Security Now Episode 857 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. Yes, I'm back. Thank you, Jason, for filling in last week. We've got lots to talk about: a vulnerability with Linux's Samba that everybody's gonna wanna fix. It's a 9.9 on the Richter scale. We'll talk about living off the land, a way of exploiting commonly present operating system utilities. There's quite a long list. You might be curious to find out what that is, and then Steve's gonna take a look at the application required of all Olympians, MY2022. Turns out it's a nightmare of security flaws. All coming up next on Security Now. Podcasts you love from people you trust. This is TWiT.
Leo Laporte (00:00:49):
This is Security Now with Steve Gibson, episode 857, recorded Tuesday, February 8th, 2022: The Inept Panda. This episode of Security Now is brought to you by ExpressVPN. Your data is your business. Protect it with ExpressVPN. Visit expressvpn.com/securitynow to get three extra months of ExpressVPN protection for free. And by Acronis. Avoid downtime, data loss, and security breaches at a lower cost with Acronis Cyber Protect. Go to go.Acronis.com/twit-two to get a 30-day trial to modernize your cyber security and backup with an integrated cyber protection. And by privacy.com. Privacy lets you buy things online using virtual cards instead of having to use your real ones, protecting your financial identity on the internet. Right now, new customers will automatically get $5 to spend on their first purchase. Go to privacy.com/securitynow to sign up. It's time for Security Now, the show where we cover the latest security news with Mr. Steve Gibson. He explains it all to us. Hello, Steve.
Steve Gibson (00:02:05):
You are back. I am back. A week off and
Leo Laporte (00:02:10):
Jason. It was really only two days off. It just happened to hit on Tuesday and Wednesday, but Jason, thank you for filling in. Jason Howell, I appreciate it. Yep. And I hear I missed some important stuff. It's why you gotta listen to every show.
Steve Gibson (00:02:24):
Maybe. As I was saying before, you did, you were on vacation when Tom and I did what has become a significant podcast to explain, from just soup to nuts, how the Bitcoin blockchain works. And so that turned out to be an important one to have seen, and this one in last week's episode, with Jason, explaining how Google's Topics functions. We can wait to see if it ends up getting any traction. If not, well, it was an interesting podcast. We talked about FLoC and that didn't end up being the system. So yeah, exactly. They're just throwing stuff against the wall at this point. So yeah, this one, I mean, this is really different. This looks like they're seeing all the back pressure which is mounting against tracking, and they're saying, okay, you know, we're gonna have to get on the anti-tracking bandwagon, period.
Steve Gibson (00:03:31):
It's gonna have to happen. So they've got a really nice proposal, which demonstrates they were listening to everything everyone was saying about FLoC and taking it seriously. So anyway, we'll see. But what is on the agenda? Cause I am here. So now you can talk about the good stuff. Glad to have you. You're right. This is episode 857 for Patch Tuesday of February. That is the eighth. So we'll be talking about its aftermath next week. This week we're gonna take a look at law enforcement and cyber defense recommendations regarding safe conduct in Beijing for the 2022 Olympic winter games. We're gonna take a look, and they had some interesting things to say. I mean, nothing shocking, but still it's interesting, like sort of what's begun to emerge around the Olympics every year. We're gonna take a look at a serious CVSS-rated 9.9 vulnerability affecting Linux's use of Samba, and at some interesting details of so-called living off the land exploitation of commonly present operating system utilities. We'll examine Microsoft's most recent approach to application packaging, and, well, which was triggered by their recent wholesale ING of its primary feature.
Steve Gibson (00:05:08):
Whoops. And we're also gonna celebrate a welcome change in Microsoft's policy, a significant policy, which has been 20 years coming. I'm gonna share a brief pre-announcement of a new forthcoming GRC quickie freeware utility. I think everyone's gonna get a kick out of it. I'm sure I'll be finished with it. I already, like, released it for testing after less than a day, but it's something that I've become convinced ought to be done. And then we're gonna wrap up with the title of the podcast, The Inept Panda, taking a close look at what's called MY2022. That's the iOS and Android application which all attendees of the Beijing Olympics, yeah, are required to install, carry and use. Citizen Lab reverse engineered the app, and, dear, we will be looking then at how the podcast got its name today, The Inept Panda. Oh
Leo Laporte (00:06:24):
Boy, I can't wait. I can't wait. That's gonna be very, very interesting. But before we do all that, Steve, do you mind if we, and we'll get to the picture of the week next, but, yep, I think a little opportunity here to talk about our favorite VPN, ExpressVPN. There are certain times when, for a variety of reasons, a VPN, a virtual private network, is a good idea. The big three are of course security, especially if you're on an open wifi access point; there's privacy, which is more and more of an issue these days; and then eliminating geographic restrictions, being able to appear anywhere in the world. And I think that kind of goes hand in hand with not using your own IP address for a lot of your internet transactions, and a VPN can do that. But really important to remember that, yes, you're solving those problems locally, but you are really just kicking the can down the road, because the VPN provider now has access to all of that stuff.
Leo Laporte (00:07:26):
So you've gotta trust the VPN provider, and that's why it's really important to choose a good one. And that's why we recommend ExpressVPN. A free VPN provider's incentive is to pay for their service, not cheap for them to run that VPN if it's a good one, by spying on you, frankly, by showing ads. In fact, we even know VPN providers that will inject ads that didn't already exist into your browser traffic. That's nuts. Perhaps you've noticed that your internet service provider is subsidizing their fees by selling information off that they know about you. That's another example of, you know, whoever's got that, you know, whoever has the DNS, whoever's got the IP address, whoever watches the traffic, that's who could do that. That's why you gotta go with ExpressVPN. They are, and they still are to this day, monitored on a regular basis by independent third parties.
Leo Laporte (00:08:23):
I think they use PricewaterhouseCoopers. They vet the privacy policy, make sure that's being adhered to. They look at the technologies they're using, especially ExpressVPN's TrustedServer technology. I love it that they did this. They went the extra mile to write a VPN server that runs RAM only, and is sandboxed, cannot write to the hard drive, just to reassure you that there's no way they could log your VPN traffic. There's no way they could keep track of what you're doing. In fact, when you press that big button in the ExpressVPN software, which runs everywhere, even on routers, when you join that server, it spins up an instance of the trusted server just for you and your session. And then when you leave, it goes away, and there is literally no trace of you. We know that not just because of PricewaterhouseCoopers, because I say so, but because it is not unusual, especially in countries where they don't like what people do on the internet, for them to do no-knock warrants and seize the ExpressVPN servers, hoping to find information about ExpressVPN customers, and without, and you can look at the news stories, without an exception,
Leo Laporte (00:09:32):
They find nothing. It's worthless to them. And that's why you use ExpressVPN. They create a secure tunnel, as you know, between you and the internet. Everything you do online is encrypted. It's going through their secure server. So your ISP can't see what you're doing, but also when you go do a Google search, they don't see your IP address. They see an ExpressVPN server. That's all they see. For your phone, for your computer, for your smart TVs, where I think you really need that privacy, for your tablets, even for your router, ExpressVPN can protect you and your family. It's easy to use. You open the app, you tap the button, and you're safe, you're secure, you're private. I love ExpressVPN. It's the only VPN I use, and it's the one I recommend. Your data is your business, so protect it at expressvpn.com/security
Leo Laporte (00:10:23):
now. Visit expressvpn.com/securitynow. Three extra months free when you buy a year package. That's a great deal, less than seven bucks a month. And you may say, well, I can get it for free. Again, you wanna pay 'em. You wanna give 'em enough money so that they're not incentivized to make money some other way, and so that they also have the money to build out their servers, to have the infrastructure. ExpressVPN's so fast you can watch HD video. You won't even know you're on it. That's why it's worth the seven bucks a month. expressvpn.com/securitynow. With a for support and the Security Now show. They know security.
Steve Gibson (00:11:01):
Definitely what you'd wanna use in Beijing, if you had an opportunity
Leo Laporte (00:11:04):
Holy cow. Yeah. To connect to it. Oh my gosh. All right. Picture of the week time.
Steve Gibson (00:11:10):
So this is one that's a little difficult to describe. It's so wonderful that I would commend our listeners to grab the first page of the show notes and just take a look at it. So it came as is. I didn't add the headline or anything, but the headline, the title is "First rule of programming: if it works, don't touch it." And what we're seeing here is, like, a drain pipe coming down off of the side of a building, and I'm a little curious about how this could have ever worked, because it looks like there's an elbow missing, which would've converted the pipe from sort of sideways pointing out to downward, to finish pouring in through the rest of the pipe. Anyway, it doesn't look like it could have ever been quite that way.
Steve Gibson (00:12:14):
So again, it's not clear what the history is here, but the point is that we have a stream of water flowing out of this drain and, you know, sort of following a ballistic curve toward the ground. Well, as a consequence of the way this drain pipe is broken, it's completely overshooting the opening that you'd like to have it going to, like, completely. Yet where it would be striking the pipe on the ground, where this, you know, arcing flow of water would be striking the pipe, someone, the programmer in this case, or the programmer equivalent, has chipped open the pipe so that the stream of water is perfectly going into a jagged hole in the pipe. But it's accomplishing its mission, and sure, it works. Don't disconnect it. As they say, if it works, don't touch it. First rule of programming. It's like, is it working? Yes. Okay. Fine. Okay. Don't touch it, anybody.
