 20th, in a joint posting by the Microsoft 365 Defender Research Team, their Threat Intelligence Center,

Steve Gibson (00:03:02):
that's the MSTIC that we often talk about, and the Microsoft Cyber Defense Operations Center, that's a new one, the CDOC, we learned a great deal more. For what it's worth, it's all only more worrisome. Microsoft's joint disclosure was titled "Deep dive into the Solorigate second-stage activation: from Sunburst to Teardrop to Raindrop." And Microsoft begins their quite lengthy disclosure with a summary of what everyone knows, but quickly adds some new detail, which is interesting. They said: More than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the most sophisticated and protracted intrusion attempts of the decade. Our continued analysis of threat data shows that the attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence.

Steve Gibson (00:04:18):
These attackers appear to be knowledgeable about operations security and performing malicious activity with minimal footprint. In this blog, we'll share new information to help better understand how the attack transpired. Our goal is to continue empowering the defender community by helping to increase their ability to hunt for the earliest artifacts of compromise and protect their networks from this threat. They said: We've published our in-depth analysis of the Solorigate backdoor malware, also referred to as Sunburst by FireEye, the compromised DLL that was deployed on networks as part of SolarWinds products that allowed attackers to gain backdoor access to affected devices. We've also detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed Teardrop by FireEye and a variant named Raindrop by Symantec. One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection.

Steve Gibson (00:06:10):
This blog provides details about this handover based on a limited number of cases where this process has been observed to occur. To uncover these cases, we use the powerful cross-domain optics of Microsoft 365 Defender to gain visibility across the entire attack chain in one complete and consolidated view. We'll also share our deep dive into additional hands-on-keyboard techniques that the attackers used during initial reconnaissance, data collection, and exfiltration, which complement the broader TTPs from similar investigative blogs, such as those from FireEye and Volexity. And so I'm gonna skip over a lot of that nitty gritty because it's interesting for anyone who's interested, and I've got the link in the show notes, but here's the cool bit that is understandable. They said: An attack timeline that SolarWinds disclosed in a recent blog showed that a fully functional Solorigate DLL backdoor was compiled at the end of February 2020.

Steve Gibson (00:07:26):
Okay. So early in 2020, last year, and distributed to systems sometime in late March. The same blog also said that the attackers, and this I did not know, removed the Solorigate backdoor code from SolarWinds' build environment in June of 2020. They said: Considering this timeline and the fact that the Solorigate backdoor was designed to stay dormant for at least two weeks, we approximate that the attackers spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control infrastructure. This approximation means that real hands-on-keyboard activity most likely started as early as May. The removal of the backdoor generation function and the compromised code from SolarWinds binaries in June could indicate that by this time the attackers had reached a sufficient number of interesting targets, and their objectives shifted from deployment and activation of the backdoor,

Steve Gibson (00:08:49):
so-called stage one, to being operational on selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants. So as I said, again, that was news to me. I assumed that the SolarWinds build and update delivery system had remained infected, but not the case, as Microsoft observed. It didn't need to keep offering infected DLLs once all of the major targets had already updated and received the infection. Essentially they'd already gotten out over the course of, what, six months? Well, March, April, May, June, so maybe four months. And then again, observing the highest level of care, they removed the source of the infection so that the SolarWinds DLL would then be clean and further would remove it from the systems that had previously received it and had already moved from stage one into stage two.

Steve Gibson (00:10:09):
So, you know, an act of deliberately eliminating the tracks of how this all happened. So one of the coolest things Microsoft found was the way the original SolarWinds infection created this arm's-length execution path in such a way that the original infection stood a maximum chance of remaining undetected, even if its downstream consequences were detected. Remember that the moment it was discovered that a signed SolarWinds DLL was the root source of the infection, that would have brought down the entire operation. And as we know, that is what eventually happened at FireEye, but the op was successful for a very long time. So here's how Microsoft explains what they found. They said: We spent countless hours investigating Microsoft Defender telemetry and other signals from potential patient-zero machines running the backdoored version of the SolarWinds DLL.

Steve Gibson (00:11:34):
Most of these machines communicated with the initial randomly generated DNS domain, remember that it was blah blah blah dot avsvmcloud.com, they said, but without significant activity. However, we saw limited cases in May and June where the initial DNS network communication was closely followed by network activity on port 443 (HTTPS) to other legitimate-looking domains. On these handful of machines, we performed deep inspection of telemetry. We know that the Solorigate backdoor only activates for certain victim profiles, and when this happens, the executing process, usually SolarWinds.BusinessLayerHost.exe, creates two files on the victim disk: a VBScript, typically named after existing services or folders to blend into legitimate activities on the machine, and a second-stage DLL implant, which is a custom Cobalt Strike loader, typically compiled uniquely per machine and written into a legitimate-looking subfolder underneath C:\Windows.

Steve Gibson (00:13:10):
So in other words, on a per-infection-target basis, they created a VBScript that was uniquely named to fit in to what was going on on that particular machine, and custom wrote and compiled a unique, they called it the Cobalt Strike loader, again for that machine. So one of the things this did was it meant you could not compare infected systems. You wouldn't find any obvious indications of compromise that were the same, because they were essentially doing per-target customization. Microsoft said: At this point, the attackers are ready to activate the Cobalt Strike implant. However, the attackers apparently deem the powerful SolarWinds backdoor too valuable to lose in case of discovery, so they tried to separate the Cobalt Strike loader's execution from the SolarWinds process as much as possible.

Steve Gibson (00:14:29):
Their hope is that even if they lose the Cobalt Strike implant due to discovery and detection, the compromised SolarWinds binary and the supply chain attack that preceded it will not be exposed. The attackers achieved this by having the SolarWinds process create an Image File Execution Options, that's IFEO, Debugger registry value for the process dllhost.exe. And I'll just insert an aside here. This is a known and official way of causing Windows to attach a debugger to a process at startup. If you wanna put a given Windows process under debugging, sometimes it's not enough to attach the debugger after the process is already initialized. There may be initialization code; that is where the problem is. So you need Windows to start the debugging from the moment the process goes into RAM.

Steve Gibson (00:15:43):
The way you do that is by using one of these Image File Execution Options Debugger registry values, which causes Windows to automatically load something into that process's space. This of course can also be used for malicious purposes. So the SolarWinds process first created one of these entries for dllhost.exe. That execution process triggers a launch of wscript.exe, which is configured to run that VBScript file, which had been dropped earlier and had been waiting. The VBScript in turn runs rundll32.exe, which activates the Cobalt Strike DLL using a clean parent-child process tree which is completely disconnected from the SolarWinds process. So essentially, by using this sanctioned Windows hook in the registry to cause dllhost to invoke wscript.exe, there was a complete separation of these two events, meaning that anybody who did discover the Cobalt Strike DLL and the way it got executed would only see that it was tied to this debugging.

