Security Now Episode 855 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show. 

Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. Lots to talk about. We're gonna briefly touch on Log4j and the background noise: no big, severe breach that we know of yet, but I guess that's only a matter of time. A look at the insurance industry's pushback against ransomware coverage, the EU's major bug bounty funding for a lot of open source projects. And then Steve's gonna look at a NetUSB flaw that involved a fairly simple programming error. You might wanna listen, so you don't make the same mistake. It's all coming up next on Security Now.

New Speaker (00:00:35):
Podcasts you love from people you trust. This is TWiT.

Leo Laporte (00:00:39):
This is Security Now with Steve Gibson, episode 855, recorded Tuesday, January 25th, 2022: Inside the NetUSB Hack. Security Now is brought to you by PlexTrac, the premier cybersecurity reporting and workflow management platform that helps you focus on winning the right security battles. With PlexTrac you'll streamline the full workflow from reporting to remediation. Visit plextrac.com/twit and claim your free month. And by privacy.com. Privacy lets you buy things online using virtual cards instead of having to use your real ones, protecting your financial identity on the internet. Right now, new customers will automatically get $5 to spend on their first purchase. Go to privacy.com/securitynow to sign up today. And by Melissa. The US Postal Service processes more than 98,000 address changes every day. Is your customer contact data up to date? Try Melissa's APIs in the developer portal. It's easy to log on, sign up and start playing in the API sandbox, 24/7. Get started today with 1000 records cleaned for free at melissa.com/twit. Yes, once again, it's time for Security Now. You've been waiting all week for this guy right here, Steve Gibson, grc.com. Hello Steve.

Steve Gibson (00:02:16):
Hey buddy. Great to be with you for the last podcast of January. Where did the month go? Wow. The next one will be February 1st. We're gonna have one of those earliest possible second Tuesdays of the month. Two weeks from today, it'll be the eighth, for another Patch Tuesday adventure. They

Leo Laporte (00:02:37):
Come so fast don't they? Oh my, I know. Seems like you just had one.

Steve Gibson (00:02:41):
They just keep giving so much joy to the world. So this is Security Now episode 855 for the 25th of January, titled Inside the NetUSB Hack. And you asked me before we began recording, is this the first time we've talked about NetUSB? And it's funny that you should ask, because in doing some additional digging, I realized there had been a previous event with exactly the same kernel driver in Linux modems. And we titled a podcast, I think it was number 508, "NetUSB". So indeed this has been an ongoing problem. I mean, it's been quiet for a long time, but okay. The details of what the coder did are so interesting, and it's not super crazy, like, you know, no one's gonna be able to understand this. And when I dug into it a little bit more, I thought, okay, I just have to share this with our listeners, because it's a perfect example of how a mistake can get made where you can look at the code and everything looks fine: the structure, the design, perfect.

Steve Gibson (00:04:11):
But due to a little side effect, which <laugh>, you know, I mean there were some things they could have done that would've prevented this from happening, but it's just a textbook classic mistake. And I thought, okay, wait, I know that's just perfect for the podcast. Good, good, good, good. We're gonna get to that. But first we're gonna briefly touch on the ongoing, I would call it Log4j background noise at this point now. No, nothing cataclysmic happened in the last week, but there's a little percolating. We're also gonna look at the result of the insurance industry's pushback against their insurance coverage of ransomware. It's what we've been expecting. And also the resulting sort of changing cyber insurance landscape that is emerging as a result. We're gonna look at another WordPress add-on problem and a supply chain attack on a very popular WordPress add-on provider.

Steve Gibson (00:05:15):
We're also wondering, as a result of this, whether WordPress still makes sense in the current day and age, in 2020. I am gonna question you on that, because these add-ons aren't official WordPress add-ons, they're third party add-ons, aren't they? Correct, but WordPress is built to support an add-on architecture. The idea is that the WordPress people deliberately keep it rather feature sparse, because the whole idea is to encourage an add-on ecosystem. And I think that's the crux of the problem. You know, it was '03, it began 19 years ago, and it may have made sense back then. I don't think that that model works in today's world. Anyway, well, we'll talk about that. We've also got the EU's quite welcome major bug bounty funding that they just announced last week.

Steve Gibson (00:06:15):
Kaspersky's discovery of a very difficult to root out UEFI, well, you'd really call it a bootkit rather than a rootkit. They found something that's interesting. Also, as I look through my recent Twitter transactions, there were some interesting questions and some topics suggested by our listeners. And then we're gonna have a really interesting and, really, if people pay attention, everybody will understand this and kind of have this cool aha moment, where we really take a classic look inside a hack at something that the designer of the NetUSB code missed, and it's probably been in there forever.

Leo Laporte (00:07:07):
Oh, can't wait. Always enjoy that. Know what not to do, in other words. <laugh> Yeah. Great. We will get to the heart of the subject and our picture of the week, which is a fun one, coming up in just a bit, but first a word from our sponsor, the purple teaming platform. You know the name PlexTrac, right? PlexTrac, the premier cybersecurity reporting and workflow management program. If you're ready to gain the benefits of purple teaming but have no clue how to get started, maybe you're working to mature your security posture but you're struggling to optimize efficiency and facilitate collaboration within your team. Well, we got a good solution for you: PlexTrac. It's a powerful but easy to use cybersecurity platform that centralizes all your assessments, all your pen test reports, all your audit findings, all your vulnerability tracking. Makes it easy to do all of that, and then makes it even easier to collaborate with the blue team to fix all of these problems.

Leo Laporte (00:08:14):
PlexTrac transforms the risk management life cycle, allowing security teams to generate better reports faster, to aggregate and visualize analytics (the boss loves those pictures, they just love pictures) and collaborate on remediation in real time. Cuz after all, what good is it to find a problem if you can't fix it? The PlexTrac platform addresses pain points across the spectrum of security team workflows and roles. I can't tell you all of it, there's not enough time in the day, but I'll give you a couple of 'em. This is the reports module, one: it's the easiest way, and that's important, to report security findings. Easy, cuz you don't wanna spend all day typing like Wojo on Barney Miller, just typing away with your findings, when you can template it. You can make it quick. You can embed code samples and screenshots. You can even add videos to any finding, which a lot of times is the best way to communicate an issue: show the failure happening. And like that, import findings from all your major scanning tools, no matter what you use.

Leo Laporte (00:09:17):
And then you can export it all into custom templates with a click of a button. So easy to use. You might even make different versions: one for the blue team, one for the C levels, one for the board, that kind of thing. The runbooks module can facilitate your tabletop exercises, your red team engagements, breach and attack simulation. It's great for purple teaming activities to improve communication and collaboration. PlexTrac upgrades your program's capabilities by making the most of every team member and every tool. Of course, the analytics module can help you visualize your security posture so you can quickly assess and prioritize. And that's a nice thing, not only for a more effective workflow, but also for explaining and sharing what's going on with everybody and all the stakeholders. Map risks to frameworks like MITRE ATT&CK to create a risk register.

Leo Laporte (00:10:08):
Things like that. Enterprise security teams can use PlexTrac to streamline pen tests, to help automate security assessments and incident response reports, and much more, keeping you and your team, red or blue, focused on getting the real security work done. With PlexTrac you gain precious time back in the team's day. You're not in the weeds trying to get all this stuff reported, logged and, you know, written up. It also improves employee morale. I'll be honest with you, cuz no one enjoys that. Get more done, be more efficient, be happier. PlexTrac enterprise customer Jacobs Engineering gave us a great quote. He said deploying PlexTrac allowed our team to cut the reporting cycle by 65%. That's a lot less time spent typing, a lot more time fixing. Book a demo today. See how much time PlexTrac can save your team. Try PlexTrac free for one month.

Leo Laporte (00:11:03):
Nice. See how it could improve the effectiveness and the efficiency of your security team. They want it. You want it. Go to plextrac.com/twit, claim your free month. PlexTrac, P-L-E-X-T-R-A-C dot com slash TWiT, plextrac.com/twit. And we thank PlexTrac so much for supporting Security Now. I love it when these security companies support this show, cause it means, you know, they support what we're doing here, Steve, and understand this is a great way to reach security professionals. So we're glad to have you, PlexTrac. It's a win-win-win all round. Let's do a picture.