Steve Gibson (00:13:36):
Okay. So last Tuesday, you know, upstream by a few days of the beginning of Beijing's 2022 Olympic games, the US FBI warned that visitors to this year's Olympic games, which are, you know, being hosted in Beijing, would be well advised to leave any fancy electronics at home, grab an inexpensive burner. The FBI literally said, get a burner phone. You know, I'm sure they know about burner phones, cuz bad guys use 'em a lot. In this case, we're not bad guys. We're just people who don't wanna have, you know, our high-end smartphones totally taken over. Anyway, the FBI says, well advised to leave any fancy electronics at home, grab an inexpensive burner phone that can be broken into pieces once you've returned to your local airport. In other words, the advice about traveling to China, wow, is similar to the traditional advice we've often discussed for attending the annual Black Hat and DEF CON conferences in Las Vegas, which can be distilled to: be afraid, be very afraid. Wow.
Steve Gibson (00:14:57):
So the FBI didn't mention any specific threats, but they didn't need to, because it's become understood that malicious cyber, and this is, I'm quoting them, "malicious cyber actors could use a broad range of cyber activities to disrupt these events." There's a tremendous amount of malicious cyber activity occurring, unfortunately, now during the Olympics. Recall that the Tokyo summer Olympics was a similar mess, with athletes' and attendees' personal phones being targeted. The games' TV broadcasts were disrupted, and the personal data of volunteers and ticket purchasers for the Tokyo Olympics were leaked online. You know, the Olympics are high profile, and this makes everything happening there, unfortunately, a target. After Tokyo's 2020 summer games, in a bit of a public relations puff piece, NTT Corporation, which was responsible for providing the cyber protection services for the grain games, wrote, they said, quote, "the total number of security events that were blocked during the games, including unauthorized communications to the official website, was 450 million."
Steve Gibson (00:16:23):
What? Okay. NTT added that, quote, "none were successful." None of these 450 million attacks were successful due to cybersecurity measures in place. Okay. Now, who knows what they're counting as, you know, a security event, you know, maybe packets, because 450, really, it's not possible that there were actually 450 million separate cyber intrusions or intrusion attempts or whatever. We've seen this before, right? Where a number is, like, ridiculously high because they're, you know, quoting any random packet that, like, was rejected by the firewall or something. So, okay. You know, on the other hand, no one doubts that the games were and will be a site of intense cyber rivalry. And it's looking like, you know, we're in for that, given the early warnings that have been seen. The FBI said that during those summer 2020 games, while there were no major cyber disruptions, the most popular attack methods were malware, email spoofing, phishing, and the use of fake websites and streaming services designed to look like official Olympic service providers.
Steve Gibson (00:17:48):
And actually the fact that they're talking about fake websites, we'll see by the end of the podcast, is significant, because unfortunately, visitors won't be protected from that, although they'll think they are being. And the FBI reminded us that during the earlier 2018 winter Olympics in South Korea, cyber actors associated with Russia were very active and launched the Olympic Destroyer, as it was known, attack that interfered with the games' opening ceremony. Those attacks were enabled through a spear phishing campaign and also malicious mobile apps. As we'll see, the mobile app in this case, I think, is not malicious, just very poorly written. Okay. So as for taking a throwaway burner phone and leaving your personal phones and PC at home, the FBI warned of potential threats associated with mobile apps developed by untrusted vendors. And our CISA said that, referred, you know, quoted the FBI, said "the FBI urges all athletes to keep their personal cell phone at home and use a temporary phone while attending the events. The download and use of applications, including those required to participate or in-country, could increase the opportunity for cyber actors to steal personal information, install tracking tools, malicious code, or malware."
Steve Gibson (00:19:20):
And of course it's not only our phones, right? Anything that's wireless, especially, you know, I mean, I would be very circumspect about plugging anything in either, but Bluetooth and wifi can be suspect. The first step is to take the threat seriously. It deserves to be taken seriously. In the normal world, like, you know, just normal life, the actual likelihood of any individual being targeted is probably vanishingly small. As we say, you know, we don't wanna overhype things, because there are times when you really do need to pay attention. But we've seen, and you and I have talked about it, Leo, those maps of "cell towers," in air quotes, in Las Vegas weeks before, comparing them to during the Black Hat convention. It would be funny to see how many new fake cell towers had suddenly appeared during Black Hat if it weren't so frightening.
Steve Gibson (00:20:25):
And of course, you know, those fake towers will be happy to field your connection. They don't care who you are. You're an opportunity, whoever you are. And the same has been true during each of the recent Olympic games, and it's sure to be so again this year, especially in China. So, you know, this week's podcast is titled The Inept Panda because we're gonna take a look at what Citizen Lab found when they deeply reverse engineered China's official, and interestingly, must-use app for the 2022 winter games. But again, that's far from the only worry during the games. Okay. So maybe this podcast will get to some people who maybe will be saved from, you know, just by, you know, again, raise your shields, be really careful, turn off any stuff you don't need, turn off Bluetooth, turn off wifi if you don't need it.
Steve Gibson (00:21:27):
You know, don't, you know, I would say, you know, free internet is something you wanna be very careful about. So we have a serious CVSS 9.9 remote code execution vulnerability in Samba, and it impacts at least Red Hat, SUSE and Ubuntu Linuxes running Samba prior to version 4.13.17. That's just been patched by its maintainers. So that one is safe, 4.13.17. Also patched were the other release flows, 4.14.12 and 4.15.5. Everyone using Samba is being urged to update to one of those three. And you probably know if you are, because it's not something that's running in Linux typically by default, as far as I know. I know that it's not running in FreeBSD. I think if you have file shares you're using, though, it's likely that you're using Samba, right?
Steve Gibson (00:22:44):
Yeah, well, so would Linux assume that file shares would be sharing with Windows? Because of course that's Samba's origin. I mean, there's others, there's CIFS and there's Apple's, right, system. Well, CIFS was just an early version of Samba. So yeah, Samba is an open version of SMB, the LAN Manager, in fact. That's, yeah, exactly. Samba got its name from SMB, you know, add an A after the first S and another one at the end. So SMB turns into Samba. And of course, SMB stands for Server Message Block, which is the file and printer sharing protocol originally designed by Microsoft back in, as you said, the LAN Manager era. You know, it was the original file and printer sharing protocol. And unfortunately, I mean, it's good that it's still with us, but that does mean that it's old and creaky and probably brings along a bunch of legacy baggage and probably an embodiment of legacy thinking.
Steve Gibson (00:23:54):
I mean, that's really what's in a lot of these older protocols, is just the way they were doing things back then. I, you know, I mean, this predated the internet, right? This was coax. And, you know, when a network interface card was, like, $1,500, you know, per workstation. So, I mean, it was a whole different world. Today SMB is in its third generation, and it is what Windows still uses. I have it running on all of my Unix machines, since, as you said, Leo, it is so convenient to be able to use SMB to attach a Unix file system, or Linux, to Windows File Explorer and browse around in the nice Windows GUI and edit configuration files in a convenient Windows editor, all as if it was a local drive.
Steve Gibson (00:24:55):
But as I said, SMB is an old and complex protocol with security added as an afterthought. So you will never find it, or any other overly complex protocol, exposed to the public internet by any of my servers. And I have said many times in the past, nobody wants to have file and printer sharing open on the internet. You know, mistakes are just too easy to make. And today we have another biggie. In this case, the exploitation of this critical vulnerability would allow attackers to gain remote code execution with root privileges on any Linux servers offering this, or Unix-like, you know, systems. If you've got smbd running, then you're serving that protocol, right? So any Linux machines offering the protocol. The ability to execute remote code as a root user, as we know, means that an attacker would be able to read, modify, write, delete any files on the system, enumerate its users, install malware, you know, crypto miners, ransomware, and also pivot to gain access deeper into a corporate network.
Steve Gibson (00:26:17):
So this bug is being tracked as CVE-2021-44142. So it got numbered last year. It's specifically an out-of-bounds heap read/write vulnerability appearing in the VFS, that's the virtual file system, module which is called vfs_fruit, or just fruit for short. And we'll see where it got its name in a second. The vulnerability was used and disclosed by a pair of researchers from STAR Labs during the Pwn2Own Austin 2021 competition, which we covered last year. After the event, researchers from Trend Micro's ZDI, who host the Pwn2Own, took a look at it more closely and discovered additional variants of the vulnerability. And our old friend Orange Tsai of DEVCORE, remember, he's the one who started all of last year's Exchange Server debacle by showing Microsoft the first of what turned out to be a great many problems in, you know, Exchange Server's code.
Steve Gibson (00:27:33):
Anyway, he had, I'm assuming it's a he, had independently reported this problem directly to the Samba maintainers. So it rates a 9.9, which we know is, you know, it's not a 10.0, but it's really close, because it's one of those no-authentication-needed exploits which can provide full root remote access if you happen to have this vfs_fruit module running. Okay. So what about that? The fruit module obtained its name due to the famous fruit-named company whose clients it, yes, it was created to converse with. Yes, that's right. The fruit module that ships with Samba is designed to provide interoperability between Samba and Netatalk, with Netatalk being an open source implementation of the AFP, Apple Filing Protocol, which is used to converse with Mac clients. So when everything's in place and working, it allows Unix-like systems, Apple's, to serve as file servers for Apple devices.
