Security Now Episode 862 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte & Steve Gibson (00:00:00):
It's time for security. Now, Steve Gibson is here. There's a lot to talk about a patch. Tuesday recap coming up, Invidia gets hacked and the hackers get a lot of data out of them. We'll talk about a U E F I firmware flaw and the patch that's being put out. And then a proposal from the European union. That's just quacked. It's all coming up next on security. Now,
... (00:00:27):
Podcasts you love from people you trust. This is TWiT.
Leo Laporte (00:00:40):
This is Security Now with Steve Gibson episode 862 recorded Tuesday, March 15th, 2022: QWACs on? Or QWACs off? Security now is brought to you by collide. Get endpoint management that puts the user first visit collide.com/twit. To learn more and activate a free 14 day trial today. No credit card required and by thanks, Canary detect attackers on your network while avoiding irritating, false alarms. Get the alerts that matter for 10% off and a 60 day money back guarantee. Go to canary.tools/twit and enter the code TWiT in the, how did you hear about a box and by new Relic, that next 9:00 PM call is waiting to happen. Get new Relic before it does, and you can get access to the whole new Relic platform and 100 gigabytes of data free every month forever. No credit card required when you sign up at new relic.com/security.
Leo Laporte & Steve Gibson (00:01:37):
Now it's time for security now. Yay. I look forward to this all week, our man of the hour, Mr. Steve Gibson, what are you laughing? It's true. Oh yeah. You look forward to a vacation all week. Well, I do that also, but no, this is a, this is easily the most informative show on the network. I mean, if you wanna know what's going on in security, you know which is really the, the, the tip of the, for Al computing these days, you gotta listen. I've, I've thought about that. Like, it was 17 and a half years ago that you said, Hey, you wanna do a podcast about security and, you know, and back then it was like, oh, well, okay, what's a podcast, but also and what security, I didn't know. We like have stuff to talk about for, oh yeah. 17 and half years.
Leo Laporte & Steve Gibson (00:02:24):
Yeah. And, and, you know, actually some of the topics this week were from last week, because I wanted to stay focused on the, you know, the consequences of, of what is going on in Russia with, with cybersecurity. And I've, I've got a few things that couldn't fit in this week, which we'll be talking about week. So yes, our cup run is over yeah. With security problems. So this is episode 862 for the middle of March. And I'm looking forward to next week, cuz that's gonna be 3 22, 22, but that's next week. This is 3 15 22. And of course we missed pie day the day after pie day four. Yeah. Yes. Yep. So this one, I, I titled it Q wax on or Q wax off and those old timers among us will know about wax on wax off. We're gonna briefly touch on last week's Tuesday, both for windows and Android which of course are the world's two most used operating systems and one for desktop, one for mobile.
Leo Laporte & Steve Gibson (00:03:27):
We look at a recent emergency update that Firefox received and also the need to keep an eye out for upcoming U E F I firmware updates for our various machines. A research firm plowed into a widely used SDK used by many firms. I'll enumerate them later to develop their own custom U E F I firmware. And as we've seen before, you know, you make a mistake in the, like the, the example code, everybody just copies it. So anyway, we got a lot of copy problems which need to get patched. And, but the point is that it really does undermine the guarantees that U E I is here to provide, to keeping things from getting into, from crawling into our operating systems before they've had a chance to get booted. Also Invidia has suffered a huge and quite embarrassing network breach with some consequences for them, proton male handled, I think their Russian customers correctly. So I just wanted to give them some props, but two to NoDa did also yak actually even better. The Linux kernel has been seeing some challenging times recently. So we're gonna talk about that. And Russia has started, has decided to start signing their own website certificates. And this is one of those, what could oh boy, possibly go wrong?
Leo Laporte & Steve Gibson (00:04:53):
Research was also just published to put some numbers to my constant WordPress grumbling about addons, the a, the, a lack of security in their add-ons. We now know exactly just how bad, and I guess, you know, if I could encourage people to just use the root WordPress install and, and like try not to embellish it with all the add-ons, that would be the, the takeaway from that. And finally, the European union legislators who brought us the GDPR and mandatory website, cookie notifications are added again, oh, Q with QAC. So we'll be talking about that. And we do have a fun picture of the week from one of our listeners. And as you say, QA, Aon, Q Aon, or Q Aon, what, what could they have done now? I'm trying to find it. But I, I remember seeing on Reddit, somebody wrote an app that ran in U E I, so I think it was Wordle or something.
Leo Laporte & Steve Gibson (00:05:56):
So you, I mean, cuz there's, I guess U F E I there's enough space in there. You can put an app in there and so he's got, he's got, so you boot your computer to Wordle apparently, I guess. I don't know why, why you'd wanna do that, but you know, hopefully you can then exit yes. Go back to yours regularly scheduled O I I'm presuming there's a menu. I would hope I would hope our show date brought to you by a company new to you. But I think our listeners might have heard of, if not, I'm glad to introduce you to coli. K O L I D E collide. It's a new take on endpoint management. The reason I love it. And I've been, I've been really watching them with interest is because if you, and you know, this, if you're an it, and in this modern B Y O D world you've got users with their own devices, their own endpoints, their own laptops, and they're doing their own thing.
Leo Laporte & Steve Gibson (00:06:46):
And they really it's a little hard for it. You either kind of, sometimes you have the, the choice of coming off as a, you know, just like a, the GPO coming in here saying no, don't you can't, you know, gluing the USB ports with crazy glue and stuff like that. Or you like the easygoing nice guy that everybody likes, except that your network is full of holes. There's a middle way to do this and it's collide. And it's so nice. And this is in contrast to, you know, the old school MDM tools locking down, you know, people's devices without even, you know, talking to 'em or thinking about what their needs are or even educating 'em collide really about education. It's built by security practitioners, people like you, who in the past saw how hated MDM was, how disruptive it was for their end users.