Steve Gibson (00:17:22):
Oh, and once it runs, it removes the IFEO value from the registry to also clean that up. So you can't even figure out how the thing got started if you look at it after it's running. So anyway, their full posting, as I mentioned, is super long and wonderfully detailed for anyone wanting to really get down into the nitty gritty, but in the section "Additional attacker tactics, anti-forensic behavior, and operational security," Microsoft nicely summarizes some more detail to give us a more complete sense for the frightening skill and tradecraft that the designers of this attack deployed. They said: As mentioned, the attackers behind Solorigate are skillful and methodic operators who follow operations security best practices to minimize traces, stay under the radar, and avoid detection. During our in-depth analysis of the attackers' tactics, techniques, and procedures (TTPs) seen through the lens of Microsoft 365 Defender's telemetry,

Steve Gibson (00:18:35):
we observed a few techniques that are worth disclosing to help other defenders better respond to this incident and use hunting tools like Microsoft 365 Defender advanced hunting or Azure Sentinel queries to search for potential traces of past activity. Some examples of why these attackers stand out for their operational OPSEC methodology and anti-forensic behavior are listed below, and they have five or six. First, methodic avoidance of shared indicators for each compromised host. As discussed in the previous section, each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, those are internal to the DLL, command-and-control domain and IP, HTTP requests, timestamp, file metadata, config, and processes launched. They said: This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-Zip archives, and names of output log files.

Steve Gibson (00:20:10):
I mean, so what we're looking at is an absolute lack of laziness. I mean, true discipline for every single entity that they infected. They said: Applying this level of permutations for each individual compromised machine is an incredible effort, normally not seen with other adversaries, and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims. Second, camouflage and blending into the environment. Tools and binaries used by the attackers, for example AdFind, you know, the Active Directory find legit tool, were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistent filters were created with names and queries matching other scripts present in affected organizations. <Laugh> This is just stunning. Third, before running intensive and continued hands-on-keyboard activity,

Steve Gibson (00:21:33):
the attackers took care of disabling event logging using auditpol, audit policy, and re-enabling it afterward. In a similar way, before running the noisy network enumeration activities such as repeated nslookup and LDAP queries, the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed. I hope this is terrifying everybody. This is just, it's terrifying me. Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services. And finally, they said: We believe that the attackers used timestomping to change timestamps of artifacts, and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments.

Steve Gibson (00:23:05):
So I like timestomping. I'm gonna keep that in my backpack. Timestomping. Yes. Stepping back to take stock in all that we have learned, any sane InfoSec technologist would be right to be seriously worried. My feeling is that as damaging as these attacks were individually and on their own, it's almost a more worrisome outcome for the attackers that we have obtained this much greater appreciation for their skill and their dedication to detail. You know, it has without question sobered up and heightened the level of attention that the defender industry now realizes it needs to deploy. And remember, none of us should forget for a moment that were it not for the fact that they targeted FireEye and that their presence eventually tripped some monitoring alarms that the attackers were unaware of, because as we've just seen, if they knew about it, they would've either aborted or they would've disabled those monitoring alarms, something tripped them up. If that had not happened, this would all still be ongoing right now. Wow. And Leo, on that happy note, let's take our, so,

Leo Laporte (00:24:49):
You know, and it's funny, because there's not a lot of reporting anymore on this. It's kind of, you know, taking the back seat.

Steve Gibson (00:24:55):
Old news. Well, but

Leo Laporte (00:24:55):
Also, I think part of the problem is it doesn't feel like there's much we can do about it. It's like, yeah, they're in there. What do you wanna do about it? <Laugh> You know, it's like, it's like the, the is done.

Steve Gibson (00:25:10):
Yeah. The good news is, I think, that this level, I mean, so for Microsoft to post this, like, I'm

Leo Laporte (00:25:19):
Glad they're paying attention there. Yeah.

Steve Gibson (00:25:21):
Yes. There's a, you know, it's any companies, for example, who thought, oh, you know, we're busy. I mean, yeah, who isn't. We don't have enough money. Yeah, who does. You know, we don't want to, like, deeply invest in internal, you know, network monitoring surveillance. Well, yeah, think about that again, folks. Yeah. You know, reconsider the cost of not doing that. You need an intrusion detection system that can, you know, spot something that is doing this, and you need to hide it. That's the other thing we've learned, you know, the fact that it's possible for the bad guys to see machines and then remotely enumerate their running processes. You know, a lot has been learned. I think that's key. I agree, Leo, that on the general public level, it's like, oh, well, maybe the Russians hacked us. What's for lunch. Yeah.

Leo Laporte (00:26:31):
I hope we're doing the same. <Laugh> back

Steve Gibson (00:26:33):
to them. On our internal level, you know, this has to have really sobered up. Oh yeah.

Leo Laporte (00:26:43):
The defense industry, and it should, and yeah. Yes. And I have to say, and probably somewhat due to this, I noticed Biden has been starting to appoint people to cybersecurity roles and really beefing up cybersecurity and picking some, I think, some good people, knowledgeable people, not just figureheads, to do it. So I think that's, you know, that's the other side of it, is that you're gonna see, I hope you're gonna see, the US government be very proactive about this. They can, yeah. Appointing people who are anti-cybersecurity, that's not a good idea. Yeah. What do potato chips have to do with security? Well, we'll talk about that in just a little bit, but first a word from our sponsor. Hey, we love ZipRecruiter. So thrilled that ZipRecruiter would sponsor the holiday episode of this show.

Leo Laporte (00:27:35):
It makes a lot of sense, because I think 2022 is gonna be a big year for hiring. People are gonna be coming back to work. Companies are gonna be reopening. Several industries are projected to grow in 2022. I think it's gonna be an incredible year. A couple of the areas ZipRecruiter has pinpointed as being hot: sustainability. I think that's pretty obvious, new eco-friendly products and services cropping up. You know what's gonna be big in 2022? Pet services. Pet services, more training, walking, and feeding services for all those pets people adopted during COVID. Fitness, we're going back to the gym, and for many people, you know, non-traditional workout studios like kickboxing and Pilates are taking off. I have a friend who owns a couple of Body Rocks. They're hiring. Digital events and conferences, they're back. CES, it's back. So there's gonna be a lot of work planning and hosting online events and in-person events in 2022. Home improvement, those of us who are stuck at home, I've been doing a lot of home improvement.

Leo Laporte (00:28:47):
In fact, I have to tell you, it's been really hard to find people to come in, handymen, contractors. That's a big growth area. If you work for, or you own a business in, one of these growing industries or a whole lot of other industries, it may well be that you are hiring and you need to hire fast. Well, there's only one place to go. That's ZipRecruiter. Right now, you could try it free at ziprecruiter.com/securitynow. Why is ZipRecruiter better? Oh, I can go on and on, because we use it. We love it. For one thing, once you post on ZipRecruiter, your job listing goes wide, more than a hundred job listing websites, social networks. You're more likely to reach the right person for that job than anywhere else. ZipRecruiter also makes it easy because instead of flooding your inbox with emails or your phone with messages, ZipRecruiter handles it all internally in their easy-to-use interface, where they reformat all the resumes to make

Leo Laporte (00:29:48):
'em easy to read. And then there's one thing ZipRecruiter does that makes a huge difference. When you post a listing, ZipRecruiter searches through all the resumes they have access to to find candidates that are right for your job. You get the list, you send them an invite. History shows that when people get invited to apply for a job, they're much more likely to apply. This has really made a difference. It means people who use ZipRecruiter on average will get qualified candidates within the first day. In fact, for us, it's been within hours of posting that listing. That is exactly what you want. Ain't nobody got time to spend weeks hiring. Get it done fast. ZipRecruiter's the number one rated hiring site in the US based on G2 ratings. And again, you can try ZipRecruiter for free if your business is booming: ziprecruiter.com/securitynow, ziprecruiter.com/securitynow, S-E-C-U-R-I-T-Y-N-O-W. Please use that address so they know you saw it here. And thank you, ZipRecruiter, for supporting us all these years. We look forward to a great 2022 together. Now, back to the best of Security Now. Who would've thought <laugh>

Leo Laporte (00:31:13):
but potato chips <laugh> would be involved in security. This is another one of those classic what-could-possibly-go-wrong moments. Listen.