Steve Gibson (00:28:55):
Once a session is established, smbd, which is the SMB daemon, allows an unauthenticated user to set extended file attributes, and therein lies the problem. It is in the ability to write extended file attributes over the Apple Filing Protocol, enabled by the vfs_fruit module, that there is a heap overflow, which allows you to then perform a buffer overflow and leverage that into execution. So as always, the right solution is to update immediately to one of the releases that has been repaired. If the fruit module is not being used, then there's no vulnerability. You don't have anything to worry about. If it's present but not actively needed, it can be removed from the SMB configuration and the Samba daemon restarted in order to get rid of it. So you don't want it running. If you have to have it, if you have to use it, first of all, I dunno why it would ever be exposed to the public internet, but you know, things happen.
Steve Gibson (00:30:14):
You definitely wanna update Samba. There's no question. This thing will be instrumented, weaponized, and people will start scanning for it immediately. Living off the land. This is my favorite term, really. When bad guys gain some sort of presence on a system, no matter how that may initially have happened, they then typically need some means of doing something, right? Once they're there, either they need to arrange to obtain the tools they will need from some remote hosting server, or they need to use and abuse what's already present where they are. The term which, as I said, I really love, that the security industry has coined for the latter is known as living off the land, meaning use what you got wherever you are, cleverly reusing an environment's crop of utilities to get up to some mischief.
Steve Gibson (00:31:27):
The living off the land phrase has been shortened to LOL, and thus these already present, yeah, I know, I know, and thus these already present binaries, when used in this fashion, are known as LOLBins, phrased and written as a single word. The obvious advantage to reusing a system's existing LOLBins for nefarious purposes is that they're already there. They're trusted by the system. They probably have the rights that they need, and they're approved for use by whatever anti-malware might be watching over the environment, you know, trying to see what mischief is going on. So, you know, going out and grabbing something remotely incurs the risk of tripping an alarm when something new is pulled across the environment's network. And in tightly locked down environments, application whitelisting might prevent an OS from running code that hasn't been signed with a valid digital certificate. In such environments,
Steve Gibson (00:32:38):
LOLBins that have already been approved for use are often able to, for example, open and run untrusted and unsigned utilities. You know, they're trusted. So the presumption is anybody using them is trusted, and so they should have greater rights. I recently encountered a list, assembled by the security firm Uptycs, which is spelled U-P-T-Y-C-S, Uptycs, of the most commonly used LOLBins, actually the top five, which they have seen employed to further subvert each of: the top five for Windows, five for Linux, and the top five for macOS. In Windows, the well known regsvr32.exe and rundll32.exe utilities recently experienced spiking levels of abuse, with both being used extensively by the Qbot and the IcedID backdoor malware over the course of the last year.
Steve Gibson (00:33:50):
Similarly, bizarre as that might seem, the Loki and Agent Tesla spyware samples have been caught exploiting a vulnerability in Microsoft's Equation Editor, EQNEDT32.EXE. And of course, the more power Microsoft has added to PowerShell over time, the more ways bad guys are finding to abuse it. So Uptycs' top five LOLBins for Microsoft, I'm sorry, for Windows, in order of descending popularity, are: number one, top, is PowerShell, because boy, if you get ahold of that, you could do a lot of damage. Then we have mshta, regsvr32, WMIC, and that Equation Editor. So now we have PowerShell being a nearly perfect tool for adversaries looking to compromise a system. It provides them with access to various Windows features which can be abused for downloading payloads, disabling Microsoft Defender and firewalls, executing fileless malware out of RAM, and so on.
Steve Gibson (00:35:07):
So yeah, you really want to keep PowerShell out of the bad guys' hands if possible. Mshta is the Windows utility that executes Microsoft's HTML applications with the file extension, you know, .hta, or JavaScript and VBScript files. Adversaries are able to leverage mshta.exe for proxy execution, that is, execution on their behalf of malicious HTA files, JavaScript and VBScript. The infamous TrickBot malware, which we'll be hearing a lot about this hour, often used as a first stage loader for ransomware and other payloads, has been leveraging mshta for the past year. So it is an active exploitation. Regsvr32, number three, is in third place, a Windows built-in utility. Anyone who's done, like, serious work with Windows has probably been asked to, like, use regsvr32 to register a DLL with the system, that then makes it available globally for other things to use.
Steve Gibson (00:36:25):
Anyway, it's a built-in utility that can be used to register and unregister service DLLs. Adversaries are able to abuse it to download scripts hosted on remote servers and execute them in memory. Both the Dridex and TrickBot malware families have used regsvr32 to facilitate their infection routines. WMIC is part of the Windows Management Instrumentation, you know, the WMI system. WMIC is a command-line executable for WMI. Like PowerShell, it's quite powerful and has comprehensive features that provide a handy set of capabilities for accessing local or remote Windows system components. Once again, the Dridex malware leverages WMIC to execute rundll32 in the execution phase of its attack life cycle. But adversaries may also abuse WMIC to, and I always wanna say K-E-Y-M-O-U-S-E, but me too, to achieve execution, discovery and lateral movement inside of networks.
Steve Gibson (00:37:44):
And as I mentioned, that again, really odd, I think it was only 5% in their top five, but it made it into the top five: Microsoft's Equation Editor, EQNEDT32.EXE. It turns out that it is being used by Agent Tesla and the Loki malware to execute their arbitrary code. So there's a flaw in there somewhere that they're able to leverage. And of course, it's not just Windows that has plenty of LOLBins. Over on the Linux side, Uptycs' top five LOLBins are chattr, wget, setfacl, crontab and rm, which I gotta get a kick out of. The chattr function, as in change attribute, C-H-A-T-T-R, in Linux is used to set and unset file attributes. Adversaries use this for changing the permissions of the system files or to make their dropped files immutable to prevent users from deleting them.
Steve Gibson (00:39:03):
The self-propagating Kinsing malware uses this change attribute to change the permissions of SSH keys and password files in the defense evasion phase of its attack life cycle. Linux's wget function is, or command is, so handy that I always have a Windows binary of it available for my own command line use. It's just too handy to be without. Unfortunately, the bad guys agree. They use it, as I do, as a no-nonsense means for quickly downloading files from across the internet. Malware families like the Mirai botnet use wget extensively to download the second stage of its malware. Linux's setfacl, ACL as in access control list, is used, as you'd expect, to set, modify, or remove the access control lists which are used to control access to regular files and directories. Once again, the Kinsing malware, that seems to be all about permissions, uses setfacl to set executable permission on /bin/chmod in the defense evasion phase of its attack life cycle.
Steve Gibson (00:40:32):
And I'm wondering, I didn't dig into it any deeper, at, you know, chmod certainly already has its executable bit set, cuz it's a command. So maybe the normal chmod, the real one, resides in a different executable directory, not underneath /bin, and this thing is naming itself chmod and sticking itself under /bin, and then using setfacl to turn on the executable permission bit in order to be runnable. And of course the ever handy set-it-and-forget-it crontab easily opens the cron table for editing the list of tasks to be scheduled to run at specified times and intervals on the system. You know, it's very much like Windows Scheduler. It's sort of the same thing. Many a malware has arranged to come back from the dead through the clever manipulation of crontab's time delayed command execution. In particular, cryptocurrency miners have been seen accessing cron entries to delete already installed cron jobs, meaning get rid of the, and to install new cron jobs to keep themselves running.
Steve Gibson (00:41:58):
And nothing says "erase your own footsteps" like rm, Linux's short and sweet file removal command. Many malware families, including the Mirai and Gafgyt botnets, as well as many cryptocurrency miners, depend upon rm to self-destruct and delete their tracks. And of course the most classic of all hacker tricks is to delete the log files which Linux and Unix systems are famous for creating. And macOS is not without its handy tools being abused by malware. Uptycs lists the Mac's top five LOLBins as openssl, curl, SQLite, killall and funzip. Being the original SSL and TLS development and testing platform, which we've talked about often, OpenSSL is literally the Swiss Army knife of security and certificate management and manipulation. I had occasion to use it just the other day on one of my FreeBSD Unix servers.
Steve Gibson (00:43:12):
The new one that I was setting up to host our GitLab instance. I needed to check that the new certificate chain I had installed was working correctly. I didn't feel comfortable placing GRC's wildcard certificate on a new and not yet trusted server. If that certificate were to ever get loose, it would allow someone, anyone, to spoof any grc.com subdomain. Not good. So instead I asked DigiCert to make a certificate that would only be valid for the domain dev.grc.com. There's nothing else like OpenSSL for dumping and diagnosing secure connection setup. Unfortunately, like any powerful tool, it can be just as powerful when in the hands of the malicious. On macOS, the Shlayer malware often leverages OpenSSL in conjunction with base64, using both to encode and decode malware, and also to encrypt malware to hide it from detection.
Steve Gibson (00:44:27):
We've talked about the clever abuse of the curl command several times in the past, it being a longstanding command line tool used for transferring data using various network protocols. And that's really where it shines. curl is much like wget, although wget, being short for "web get," has more of a web orientation and is able to do things like follow redirection chains, which is beyond curl. That said, curl is insanely more versatile with its protocol support. It can be used to obtain data from servers that are offering the DICT, FILE, FTP, FTPS (of course, for SSL or TLS), Gopher, Gophers, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, Telnet or TFTP protocols.