Steve Gibson (00:11:44):
<Laugh> Our picture of the week should strike

Leo Laporte (00:11:47):
Fear in the heart of

Steve Gibson (00:11:50):
Kids who have probably done this, and, on another level, coders who have done this. What we're looking at is a large container with a divider separating it into two halves. On one half, we have it filled with Mentos, and on the other half, with Coca-Cola. And so then there's a hand reaching down from off screen, getting ready to lift and remove this divider, which is currently, thankfully, separating the Mentos from the Coca-Cola, because we know what happens when you pull that divider out and Coca-Cola is able to mix with Mentos. You get an explosion. <laugh> And so this picture is titled "When you're gonna merge two branches after a long time". It's a Git joke. Thank you. It's a Git joke, exactly. For those who have not messed with source level control, one of the things that can happen with source code, a project with multiple files and such, is you can, you know, fork the source into a separate branch and then independently work on various aspects of the code.

Steve Gibson (00:13:17):
But there are times when you may want to merge the different changes back into a single branch, essentially back into a single set of files. Well, the software to do this has been, you know, maturing over time, and it basically does what you'd expect it would do. Given two different files, it looks at both files and follows them along and waits until it sees that, wait, one of the files has changed in a certain way compared to the other. And then, so it notices there's been a change, and then it continues looking down until it sort of finds where they resynchronize again. And so it's able to identify the location, you know, which region of the source code is different from the other.

Steve Gibson (00:14:20):
And then, all things being <laugh> correct, smash the button and you hold your breath and you smash 'em back together again. The beauty of Git is you can always get back to the previous setup. Thank God. But exactly. You're able to roll back in time. Yeah. But anyway, the idea is if there were not many changes between the files being merged, your chances of creating a sane recombination are pretty good. But, and this says, when you are gonna merge two branches after a long time, <laugh>, there are big differences. Yeah. Lots of differences have occurred. It's like, ah, I don't know if we're gonna, oh. Especially if you get conflicting differences of the same region between the two pieces. It's like, okay, now what are you gonna do? A lot of text

Leo Laporte (00:15:14):
On the screen. Let's put it that way. A relatable fountain of Mentos. So you're kind of new to source code version control. This is since you set up that GitLab. How are you liking

Steve Gibson (00:15:26):
It? Well, I'm not using it for that at all. Oh, oh,

Leo Laporte (00:15:30):
<Laugh> Just for bug

Steve Gibson (00:15:31):
Reporting. It's just for issue tracking. Yes. Yeah. Yeah. So I have long used something called FileBack PC, which is no longer being produced. It, I mean, it's good. Of course. Yeah. Because it still works, and I mean, it's back almost from the DOS days. It's got a very sophisticated set of incremental backup management, where as I'm just working on my source code, not thinking about it, across multiple files, it's watching me do that and taking snapshots of my work periodically as things change. And it has been super handy many times. Now what I'm doing is whenever I'm releasing a public build of SpinRite, I have just a batch file that zips all my source into an archive and sort of, you know, saves it at that point.

Steve Gibson (00:16:36):
And that way, if somebody later says, hey, you know, everything was working until this version, I'm able to go, oh, and go back and take a look at what it was. I also have a really cool Windows utility, Beyond Compare, which is a side by side, very smart Windows-based source comparison tool that I use often when I'm trying to understand, you know, what the differences are between two different files. So <affirmative> anyway, and I'm using Sync. I've talked a lot about sync.com. They do absolute version tracking. Every single time I save my source, it creates a checkpoint at sync.com for that file. And again, it's come in handy where I've wanted to roll back and grab a particular point in time. Sync.com has them all.

Steve Gibson (00:17:42):
So I've become a big fan of that. And in fact, I'm not using FileBack PC any longer, because sync.com just, you know, does everything, and is also backing it up to the cloud and encrypting it and so forth. And it gives me multiple site access too. So I'm able to get it from both locations. So, yeah, I turn on versioning in Sync too, cuz that is a nice feature. Yeah. Even not for coding. Yeah. <affirmative> Yeah. Okay. So some Log4j news. I didn't wanna skip over anything important regarding Log4j this week. And the good news is there were no clear Log4j-related disasters reported during the past week. There was plenty of, you know, Log4j stirring, however. Microsoft reported that SolarWinds, we remember them from last year, their Serv-U servers were under a Log4j attack in a failed attempt at leveraging their support of the LDAP protocol.

Steve Gibson (00:18:46):
As a consequence of the details, it wasn't actually possible to exploit them, and the attacks failed. They still updated their Serv-U servers, just to, like, you know, in the interest of <laugh> not being responsible for any more damage to the industry. And Akamai reported seeing attacks aimed at Zyxel's networking gear. In response, Zyxel has updated one of their products and posted, they said, "Zyxel is aware of remote code execution vulnerabilities in Apache Log4j and confirms that among all its product lines, only NetAtlas Element Management System (EMS)", whatever that is, "is affected." They said users are advised to install the applicable updates for optimal protection. So Zyxel did have something that was needing patching, and they've done that. So it's mostly, you know, just kinda like that during the week.

Steve Gibson (00:19:48):
No huge drama, just stirrings and rumblings and general indications of ongoing, largely behind the scenes, work by many. You know, I mean, everyone is scrambling to remediate that surprising discovery of such a widespread vulnerability. The way The Record summed things up was to write: "While news cycles move fast from topic to topic, the situation around the Log4Shell exploit has not changed since last month, and the vulnerability is still heavily targeted and abused by threat actors seeking to enter corporate networks. At the time of writing, there have been reports about threats such as ransomware gangs, nation state cyber espionage groups, crypto mining gangs, initial access brokers, and DDoS botnets, all of which are now using the vulnerability in their operations." So, you know, all the usual suspects jumped on this thing quickly, and all of their various operations acquired yet another means for remotely penetrating networks. You know, we know what the shape of the patch curve looks like. I'm sure 90% of the problems that were publicly present are resolved by this time. It's been nearly two months since early December when this all began. Yet there will be that remaining 10% that probably never get patched. And I'm pretty sure they're probably all well infested by this point.

Steve Gibson (00:21:31):
Okay. So who pays for ransomware attack recovery? I just personally find the topic quite interesting, since one of the targeting parameters, which we know from some dialogues that were shared, we know that the parameter used by attackers has been their victim's ability to pay. Right. The whole point is getting paid. And so it doesn't make any sense to pay to attack somebody who has no money or, you know, who isn't gonna be able to pay. And since, in the case of many public and private targets, their cyber insurance has been the actual source of ransomware payment and then post-attack recovery funding, insurance sort of is in the crosshairs. Back four years ago, in June of 2017, and I remember we talked about this at the time, Leo, the pharmaceutical giant Merck was hit by the NotPetya ransomware in what was really a surprisingly devastating cyber attack four years ago.

Steve Gibson (00:22:44):
So that was before the current surge, and NotPetya was one of the early ones. And the attack was apparently quite devastating, with Merck claiming that the data on more than 40,000 Merck computers was destroyed. At the time, Merck estimated the damage from this one attack at 1.4 billion, you know, a quite sizable loss, resulting from production outage, cost to hire IT experts, and cost of buying new equipment to replace apparently all affected systems. And as I said, we discussed it at the time. And I remember you, Leo, wondering about the size of that number. You know, it's like, whoa, first of all, 40,000 computers, what, are you gonna replace every single one? I mean, it sort of seemed like a, I don't wanna say a scam, but like they were, you know, gonna get a nice ride out of their insurance policy if they could.

Steve Gibson (00:23:53):
You know, and certainly it seems a bit steep. In any event, Merck was quite well insured, carrying a $1.75 billion, quote, "all risk" insurance policy. It probably didn't say ransomware then, cuz it was so uncommon. Right. It was just, correct. Yeah. Correct. But there was some cyber coverage; it included coverage for software-related data loss events. So at that point, sort of generic. Merck's insurer, ACE American, wasn't happy about the idea of paying out 1.4. Yo, you'd like all new computers, you'd like 40,000 new PCs? Is that right? So they refused to cover the losses, citing that the NotPetya attack was part of Russian hostilities against Ukraine. Yeah. I remember this. Yeah. Yeah. Uh-huh. And as a result was subject to the "acts of war", again in quotes, that is an exclusion clause in insurance policy contracts, the acts of war exclusion clause, which is standard boilerplate present in most, as I said, insurance contracts.