Steve Gibson (00:31:25):
This you're just not gonna believe. And before adding this to today's show, I had to really drill down and verify that it was true and not an April Fools' posting. Oh, dear. It appears to be a hundred percent legitimate. And I learned this from BleepingComputer, who's very good about vetting their stories. It is a Chrome browser web extension called Crispy Subtitles from Lay's. What?

Leo Laporte (00:32:02):
Yes. Lay's potato

Steve Gibson (00:32:02):
chips. Lay's potato chips. After this browser extension has been installed <laugh>, any time you are watching a YouTube video, yeah, and the system's AI-trained microphone detects the sound of crispy chips being eaten, YouTube captions will be automatically enabled to allow anyone, including yourself, to be able to obtain the video's dialogue information over the sound of the noisy chips being crunched. That's hysterical. Yes, that's hysterical. Lawrence Abrams at BleepingComputer explained that to make it easier to watch YouTube videos, the creative agency Happiness Saigon partnered with Frito-Lay to create the Lay's Crispy Subtitles browser extension that automatically enables YouTube captions when it detects you are eating chips. Lawrence says that to achieve this, Happiness Saigon trained an AI algorithm using 178 hours of recordings of people eating chips from all over the world. <Laugh> Furthermore, he said that BleepingComputer used the extension and was pleasantly surprised by how the extension immediately enabled YouTube captions

Steve Gibson (00:33:37):
when their microphone picked up the noisy sound of chips being eaten. <Laugh> He added that they had performed some tests with other food groups, including peanuts, carrots, and cereal, to see what would trigger the extension. While peanuts and carrots were not noisy enough or crunchy enough, eating cereal also enabled captions in their tests. He concluded your results may vary depending upon how noisily you eat your food. That's hysterical. That's hysterical. Just, wow. Like, really, is this true? This is, if it were good, the end of it, it's just good marketing. It's marketing, you know? Yeah. Wonderful. I don't think many people, once it's installed <laugh>, it's not malicious, right? I mean, it's just, no, no. As far as we know, it's a legitimate app from Frito-Lay to advertise. Like, now you can munch and crunch and not worry about having to turn the volume up or bothering anybody else.

Steve Gibson (00:34:37):
You'll just get captions. I mean, really, Leo, this is why we have computer technologies. This is what it was all meant to do. Dan Kaminsky cut a wide swath through the computer industry. He was a prolific tweeter and a real character and personality. He and I were last together, we followed each other on stage, during DigiCert's first security conference. And Dan peppered me with some questions about SQRL back then, and I was able to satisfy his many salient questions. He was probably first on the map for this podcast when he realized, in doing some research that he was always up to, that the transactions which all of the DNS servers throughout the industry were using had way too little entropy. Their port numbers for the queries they were generating were often sequential.

Steve Gibson (00:35:53):
So they were marching through the port space. And often the transaction IDs, which is a 16-bit number that is used to associate queries with the replies when they come back, those were also sometimes, well, they weren't a fixed number. Ports were sometimes fixed, but the transaction IDs might just be an incrementing counter. And what Dan realized was that the lack of query entropy being emitted by DNS servers allowed replies to be spoofed. You could ask a DNS server yourself something and see where its counters were, and then induce somebody else to ask it a question and provide a spoofed reply before the real reply would get back. And because you knew where the counters were, you were able to, with high accuracy, get a spoof to be accepted as legitimate. And that then, you know, because DNS runs over UDP, there is no TCP handshake to validate IPs.

Steve Gibson (00:37:06):
So you're able to completely spoof the replies. So what this meant was, if the world were to realize that, as Dan had privately, it would be a catastrophe. So Dan privately got in touch with all the purveyors of the various DNS servers. They all recognized what he had, and privately all of the servers were updated, and an industry-wide reveal was coordinated in order to maximize the probability of getting all this fixed before the bad guys had a chance to abuse it. So, and of course, because I recognized this was a problem, and we covered it on the podcast, we owe Dan the existence of my DNS Spoofability service, which I created in honor of his discovery, which allowed individuals to go to GRC's DNS Spoofability page. I arranged, by setting up my own DNS,

Steve Gibson (00:38:19):
pseudo DNS servers, so that I could cause a visitor to my site's DNS to use me as its resolver. And then I collected all the queries that I was inducing through that webpage and analyzed the nature of the queries coming from the DNS servers that the user is using. Anyway, Dan has a large following. I think, what is it? I had it here in my notes somewhere. 93, oh, 94,300 followers on Twitter. He, as I said, he's a prolific tweeter. He joined Twitter in 2007. Since then he has posted 130,000 tweets. Now, if we assume an average tweet rate over 14 years, that's 9,285.71 tweets per year. Wow. Or an average of 25.42 tweets or commented retweets per day. That's amazing. So if you were following Dan, you knew what he was thinking and doing.

Steve Gibson (00:39:42):
And he was also quite literate. He pinned a tweet of his from January 16th, 2018 to the top of his feed. He wrote this: I'm increasingly thinking that every functioning system has two forms: the abstraction that outsiders are led to believe, and the reality that insiders actually, and carefully, operate. You don't incrementally learn a system. You eventually unlearn its necessary lies. <Laugh> That's really good. So, and I think it's absolutely right. Absolutely. Just really, really good stuff. He had a site, dankaminsky.com, which was his personal blog, and he hasn't blogged in about four years, but his last blog, I'll just share a couple paragraphs from it. He wrote: Cryptographically secure pseudo-random number generators, right? We've talked about them a lot. CSPRNGs. He says: are interesting. Given a relatively small amount of data, just 128 bits is fine,

Steve Gibson (00:41:01):
they generate an effectively unlimited stream of bits, completely indistinguishable from the ephemeral quantum noise of the universe. The output is as deterministic as the digits of pi, but no degree of scientific analysis, no amount of sample data, will ever allow a model to form for what bits will come next. In a way, CSPRNGs represent the most practical demonstration of Gödel's first incompleteness theorem, which states that for a sufficiently complex system, there can be things that are true about it that can never be proven within the rules of that system. Science is literally the art of compressing vast amounts of experimentally derived output on the nature of things to a beautiful series of rules that explains it. But as much as we can model things from their output with math, math can create things we can never model. There can be a thing that is true.

Steve Gibson (00:42:21):
There are hidden variables in every CSPRNG, but we would never know. And so an interesting question emerges: if a CSPRNG is indistinguishable from the quantum noise of the universe, how would we know if the quantum noise of the universe was not itself, uh-oh, a CSPRNG? Oh, <laugh> oh. There's an infinite number of ways to construct a random number generator. What if nature tried its luck and made one more? Would we know? Would it be any good? So anyway, we have lost, that's a beautiful thing, a critical thinker among us who made all manner of contributions to security and the internet. And he was working on some weird JavaScript stuff that I never really tracked. But we have, and I wanted to play it into the podcast so that it is captured, a minute and 45 second video which he and his young niece produced 13 years ago, niece Sarah, following Black Hat 2008, which was where the DNS problem was first revealed. So here's, and this is fun 'cause his niece is precocious and following a script that he produced, but it's, they made a really fun minute and 45 seconds.