Steve Gibson (00:45:44):
In other words, pretty much anything you can imagine, you're able to use curl against. And of interest to the bad guys, unfortunately, curl is designed to work without user interaction, so it's perfect for malicious scripting and remote unattended use. So curl remains the go-to command for many users and scripts on macOS. It's also a favorite of the Bundlore malware, which leverages curl to download payloads while it's busy setting up shop on a new machine. SQLite, I was sort of surprised to see that that was number three for macOS of the top LOLBins. Of course SQLite is a transactional SQL database engine present in macOS, and increasingly in other OSes as well. I've got it on a bunch of mine. For example, I guess I'm using Postgres on the new FreeBSD machine, but anyway, it's often used to create databases that can be transported across machines. The macOS, again, Bundlore malware uses SQLite to retrieve the history of downloaded files from the Internet in the exfiltration phase of its attack life cycle.
Steve Gibson (00:47:08):
And actually they probably mean the history of exfiltrated, like uploaded, files. Fourth on the list for macOS is killall, a handy utility also found on many Unix and Unix-like systems. I use it when newsreading clients connect to GRC's newsgroup server. In typical Unix style, a new instance of a single client server is forked for each connected client. So you end up with just a gazillion little processes all running, each one talking to one persistent user of the newsgroup server. And there have been many times when I have needed everyone to obtain an updated copy of some filter code, which requires all instances of this client, typically hundreds of them, because people tend to leave their newsreaders running, to be restarted and reloaded. The only way to do that short of rebooting the server, when rebooting the server would be overkill, is to simply use Unix's killall command to terminate
Steve Gibson (00:48:27):
those hundreds of forked processes all at once. Naturally this nice command can often be put to nefarious use, and macOS's Shlayer malware uses killall to kill the running script's terminal window after its bash script activity has been completed, in a little bit of a kamikaze maneuver. And finally, the Mac's funzip utility, fifth of the top five, is able to extract the contents of zip and gzip files directly to output from archives or other piped input. Shlayer also uses it, along with the head and tail commands, to extract a malicious binary with a password. So, living off the land indeed. All of those very handy commands are right there on our systems, which saves the bad guys from needing to bring them with them. And as I noted at the start, it's also far more stealthy to simply use what's already there.
Leo Laporte (00:49:33):
I'm gonna have you stop there. You're familiar with all of those. Yeah. Oh yeah. And I have it all running all the time. By the way, I love your pronunciation. When you said SQLite, I thought, wait a minute, because I've always said SQLite, but then I found an interview with the creator of it and he says it's pronounced like "S-Q-L-ite." So anyway.
Steve Gibson (00:49:57):
Okay. It's your turn to tell us about our second sponsor.
Leo Laporte (00:50:01):
That I can do. I should have been doing that all along. All right, we'll take a break, LOL, and we'll come back in just a bit. I want to tell you about a company you already know about, you know about Acronis. We talk about Acronis all the time, a great set of tools, but they have a tool I did not know about, and I wanna tell you about it. I've learned about it now, I'm gonna tell you about it. Acronis Cyber Protect. It's the only solution that natively integrates cybersecurity, data protection and management to protect endpoint systems and data. Their integration and automation provide unmatched protection, increasing productivity while decreasing your total cost of ownership. And it's all available in flexible deployment options so that you can have it the way you want and the way you need it.
Leo Laporte (00:50:47):
Next generation cybersecurity includes advanced AI-based behavioral detection for zero day attack prevention. That's really the big issue these days, isn't it? Reliable backup and recovery, of course. Acronis is well known for both its full image and file level backup, disaster recovery, and metadata collection for security forensics. That's an interesting use. You know, we always talk about, when you're doing forensics, preserving the original, and Acronis is known for its imaging. Integrated protection management includes URL filtering, something very basic, vulnerability assessments, patch management, very important, remote management, all integrated, all automated, all part of Acronis Cyber Protect. Minimize incidents, improve your productivity, eliminate complexity. The traditional stack of endpoint protection products often is not integrated. It's just a bunch of tools kind of thrown willy-nilly at you, which means more time for management. You gotta maintain a bunch of different licenses, install updates for a bunch of different products, patches.
Leo Laporte (00:51:53):
Then you have to make sure it's compatible after each update. And you've gotta manage multiple policies with a completely hodgepodge variety of user interfaces. Not with Acronis, because Acronis Cyber Protect is one agent, one management interface, one license that does it all. It eliminates all that complexity, all the risks associated with non-integrated solutions. You'll also minimize incidents over traditional antivirus and backup solutions. They often can't protect against modern cyber threats. With Acronis Cyber Protect, which has an AI-based threat detection engine, it can actually, get this, leverage backup data to improve detection rates and avoid false positives. That's another reason why you integrate these two together, your backup solution and your threat protection solution. You'll also increase productivity. Obviously a complex, kind of onesy-twosy stack of endpoint solutions requires a lot more time to learn and to support, and you don't get any of the benefit we just talked about with integration.
Leo Laporte (00:52:56):
You don't get automation across the line of products. When you're using Acronis you're unifying multiple protection technologies into one solution, which means better reliability, less time to learn, to deploy and to maintain. With Acronis Cyber Protect you get one integrated solution that delivers complete protection from today's threats, letting you streamline management, cut unnecessary administrative time and lower total cost of ownership. Those are all good things. Avoid downtime, avoid data loss, avoid security breaches, and do it at a lower cost with Acronis Cyber Protect. It's a name you know, with a product that just solves a multitude of issues. Go to go.acronis.com/twit-two, go dot Acronis, A-C-R-O-N-I-S, go.acronis.com/twit-two. And it's really important you do twit-dash-two so that they know you came from us. You'll get a 30 day trial too, to modernize your cybersecurity and backup with integrated cyber protection from the leader, Acronis. Acronis Cyber Protect, go.acronis.com/twit-two. Say it with me, go.acronis.com/twit-two. Thanks, Acronis, for all you've done over these many years, and thanks especially for supporting Steve and Security Now.
Steve Gibson (00:54:24):
And now we know how to pronounce it, which I'm so excited about.
Leo Laporte (00:54:30):
I've always said Arons, but you know, you know, no Arons, you know, so I asked yeah, they said Arons. Nice.
Steve Gibson (00:54:38):
Okay. So, in one of those situations which just begs the question "what could possibly go wrong?", Microsoft decided some time ago that it was old fashioned for users to have to first download an installer package, then install it. Wouldn't it be so much better to just let users install a new program directly from any website, just by clicking on a link? Like I said, what could possibly go wrong? And as if in answer to that question, Microsoft has now completely disabled that handy dandy facility after some very popular malware was overheard to comment, "Hey, this is great." For the past three months, the hard to get rid of Emotet gang, with their TrickBot, I told you we've been hearing about TrickBot a lot, and the BazarLoader malware have been using this new and very convenient protocol to deploy malware on users' systems. Microsoft's page describing MSIX, which is what this is called,
Steve Gibson (00:56:03):
MSIX, explains that MSIX is a Windows app package format, it's actually four package formats, that provides a modern packaging experience to us, because that's what you want in your packaging is a modern experience, to all Windows apps. The MSIX package format preserves the functionality of existing app packages and/or install files, in addition to enabling new, modern packaging, we're talking about software packaging, and deployment features to Win32, WPF and Windows Forms apps. MSIX enables enterprises to stay current and ensure their applications are always up to date. Right. You know, because no one wants an old version of TrickBot. Anyway, it allows IT pros and developers to deliver a user-centric solution while still reducing the cost of ownership of applications by reducing the need to repackage. So what? Okay. To give us a better sense for what's going on here, I'll share Microsoft's three key feature bullet points. First, reliability.
Steve Gibson (00:57:26):
MSIX provides a reliable install, boasting, they say, a 99.96% success rate over millions of installs with a guaranteed uninstall. Well, that's handy for malware. Network bandwidth optimization: MSIX decreases the impact to network bandwidth through downloading only, and this is what they say, the 64K block, as if we're supposed to know what that means, but okay. This is done by leveraging the AppxBlockMap.xml file contained in the MSIX app package. And they have a reference later to that in the article. MSIX, they said, is designed for modern systems and the cloud. And the third point, disk space optimizations: with MSIX there is no duplication of files across apps, and Windows manages the shared files across apps. The apps are still independent of each other,
Steve Gibson (00:58:41):
so updates will not impact other apps that share the file. A clean uninstall is guaranteed even if the platform manages shared files across apps. And you know, if that sounds really familiar, it's because they tried this once before with something called DLLs. What a mess that turned out to be. Oh yeah. Still, Lord, it turned out. It's still. I know. Well, in fact, that whole SxS folder they have now, they call it, you know, Windows side-by-side, SxS, it's huge. And basically what they did was they said, okay, that was a bad idea, those DLLs. So now we're just gonna give every app its own set so that no one, you know, like they just completely abandoned that whole idea. But I suppose their institutional memory has been lost, since all the folks who did that to us have since left Microsoft.