Steve Gibson (00:25:20):
So Merck sued ACE American in November of 2019, arguing in court that the attack was not an official state action, hence the acts of war clause should not apply. Merck's attorneys argued that the exclusion clause contained language that limited the acts of war to official government agencies and did not specifically mention cyber-related events. And as a result, the act of war exclusion clause should not apply to their customer. Okay. This popped back into the news last week after a court in New Jersey, with what seemed rather clear cut language in the agreement, ruled in favor of Merck. Judge Thomas J. Walsh wrote in an opinion justifying his ruling, he said, "Given the plain meaning of the language in the exclusion, together with the foregoing examination of the applicable case law, the court unhesitatingly finds that the exclusion does not apply." The judge argued that despite knowing that cyber attacks can be acts of war, American, or ACE American, did not move to update the language in its exclusion clauses. He said, quote, "Certainly they had the ability to do so. Having failed to change the policy language, Merck had every right to anticipate that the exclusion policy applied only to traditional forms of warfare."

Steve Gibson (00:27:16):
So that set some additional case law. And although, you know, the case wasn't mainstream news, the insurance industry has been watching it closely, and it has had a large impact, and has been having a large impact, on the cyber insurance business, with several major insurers updating the language of their acts of war exclusion clauses, the latest being Lloyd's, which updated their language just a few days before the court's ruling. So the Merck case is attention grabbing due to the amount of money involved, certainly. But there have been a great many lower profile lawsuits brought by ransomware victims in the last couple years. And those cases have also largely been won. The insurance companies are not happy, and they're responding, which brings us to another thing I want to talk about: the rising cost of cyber insurance. The Suburban School Cooperative Insurance Program, SSCIP, is an insurance pool designed to allow school districts to join together, sort of in a collective bargaining way, to negotiate better insurance rates and lower management fees.

Steve Gibson (00:28:41):
One of the school districts participating in this co-op program is Bloomington School District 87 in Chicago, Illinois. That school district recently published its cyber insurance renewal details, which caught some of the tech press's eye. They reported that their cost jumped in one year from what it had been, $6,661 in 2021, to $22,229 for 2022, 334% of the previous year. And in fact, the cooperative was apparently fortunate to even get that. In their memo, the district noted the, quote, "In light of events that have negatively impacted the cyber insurance market, SSCIP was unable to initially find the required coverage for the group." After a small delay, the cooperative was ultimately able to secure an insurer willing to accept the risks of the pool. Emsisoft recently published a summary of ransomware hacks in 2021. I mean, that's just a report begging to be written.

Steve Gibson (00:30:05):
Wouldn't be very difficult, right? I mean, you know, just <laugh> play back this podcast for the year of 2021. They wrote, predictably, 2021 was largely a replay of the previous two years, with the US sector again experiencing a barrage of financially motivated ransomware attacks. The attacks impacted a total of 2,323 local governments, schools and healthcare providers. The breakdown was 77 state municipal governments and agencies, 1,043 schools and 1,203 healthcare providers. An interesting bit of the memo published by District 87, talking about their cyber insurance coverage, indicated that the districts participating in the cooperative insurance policy would be required to do more than just make their premium payments to qualify for this coverage. The districts would also be required to fully implement multifactor authentication for all logins across all of their accounts. And interestingly, until that was done, the insurance coverage limits would remain low.

Steve Gibson (00:31:34):
So the insurer is saying, okay, here's the price. We're not gonna give you full coverage until you can assert that you have taken the steps of implementing multifactor login authentication for every login you have. Once that's done, and they're expecting to be able to do that by the end of March, then you get the full coverage that you're paying for, which I thought was interesting. As we know in the Log4j world, adding multifactor authentication to logins won't help, right? Since the bad guys are crawling in through the back door, rather than guessing the authentication protecting the front door. But adding multifactor authentication where it's been absent, which was probably everywhere, would certainly remove the lowest hanging fruit. And, you know, I would argue that certainly provides significant protection. Overall though, as we've, you know, expected to see, the cost of cyber insurance coverage is predictably increasing significantly across the board for anyone who needs it. Yikes.

Steve Gibson (00:32:53):
And we have to talk about, and this leads us to some discussion again about, WordPress. The guys at Wordfence have uncovered another very critical, this one's a CVSS of 8.3, flaw in a WordPress add-on named WP HTML Mail. WP HTML Mail is an email template designer used for designing custom email. Unfortunately its use is currently exposing more than 20,000 WordPress sites that use it to malicious code injection, phishing scams, and more. The root of the problem is a faulty configuration, well, which is putting it kindly, in the REST API routes used to update the template and change settings. I say it's putting it kindly because there is no authentication at all required to access the REST API endpoint. Consequently, any user, I mean like anyone on the internet, has access to execute the REST API endpoint to save or retrieve an email's theme settings.

Steve Gibson (00:34:15):
This would allow the injection of malicious JavaScript into the mail template that would execute anytime a site admin accessed the HTML mail editor. Okay. So threat actors could add new users with admin credentials, inject back doors, implement site redirects, and use legitimate site templates to send phishing emails, among many other things. Basically a complete site takeover. Wordfence said that combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there's a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited. As I said, the plugin is installed on more than 20,000 sites and is compatible with other plugins run by WordPress with large followings, like the eCommerce platform WooCommerce, online form builder Ninja Forms, and community builder plugin BuddyPress. Wordfence noted in their disclosure:

Steve Gibson (00:35:39):
"We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.1 at the time of this publication." And for what it's worth, this latest disclosure comes just a week after the firm known as Risk Based Security published their findings that the number of WordPress plugin vulnerabilities exploded by triple digits in 2021. And, you know, all of our listeners know it's a constant topic here, just because this is such a problem. And as we mentioned just last week, remember, three different WordPress plugins, all written by the same author, were reported with the same bug, exposing 84,000 sites running eCommerce add-ons to full site takeovers. So is anyone here noticing a worrisome trend with WordPress? I'm certain that the developers of these plugins have the best of intentions, but as we're gonna see in detail at the end of today's podcast, writing secure code is surprisingly difficult.

Steve Gibson (00:37:00):
Now, I don't excuse somebody who doesn't even add authentication to the REST API used for configuring his plugin and the templates that it uses. That's inexcusable. I mean, that's just, like, no security whatsoever. And the problem is most developers stop their work the moment their code starts to work, but that often means that the security of that code, as a vital aspect of it, is barely if ever considered. Okay. So on top of all that, we have a supply chain attack on a popular WordPress add-on provider. You know, it's bad enough when plug-in authors who are untrained in security coding make mistakes. That's not good. But when deliberately malicious actors are able to get their malicious code into widespread and popular add-ons, things get much worse. In this case, threat actors were able to compromise 40 themes and 53 plugins, all belonging to AccessPress, a developer of very popular WordPress add-ons, which are used by over, sit down, 360,000 active WordPress sites.

Steve Gibson (00:38:33):
There's like 800 and some thousand. So more than that, but this is more than a third of all WordPress sites used themes and plugins from AccessPress. So yeah, the guys at Jetpack, who are professional WordPress developers, explained their discovery. They said, "While investigating a compromised site, we discovered some malicious code in a theme by AccessPress Themes, a vendor with a large number of popular themes and plugins. Upon further investigation, we found that all the themes and most plugins from the vendor contained this suspicious code, but only if downloaded from their website. The same extensions were fine if downloaded or installed directly from the wordpress.org directory," meaning that they'd not been contaminated by this supply chain attack. "Due to the way the extensions were compromised," they wrote, "we suspected an external attacker had breached the website of AccessPress in an attempt to use their extensions to infect further sites.

Steve Gibson (00:39:49):
We contacted the vendor immediately, but at first we did not receive a response. After escalating it to the wordpress.org plugin team, our suspicions were confirmed. AccessPress websites were breached in the first half of September 2021, and every one of their extensions available for download on their site was injected with a back door. Once we had established a channel for communicating with the vendor, we shared our detailed findings with them. They immediately removed the offending extensions from their website. Most of the plugins have been updated," they concluded. So anyway, I won't take up any more of our time on this specifically, but I think that our constant extinction level event reports about WordPress oughta give us some pause. I

Leo Laporte (00:40:45):
I just wanna emphasize, they're not about WordPress. They're about WordPress plugins. WordPress base code has always been secure.