Speaker 3 (00:44:04):
I'm security researcher Dan Kaminsky. And I'm here today with my niece, Sarah. Hi everybody. Hey Sarah. So Sarah here has an important message for all of you. Thanks, Uncle Dan. This is so important. And so cool. Well, what's DNS, Sarah? Well, Uncle Dan, I think you should know. Be that as it may, why don't you tell the people a little bit about it? Well, DNS is a dumb nickname system. It tells my computer where on the internet all my favorite websites are. Is there something wrong with DNS? It'll be okay. Everyone got together a while back to make sure everything would work out. Oh, everybody? Even ISC, the makers of BIND, and Microsoft and Cisco and Nama and Nama. You mean Noma? Totally NA, but that's really cool. So, so what should everyone do, sir? Well, this is really geeky stuff, but most people should get automatic updates and be okay.

Speaker 3 (00:44:56):
Well, who might not? Well, there might be some servers that don't get automatic updates because they're really important and people want to keep an eye on them. Oh. So we should ask those people to take a look. Totally. Oh, well, when should they look? Right now. Duh. When do they have to fix it by? Well, the attack is pretty weird, but people will probably figure it out after a month. They'll give you an exact date. August 6th, 2008. August 6th. August 6th. All right. Then is there any way for the non-geeks to make sure they're safe? Only if you build from a website. Hmm. I'll get right on that. You better. Well, thanks Sarah. And there you have it. Kids, talk to your parents about their DNS. I'll be glad you did. <Laugh> All right. That's a wrap. Okay. Thanks, Cousin Dan. And thank you, Maddie. That

Leo Laporte (00:45:47):
Is so sweet. Oh, I'm sure they miss him. And of course his friends, Steve wrote something in assembly to do that. So it was okay. He didn't have to, he didn't have to do that. Wow.

Steve Gibson (00:46:00):
Wow. Yeah. Very cool. Also, DEF CON has announced on their Twitter feed that they're having an online memorial for Dan on Sunday, May 2nd on the DEF CON Discord channel, discord.gg/defcon. Nice. So nice. They tweeted, come share your favorite stories and join us in celebrating the life of a hacker whose life elevated the whole community.

Leo Laporte (00:46:28):
Wow, good. Yep. Thank you for doing that, Steve. Yeah, of course we, his name comes up all the time on our shows. Yeah. Yeah. He'll be

Steve Gibson (00:46:39):
Missed. Yeah. Good guy. Yeah. And for what it's worth, dankaminsky.com. I only shared the top of that really cool posting. He gets really into it. So, you know, if you're wondering maybe if in fact we are in the Matrix, Dan may give you some pause. Of course, I don't know how long the site will be up. Hopefully it'll stay. So two weeks ago, shortly before Apple's big Spring Loaded product announcement event, the Sodinokibi group, which is behind the REvil ransomware, began publicly leaking Apple's proprietary designs for its forthcoming Mac laptops. The, the group's so-called Happy Blog <laugh> as it calls itself stated, in order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many. Tim Cook can say thank you, Quanta. From our side, a lot of time has been devoted to solving this problem. Well, okay. So Quanta is Quanta Computer, is a Taiwanese company that assembles a number of Apple laptops and other consumer devices. I know they're watched as well. And I'm, you, I'm sure you, Leo, are more tuned up on this than I am since you, you get to talk to your Mac folks. Yeah. They do the

Leo Laporte (00:48:12):
Laptops, I think. Is there a yeah.

Steve Gibson (00:48:14):
Yeah. So when Quanta initially refused to negotiate with the REvil group, Quanta, Quanta Computer is the, is the, is a large supplier, not only for Apple, but for others. In some of the news coverage, I saw that they said ThinkBook but, or ThinkPad, but I wasn't sure that that one might have been a typo or maybe they actually are doing like construction for Lenovo. Don't know. But anyway, it was Quanta Computer that was actually compromised by the REvil ransomware. It

Leo Laporte (00:48:53):
All 10 top PC companies in the world use Quanta. So yeah. That's all of them including Lenovo.

Steve Gibson (00:49:00):
<Laugh> yeah, yeah, exactly. Wow. So you know, and that's not the company, well, it is the company that you would want to get inside if you were a ransomware gang. Yeah. And of course Apple would be particularly sensitive to the disclosure. We know how like concerned they are, oh, over leaks. So they would be cons, you know, particularly concerned over this disclosure. The ransom demand was initially posted just hours before Apple's event. And the hackers said that they would release more documents every day. Adding, we recommend that Apple buy back the available data by May 1st. And a similar extortion attempt from the same group aimed at Acer demanded 50 million for deleting Acer's files. And I saw the same number, 50 million, was like the opening extortion level also for the, the Apple stuff. Hmm. So groups throughout the internet began grabbing and analyzing the details from the leaks.

Steve Gibson (00:50:13):
And they, the, you know, this stuff looked authentic and there's no reason to believe it wouldn't be. They noted some differences with the current models on sale. A new version of the MacBook Pro was shown without the Touch Bar. And it appeared that maybe HDMI ports might be staging a comeback along with SD card readers. So yeah, it, this, you know, this early release was providing details that Apple would've rather <laugh> been releasing themselves. What we know of REvil from the past is that they are tough negotiators who do not make idle threats. Of course, they don't want to acquire a reputation for not doing what they say they're gonna do, or people will stop, you know, start ignoring them. So they're also not known for being soft or for backing down. So something must be going on, because last week the REvil gang removed Apple's schematics, drawings and other data from their data leak site after first warning Quanta that they would leak drawings for the new iPad and the new Apple logos, which I thought was interesting. I was like, what, who, Apple logos? So anyway, maybe Apple said, okay, look, you know, Quanta, well, you know, we need to stop this. It did get

Leo Laporte (00:51:37):
Quiet. They only released two schematics that I saw.

Steve Gibson (00:51:41):
Right. And so what appears to have happened, for reasons we can only guess, is that Quanta finally responded to REvil and opened a dialogue as part of a private chat. And I think it was BleepingComputer who posted some screenshots of that, which they got somehow. REvil told Quanta that they hid the data leak page and to stop talking to reporters to allow negotiations to continue, and REvil stated that having started a dialogue with us, you can count on a good discount. And indeed, that does appear to be the case <laugh> yeah. Yeah. Hate to save 20% <laugh> oh, no, that's exactly what happens. So since the, the demand was updated, it now carries an expiration date of this coming Friday, May 7th, but it's been reduced from the initial request of 50 million down to the now much more seemingly affordable 20 million. See, I,

Leo Laporte (00:52:54):
I can't see Apple paying a penny and Quanta shouldn't either, but at the same time, I also could see Apple being very concerned. Yeah.

Steve Gibson (00:53:05):
I mean,

Leo Laporte (00:53:06):
Yeah, this is, if they're gonna announce in June,

Steve Gibson (00:53:09):
Various researchers have been quoted saying that this appears to be a, a pattern. The REvil gang apparently feels that forcing the opening of a dialogue, you know, with, with their victim is a crucial first step in getting paid. So what appears to be happening is that we're seeing a pattern of them deliberately establishing like a reputation for dramatically reducing their initial ransom demand upon the establishment of a dialogue. So this asking 50 and immediately dropping to 20, that's what people are now coming to expect. And of course, I guess this provides some incentive for a victim to establish contact in order to obtain, you know, the more real ransom demand. And also of course in the process serves to break the ice and, it's like, well, now, you know, of course we're all put in mind of that old joke about prostitution, you know, like, okay, well, we've, we've determined what you are, now we're just negotiating a price. So you know, this is the world we're in. And of course, we'll be talking about this takedown task force here, or, or the, well, the ransomware task force shortly.