Steve Gibson (00:59:52):
So we're gonna go through this all over again. In any event, Microsoft apparently realized that their traditional app installing system was inherently introducing a great deal of bloat and redundancy. And of course now we have the cloud. So rather than downloading a big blob that the OS's app installer will then open, look around in, you know, dig around through, read and deal with, let's make that remote. Let's create a new protocol that allows that bloated and redundancy-filled app install package to remain in the cloud on remote servers. So now the use of a special scheme, you know, like HTTPS is a scheme, the use of a special scheme and file extension will establish an interactive session to the cloud that allows the installer running on the Windows client to first download only the installation manifest, and then decide, based upon what it already has, only which additional components of the entire package it subsequently needs to ask for.
Steve Gibson (01:01:20):
Okay. Kind of sounds like, I know. I mean, I could see where they went with this idea. We've got the cloud, let's not download a blob and only take a few pieces from it. Let's just, you know, get what the blob contains and then decide what more we want. And Microsoft really put a lot of time and effort into this. This MSIX SDK is open source. The whole thing, the whole definition and project, is open source. And although it was designed for Windows 10, it's not restricted to Windows 10. There's an MSIX tech community and lots of additional resources. That initial AppxBlockMap.xml package is the document that contains a list of the app's files along with indexes and cryptographic hashes for each block of data that's stored in the package. The block map file itself is verified and secured with a digital signature
Steve Gibson (01:02:19):
when the package is signed. The block map file allows MSIX packages to be downloaded and validated incrementally, and also works to support differential updates to the app files after they're installed. I mean, this thing has everything. Another file, AppxManifest.xml, is a package manifest document that contains the info the system needs to deploy, display and update an MSIX app. This info includes package identity, package dependencies, required capabilities, visual elements, and extensibility points, whatever those are. Maybe you now get points for extensibility, I don't know. There's also an entire file and registry, get this, a file and registry virtualization layer, which provides a means for an application to declare that some set of its files and registry entries should be visible to other apps, and those should persist after app uninstall. Other files and registry entries are not visible to other apps and are removed on uninstall.
Steve Gibson (01:03:35):
Wow. You know, complicated much? I mean, is it any wonder this whole system is getting kind of brittle and flaky feeling? Anyway, I mentioned there are four packaging formats. Those are reflected in the four file extensions: .msix, .msixbundle, .appx and .appxbundle, some of which you may have seen. I've seen them sometimes in PowerShell stuff that I've had to do. So a huge amount of industry has been invested in this for Windows 10 and beyond, and Microsoft has just been forced to switch off the remote install, which was the entire point, due to its continued abuse. In late November last year, the operators of the Emotet malware botnet started abusing the remote ms-appinstaller scheme, that's the scheme, ms-appinstaller links, in attacks targeting users by sending emails which lure innocent victims to specially crafted websites.
Steve Gibson (01:04:49):
These sites would claim to contain important documents that recipients needed to view, but for which they needed to install, wait for it, a PDF component which was missing. This was often made more convincing by arranging to continue a preexisting email dialogue. And remember last year, when all this was happening, we were wondering how attackers might benefit from those multiple Exchange vulnerabilities which allowed them to obtain previous emails. Now we know. They would make spoofing attacks far more convincing by picking up a dialogue where it left off. You know, of course, the dialogue that was left off was with the real individual at the other end of the email conversation, not the bad guys. Anyway, the link provided for the PDF component would actually be an ms-appinstaller:// scheme that claimed to install an Adobe-signed file, but in reality it installed a version of TrickBot's BazarLoader malware, which is, you know, the beginning of the end for that system and probably everything it's hooked to.
Steve Gibson (01:06:14):
Now, of course, this fancy new app packaging system has everything signed with cryptographic signatures. You know, I mean, like, out the wazoo. But that didn't stop the Emotet gang. Microsoft was finally forced to completely disable this protocol, after all this work went into it, because the gang found a way to spoof all those signatures in MSIX packaged files. Those signatures appeared to Windows completely authentic. And I'll just note that it is unclear to me how anything like that could be spoof-proof. I mean, how are signatures being verified? If third parties are able to sign their own packages, and they must somehow be able to do that, then what prevents any third party from being malicious? Nothing. Anyway, without having dug into this any more deeply, it appears that what happened is that Microsoft developed a technology that's too easy to use and abuse, and which cannot actually be protected. Last year they delivered a patch for this problem,
Steve Gibson (01:07:41):
tracked as CVE-2021-43890, back in December, as one of the 67 things they fixed at that time in December's Patch Tuesday. Except we now know they didn't actually fix it, since attacks have continued to take place. And it would seem to me that it's actually not feasible for them to fix it. So, no more remote install, which means that all existing ms-appinstaller:// links have just died, worldwide and enterprise-wide, everywhere. Microsoft wrote, quote: "If you utilize the ms-appinstaller protocol on your website, we recommend that you update the link to your application, removing ms-appinstaller:// so that the MSIX package or App Installer file will be downloaded instead onto the user's machine." Oh, just like in the old days. "We recognize that this feature is critical for many enterprise organizations.
Steve Gibson (01:08:59):
We are looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations." In other words, IT admins may eventually be able to re-enable this for local app deployment, but it sure looks like its use over the Internet is likely gone for good. They've not said it's gone for good. A lot of the press coverage that didn't look at this as closely said, oh yeah, it's been temporarily disabled. It's like, okay, well, let's see if it comes back. Because again, as I said, I can't see the model which allows this to be done safely. You know, apps are signed, over time they're trusted, those signatures gain trust and reputation from the various Windows Defender and other things that are looking at them.
Steve Gibson (01:10:03):
But the goal here is a targeted attack. The idea with a signature on an app is that it's gonna acquire a reputation. The publisher gets a reputation, which allows their later stuff to be trusted. Bad guys don't need that. You know, they're able to do a single attack, which makes it worth any amount of overhead. And it looks like this is one of the weaknesses of this system. So anyway, I expect we're not gonna see it again. We'll see. Oh, soon Internet-sourced macros will not run, I had that in all caps, in Office apps. And then I had to double check my spelling of hallelujah.
Steve Gibson (01:11:00):
My God, Microsoft is slow to fix obvious problems, which hurts their users. For how long has it been painfully obvious to everyone else that allowing macros to run in Office documents received from the Internet was a really bad idea? And I'll answer that question. There's never been a time when it wasn't painfully obvious. The inherent danger has always been clear. Since the early 2000s, Microsoft has attempted to give unwitting users control over this by showing a mild and nonspecific security warning in a toolbar at the top of the document. It stated that some active content has been disabled, alongside a button labeled "Enable Content." So, oh, it's been disabled. I guess I'll press the Enable Content button to turn it back on again. Yes. How many people do you imagine clicked the button in order to get what they believed they needed?
Steve Gibson (01:12:14):
You know, what many got was a lot more than they bargained for. Yesterday, in apparent reaction to a 20 years delayed epiphany, Microsoft suddenly announced that, as of version 2203, starting with the Current Channel (Preview) early this April, Access, Excel, PowerPoint, Visio and Word would not, and I mean NOT in bold caps, allow macro scripts to be enabled inside untrusted documents that have been downloaded over the Internet. That's huge. Not being able to enable, rather than merely being warned and told essentially to click enable, will make all the difference in thwarting spoofing attacks. Microsoft said that at a future date to be determined they also plan to make this same change to Office LTSC, you know, the Long Term Servicing Channel, Office 2021, 2019, 2016 and 2013. So whereas before the bar said "SECURITY WARNING" with a yellow exclamation point, the new bar says "SECURITY RISK" in all caps with a red X.
Steve Gibson (01:13:51):
And the further explanation: "Microsoft has blocked macros from running because the source of this file is untrusted." And there ain't no "I trust it." There's a "Learn More" button, which, you know, nobody wants to learn anything, so they're not gonna push that. It's like, oh, okay, well, I guess I'll see what this does without those macros, whatever they are. Okay. So this will, without question, put a serious kink in the capabilities of malware gangs who've been relying upon tricking users into enabling the execution of macro scripts as a way of permitting those scripts to install malware on their systems. So, as I said, hallelujah. It's really gonna make a huge difference. And it's a bit odd to see Microsoft now confessing how it's always been. In their announcement they wrote, quote: "For years," yes, years, "Microsoft Office has shipped powerful automation capabilities called active content.
Steve Gibson (01:15:07):
The most common kind are macros. While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button. Bad actors send macros in Office files to end users who unknowingly enable them," you know, because there's a button there, guys, so I should push it, "malicious payloads are delivered, and the impact can be severe, including malware, compromised identity, data loss, and remote access." So, Microsoft, you're just figuring this out now? Okay. But I'm not gonna look a gift horse in the mouth. Better late than never. The logic tree gauntlet that macros will now need to run finally gives them the respect their power should have always commanded. I mean, it's like this, 1, 2, 3, 4, 5, like a seven-stage "if," you know, where you gotta take every branch correctly. In the start box it says "User opens file with VBA macros and MOTW attribute."
Steve Gibson (01:16:29):
Okay. What's MOTW? That stands for Mark of the Web, which is a flag Microsoft automatically tags files with when they've come from the Internet. And I'm sure our listeners will have seen those popup warnings when Windows is aware that a file they're about to execute came from the Internet. That's the Mark of the Web. You know, that's the sign of the devil, the Mark of the Web. Now, it also turns out that most of us have always been victims of the tyranny of the default, since, believe it or not, there's always been a Group Policy setting named "Block macros from running in Office files from the Internet," which enterprises have been able to turn on. But of course it's been off by default, despite the fact that Microsoft says that they recommend enabling this policy. But are they gonna do it? No. Now they say that if you do, your organization won't be affected by this upcoming change in Office's default behavior.