Steve Gibson (00:40:52):
Yes, that's exactly true. I think it's becoming clear that WordPress with its add-on ecosystem made a lot more sense when it was initially released 19 years ago, back in 2003, than it does today. And I agree with you, Leo. There's no problem at all with WordPress itself. So

Leo Laporte (00:41:14):
Be careful about what extensions you use, I guess. I mean, you know, the thing is totally dominant, half a billion sites, right? WordPress. I mean, it's the number by far. Number one, I think it's almost half of the web,

Steve Gibson (00:41:26):
So yes. It is, it makes it a target for sure. It's 39 and a half percent of all internet websites. Yeah. So like 40% of the internet, and as a CMS, you know, a content management system, 62% of all CMSes is WordPress. And the number two, in like a distant third, is Shopify with 3.2%. So I completely agree with you, Leo. WordPress itself, the core, is solid. Those guys are professional developers. The problem though is that there's this, I mean, it's too easy

Leo Laporte (00:42:07):
Maybe to make that add-on. Maybe that's the problem

Steve Gibson (00:42:10):
That, and you know, cuz I was running WordPress for a while, I had a blog there, and what annoyed me was WordPress lacked really useful and important features. Right. And they know it. They don't add features to their core product because they believe, and I think this is historically true but not safe today, that they, I mean, they're trying to encourage an add-on ecosystem. The problem is it's just PHP and anybody can create an add-on. It's just too easy.

Leo Laporte (00:42:43):
Yeah. Yes.

Steve Gibson (00:42:45):
And we know that security is really hard. Yeah. And so basically what we end up with is just this constant problem. I mean, the Wordfence guys, who have staked out WordPress security, they're busy because everywhere they look there's like this catastrophic, you know, tens of thousands of sites vulnerable to some add-on that, like, oh look how cool, you know, they're all free. But you know, they're a security catastrophe.

Leo Laporte (00:43:17):
Yeah. And I wonder how much they vet the plugins. I mean, you can get them officially from, as you've pointed out, wordpress.org. Yep. And I wonder how much security they do there. I mean, clearly

Steve Gibson (00:43:33):
They have no control over what, you know, any

Leo Laporte (00:43:36):
Third party can also. Yeah, yeah, yeah, yeah, yeah,

Steve Gibson (00:43:40):
Yeah. I'm going to take a sip of water. Indeed. Let's tell our listeners why we're here. Let's

Leo Laporte (00:43:48):
Let's do that. Shall we? Our show today brought to you by, and I know you like this idea cuz you were the first to even mention to me privacy.com, burner credit cards for use in places where you maybe just don't want to use your official, you know, credit card number. For me, that's pretty much everywhere. <Laugh> I use Privacy online every single time and I love it for that reason. Privacy, privacy.com is the website, is a tool that makes it super easy to manage your financial life online while keeping all your most important information secure. And I should say private. So here's how it works. It generates virtual credit card numbers masking your real bank information. When I set up a Privacy card, you have two choices. When you create the card, you can make it a burner card that can only be used once.

Leo Laporte (00:44:42):
That's it. Most of the time though, I make a merchant card. It's locked to the first merchant who uses that card; thereafter, only that merchant can use that card. So I have one for pretty much every online merchant. The beauty of that is, especially for subscriptions, when you don't want that credit card to be good anymore, you can just pause it. You can delete it. You'll see all the declines, so you'll know immediately if somebody's trying to use it, but it never works unless it's that merchant, which is awesome. So you get to choose. There's more options. Once you decide which kind you want, merchant versus single use, you can choose a limit: monthly, yearly, daily, per charge, so you can make sure you're never overcharged. I use that with a phone company, for instance, so they don't have accidental, you know, cramming charges on it.

Leo Laporte (00:45:35):
They'll let me know immediately. Great for subscriptions and recurring payments. The only kind of card I use, because it's so much easier just to pause the card than to go in and cancel. And a lot of times these companies make it really hard to cancel. And it's kind of fun when you cancel something that you just couldn't cancel either way. So you pause the card, you get these <laugh> these emails from Privacy saying they tried again, they tried again, and it sometimes takes 'em a few months, but eventually they'll get the message you're not paying for this anymore. What a great way to catch a gym or some other subscription that you're not currently using. I wish I'd used Privacy when I joined that gym a few years ago and they kept charging me months after I quit. Just pause your Privacy card, no difficult customer service hoops to jump through. Privacy just blocks the charges and lets you know, not only lets you know if they try to charge, but if anybody tries to charge over the allotted amount, so you're always within your budget. They've got Chrome and Firefox extensions.

Leo Laporte (00:46:31):
So it's really easy. There's a Privacy app on iPhone and Android. I often use that, and oh, that's when I use it for card sharing. I love that. I've told this story before. I wanted to buy Mom dinner. So I sent her a credit card with Privacy, and I didn't, you know, sometimes, maybe you've done this before, you cut and paste the credit card number and the expiration date and the security number into a text message. Don't do that. That is a really bad idea. Privacy doesn't do that. You can actually share from within the app. You click the share button, enter an email address, Privacy handles the rest. They don't have to be a member. They just get the information. She put it in the, I can't remember, DoorDash or Ubers or something, account. And then I dinner.

Leo Laporte (00:47:14):
In fact, I'm still buying her dinner, which is great. And if I decided I don't wanna buy Mom dinner, I could stop it, but I'm always gonna buy you dinner, Mom, don't worry. It's easy to figure out how much you've spent. You get a great account summary, it's budgeting. You could filter by date. You can now tag all the cards, so it's very easy to sort the cards by type. I think they've added these features because people like me, I've been using Privacy for years, I mean four or five years now, since they started. And you know, I have hundreds of cards now, so it's nice to have a little bit of control, some tagging and filtering, so I can see what card I want. And to me, this is the right way to do it.

Leo Laporte (00:47:53):
Protect your financial identity online, use virtual cards whenever you shop online. Go to privacy.com/Security Now. When you sign up for an account using that address, new customers will automatically get $5 to spend on their first purchase. Privacy.com/Security Now. To me, this is just, there's a lot of things you do to protect yourself. This one's the easiest, the best, and there are various tiers. It's free. I actually pay for a higher level tier. I think it's 10 bucks a month, but I get cash back because of it, which always ends up being more than 10 bucks because I use it all the time. So check that out too when you go there, privacy.com/Security Now. We thank them so much for their support of Security Now and keeping us all private, sane and on budget. Steve, back to you.

Steve Gibson (00:48:49):
So in a nice little bit of happy news, sort of following on what we were talking about last week about the need for providing more funding to do more of what we're already doing, the European Union has announced that it plans to fund some significant bug bounty programs. There are five open source projects that are heavily used by public services across the EU. Those are gonna receive bug bounty funding. Those five projects are LibreOffice, which as we know is a very good free open source alternative to Microsoft Office, with which it's often compared; Mastodon, which is the web-based system for hosting private social networks. And Leo, I know you talk about Mastodon. We have a

Leo Laporte (00:49:50):
Mastodon TWiT.social.

Steve Gibson (00:49:51):
Yep. Yeah. Odoo, which is an enterprise ERP, you know, enterprise resource planning application, apparently very popular; CryptPad, an app for exchanging encrypted messages; and LEOS, L-E-O-S, which is software designed to help with drafting of legislation. So the bug bounty program will run throughout this year, through 2022, on the Intigriti bug bounty platform, and the EU will provide a rewards pool of up to 200,000 euros, which is about 225,000 US dollars. Intigriti, whom we've never mentioned before, describes itself as Europe's number one ethical hacking and bug bounty platform. They're I-N-T-I-G-R-I-T-I, intigriti.com. So, you know, they're like HackerOne. They have more than 300 active programs, more than 40,000 researchers hunting bugs with them, and more than 3 million euros have been paid out to date.

Steve Gibson (00:51:07):
So that's sort of the European equivalent. Bug hunters will be eligible to earn as much as 5,000 euros, about $5,600, for finding and reporting exceptional vulnerabilities, and are entitled to a 20% bonus on top of whatever they're awarded for the vulnerability if they provide a fix for it along with their report. And, you know, having covered the recent problems with Microsoft patching against proofs of concept rather than actually repairing the underlying problems, I think that this idea of also getting the fix from the same researcher who discovers the problem makes a great deal of sense. Who better to understand the problem that they found than the researcher to suggest the proper way to fix it, and like do it completely. Now, admittedly it's more feasible with open source projects than it is with a closed source environment like Windows. But I just think that's a very sane perk to offer, you know, and who wouldn't go for it.

Steve Gibson (00:52:17):
If you found the problem, you can certainly say, okay, hey guys, you know, this should have been declared as a long instead of an int, you know, kind of thing. So, I mean, <laugh> not hard to figure that one out. This new program was announced last week and it's sponsored by the European Commission Open Source Programme Office, EC OSPO, which is pretty new. It was founded two years ago in 2020. It's the successor to one that we talked about before, FOSSA. The EU-FOSSA was the Free and Open Source Software Auditing project, EU-FOSSA. And that was the organization through which the EU had previously funded two other bug bounty program initiatives for open source software, first in 2017 and then in 2018. Back in 2017, the EU funded bug reports for VLC player, my own preferred standalone video player, and in 2018 this EU-FOSSA group sponsored bug reports for 14 projects: 7-Zip, Apache Kafka, Apache Tomcat, Digital Signature Services, Drupal, FileZilla, FLUX TL, the GNU C Library, KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, and again the VLC media player.