Leo Laporte (00:54:30):
Boy, you could almost say that this was the year, the rise and fall of REvil. I mean, fascinating to watch. And of course we covered that each step of the way on Security Now. Coming up, we'll talk CAPTCHAs. Actually they call all this the Doom CAPTCHA. <Laugh>

Leo Laporte (00:54:52):
I don't think it captured on to be honest.

Steve Gibson (00:54:55):
Okay, Leo, you're gonna want to go and see it and, and test your skill. It took me an embarrassing number of times to prove I was human. grc.sc/820. It is our shortcut of the week. I hate these CAPTCHAs. I just hate 'em. Well, this is the Doom CAPTCHA. It's a joke. It's

Leo Laporte (00:55:20):
MyDoom or your doom? MyDoom, huh?

Steve Gibson (00:55:24):
Okay. It's, well, no, it is the game Doom. Oh,

Leo Laporte (00:55:28):
Oh yes.

Steve Gibson (00:55:30):
<Laugh> <laugh>

Leo Laporte (00:55:32):
Okay. So kill four enemies. I think a computer could do this very easily. One, two. I mean really? How hard is this? Game over?

Steve Gibson (00:55:45):
Yeah, you didn't do it quick enough later. You

Leo Laporte (00:55:46):
Gotta do it fast. Computer could do it slowly. I see there. Whoa. Oh,

Steve Gibson (00:55:53):
I see. Now I like that. This tells, this tells me you really have been spending a lot of time shooting stuff. I spent a lot of time playing Doom. <Laugh> It took me like 10 tries. What? To get that, to get that green check mark. 1, 1, 2.

Leo Laporte (00:56:07):
Oh, I see. The red progress bar is my time.

Steve Gibson (00:56:09):
I get it. Yeah, yeah,

Leo Laporte (00:56:11):
Yeah. You don't like this. I get

Steve Gibson (00:56:13):
It. I take, well, no, I just thought it, it was just, it, it, it occurred to the guy last Saturday morning. It's funny. He coded it by the end of the day. It made number one product of the day over on Product Hunt. Yeah.

Leo Laporte (00:56:27):
Yeah. It's just a little embed. Look at that. Yeah. So simple. It's just a cute,

Steve Gibson (00:56:31):
Just a cute little thing. So anyway, I just, I wanted to share it with our listeners. I thought I knew that a lot of we old timers would recognize that and, and get a kick out it. Oh, wait a

Leo Laporte (00:56:41):
Minute. I didn't have the sounds turned on. Oh yeah, yeah, yeah. Doom sound in this. Oh yes. Oh yeah. Let's see. Oh yeah, baby. But I don't mind cuz I got the Doom sound effect. That's hysterical. I wonder how Carmack is at this. That's great. How fun is that? That's hysterical.

Steve Gibson (00:57:07):
Bloomberg reported on Friday that some of the fi, well, some of the findings by Mandiant, which is the group within FireEye who has been working with Colonial Pipeline to figure out how this happened. As always, attribution and post-attack forensics is difficult, but there's very strong evidence to support the theory that the attackers used a compromised VPN account password.

Leo Laporte (00:57:37):
Yep. It was just like the Florida water plant. They were all using the same password. Yep. And the, the account was no longer active, but it was still usable.

Steve Gibson (00:57:47):
Right. The, I know I complet

Leo Laporte (00:57:50):
Two factor ridiculous.

Steve Gibson (00:57:52):
The VPN login in question, which lacked any multifactor authentication protection, was not in use, but it had been left active as, and it was at the time of the attack. The account's password was discovered inside a batch of leaked passwords on the dark web. And you

Leo Laporte (00:58:12):
Know why that was, oh, go ahead. I'll let you finish the sentence. Yep.

Steve Gibson (00:58:15):
This suggests that an employee of the company may have reused that same password. Yes. On another account that was previously breached. So

Leo Laporte (00:58:24):
Colonial was not requiring password managers. They were letting employees set their own passwords. Monkey123. Oh. I use it on everything. It's easy to remember. Unbelievable.

Steve Gibson (00:58:42):
Unbelievable. So the, the takeaways are a little late and it's always easy to admonish with "I told you so's" after the fact, but unused accounts should always be disabled, authentication should require multiple factors. And I suppose that while I've never been a fan of forced password changing, so long as the new passwords are unique and not shared, forcing a change might have prevented this entire mess. I was recently informed that my logon to the management portal for Level 3 would be expiring since I had not logged into it in six months. Okay. That's annoying, but it's good policy. And for things that are mission critical, like remote VPN access into a corporate network, the pain is clearly worth the gain. So yeah. The, the, the one good thing that will arise from this attention, this is, this is not unwanted attention. This is good attention that the world is now paying to this, because as we've often talked about, the CIOs, the chief information officers, have been running around the C-suite executives screaming out, needing more, more, more, we need more budget, we need more closet space. We need, you know, whatever it is, you know, they're, they are resource constrained. You know, we need to replace this crap, which is 20 years old, because we can't, and the bosses, well, it works, don't it? It works <laugh>

Leo Laporte (01:00:24):
Until it doesn't.

Steve Gibson (01:00:25):
Yeah, exactly. It works until nothing suddenly does.

Leo Laporte (01:00:28):
And this, this was the IT department that was, was hacked. So surely they should have done better. Again,

Steve Gibson (01:00:37):
The, the, the beauty of the press is that, you know, when the executives go home, their wives are now asking them, mm-hmm <affirmative>, honey, you know, things that never occurred to them to ask, you know, what's the budget for, you know, for your company security? Because, you know, I would really hate it if Mabel at the club, you know, were able, had scolded me for, you know, your company being attacked. So

Leo Laporte (01:01:07):
Plastic bags of gasoline in their trunk <laugh> exactly, which should never have to happen. Before you go into this next story about John McAfee, I do wanna tell people what you're about to hear might be triggering. If you're considering suicide, there is a National Suicide Prevention Lifeline in the United States. You can call right now for free and get free, confidential support. If you're in distress, great crisis resources for you or your loved ones is 1-800-273-TALK, 1-800-273-8255. And we just wanna be responsible since we're gonna talk about John McAfee

Steve Gibson (01:01:44):
Next that's good. And, and we know that COVID has been a, an extra stressor for people,

Leo Laporte (01:01:48):
Especially teenagers. I know of two teenagers who took the very poor choice because, I think, because of loneliness during COVID. So yeah, we're all going through it, but you don't have to go through it alone. And if you're not in the United States, you can Google suicide prevention lifeline, and you'll be able to find one in your area. Good. I'm, don't, I'm, don't, we don't, we don't wanna lose you. We don't, we, you know, we want you to be around. Anyway. Yeah.

Steve Gibson (01:02:16):
I, I was, I was unhappy when I was younger and it's normal

Leo Laporte (01:02:20):
And that's the problem with suicide. It's a permanent solution to a temporary problem. You know, things do get better. I, I know. And but sometimes we, we just can't take it and don't, don't do it. Don't do it.