Steve Gibson (01:17:49):
Hopefully, you know, our IT admin listeners are already ahead of the curve. They turned that on. Nothing to see here. The good news is, across all of Office back to 2013, starting in April, this will be turned on. Yay. And again, I know, how many times have we talked about, you know, Excel macros, PowerPoint macros, macros in any of this Office stuff, Word of course, doing bad stuff. And it's funny because the document that you receive, the bad guys will have set it up so that the page you're reading knows macros are turned off. So it says, oh, in order to view the rest of this content, press that nice little button up there in the upper right, and then we'll be able to get going here.
Steve Gibson (01:18:48):
And of course people go, oh, and press it, and then they're in trouble. So, and you look, you seem fascinated by that chart, Leo. I also zoomed in and read it carefully. Yeah. Because, I mean, it's like, is the document from a trusted location? Yes, okay, macros enabled. No, next: is the macro digitally signed and trusted publisher on the PC? Yes, okay, fine, macros enabled. No, eh, next, cloud policy to block, and then so on and so on and so on. So yes, this is just, it's wonderful that this kind of power is being managed the way it should have been, because so many people have been hurt.
Steve Gibson (01:19:41):
Okay. For many months, I guess unsurprisingly, I've been ignoring a continual stream of questions asking whether, and hopefully when, I would be offering Never 11. And Leo, I still remember the first time you heard the name Never 10. Yeah. You almost fell off your ball. I loved that you got a big kick out of that. Never 10. Anyway, you know, Never 10's become a bit famous. I think it has three and a half million downloads, something like that. Wow. And at the moment, none of my own systems qualify to move to Windows 11. Actually, it turns out I just found a laptop that I have that does. But we know that this whole qualifying for Windows 11 is a moving and totally arbitrary limitation. Microsoft allows virtual machines to install Windows 11 without any complaint over any processor
Steve Gibson (01:20:50):
and without any TPM. Windows 11 can run on anything. There's even a registry key. Remember, the registry key which Microsoft created is named AllowUpgradesWithUnsupportedTPMOrCPU. It's in there. So we're currently playing a game titled "We'd like to sell you some new hardware, so we're gonna dangle Windows 11 in front of you and hope you bite." But it's Windows 11 that bites, at least as it's currently being offered. I'm not being overly curmudgeonly about this. I listen to Paul and Mary Jo, both past Windows enthusiasts, every week scratching their heads and bemoaning in bewilderment what Microsoft is thinking with all of this. You know, they just, there's like, it's just pretty funny. Don't watch, like, Paul, just like, holy... Leo.
Steve Gibson (01:21:52):
I dunno. You know, and now he's, like, entertaining himself with Android and iOS and things, because I think Windows is getting, wearing a little thin. Anyway, as for Windows 11, I think Microsoft is bound to eventually want all of us to move there. Lord knows they were willing to do battle to get everyone moved up to 10. So I predict that they'll eventually discover that Windows 11 is stable everywhere. What do you know? And they're gonna want us all to move there. But I really don't want that. I don't wanna go there until they put back a bunch of the features that they've taken away from Windows 10 which I like. So I realized that I wanted a Never 11 app for my own use, and Lorrie certainly feels similarly. She doesn't want anything to change either. Looking around the net last week, I saw a huge mess. There are Group Policy Editor suggestions, which of course home users can't use because they don't have the Group Policy Editor.
Steve Gibson (01:22:58):
There's a wide variety of many weird registry edit instructions, always accompanied by the obligatory cautions about the danger of editing the registry. And there are even sites instructing people to completely disable Windows Update, which we know is bad advice. It turns out that at the beginning of last September, Microsoft published an optional update, KB5005101, which adds to Windows Update the explicit ability to tell Windows Update to target a specific edition of Windows and to remain there, and maybe to target a specific version of Windows. That's still to be determined. Anyway, it is of course not enabled by default, but it is documented and honored. So last Thursday evening I sent Mary Jo a note asking whether she knew whether the Enterprise editions of Windows would be subject to Microsoft's Windows 10 to 11 upgrade. Mary Jo replied the next morning that she assumed not, but that she would place a formal request with Microsoft to ask.
Steve Gibson (01:24:13):
Of course I was curious just to know whether it should be excluded or not. So I worked on it last Friday, and by the end of the evening I posted a test release of Never 11 for GRC's newsgroup gang to play with. Again, you know, I only did this because I knew it wasn't gonna pull me away from SpinRite for long, and I had it done in less than a day. Since then I've been refining my ideas for what I want it to be. I have an idea for something a bit more generic with a different, yet still fun and memorable, name, but I have a few more experiments to run first. I'm stealing time from SpinRite, which I want to be working on, and so this will be a quickie, but I think it's important enough and will help enough people that it's worth a couple of days. So I'll get it wrapped up and published shortly, and I should have something new, fun and useful to announce next week.
Leo Laporte (01:25:07):
Good, nice. I'm excited. Would you like to take a break, Leo? Yes. I thought at our last break I detected a hesitancy to move on.
Steve Gibson (01:25:15):
You did indeed. I'm gonna wet my whistle, and then we're gonna talk about the Inept Panda.
Leo Laporte (01:25:22):
Oh, I can't wait. Can't wait. Well, let's talk about privacy.com. I was using privacy.com during this show, come to think of it. Privacy.com lets you create either burner credit cards that are used once, or merchant-locked credit cards that can only be used by one person, the person who uses it first, and then that's it forever. I was sharing a credit card. So I created it at privacy.com. I set a limit. That's one of the other things you can do: you can set monthly, yearly, or per-charge limits. I set a limit, and then I said I wanna share it, and I shared it out to a family member who needed a credit card for a particular purchase, all in the knowledge that this could not be misused, which is awesome. Privacy makes basically burner credit cards, one-time or single-merchant-use credit cards. It masks, and in doing so it masks your real information.
Leo Laporte (01:26:23):
So Privacy is a good name for this. You can use it anywhere. The other thing I love about privacy.com is using it for subscriptions and recurring payments. This way you're never accidentally billed twice or upgraded to another service without your consent. You can set a spending limit with a service, as I did with this card I just created, so they can't go over that. They can't overcharge you. You can catch a gym or another subscription that you're not currently using that is still doing a recurring charge. I mention that cuz that's exactly what happened to me, and I had used a regular credit card. This was some time ago, and I wasn't able to recover that because they said, well, you should have canceled it in the first three months. I didn't notice. Now I know it. In fact, one of the great things about Privacy: it's easy to press pause on a Privacy card, on anything you don't want to continue.
Leo Laporte (01:27:11):
So instead of having to jump through complex or intentionally difficult customer service hoops and weird dark patterns, Privacy just blocks the charges and you can say, yeah, I'm done with you. You're not getting any more of my money. They'll also notify you if a charge is refused, whether because it's over the allotted amount or somebody tried to use it with a different merchant. This is really, really good stuff. I love privacy.com. They've got a Chrome and Firefox extension, so you can auto-fill if you want. It makes it very easy with one click. I love the sharing thing. This is actually the first time I've had to use it. I didn't wanna text a credit card number. That's obviously a bad idea. So you create a card on privacy.com, as I did. I named the card, I said who it's going to, and then there's a share button and I share it.
Leo Laporte (01:28:03):
And then you give them the email address. They mail it, and they don't have to have an account, but they now get access to the card in a secure fashion, which is really, really great. The account summaries are fantastic. They've just added a summary page, which means it's easy to budget. You can filter by date. You can tag every purchase or every card. That way you can easily sort your cards by category. And then under Views you're gonna see all the cards you've made. This is actually something they recently added, and I think they needed to, because those of us who are Privacy customers, and I have been for many years now, have hundreds of cards. Every time I'm gonna buy something online, I create a new card. It's just the easiest way to do it.
Leo Laporte (01:28:46):
I love it. Protect your financial identity online, protect your privacy, make life easier with subscriptions and recurring payments. Virtual cards from privacy.com. Now there's a lot more. I want you to go to the website to find out all the details, including a paid membership, which I use. I think it's 10 bucks a month, but you get 1% back, which, at least the way I use it, more than makes up for it. In fact, I make a little money back on that. privacy.com/securitynow, all the details are there. And as a new customer, you automatically get $5 to spend on your first purchase. Big fan, been using these guys a long time. privacy.com/securitynow, check it out, go sign up today. Make sure you say that Security Now part, cuz that way they'll know that you saw it here. privacy.com/securitynow. Steve, let's find out about the Panda.
Steve Gibson (01:29:41):
Oh boy. The curious agenda. I think the best way for me to begin will be to introduce Citizen Lab, the group who have carefully examined the smartphone app that everyone, and I mean everyone, attending the Beijing 2022 Winter Olympics is required to install and use. We've spoken of Citizen Lab many times in the past as their work has popped up in the security space from time to time. They're an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at the University of Toronto in Canada. Their focus is research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security. So they seem to be well named. They explain that they use a mixed-method approach to research, combining practices from political science, law, computer science and area studies, with research which includes investigating digital espionage against civil society, documenting internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security and information controls for popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities.