Steve Gibson (00:53:57):
And WSO2. So they've done lots of good stuff in the past and it looks like they're gonna continue to be funding things that they see as being necessary and of interest. Oh, and I should mention that the same program also funded security audits for the Apache HTTPD web server and KeePass, the password manager. So a huge yay to all of this. It would be great to see more of this, you know, same thing and more in coming years. And as I said last week, the industry I think is already doing many things that make a great deal of sense. We just need more of what we're already doing. And some of that needs some money. So tip of the hat to the EU, and it would be great if the US White House and administration would arrange to do something to provide similar funding.

Steve Gibson (00:54:56):
<Laugh> In the fun name of the week, we have MoonBounce. It's the name given to a UEFI bootkit. UEFI was designed from the beginning, deliberately, to be a secure and securable boot platform, you know, foundation for next-gen firmware for motherboards. But unfortunately every day it's looking less and less like it's gonna meet that mark. Last Thursday, researchers at Kaspersky Labs disclosed their discovery of yet another novel UEFI bootkit, which can infect a computer's UEFI firmware. Okay. So what makes MoonBounce, as Kaspersky named it, special is that unlike some previous pre-boot malware, this one doesn't hide inside the hard drive's EFI system partition, the so-called ESP. That's where most UEFI malware tucks itself. Instead it arranges to infect the so-called SPI memory that's found on the motherboard.

Steve Gibson (00:56:20):
SPI is the serial peripheral interface. And it's in fact the way you could have a flash memory, which is this little itty bitty chip with like six leads on it. You just need to give it power and serial data and clock, and it's able to do the rest. So, you know, you'd hardly even know it was there. And that gets loaded into the chip at boot time in order to provide the processor that's running on the baseboard its firmware. So as a consequence of the fact that it's actually in this little flash chip, unlike other bootkits, defenders who are trying to prevent this stuff from getting them cannot shake this one off by reinstalling the operating system, or even by replacing the hard drive. This pernicious bootkit will continue to remain on the infected device until the motherboard's SPI memory is reflashed to clean it out, or the motherboard is replaced.

Steve Gibson (00:57:22):
And according to Kaspersky, MoonBounce is not even the first UEFI bootkit they've seen that is able to infect and live inside SPI memory. It's actually the third. The first one was known as LoJax, L-O-J-A-X, and then the second was MosaicRegressor. And sadly, all indications are that UEFI bootkits are proliferating. Recent months have uncovered something known as ESPecter, E-S-P-E-C-T-E-R, ESP of course as in EFI system partition. So that's one that does live on the hard drive in the ESP partition. And FinSpy also has a UEFI bootkit. And there are others. Kaspersky commented in their report that what was once considered unachievable following the rollout of the UEFI standard, meaning, you know, it was unachievable to infect the EFI firmware,

Steve Gibson (00:58:27):
That's now becoming the norm as opposed to the exception. Oh, and I also almost forgot to mention that MoonBounce has been directly attributed, that is the creation of it and actually the deployment where it was found, to the Chinese government state-sponsored hacking group APT41. So that's where that bad guy came from. The good news is it's not being seen like sprayed, or in anything that anybody's downloading. It is being used in very highly targeted attacks. So in this case, there is some specific entity that the Chinese government, or some branch of the government, whoever controls APT41, said, we need to get inside these people. And probably some research was done to find out, you know, what kind of hardware they're using. And then something was designed specifically to get into that hardware.

Steve Gibson (00:59:33):
On the other hand, we know that these things always start off a little more generically than they wind up. I mean, they start off much more specifically in the beginning and then tend to become more generic over time, just as UEFI bootkits are no longer like a shock to anyone. It's like, oh yeah. Okay. What are we gonna call this one? <Laugh> MoonBounce. No one's done that yet. It's like, okay. Okay. So feedback from our listeners. I got a note, which I saw this morning, that said, morning Steve, what do you use to run pfSense on? I'm looking at switching to that from a UniFi Security Gateway. Okay. So we know that I run and like pfSense. Actually it's sitting up above me. It was right next to the cable modem, which I rebooted. Our listeners don't know, but we had a glitch just before we began recording the podcast.

Steve Gibson (01:00:38):
My net dropped offline and I had to restart the cable modem. Right next to it is a little Netgate SG-1100. And I'm always conscious of the fact that those are my initials. There's no relation. Netgate SG-1100. It is a cute little prepackaged $189 three-interface router which comes preloaded with pfSense. So you get it from Netgate. I've got a link in the show notes, or just put netgate.com into Google, and you'll find it. It's got a WAN port, a LAN port and an OPT port, and it does everything you could want because it's got pfSense in there. One thing to be aware of with these little routers is that it's one thing for them to say, oh, we've got GigE ports, right? We've got gig ethernet ports, but it matters how much processor is in there.

Steve Gibson (01:01:42):
The original little box was the SG-1000, which had much less switching power than the SG-1100. So this is the upgraded version. They rate its routing capability at 880 megabits per second. Firewalling, which you know is gonna slow it down, cause it's gonna have to do some inspecting and filtering, brings its routing to 656 megabits per second. And it's able to host an IPsec VPN at 74.2 megabits per second. So respectable performance. I think I pay Cox for 300 megabits downstream. And so, you know, this little box, if I run any kind of a speed test on my network, I'm seeing that fully delivered bandwidth, which means it's getting all the way through the router down to my machine. I have a different device in my other location though, that I just kind of wanted to put on the map for people, cuz I like it a lot.

Steve Gibson (01:02:52):
It's from a company called Protectli, P-R-O-T-E-C-T-L-I, and it's protectli.com. Basically their business is to produce little turnkey boxes, not preloaded with software, but very software agnostic. They talk about, there is actually a fork of pfSense called OPNsense. And it runs Linux and it runs a bunch of third party packages. You can get it in two, four and six port models. And I should just mention, I skipped over the fact that three ports is the key, because as we've talked about before, unless your wifi access point or wifi router supports isolated guest networks, then you need to provide that yourself. Or if you wanna have a wired isolated guest network, as is possible, then you need a third interface, not just a switch on your router. You need three separate interfaces, so you can give them different firewall rules.

Steve Gibson (01:04:14):
So anyway, Protectli has two, four and six port models, and you're also able to pick the speed of the processor, the amount of RAM, the amount of storage. Basically, it's a little bare bones, as it's called. You know, it's got the processor, but then you provide the RAM and mass storage, or you can get it from them. A little fanless box that is just perfect for making internet appliances. So anyway, that's how I'm running pfSense: Netgate here and a Protectli box at my other location. <Laugh> And just following up on our discussion last week, Leo, about refilling SodaStream cans, Peter Crocker, he was listening to our conversation. He said the big tanks need to be tested every five years in a hydrostatic test.

Steve Gibson (01:05:13):
Mm. He said, basically, a requirement of any pressure cylinder, like welding gas, scuba tank or CO2, he said, then they stamp it with a new date. Most places, he says, send it away for the test. And he said, in terms of filling the big tanks, they need to be cold and filled slowly. So often not a service you wait for, hence some exchanging if you want it right away. And I did mention that one of the things that I noticed when my big tank was last refilled, it was on my mind cuz it was only a couple weeks ago, is he opened the tap and expelled the CO2. Now you might at first think, whoa, wait a minute. You know, he's wasting gas, right? Letting it out. No, he's running the basis of an air conditioner. He's expanding the gas, which is pulling heat out of the cylinder, and it ends up cooling it off, which is exactly, as Pete says, the way you want to refill it.

Steve Gibson (01:06:21):
So when I was talking about, you know, one of my tips for refilling the SodaStream canisters, what we do is keep them frozen until I screw them onto the big tank and then refill. Similarly, you'd like to have any tank receiving CO2 be as cold as it can get. So they do what they can to cool off the recipient tank by actually blowing the CO2 out of it, which brings its temperature way down. Paul Walker, he said, hey Steve, have you considered updating ShieldsUP so it can scan the full port range at once? Just been listening to episode 854, where you talk about port 20005. If we could scan the entire range, it might help preempt things like this. And Paul, I completely agree. I remember, and Leo, you and I were talking about this at the time.