Steve Gibson (01:02:34):
So I wanted to note that last week John McAfee was found dead by hanging at the age of 75 in his jail cell in Barcelona, Spain. His extradition to the United States, where he would've been facing a number of legal charges of willful tax evasion, had finally been approved by a court in Spain. And despite his earlier statements that he would never take his own life, and he said that foul play would definitely be involved if he ever appeared to have done so, everyone assumes that he changed his mind. And, and that, that must have been what happened. His attorney said that his nine months in prison had brought him to despair and attempts to revive him had failed. And as we all know, John was a character and a half, you know, with a life full of antics. I think that the first time we talked about him on this podcast was when he was being thought in connection. Of course he was famous, right, because of McAfee and McAfee systems and McAfee AV. Yeah. I didn't realize he had some connection to ZoneAlarm, which was a little horrifying.

Leo Laporte (01:03:51):
Yeah. For me, he, well, but back in the day, I think he was quite a bit more respectable. <Laugh> You know, he made a hundred million selling McAfee to Intel. Yeah. So he, he did quite well, but he squa, as far as we know, he squandered almost all of it in kind of oddball

Steve Gibson (01:04:09):
Things. Well, and things went weird too. I think the first time we talked about him was when he was being sought in connection with the murder of his neighbor, guy by the name of Gregory Faull, in Belize. Yes. He, he was his next door neighbor in Belize. His, this neighbor had been found dead, shot in the back of his head with a nine millimeter. And, and prior to that, Gregory had previously confronted John after one of John's quite aggressive dogs had bitten someone in the area, and the dogs were apparently known to get loose and run in wild packs, terrifying the community. So, you know, he was a source, McAfee was, of adventure and controversy. Adventure is a

Leo Laporte (01:04:56):
Good word for it. Yeah.

Steve Gibson (01:04:57):
Ugh. In his earlier years, he had worked at NASA, Xerox and Lockheed Martin before launching the world's first commercial antivirus software in '87. And in fact, he and I interacted just once by phone. Well, that's what I was

Leo Laporte (01:05:14):
Curious if you had met him. Yeah.

Steve Gibson (01:05:16):
It was before his launch of McAfee AV, after I had written a series of three columns in InfoWorld, which he was reading, which imagined with as much detail and accuracy as I could exactly how a theoretical software virus would behave. Oh, interesting. And, and I don't recall now how clear I made it that this was conjecture, but a quite animated John McAfee, who was unknown by the PC industry at the time, phoned my office wanting to compare notes and virus samples. He was sure that, like, and amazed to discover that I had viruses, clearly,

Leo Laporte (01:06:07):
Because I had exactly described the behavior of the viruses he had. And he was very disappointed to learn, and it actually took me some time to convince him and like talk him down. And, and I'm unsure that I ever really did. I, I think he just, he didn't really believe that my three column series about software viruses was entirely written from my imagination as a software developer, not as a virus discoverer. And anyway, I, I said, sorry, John. I, I'm like really, really, really, I don't have any. I, you know, if I was, if I was a virus, this is what I, this is how I would behave. And he's like, really, oh, well, I, I thought we could, you know, I'd, I'd show you mine if you showed me yours. Mm-Hmm <affirmative>. So, anyway, he, I, I saw some stories about him fairly aggressively calling people to get information or, or copies of viruses. He was working at Lockheed when he got a copy of the Brain in the late eighties and started writing McAfee. But, you know, I think he wanted to write an antivirus, but he needed to understand what it was he was blocking, what he was preventing. Did a good job. Actually, it worked.

Steve Gibson (01:07:20):
Right. It's funny you mentioned that, Leo, because I was thinking the same thing this morning, like, okay, we know how they work now. So would it have been behavior based? It's hard to imagine it would've been like signature based cause, well, what,

Leo Laporte (01:07:40):
There weren't any, there were four or something. Yeah.

Steve Gibson (01:07:42):
Right, exactly. Yeah, exactly. You know, you know? Yeah. So crazy.

Leo Laporte (01:07:48):
He probably was trying to come up with heuristics so that you could watch for a certain kind of behavior. That's, that's the ideal way to do it. Signatures plus heuristics, but

Steve Gibson (01:07:59):
I don't. Yeah. Yeah. And we didn't have an internet back then. So they had to live, they had to jump from floppy.

Leo Laporte (01:08:04):
You had to send them a floppy. Yeah. Yeah. <Laugh> Hey John, I got one it's on a floppy here. We,

Steve Gibson (01:08:10):
We didn't have USB. We didn't have thumb drives at all. We had, the only thing that was transportable was floppies. Right. And so the viruses, such as they were, had to be very tiny. I think I remember that some of them lived in track zero because there were still, I think there was still cylinder alignment. So I think there was space on track zero after the boot sector. And so you'd have, there were like, there were, I, I, I remember boot sector viruses. I mean, they had to be, that's, that's right, really, really small.

Leo Laporte (01:08:42):
So if you put, what you'd do is you put it on the boot sector of a floppy. If somebody booted that floppy, attempted to boot from that floppy, it would infect their system. This pretty hard drive, hard drive, or did it have hard drive? Okay. Oh yeah. Jump to the hard drive.

Steve Gibson (01:08:54):
If they had a hard drive, it would go into RAM and then move on to any other, any other floppy you used that they then stuck in. That's right? Yeah.

Leo Laporte (01:09:03):
Did you, now tell the truth, did you expect to hear Steve Gibson's memories of John McAfee on the best of episode? Maybe you did, maybe you did. On we go with our best of holiday edition of Security Now. This one's very important. I took it seriously. In fact, as Steve is telling T-Mobile customers what to do, I was doing it. What

Steve Gibson (01:09:32):
The news from T-Mobile is all bad. Last week, T-Mobile confirmed their latest data breach, making it the fifth data breach in four years. There, you know, they're gonna have to start explaining to someone like what their problem is. There were two previous attacks in 2020, you know, last year, one in 2019, and the first in 2018. But this most recent breach is the largest by far. And the numbers of affected customers keep growing. They like, as they keep digging into this, like, well, what, what happened? You know, first it was like, wait, we, we got breached? Who says? You know, they didn't know <laugh> literally until someone started selling the content on the dark web. The most recent update reveals that the cyber attack exposed over 54 million individuals' data. Last weekend, a threat actor began selling the personal information, claiming it was 100 million T-Mobile customers, on a hacking forum. For, he was asking six Bitcoin, which is about 280K right now. Cuz as you commented recently, Leo, Bitcoin is coming back. I think it was on Sunday. It's almost, it's coming back. It's creeping back up again. And I'm, I'm, I'm moaning about the 50 that I just said. Eh

Leo Laporte (01:10:55):
Don't, don't think about it, Steve. Don't think, it's not a, so this is the text I got from T-Mobile: unauthorized access to some of your personal data. We have no evidence, of course there are morons, but we have no evidence that your debit credit card information was compromised, but we're gonna give

Steve Gibson (01:11:13):
You, just in case, three years of credit monitoring free. Okay. Thanks. Yeah. Yeah. Okay. So we'll talk about what users should do in a second. Yeah. Hopefully all of our listeners have. So this hacker claimed that the stolen database contains the data for approximately 100 million T-Mobile customers. Now here's the bad part. This is not one of those, well, yeah, they got the hashed password. No, the exposed data can include customers' IMSI, IMEI. Oh, IMSI. What's IMSI? I know IMEI, that's one of the other things. Okay. You know, they're big crypto, you know, like strings of not numbers, but you don't want anybody to have them cuz they could get up to mischief like clone your, your SIMs and things, phone numbers, customer names, security PINs, social security numbers, driver's license numbers and date of birth and, and of course names.