Steve Gibson (01:31:17):
So, you know, not really the EFF, but, you know, sort of a Canadian take on responsible citizenship on the internet. So they're perfect for this particular project, perfectly positioned to be interested in understanding the detailed operation of the smartphone app that all 2022 Olympic athletes and attendees and the press are being required to install and use. So they begin their report with a bit of background to set the stage. Here's what they said. It's certainly useful. They said the 2022 Winter Olympic Games in Beijing have generated significant controversy. As early as February 2021, over 180 human rights groups had called for governments to boycott the Olympics, arguing that holding the games in Beijing will legitimize a regime currently engaging in genocide against Uyghur people in China. Some governments, including Canada, the United Kingdom, and the United States, have pledged to diplomatically
Steve Gibson (01:32:29):
boycott the games, meaning that these countries will allow athletes to compete at the games but will not send government delegates to attend the event. The International Olympic Committee, the IOC, the organization responsible for organizing the games, has been criticized for failing to uphold human rights. In December 2021, the United States House of Representatives voted unanimously to condemn the IOC and stated that the IOC had violated, you know, and blah, blah, blah. So, you know, lots of political controversy associated, unfortunately, with something that could use a lot less of that. Skipping down, they explain: internet platforms operating in China are legally required to control content communicated over their platforms or face penalties. Vague definitions of prohibited content are often called pocket crimes, referring to authorities being able to deem any action as an offense. Such crimes are utilized by the Chinese government to restrict political and religious expression over the internet. Chat and other realtime communications platforms operating in China typically perform automated censorship using a block list of keywords.
Steve Gibson (01:33:46):
And we'll see why that is important in a minute: keywords whose presence in a message will trigger its censorship. Previous work has found little consistency in what content different Chinese internet platforms censor. However, internet platforms are known to receive censorship directives from various government offices or officials. In this report, we analyze MY2022, an app required to be installed by all attendees to the 2022 Olympic Games, including audience members, members of the press, and competing athletes. The app is multipurpose, implementing a wide range of functionality including realtime chat, voice audio chat, file transfers, as well as news and weather updates about the Olympic Games. The app can also be used to submit required health customs information for those visiting China from abroad, which includes submitting passport details, demographic information, as well as travel and medical histories. So I have to say, as I, you know, was plowing through this and being refreshed, it just sort of seemed to me unfortunate that the Olympics are being held in Beijing, but that's where they are.
Steve Gibson (01:35:30):
Okay. So according to the Chinese government's official guide on the games, MY2022 was built by the Beijing Organizing Committee for the 2022 Olympics. Public records and app store information show that the app is owned by a state-owned company called Beijing Financial Holdings Group. This app, MY2022, has a wide range of functionalities, including tourism recommendations, GPS navigation, and COVID-19-related health monitoring. One of the functions MY2022 includes is to collect a list of medical information for health monitoring, which includes users' daily self-reported health status, COVID-19 vaccination status and COVID-19 lab test results. Now I was sure that the app would be supported on Android, and I assumed it would also need to be on iPhone. So I pulled the app up in Apple's App Store. The top two hits when searching for MY2022 were the app and another generically titled Olympics.
Steve Gibson (01:36:55):
And I put both screenshots in the show notes. The official Chinese MY2022 had 14 reviews and averaged two stars, whereas the generic Olympics app had 39,000 reviews averaging just a tad shy of a full five stars, which, if anyone's ever thought about that, you know, requires that everybody pretty much give it a four or a five star so as not to pull it way lower. You know, it looks like about 4.75 out of five. Okay. So clearly MY2022, though apparently you must have it and use it, isn't really what people are getting excited about. I expect the reviews will flood in after the end of the games, right. You're not gonna review it poorly now. You're still in China. Oh, that's a good point. I'm just not... you're right, Leo. I'm not used to Big Brother looking over my shoulder. It's, yeah, it really is creepy. I would, in fact, I
Leo Laporte (01:38:04):
would put in a review that says, this is fabulous. Five stars. Love
Steve Gibson (01:38:08):
your CCP. Keep up the great work. Best thing I've used this year. Yeah. Yeah. Okay. So what do we know about the app that everyone is carrying around in their pockets for these next two weeks? Here's Citizen Lab's four-point summary, just to condense it. They said, first point: MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw. Oh boy. Where, I know, let's just start right off with the good news: a simple but devastating flaw. And remember what this thing is doing, right? I mean, it's like all of your health information, your COVID-19 status. You have to check in with it every day and blah, blah, blah, and, you know, chats and text and voice chats. Anyway, devastating flaw where encryption protecting users' voice audio and file transfers can be trivially sidestepped. Health customs forms, which transmit passport details, demographic information, and medical and travel history, are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users. What a POS. Yeah. Anyway, point two: MY2022 is fairly straightforward about the types of data it collects from users in its public-facing documents. However, as the app collects a range of highly sensitive medical information, it's unclear with whom or which organizations it shares this information. Well,
Leo Laporte (01:40:02):
that's the beauty of the CCP. You don't need to ask. That's right. They're gonna take care of that
Steve Gibson (01:40:08):
for you. That's right. Hey, it's our country. Yeah. You're a visitor. They may, to our
Leo Laporte (01:40:13):
have different standards for privacy. In fact, I'm willing to bet they do in China. So, you know, we're the crazy ones. We see
Steve Gibson (01:40:21):
people. That's true. Although we'll see here that this thing even violates China's privacy guidelines. That's so... MY2022 includes features that allow users to report politically sensitive content. The app also includes a censorship keyword list, which, while presently inactive, targets a variety of political topics, including sensitive domestic issues as well as references to Chinese government agencies. While the vendor did not respond... here's the, we're getting into the meat now. The vendor did not respond to our security disclosure. We find that the app's security deficits may not only violate Google's Unwanted Software Policy and Apple's App Store guidelines, but also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress. Okay. So for domestic Chinese users, MY2022 collects personal information, including name, national identification number, phone number, email address, profile picture, and employment information, sharing it with the Beijing Organizing Committee for the 2022 Olympics. For international users,
Steve Gibson (01:41:52):
the app collects a different set of personally identifiable information, including users' demographic information and passport information, i.e., issue and expiration dates, as well as the organization to which the individual belongs. The official games Playbook introduces MY2022 as a smartphone application for, among other things, health monitoring. MY2022 outlines in its privacy policy that it collects and uses users' daily self-reported health status (oh, I'm feeling just fine, thanks, no problems here), COVID-19 vaccination status and COVID-19 lab test results for such purposes, while the official Olympic Games Playbook outlines that personal data such as biographical information and health-related data may be processed by a list of entities, including the Beijing 2022 Organizing Committee, Chinese authorities including the Chinese national government, local authorities and other authorities in charge of health and safety protocols, the International Olympic Committee, the International Paralympic Committee, and others involved in the implementation of the COVID-19 countermeasures.
Steve Gibson (01:43:27):
Okay. So, like, right, anybody who wants it. MY2022's privacy policy itself did not specify with whom or with which organizations it would share users' medical and health-related information. So could be anyone. Similar to other China-based apps Citizen Lab had studied in the past, MY2022 outlines several scenarios where it will disclose personal information without user consent, which include, but are not limited to, national security matters (you know, and we know how broadly defined those can be), public health incidents, and criminal investigations. MY2022's privacy policy did not specify whether each disclosure will be conducted under a court order or which organizations would potentially receive information.
Steve Gibson (01:44:28):
Now here's what's bizarre. Citizen Lab examined version 2.0.0 of the iOS version of MY2022 and version 2.0.1 of the Android version of MY2022. As we know, verifying the authenticity of security certificates is one of the fundamental requirements of secure end-to-end encryption. In fact, without verifying the identity claim being made by whomever you are connecting to, a man in the middle, or anyone spoofing the server at the other end of the connection, will be able to decrypt and see everything in plaintext. Without authentication, encryption is truly meaningless. Verifying certificate authenticity is so crucial that both the iOS and Android platforms of course build this into their APIs. In fact, it's difficult to imagine this not being done. Yet despite this, Citizen Lab discovered that many of the certificates protecting the connection to the app's critical backend services and servers were not being checked for authenticity.
Steve Gibson (01:46:03):
Although we don't know exactly what each server does, the names of those certificates which are not being checked seem quite important. We had 2022 dot Beijing 22 dot CN, also T dot Beijing 22 dot CN, also Don go server dot Beijing 22 dot EN, app dot BCI dot com dot CN, and health dot customs app dot com. None of those being checked. The connections to those servers are using certificates. They are TLS encrypted, but the authenticity of the certificate being provided to the application by the remote server is never checked. It's difficult to imagine how this could be anything other than incredibly sloppy coding. And again, that's why I just said the Inept Panda rather than the malicious or the evil or the sneaky or something. I mean, it's just like, what? And the biggest problem is that, as I noted at the start of this podcast, the international Olympic Games have become attacker central.
Steve Gibson (01:47:31):
And this failing to authenticate has been all over the news since Citizen Lab reported this publicly exactly three weeks ago today. So it's not as if the bad guys A, don't care, or B, don't know. They both care and know. Adding support for the idea that this was just incredibly sloppy coding rather than deliberate subterfuge is the additional observation that some sensitive data was also being transmitted without any SSL encryption or any security of any kind at all. Citizen Lab found that the MY2022 app transmits non-encrypted data to T dot Beijing 22 dot CN on port 8099. These transmissions contain sensitive metadata relating to messages, including the names of messages' senders and receivers and their user account identifiers. Data can be read by any passive eavesdropper, such as someone in range of an unsecured WiFi access point, someone operating a WiFi hotspot, an internet service provider, or other telecommunications company.