Steve Gibson (01:07:26):
Remember I used to be connected to the internet by a pair of T1s. Yeah. You know, that was when it was cool. Wow. That was like, whoa, you got T1s. Hey, the problem was they were, what was it? 1.544 megabits, I think, mm-hmm, <affirmative>, mm-hmm <affirmative>, each. So I had them paired so I could get like a little over three megabits of total upstream. I guess they were symmetric, so it was bidirectional. Yeah, it was 1.544 megabits in both directions. And GRC was here, you know, like in this room that I'm talking from right now. The GRC server was, you know, sitting on a table to my side with a UPS next to it. You know, those were the days, those were the days.

Steve Gibson (01:08:16):
The problem, three megabits, was <laugh> that's right. The problem was I was worried about saturating my own bandwidth with TCP SYN packets, because if I couldn't get them out, then they wouldn't bounce off of the far end's IP, whatever it was, router or machine or whatever, and then get SYN/ACKs back to me to sense that ports were open. So the point is I could be producing false positives, or false positive closes, that is, you know, not seeing a SYN/ACK return if the problem was at my end rather than at their end. So I deliberately did a couple things. I deliberately limited the number of ports that I was scanning, and I throttled them out so they wouldn't be bunched up. Anyway, the point is that was then. I've got lots more bandwidth now. You know, I'm at Level 3, I've got a big fat pipe connecting my systems.

Steve Gibson (01:09:29):
So I absolutely could do that. The only thing I am lacking <laugh> famously is the time to do it. But if at some point in the future I get to a point where SpinRite is essentially done, once again, although we know I've got a lot of work to do before I get to that point, I'll get there. When I get there, one of the things I would love to do is basically do a, you know, a comprehensive port scan, every single port at a given IP. It might take a while. But I agree it would be really useful to be able to do that. And you know, I need to do that. I also need to update everything to IPv6. You know, I get a lot of requests for DNS Benchmark to be running IPv6, not just IPv4.

Steve Gibson (01:10:21):
So that's still the most downloaded thing we've got, is that benchmark, like 3000 downloads a day, like endlessly. So, and lastly, Dylan Anthony said, according to the author of curl, it's not an RCE, so you're not the only one who couldn't figure out why Microsoft categorized it as such. Last week, remember, I was talking about the Patch Tuesday, there were two open source projects, libarchive and curl, and Microsoft had them both categorized as remote code execution. And I said, no, you know, I could see a man in the middle attack, cuz this thing was about the clue of using STARTTLS to bring up a secure connection when you are creating a curl link to an email server that wouldn't be initially secure. And it just seemed like, nah, I couldn't see how that was a remote code execution. And indeed it isn't one. On that note, Leo, let's take our final break and then we're gonna really have some fun digging into the detailed operation of the mistake that was made that has put so many routers in trouble.

Leo Laporte (01:11:45):
Can't wait, NetUSB coming up. But first, a word from Melissa, the address experts. Did you know nearly 36 million address changes were processed by the postal service in 2020? That's a huge chunk of customers. And if some of them are on your mailing list, you could be missing them completely. That's Melissa's job. They're the address experts. They make sure your data is current and accurate. Melissa is experienced and independent. They've been doing this for 35 years. That's why 10,000 businesses know them as the address experts. It's also why their renewal rate is 92%. That's pretty amazing. Might have something to do with a 25% average ROI for Melissa customers. What can you do with Melissa? Well, you can verify addresses of course, but also emails, phone numbers, names. You can even do it in real time. They've got a great API.

Leo Laporte (01:12:41):
You could build it into your existing customer service software, into your shopping carts. Melissa's global address verification service works in over 240 plus countries and territories. That's mind boggling. And if you're tired of duplicate customer information, Melissa's data matching helps eliminate clutter and duplicates, and that saves you time and money and also keeps you from annoying your customers with multiple mailings. They can do a lot of things. Batch address cleansing, process an entire address list for accuracy and completeness. You can do identity. This is actually good for security among other things: reduce risk, ensure compliance, keep customers happy. Geocoding enrichment is kind of amazing. You can take that address and convert it into latitude and longitude, I guess for drone deliveries, I don't know. Email verification helps you remove up to 95% of bad email addresses from your database, and they can deliver Melissa's address service in a variety of ways to suit whatever your needs or budget are.

Leo Laporte (01:13:47):
You can have it on-prem. You can use a web service. They even have a secure FTP site you can upload and download from. There's software as a service delivery. They have a new Lookups app that's on iOS and Google; Lookups, plural, will search addresses, names and more. And you can do that right at your fingertips on your phone. And if you're using Melissa, you will be very happy to know, and your customers will too, that Melissa continually undergoes independent security audits to reinforce their commitment to data security, to privacy, to compliance. They're SOC 2 compliant, HIPAA, GDPR. Great support. Sign up for that service level agreement. Melissa's global support center offers 24/7 world renowned support. By the way, speaking of support, they're still in communities and qualifying essential workers as COVID continues. Your organization could qualify for six months of free service. Apply online at melissa.com. A hearty congratulations to Melissa: for the second year in a row, they've been named in the Data Quality Magic Quadrant by Gartner. Make sure your customer contact data is up to date. Try Melissa's APIs in the developer portal. It's easy to log on, sign in, start playing in the API sandbox 24/7, and you can get started today with 1000 records cleaned for free. Go to melissa.com/TWiT, M-E-L-I-S-S-A, melissa.com/TWiT. We thank them so much for their support of Security Now. And now NetBus, NetUSB, not NetBus. I transposed

Steve Gibson (01:15:22):
it. NetUSB. So I did some more examination of the NetUSB hack, which reportedly, as we know, affects many millions of internet connected routers. Last week, when we first talked about it, I skipped over the techy details because there was so much else to talk about rather than just the nitty gritty of the attack's actual mechanics. But after spending some time looking into what went wrong with the code, I realized that not only would a full explanation of the flaw be well within our listeners' ability to grasp, but that it would serve as another very valuable example of precisely the way things go wrong with software and internet security. So what better thing to talk about on this podcast? One thing I should note is that this flaw is incredibly widespread. The tiny list of router vendors that I shared last week from the guys who found this flaw should not provide anyone with any solace.

Steve Gibson (01:16:33):
If yours has a USB connection port, you really do need to make absolutely certain that it's not listening on its WAN interface, port 20005. And as you said, Leo, at the top of the show, your memory was exactly right. This is not the first time that KCodes Technology, the Taiwanese developer and licenser of the NetUSB technology, has had trouble. This Security Now podcast, episode 509, recorded May 26th, 2015, nearly seven years ago <laugh>, was titled "The NetUSB Bug." You know, it should have been part one, because here we are again. And that bug was a biggie too. And perhaps because, I don't know, maybe cuz we were all seven years less jaded by the endless parade of vulnerabilities that we've been subjected to than we are today, there was more attention paid to the breadth and scope of the trouble than there seems to be

Steve Gibson (01:17:46):
now. It feels to me as though maybe today's tech press, you know, got one headline page out of the story, then went back to wondering what NFTs are and, you know, what they should <laugh> have to say about them. That earlier vulnerability, which was found in the same NetUSB kernel module as the current one, was discovered by a group called SEC Consult. At the time they wrote, NetUSB suffers from a remotely exploitable kernel stack buffer overflow because of insufficient input validation. An overly long computer name can be used to overflow the computer name, I know Leo, I know <laugh>, okay, can be used to overflow the computer name kernel stack buffer. This results in memory corruption, which can be turned into arbitrary remote code execution. Furthermore, a more detailed summary of this advisory has been published at our blog. And I've got the link for anyone who's curious.

Steve Gibson (01:18:59):
So yeah, insufficient input validation, when you don't look at how long the name is and you just stick it in the buffer. I don't know why anybody would name their computer more than five letters. No, it just doesn't seem sensible, too much to type <laugh>. And at the time these guys provided a benign proof of concept, which simply crashed the targeted router. In their disclosure under vulnerable and tested versions, they wrote, they said the vulnerability has been verified to exist in most recent firmware versions of the following devices: TP-Link TL-WDR4300 V1, and the TP-Link WR1043ND V2, and the Netgear WNDR4500. Just those three. But then they added that they had identified NetUSB as being present in the most recent firmware version of the following products, noting that the list they were providing was not necessarily complete.