Steve Gibson (01:12:10):
Right? So in other words, the keys to the, the identity theft kingdom. Yeah. The database was said to have been stolen approximately three weeks ago, apparently when T-Mobile was on vacation, and contains customer data dating back as far as 2004. In an interview with the hacker, which Lawrence Abrams of BleepingComputer, he's, he's the BleepingComputer founder, Lawrence Abrams had this interview, reported that the hacker said their entire IMEI history database going back to 2004 was stolen. You know? So that's all of the, of the, basically the serial numbers of all the T-Mobile phones that they've had accounts for since '04. Okay. And that was what, a, a year before the podcast. So 18 years of data that's been stolen. After the data first went up for sale, T-Mobile confirmed, oh, some of our servers have been hacked <laugh> what do you know, and began investigating what customer data had been exposed last Tuesday on August 17th.

Steve Gibson (01:13:27):
T-Mobile, T-Mobile first said that the personal information of 48.6 million individuals was exposed during the attack. They later updated that to include an additional 6 million customers. Oh, 6 million more, or prospective customers, who are also affected by the attack. You don't even have to have like, you know, signed on a dotted line. No, you just open a conversation with T-Mobile and your, and your history. So T-Mobile also confirmed that the attackers stole their customers' IMSI and IMEI numbers. That was confirmed. Okay. So here's a breakdown: 13.1 million current T-Mobile postpaid customer accounts, as opposed to, you know, distinct from prepaid. So 13.1 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, social security number, and driver's license slash ID information. Bad, bad T-Mobile, bad. 40 million former or prospective T-Mobile customers, including first and last names, date of birth, social security number and driver's license slash ID information.

Steve Gibson (01:14:54):
Okay. So a total of 53.1 with all of that, basically game over. 667,000 accounts of former T-Mobile customers, exposing customer names, phone numbers, addresses, and dates of birth, were compromised. 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were exposed. So even if you're prepaid, you're still hosed. And finally, 52,000 names related to current Metro by T-Mobile accounts may have been included. So yeah, count yourself in. Okay. So identity theft is one of those things that can really screw up one's life. You need to prove that it wasn't you who applied for and received credit under your name, when the other person provided, you know, the other person, you're proving, you know, some other mysterious, we don't know who, other person provided all of the personal information that only you are presumed to have. Mm. So, you know, such credence in immediately run up massive charges under your name, using and destroying your credit.

Steve Gibson (01:16:22):
There are tons of horror stories about the mess this has caused for people. I mean, it's ruined lives. And what's needed to apply for credit in someone else's name? Exactly the data that has just been exposed for tens of millions of T-Mobile customers. Because guess what? That's what you provided to get credit from T-Mobile. They said, oh yeah, this is what we know about people, that caught, that convinced us to give them credit. Let's, let's have it all sold on the dark web <laugh> okay. So this is why the absolutely number one best advice I have, the advice I give to anyone and everyone, is to simply run with permanent locks on your accounts at all three of the credit reporting bureaus: Experian, TransUnion, and Equifax. I've had all three locked for me since I first talked about this ago, during one of these identity theft events. This is easily done for someone who is not routinely applying for credit. Oh, Leo, those of us who have thinning hair, it's easier

Leo Laporte (01:17:42):
For us. Yeah. It's easier for us. Yeah. If you're getting credit cards, you have to unfreeze. If you're getting a car, you have to unfreeze. And

Steve Gibson (01:17:49):
Because you have to let those creditors check your

Leo Laporte (01:17:52):
Credit. And by the way, you have to give them your social security number, your drivers, all of this stuff that you, this is why T-Mobile has it. Cuz they run credit checks exactly. Before you can get a, a prepaid phone exactly. Or postpaid

Steve Gibson (01:18:05):
Phone. Yeah. And unfortunately they don't wipe it. Obviously they just keep it.

Leo Laporte (01:18:10):
Why not? That's right.

Steve Gibson (01:18:12):
Yeah. I mean, we certainly wouldn't

Leo Laporte (01:18:13):
Wanna secure it

Steve Gibson (01:18:13):
Or anything. Cloud, cloud storage is so cheap. It, maybe that'll be useful. Okay. The good news is it has recently become easier for those who do need to occasionally unfreeze their credit worthiness. More importantly

Leo Laporte (01:18:29):
Free, thanks to federal intervention. Yes. It used to be expensive.

Steve Gibson (01:18:36):
A couple of years ago, I realized that I was losing money by not using an Amazon branded credit card for my many purchases through Amazon, since they were providing a couple of points of discount for purchases made through their own card. Why would I not take advantage of that? So I had the occasion to need to lift the locks on my credit. What I discovered was that all three of the agencies now offer a convenient, free 10 day unlock with automatic relock. So I told them all to start the 10 day counter, I applied for the Amazon card, qualified through whichever one of the three agencies Amazon queried, and then all of them were automatically relocked. So it makes it so practical. You know, with accounts locked this way, no would-be creditor is able to query for my credit, and thus no creditor would allow a thief to open a credit account under my name. So I'll just say it again. If you have not done it, if you are not continually needing for some reason to have creditors accessing your credit with those big three firms, then why not lock those agencies down? It's trivial to do. And it buys a lot of peace of mind.

Leo Laporte (01:20:15):
Doing it right now. And it's free now, as, as, as we said, to freeze and unfreeze. Yeah. Yep. So there's a fraud alert and there's a credit freeze. The credit freeze is what you want. Fraud alert, you actually have to have fraud first.

Steve Gibson (01:20:28):
There. There's a freeze and there's a lock. Though unfortunately the jargon can be confusing. You, the freeze is temporary, the lock is permanent. Oh. So the lock, the lock is what you want. Okay. So I'm glad you brought it up because the, you, you do need to read through that and, and look at what it is that they're doing. Mine are just permanently locked. And the other cool thing is I, when I was just looking at it yesterday, I'd forgotten that there are now iOS apps that allow you, after verifying you are who you are, to use the app to unlock your credit on a, on a transient, temporary basis. So it really becomes quite a practical thing to do. Again, everybody, in my opinion. And I mean, unless you're, you know, newlyweds buying all kinds of stuff and, you know, cars and homes and things, just lock that stuff down. You wanna protect your credit and, and not have, have it destroyed by somebody. I mean, look at all this mess that, that T-Mobile has just created for people. Oh, we're gonna give you three free years. Oh, who

Leo Laporte (01:21:37):
For call people. Geez, great.

Steve Gibson (01:21:41):
In the doghouse, huh? This week is ProtonMail. And I know a lot of our listeners are ProtonMail users. I know my Twitter feed is full of people saying, Hey, talk about ProtonMail. Steve, tell us how wonderful it is, and I'm using it. I think it's great. So, okay. This, what's really cool,

Leo Laporte (01:22:03):
Everybody. And I'll indicate now, email is inherently insecure, period. Yes.