Steve Gibson (01:48:56):
It just, it's in the clear, in plaintext. Now, being responsible and just hoping to be able to get these important oversights fixed before the games began, Citizen Lab privately disclosed their findings, you know, being responsible, to the Beijing Organizing Committee for the 2022 Olympic and Paralympic Winter Games back at the beginning of December, on December 3rd, 2021. The disclosure indicated that there would be a deadline of 15 days to substantively respond to the disclosure and 45 days to fix the issues, because the clock was ticking, right? The games are now. And let's remember that none of this is rocket science. It had to have simply been an oversight. So it would presumably take whomever had written that code, you know, and somehow failed to verify those server certificates' authenticity, you know, a lazy afternoon to add that to the existing code base.
Steve Gibson (01:50:12):
But after waiting a month and a half, as of three weeks ago, on January 18th, Citizen Lab had received no response of any kind to their disclosure. So, as they said they would, they went public with their findings. And the result of that was the quite predictable massive kerfuffle when all of this was picked up by the tech and other secondary press. The day before Citizen Lab's deadline, on January 17th, update version 2.0.5 of the iOS version of MY2022 appeared in the Apple App Store. Thinking that it might have been the awaited update which fixed the problems, and that the app's authors were just not much for chitchat, Citizen Lab promptly examined the updated application. Not only had none of the known and documented and previously reported problems been resolved, but the app had introduced a new feature called Green Health Code whose data transmissions were also vulnerable to interception and spoofing because, although encrypted, they also failed to verify the authenticity of the server's certificate.
Steve Gibson (01:51:43):
The Green Health Code feature asks for travel document information and medical history information, similar to the information they had already found to be insecurely transmitted by the app's vulnerable customs health declaration feature. And on the censorship side, according to MY2022's description in Apple's App Store, the app implements a wide range of communication functionalities, including, as we said, realtime chat, news feeds and file transfers. In previous studies, Citizen Lab found the presence of censorship and surveillance keyword lists in different Chinese communication apps that provide similar services. Bundled with the Android version of MY2022, they discovered a file named illegalwords.txt, which contains a list of 2,442 keywords generally considered politically sensitive in China. However, despite its inclusion in the app's package, they were unable to locate any functionality where those keywords were actually used to perform censorship.
Steve Gibson (01:53:04):
The people who built this app seem to be so clueless that they may have simply forgotten to engage the word filtering function, if indeed there was any. We built it in, but we didn't turn it on. Yeah. So it's like, oh, we're sorry. You know, it's in there. But whoops. Unbelievable. So it's unclear whether this keyword list is entirely inactive and, if so, whether the list is inactive intentionally. However, the app contains code functions designed to apply this list toward censorship, although at present those functions do not appear to ever be called anywhere. So who knows, we'll never know. A spokesman for the International Olympic Committee justified the app's security issues, Leo. He explained this. Hmm. Apparently, however, without understanding them at all, by saying that due to the COVID-19 pandemic (where did that originate? Oh, never mind), due to the COVID-19 pandemic, special measures (that's what it said, special measures) needed to be put in place.
Steve Gibson (01:54:23):
That's it? What? This individual also defended the... yeah, he misunderstood the criticism, obviously. Yeah. Yeah. By saying that it received approval from the Google Play Store and the App Store. Well, that's a good point. Well, okay then, fine. And adding insult to injury, as if they hadn't already been clueless enough, the IOC said a closed loop management system has been implemented. This is the IOC, the International Olympic Committee: a closed loop management system has been implemented. The MY2022 app supports the function for health monitoring. It is designed to keep games-related personnel safe within the closed loop environment.
Steve Gibson (01:55:19):
Yeah. They're responding to the wrong question. Yeah. So I cannot imagine having to install such an app on my phone in order to attend our world's Olympic Games anywhere. What's the risk? What's the chief risk, you think? So, okay. So with an app... so, okay. Apple's very good about containment, as we know. I mean, they go to great lengths to contain an app. On the other hand, we know that they're not perfect. Android has more problems with cross-app contamination. And, you know, there are things like, you know, hooking the keyboard, hooking the camera, you know, turning the device into spyware. We know, for example, that Pegasus has no problem doing that, you know, like time after time after time on iOS or Android. So I just, you know, the advice would be what we started off talking about, you know, what the FBI recommended: leave your Apple and Android stuff, leave your fancy phones home, Joe. Go to the drugstore and grab a $40 burner phone off a J-hook and just take that, so that you can take pictures and, you know, create memories and text your family and so forth.
Steve Gibson (01:56:40):
Just don't bring, I mean, it's very much like the same advice about, you know, being super careful when you're in Las Vegas, right, during Black Hat. You know, I wouldn't bring my laptop. I'd just, like, no, no, I'll just bring a Chromebook and, you know, do the expunge button or whatever it's called on
Leo Laporte (01:57:00):
the Chromebook, and don't do anything private on that phone, because it's all potentially stolen, yes, in transit.
Steve Gibson (01:57:07):
So, and, you know, stick it in an RF bag, maybe, you know, and don't let the camera see anything sensitive. I mean, really, just, you know, consider that your hotel room is bugged and your devices are bugged.
Leo Laporte (01:57:19):
It's a spy device. Really? Yeah. But the worst thing is it's not a spy device just for the Chinese Communist Party. It's a spy device for anybody who wants to use it.
Steve Gibson (01:57:32):
Yes. And the Olympics have proven to be a, you know, a target-rich environment. I mean, there's a lot of attention being put into hacking people there. It's, you know, it's like a more global version of Black Hat. And I'm gonna guess
Leo Laporte (01:57:49):
though, that the athletes there have other things on their mind, and they're probably not considering OPSEC at this point. One would hope that the people who manage the teams and who are, you know, taking care of these people would say, look... are saying
Steve Gibson (01:58:03):
you don't... do not... don't, you know, you don't wanna... your country. Yeah. So, you know, leave your phone in, you know, in the hotel room. Right.
Leo Laporte (01:58:12):
Steve, you've done it again, another great week. I'm sorry I missed last week, but hey, the good news is you can't miss a week, because we record them all and you can listen to them at any time. Steve is at grc.com. That's where you'll find SpinRite, his bread and butter, the world's best mass storage maintenance and recovery utility. Also lots of free stuff like, you know, soon, Never11 plus. I mean, what is the timeframe for Never11, you think? Oh, it'll be like, it's not hard. It's pretty easy. I've already published the first release and it's up and running. So it's there. All right. Yeah. ShieldsUP!, all that other great stuff. You can leave him a message there at grc.com/feedback. And of course, you'll find 16 kilobit audio versions of this show for the bandwidth impaired, 64
Leo Laporte (01:59:01):
kilobit for those with two ears. There also is a copy of a human-written transcription. It takes a couple of days to get up there, but that's very handy if you like to read along as you listen, or to find stuff, to do searches. It's all there, grc.com. We have the show on our website as well, audio and video, at twit.tv/sn. Of course, there's a YouTube channel dedicated to the video. You can watch it there at any time, or that's a good way to share it too with other people. If you see a thing that, you know, you want other people to know about, maybe you've got a friend in the Olympics, you might want to just take that part of it and share it. YouTube has that show. And then there's the podcast route. We make a podcast out of it.
Leo Laporte (01:59:42):
So you can always subscribe in your favorite podcast player. You'll get it automatically each week, which is nice. Please, if your podcast player allows reviews, leave us a five-star review, because we want everyone to listen to Security Now. This is a must-listen, not just for security professionals but for anybody interested in security and privacy online. We will be back next Tuesday, 1:30 Pacific, 4:30 Eastern, 2130 UTC. You can watch us do it live at live.twit.tv. You can chat live at irc.twit.tv. And if you are a member of Club TWiT, you can chat in the Discord as well. There's a Discord channel for every show, but there's also all sorts of other topics, including cryptocurrency, coding, science fiction. It's a great place to hang out. There's unique shows that we don't release to the public, like our Untitled Linux Show, Stacey's Book Club, interviews with people like Steve. Those appear on the TWiT+ feed. And of course you get ad-free versions of all the shows, which we thought would be the reason people would subscribe, but that's just one of many benefits. More information: Club TWiT is at twit.tv/clubtwit, seven bucks a month. There's corporate memberships as well. Steve, have a great week. We'll see you next time. Thank you, my friend. See you for 858 next week. 858. Wow. Bye. We're getting there. Bye.
Ant Pruitt (02:01:06):
Did you spend a lot of money on your brand new smartphone, and then you look at the pictures on Facebook and Instagram and you're like, what in the world happened to that photo? Yes, you have. I know it happens to all of us. Well, you need to check out my show, Hands-On Photography, where I'm going to walk you through simple tips and tricks that are gonna help you get the most out of your smartphone camera, or your DSLR or mirrorless, whatever you have. And those shots are gonna look so much better, I promise you. So make sure you tune in to twit.tv/hop for Hands-On Photography to find out more.
VO (02:01:44):
Security Now.