Steve Gibson (01:20:16):
Okay. And everyone will thank me for not reading that list, because there are truly too many for me to read. So I shortened the list for the podcast, but I wanted to give everyone, you know, a feel for it. In the list was the D-Link DIR-615C, then 42 different Netgear router models, 40 different TP-Link models, 14 TRENDnet models, and four ZyXEL routers. And they added that, based on information embedded in KCodes' drivers, they said, we believe the following vendors are affected: Allnet, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, EnGenius, ETOP, Hardlink, Hawking, IOGEAR, LevelOne, Longshine, Netgear, PCI, PROLiNK, Sitecom, Taifa, TP-Link, TRENDnet, Western Digital, and ZyXEL <laugh>. In other words, this one company appears to have cornered the market on, and they do claim to have patents on, extending USB links across consumer WiFi to router USB ports.

Steve Gibson (01:21:44):
And although that was seven years ago, there is no reason to believe that any router using USB extension today is not using KCodes' troublesome technology. In fact, there's a project called USB/IP, which DD-WRT uses. It's the only one I know of that is doing USB over IP and not using this KCodes technology. So again, I mean, all of those companies just licensed the stuff from KCodes, and thus they all have this problem. SEC Consult's original writeup provided a full, you know, responsible disclosure timeline. And I looked at it; it would be charitable to say that KCodes Technology was unresponsive. That is, the company, when SEC Consult tried to contact them seven years ago and said, hey guys, you've got a problem here with long computer names that is really bad: silence.

Steve Gibson (01:22:59):
So SEC Consult finally disclosed what they had found to the CERT Coordination Center back then, and directly to several of the major, most seriously affected router vendors. After speaking with a few of the gazillion vendors, they wrote: "Sometimes NetUSB can be disabled via the web interface, but at least on Netgear devices this does not mitigate the vulnerability. Netgear told us that there is no workaround available. The TCP port cannot be firewalled, nor is there a way to disable the service on their devices." And finally, as is inevitable, more so today than seven years ago, a fully weaponized exploit was published, and it's archived on GitHub. I grabbed a chunk of the boilerplate at the top of the Python script. The author said: "This is a weaponized exploit for the NetUSB kernel vulnerability discovered by SEC Consult."

Steve Gibson (01:24:13):
He says, this, the hacker author says: "I don't like lazy vendors. I've seen some DoS PoCs floating around for this bug" - you know, meaning proof of concepts that just crash the router - he says, "and it's been almost five months. So let's kick it up a notch with an actual proof of concept that yields code execution." So anyway, a remotely exploitable kernel vulnerability. Exciting. And then he says, "smash stack" - meaning return-oriented programming - "decode stage, spawn userland process. Woo." He says, "currently this is weaponized for one target device," he says, "the one I own." He said, "I was planning on porting OpenWrt, but got sidetracked by the NetUSB stuff in the default firmware image." In a way, the point was he was going to replace whatever device he had, which had the NetUSB vulnerability, with OpenWrt instead.

Steve Gibson (01:25:21):
And that would be good, but he got a little, you know, sidetracked. He said, oh, I'm gonna weaponize the NetUSB bug before I remove the firmware from my hardware. Anyway, it's there, it's seven years old, and here we are again today. That was then, but I think it provides some important context for today. I wanted to be certain that everyone understood that many, many more than five or six router vendors were involved, and that KCodes Technology has in the past been anything but helpful and responsible in the way they've acted. The guys who discovered today's problem understood that the only possible way to get all of the routers whose manufacturers had licensed the common NetUSB code updated would be to contact KCodes Technology. And as we know, in the past that hasn't turned out so well. Although the guys at SentinelLabs, the people who found what we're talking about today, deliberately stopped short of providing anything beyond a simple denial of service proof of concept, you know, crash and reboot the router.

Steve Gibson (01:26:38):
There is every reason, in fact much more in today's climate than there was seven years ago, to expect that someone is gonna weaponize this exploit, if it hasn't already been done by the time we're recording today's podcast. It is too pervasive, and it is, as we're gonna see, too simple. There is just nothing left to the imagination here. The Asus router that I use in my other location does not offer NetUSB functions. Asus never has. And even if it did, it's daisy-chained, as I mentioned, behind another little router, the Protectli router running pfSense. So no ports on that Asus that the Asus might have opened would have been exposed to the internet anyway. I use pfSense, you know, to perform port translation in order to get around some annoying Cox port filtering, which, you know, they're doing for the benefit of normal people.

Steve Gibson (01:27:41):
Okay. So now that I have everyone's attention, let's take a look inside KCodes Technology to see what they messed up. To initiate a connection with the router, any PC located on the LAN initiates a TCP connection to the router's port 20005. The router kernel service and server listening for those incoming connections should only be listening on the router's LAN interface. But as we know from last week, the worst aspect of the flaw is that the NetUSB service is bound to 0.0.0.0 on the TCP/IP stack, giving it a presence on both the router's LAN and WAN interfaces, and thus exposing it to the public internet. It would still be a problem to have this vulnerable service only on the LAN, since anyone on the LAN, like in an enterprise environment where maybe you don't trust everybody, could potentially take over the router without authorization and authentication. But allowing it to happen with anyone anywhere, meaning on the WAN, definitely takes it up a notch.

Steve Gibson (01:29:10):
Okay. So once the standard three-way TCP connection handshake has occurred, the PC wishing to have access to the USB devices connected to the router sends a signature plus 16 bytes, 128 bits, of what they term "verify data." It appears that these 16 bytes of so-called verify data serve as a connection nonce to prevent replay. Right? Just some random, just, the PC gets 16 bytes, 128 bits, of random stuff and says, you know, this is how I'm gonna tag this conversation. Upon receiving the PC's signature with its verify data, the router AES encrypts, excuse me, the router AES encrypts that verify data and returns it, along with its own 16 bytes of random data. And, you know, the PC probably decrypts the AES-encrypted verify data that it sent and got back from the client, to verify that it matches. So basically each end, excuse me, each end sends the other a large random nonce, which they each encrypt and send back, so that the other end can decrypt it and verify it. So they establish a replay-proof verification of the two endpoints.

Steve Gibson (01:31:02):
Assuming that everything works, it then gets ready to take the next step. They've exchanged this nonce data. The router's code then drops into, having established this connection, a command parsing loop, a so-called while loop, to await the PC client's commands. So everything is being driven by information now being sent by the PC that has connected to the router. And of course, this could also be anybody anywhere on the internet, in the case of this service being exposed on the WAN. And I mentioned this is a while loop. There is probably a command that exits that loop. That is, the loop will sit there accepting and processing commands from the client that is connected to the router until a, you know, hangup command is received, which drops it out of the loop and terminates the connection.

Steve Gibson (01:32:12):
Anyway, this loop waits for and receives a 16-bit command word, which causes it to jump to a function which then further handles the needs of each specific command. So that's sort of a simple way of executing, or implementing, a command-driven protocol. You have a two-byte, 16-bit command, which the router will receive, and that causes it then to branch. You know, in some languages you would call it a switch function. The command would cause it to call a specific subroutine to process the rest of that command. The researchers at SentinelLabs found a problem in the function whose 16-bit command is hexadecimal 0x805F. So the receipt of those 16 bits as the command word, 0x805F, branches the code to a specific routine named SoftwareBus_dispatchNormalEPMsgOut.

Steve Gibson (01:33:29):
And it doesn't really matter what that does. That's not germane. Whatever it does, fine. We don't need to know or care. So the client first sends that command. Then it sends four bytes, which is of course 32 bits, to be the maximum number of bytes to follow, which will be read from the client. And okay, that's clean, since the client is declaring up front the number of bytes that it will be sending in this four-byte, 32-bit value. This allows the receiving server, the router, to request an allocation of memory from the underlying operating system. Basically it says, I need a buffer, which will be used to receive and hold up to that much data received from the client. And whatever that function is doing, 17 bytes of additional, you know, we could just call it scratchpad work, is apparently also required to process the command.

Steve Gibson (01:34:50):
So to the size of the memory allocation being requested, the function adds 17, so that an extra 17 bytes of memory will be obtained from the operating system for the function to use. That all seems great. Okay. So to recap, the client sends the hex command code 0x805F, which is then followed by four bytes to indicate the amount of follow-on data that the client will be sending, and that the router should be ready to accept. And upon receiving those four bytes, it allocates memory to serve as a buffer into which to receive the client's data. And the server asks the operating system for that much plus 17 bytes more, so that it has a little bit of extra memory to use for whatever it's doing. After that, the code calls a data receiving function, giving it a pointer to the buffer which it's received from the operating system's allocation.