Steve Gibson (01:22:08):
Don't kill yourself. What's cool is they got caught, and I've got it in the show notes, changing their website. So they boast on their website, secure email based in Switzerland. But that statement's meaning was changed last week. I just scrolled down through their homepage at protonmail.com and, oh boy, it looks wonderful. The Hacker News, you made fun of it when

Leo Laporte (01:22:41):
It came out because you mentioned the Swiss server in the mountain

Steve Gibson (01:22:45):
<Laugh> Yes. Remember that? Yes. Yeah. So The Hacker News writes that, quote, on its website, ProtonMail advertises that, quote, no personal information is required to create your secure email account. By default, we do not keep any IP logs, which can be linked to your anonymous email account. Your privacy comes first. That's from them, from The Hacker News. But when I just went to that page and searched for bits of that assertion, that statement, it had apparently been removed. I wonder why. Could it perhaps be because it was recently discovered that ProtonMail had provided location information to Swiss authorities, which directly led to the arrest of one or more of the users of their supposedly Swiss identity-protecting service? Yeah. That might have been a factor. The Hacker News captured a before screenshot of ProtonMail's homepage. Right at the top, it lists its main feature categories as Swiss privacy, end-to-end encryption and anonymous email.

Steve Gibson (01:24:18):
But it doesn't say that today. Their homepage has been changed. Today the top line still begins with Swiss privacy and end-to-end encryption <laugh>. But now the third item is your data, your rules, where it previously said anonymous email. Now, I give them some serious props for fessing up and apparently thinking, okay, we really can't make that anonymous email claim anymore, can we? You know, that had to hurt, because I know these guys' heart is in the right place. I feel bad for the French climate activist who believed them and is now in jail. Yep. ProtonMail acknowledged that it had received a, quote, legally binding order from the Swiss Federal Department of Justice related to a collective called Youth for Climate, which it was, again, quote, obligated to comply with, compelling it to hand over the IP address and all information it had related to the type of device used by the group to access the ProtonMail account.

Steve Gibson (01:25:41):
Hmm. That's probably not the nature of the protection that those users of ProtonMail believed they were receiving after reading ProtonMail's original, quite powerful and compelling privacy-expounding homepage, which, as I've noted, no longer exists. So despite its no IP logging claims, the company acknowledged that while it's illegal for the company to comply with requests from non-Swiss law enforcement authorities, it will be required to do so if Swiss agencies agree to assist foreign services such as Europol in Europol's investigations. In part of a lengthy response posted on Reddit, the company said there was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place. And this was also the final determination of the Federal Department of Justice, which does legal review of the case. Put simply, ProtonMail will not only have to comply with Swiss government orders.

Steve Gibson (01:27:13):
It will be forced to hand over relevant data when individuals use the service to engage in activities that are deemed illegal in the country. This includes monitoring its users' IP addresses. ProtonMail's founder and CEO, Andy Yen, tweeted, quote, Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended, and we are required by Swiss law to answer requests from Swiss authorities. It's deplorable, he's, this is his tweet, it's deplorable that legal tools for serious crimes are being used in this way. But by law we must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced. Now I

Leo Laporte (01:28:11):
Have to say, and I have to say that seems to me disingenuous, because they were saying we don't log IP addresses, we don't preserve that information. If they had received a warrant for information they didn't have, they wouldn't have to hand it over. So they were misrepresenting what they were doing.

Steve Gibson (01:28:38):
Well, unless the warrant said start logging. Yeah. Yes, exactly.

Leo Laporte (01:28:45):
Now, Swiss law requires they notify the subject. Oh, so that's again another question mark. At that point, they're supposed to tell the subject, we are now monitoring your logging. Did they do that? You know, this is never <laugh>, and this is independent of whether they're encrypting email or not. Yeah,

Steve Gibson (01:29:07):
Yeah, yeah. Of course. They're encrypting absolutely end to end. We believe that. End to end, and

Leo Laporte (01:29:12):
If the other person is gonna do it with you, I mean, right. You know, you can't send an encrypted email across the public internet. You can only send a link saying there's an encrypted file for you. Or, you know, it can come unencrypted, something like that. Sure. Because Gmail doesn't know how ProtonMail works; Gmail wouldn't know what to do with

Steve Gibson (01:29:34):
It. What I'm wondering. You know, because, I mean, they're loudly talking about their service. You know, the entire reason people use ProtonMail is to get the protection that they used to claim, anonymous email. So I mean, it does seem to me like maybe their technology's not working right, but their heart's in the right place. You know, their business is to offer this, to the degree they can, absolute privacy, but you know, they're certainly correct in explaining that if they have the ability to comply with such requests, they must by law do so. Yeah. Same with Apple.

Leo Laporte (01:30:23):
Same with everybody else.

Steve Gibson (01:30:24):
Yes, exactly. Yeah, exactly. Where I'm going with this, Leo, what I wonder is whether it wouldn't be possible for them to design a system where it's just not possible for them to comply, no matter how much they might be forced to. Again, for example, to the point you just made, we've conjectured here that one possible motivation for Apple's quite unpopular plan to compare photo signatures against a known photo signature database before uploading new photos to iCloud might actually be so that they could further lock down iCloud as they have their other end-to-end encrypted systems. You know, in other words, make it impossible for them to comply with such a request, and where there's a will, there's a way. So, you know, ProtonMail users who are concerned about the visibility of their IP addresses, I think, should also take the trouble to route their access through the Tor network to obtain additional.

Steve Gibson (01:31:43):
And since email is not real-time communications anyway, routing email through Tor, which adds significant communications latency on its own, because you've gotta bounce through all these nodes that have onion wrappers unwrapped, to me, that makes a lot of sense. But presumably that isn't something that these guys thought they had to do, because they were being told that their IP address was not being logged. You know, we don't know the details, or whether they were told they were forced to start logging, or whether maybe they actually were logging and deleting them, you know, quietly keeping a log but never intending to publish it. Or maybe they understood that they did have an obligation to comply with Swiss law and were actually logging. Yeah, we don't, we don't know.

Leo Laporte (01:32:40):
Wow. This has been quite a year, isn't it? Hasn't it. I hope things are better, on the one hand, next year. On the other hand, we have so much fun on Security Now talking about how bad things are. I don't want that to end either. Steve is committed. He's gonna do a whole nother year of Security Now. In fact, several years still to come. I think, honestly, this is one of those shows you just have to listen to every week. I thank all of you who do. I know some of you are listening thanks to your company buying a membership in Club TWiT. That makes me even happier. Club TWiT's been a great success this year. If you're not already a member: ad-free versions of all the shows, access to our Discord server, which is so great, round the clock.

Leo Laporte (01:33:25):
And of course the TWiT Plus feed, including our Untitled Linux Show, Stacey Higginbotham's book club, many special guests, actually Mike Elgan and Amira Elgan coming up. Thanks to our new community manager, Ant Pruitt. He's put together a number of special events for us in the month of January. Mike and Amira. I think Jeff Jarvis joins us in January too, actually. We're getting booked up. All of those exclusive for Club TWiT members. To find out more, or to join for your company, we love the corporate memberships, just go to twit.tv/clubtwit to find out more. Thanks to all of you who listen, all of you who chat with us and Discord with us. This is just a great show, but really, I guess number one, I gotta thank Steve Gibson. He works very hard to put this show together every week and he is the master, the master. He's back next Tuesday, January 4th, a brand new Security Now. Do you think there'll be any security flaws to talk about? Hmm. I wonder. We'll see you then. Bye. Bye.

Speaker 4 (01:34:34):
Security Now.