Steve Gibson (01:36:02):
And the number of bytes that the client said would be forthcoming to fill that buffer. The data receive function will receive data from the client, placing that data into the buffer that's been pre-allocated to contain it, until the specified count of bytes of data has been received. Once the expected count of data is received, the data receive function will return to its caller with the buffer filled with the expected data, and those 17 extra bytes at the end for the command processor to use. Okay, this is all perfectly reasonable code. You could stare at that code all day long and find nothing to criticize. There's no way for the sender to overflow the receiving buffer, since the sender pre-declares the number of bytes that it will be sending, and that's all that the data receive function will accept. After it's got that many, it, you know, says, okay, done, and returns to its caller. Upon receiving the four-byte data size, and allocation of that amount

Steve Gibson (01:37:18):
Plus 17 extra bytes from the operating system, upon the successful allocation of a buffer to hold the incoming data, the data receive function is told how many bytes to accept, and it does. So what's the problem? What is it that the clever researchers at SentinelLabs found? As we know, the sending client specifies its byte count as a four-byte, 32-bit integer. So it's reasonable to store that byte count in a four-byte, 32-bit integer. The authors correctly declare the integer, that is, the original authors of the code declare the integer, as unsigned, because a byte count should logically be unsigned, right? You can't have a negative byte count; that doesn't make any sense. So that's fine. The problem arises when those 17 extra bytes are added to the memory allocation. The largest value that a 32-bit unsigned integer can represent is that old familiar, you know, number just shy of 4.3 billion, you know, like the same as the number of IPv4 IP addresses, and, you know, two to the 32 minus one. That's the largest number that will fit in 32 bits.

Steve Gibson (01:38:48):
So what happens if a malicious client connects to this router's port 20005, properly negotiates a handshake, then sends it that vulnerable command code 0x805F to tell it, you know, which command it wants to execute, and for the count of the bytes it's going to send, it declares that maximum value of 4.3 billion? In binary, that's all ones, the largest number that can be represented in 32 bits. So, okay. The command processing code needs to allocate a buffer from the operating system to contain that many bytes of data. As before, it adds 17 to accommodate its small bit of extra scratchpad working memory. But now adding 17 to a 32-bit value that is already as large as it can possibly be will cause the addition to overflow and the value to wrap back around. To make that clear, if we were to add one to the 32-bit value that's all ones, the count would wrap around, as it's called, back to zero. But we add 17.

Steve Gibson (01:40:21):
So the count will wrap around to 16. And that 16 is the number of bytes this code then asks the operating system to allocate for us to hold the data that the client is about to send. So the operating system does that. It allocates 16 bytes, which is what we told it we wanted. We receive a pointer to a 16-byte buffer, which we then hand to the data receive function, asking it to please receive the original byte count of 4.3 billion bytes of client data, which it dutifully begins to do. And what we have is a textbook-perfect, classic buffer overflow, where the client has absolute and total control over the contents that fills, and then overflows, the tiny 16-byte data buffer. Without any additional work, that will immediately crash the router, probably causing it to reboot. But with the addition of some skilled hacking, it's quite clear that many, many millions of consumer routers are exposed to a very critical and extremely exploitable remote code execution attack, where the attacker is readily able to supply the code that they want to send.

Steve Gibson (01:42:07):
Just, I mean, just a perfect example of a simple-to-make mistake. Nothing looked wrong about it. The logic of the flow was well thought out: let's provide the byte count up front, we'll get that many bytes plus a little bit extra that we need from the operating system, we'll hand that byte count to the receive function, which will only receive up to that many, so the buffer can't overflow, and once it's got that many, it'll come back to us and we'll do whatever we want to with it. The problem, of course, is that they hit a wraparound, and 16 bytes were allocated rather than the amount declared plus 17.

Steve Gibson (01:42:58):
So there are several points of failure evidenced in the design of the code. For one thing, though we don't know what command 0x805F does, it does seem quite unlikely that telling it that it's about to receive 4.3 billion bytes of data would be unreasonable. Yeah, no kidding <laugh>. You know, it's like, what, get ready, you're getting gigs <laugh>. So for all we know, the most that would ever really normally be sent, you know, is some packet of something, right? Maybe a few K, a few kilobytes at a time. Obviously the router's gotta have memory to hold it, you know, to allocate a buffer for it. So it's not gonna be big. Yet that command performs no sanity checking of any kind of what that forthcoming byte size is. If it was 4.3 billion, fine, come on, bring it on. We've often talked about this problem, which affects the designers of interpreters.

Steve Gibson (01:44:06):
They assume, as the designers of this that we're looking at now must have, that only a valid client would ever be connecting to their server. After all, they probably wrote the other end, you know, the drivers in the PC that are gonna be connecting to their server. So, you know, they never bothered to place any sanity-checking limit. It's, you know, even like a really high one, like, this could never happen, so abort this, or anything. You know, they just accept whatever the client will send. If the machine had been 64 bits rather than 32 bits, adding 17 to a maximum four-byte value would not have wrapped around, and the operating system would have been asked to allocate 4.3 gig of RAM plus 17 bytes, which it would surely have balked at, failed the allocation request, and thus protected the router from any attack. But our little consumer routers are using inexpensive 32-bit MIPS chips. So 32 bits is gonna wrap around back to zero, and then some. As a consequence of this pervasive bug, we can expect that a lot of damage will be done to users whose routers have aged out of their service life, or who have manufacturers, or users, who are not paying attention to what's going on. Fortunately, everyone here is.

Leo Laporte (01:45:41):
Okay, well, there you go. Sanitize your inputs, kids. So I guess that's always the motto.

Steve Gibson (01:45:49):
Oh well, or, yes. Yeah, exactly. Sanitize anything you accept, yes, from an untrusted source, or any source. Yeah. Anybody connecting to you over TCP, it's like, okay, we

Leo Laporte (01:46:00):
Don't know who that is. Yeah, that's right. Yeah. Yep. Somebody said you should be a professor <laugh>. You teach very well. I agree. You wanna share this with your friends? Tell 'em it's called Security Now, and you can get it in many places. We'll start with Steve's site, grc.com. He has 16 kilobit audio versions, 64 kilobit audio versions. He's got transcripts too, which emerge a couple of days after the show. That's a great way to read along as you listen, or to search and find a part that you're particularly interested in. Say you wanted to find the last NetBus exploit. You could, NetUSB, sorry. You could find that by doing a little search. He also has spin, spin, spin. Right? I wanted to say SpinRite. I mix up SpinRite and ShieldsUP. He's got shields in right, shields.

Leo Laporte (01:46:50):
Right? He's got ShieldsUP, which is free. Then spin up and spin up <laugh>. SpinRite, which is the world's finest mass storage maintenance and recovery utility. SpinRite is his bread and butter. So go over there and buy a copy. It's not expensive, given what you get, and if you buy it now you will get a free upgrade to version 6.1, which is in process. You get to participate in the development of it and all that, too. grc.com. You can leave feedback at grc.com/feedback, or better yet go to his Twitter. His DMs are open. He's @SGgrc. That's another good way of leaving pictures and suggestions, questions, and so forth. We have the show on our website as well, twit.tv/sn. We've got 64 kilobit audio. We also have video of the show. You can download those.

Leo Laporte (01:47:41):
There's a YouTube channel dedicated to the show. You can also subscribe in your favorite podcast client and automatically get every version as soon as it's sent out. Now, people sometimes ask, well, I want all the shows, all 855 of 'em. We're not gonna put 855 shows in an RSS feed. It would be more than 4.3 billion bytes. It would be big. So we just put the most recent 10 shows. If you want more than that, you can get 'em from Steve, you can get 'em from our site. Both of us have every show since episode one available for download there. And there are people who've written scripts and so forth that will automatically get them. But you know, I'll leave that as an exercise for the reader. Thank you, Steve. We'll see you next Tuesday, about 1:30 Pacific, 4:30 Eastern, 21:30 UTC, February 1st. February 1st. Thanks, buddy. Bye.

Jason Howell (01:48:37):
Have you ever read a tech news story and thought to yourself, man, I would love to talk to the person who wrote this to find out more information? Well, that's exactly what Mikah Sargent and I, Jason Howell, do each and every week on Tech News Weekly. We read the stories that matter to us, we reach out to the people making and breaking the tech news, and we invite them on to tell their story. And you can find it at twit.tv. Look for Tech News Weekly, every Thursday.