Leo Laporte & Steve Gibson (00:07:36):
Often frustrating. 'em So much that they, the worst thing possible they'd switch to their personal devices. And then, you know, there's no protection at all and they wouldn't tell anyone just really not a good solution. Collide is very different instead of locking down a device. And I've seen some examples of this lately. It's so cool. Collide takes a user focused approach. So let's say somebody turns off two factor on on one of your, a company devices. You can actually communicate them. Kaly does this through slack. I I've seen the slack messages that say, Hey, I see you just turned off two factors. This is all automated. You know, there's a reason we turn it on blah, blah. Maybe this will make it easier for you after Clyde set up device security turns from that, you know, black and white thing to a dynamic conversation that starts with the end users installing the agent, the collide agent on their own.
Leo Laporte & Steve Gibson (00:08:29):
So you, they get by in right from the beginning through a guided process that happens right inside their first slack message. So you're onboarding a new employee or you're setting up collide for the first time. They get a slack message. Hey, welcome. Great to have you on the team. Now let's take some steps to protect you and, and you walk through it from there, Calli regularly, send employees recommendations. Anytime the device is in an insecure state, things like, you know, the screen lock, not being set up properly. So, you know, so that you walk away from your computer and people can still use it to even more complicated, maybe even more nuanced issues like asking people to secure two factor backup codes that just happen to be sitting in the download folder and blame text and is talking directly to employees. Collide is educating them about the company's policies and how to keep their devices secure.
Leo Laporte & Steve Gibson (00:09:20):
Using real examples, not theoretical scenarios. It's brilliant. It works on Linux, Mac and windows devices. It's cross platform. It's real endpoint management, but it puts users. First. If you're using slack, you gotta have collide. It's just a great way to get all of your users on, on the same team, protecting the company, protecting the network, protecting themselves, get endpoint management that puts the user first collide, K O L I D E collide.com/to, to learn more. You can activate a free 14 day trial right now, no hard required. I think everybody I've talked to who uses collide and I've seen lots of examples online now just loves it. And the users love it. And the most important thing they do it, they protect their systems. They protect you because they're part of the team. K L I D E collide.com/twit. Give it a try right now.
Leo Laporte & Steve Gibson (00:10:16):
It's this is the right way to do it. Collide.Com/twit picture the week time, Mr. G. So, okay. This is a one off or a one of a kind one of our listeners was inspired by the question that I answered the other day about how one would detect a, B G P hijack, where a, an illicit cert was obtained on the fly immediately after the hijack, in order to impersonate a website, excuse me. And of course, the way is, as I said to check the certificate's fingerprint, because the fingerprint is something that, that cannot be copied. It cannot be duplicated by someone who's spoofing it. So a fraudulent certificate with the same domain name for a, you know, affecting the, the same site, have a different fingerprint. So this enterprising individual took the current certificate fingerprints of his most important sites and created a label like for a coffee mug.
Leo Laporte & Steve Gibson (00:11:36):
So we have a, we have a, we have a coffee mug and vice white ceramic coffee mug around, which is wrapped this label. And the, the, the headline says, honey, you've left thumbprints all over my cup. And, and so he's got the, the, the certificate thumbprint for the, the bank of Tampa. Where do you imagine he lives fidelity investments, TD Ameritrade, PNC financial services, synchrony financial, the bank of America MasterCard. And as a, you know, as the nod to me, Gibson research corporation, I love it. I love it. And, and what, what, as, as I was looking at it, I was saying, Ooh, August 25th, 22 is when my cert expires. Of course, you know, notice that nobody's, that's good to know. Nobody's cert is expiring long from now. And of course we know why, because they only get a year long ones anymore.
Leo Laporte & Steve Gibson (00:12:34):
Yeah. Consequently. Yeah. Yeah. So EV everybody's 22 and 23, but anyway, I just thought this was a kick because, you know, if you were going to the site and you were concerned that maybe you were not at the right place, you could just pick up your coffee cup, you know, check the, you know, use it as a reference for the proper thumbprint for the certificate. And then baby, you are, you know, you're talking with the right people. That's pretty funny. That's great. I always, I never do the whole number, but I look at the first four in the last four. And if they match, I figure good enough. Yeah. Yeah. You know, it is a hash. And so with any hash, the chances of let's see if the first four in the last four, that's gonna be on the order of 32 bits. So that's one in 4.3 billion.
Leo Laporte & Steve Gibson (00:13:15):
Good enough chance that, yeah. That's good enough. Yeah. Okay. So we had patch Tuesday last Tuesday and you know, the world's dominant and increasingly rudderless desktop operating system, you know, windows received fixes. Boy, I I'll tell you Leah listing to Paul and Mary Jo. It's just like, well, it's called windows weekly and that's w E a K L Y I, you know, it's kind of sad cuz if you, you know, if you have a show called windows weekly, you have to use windows, but yeah. You get the feeling that maybe they're thinking, I wish I didn't have to use windows. Well, it, it is, it is Mary Jo's word, right? Yeah. I mean, so she's, that's really her thing she has to, but you really, you really see Paul like kind of like, well, you too. I mean, you have to, because it's been right.
Leo Laporte & Steve Gibson (00:14:06):
It's a windows product. And so you have to use windows, but boy, Lennox just looks better and better as Microsoft keeps making these mistakes. And Leo, this is not in the news today for me, but they're now experimenting with ads. Oh, ads. Yeah. An Explorer to, yes. Yeah. I saw that. Oh. And it was just like, what stop, what you don't make enough money. Is that it? Is that the problem Microsoft? I know. And I just, you know, I'm talking to you on, on a brand new win 10 set and you know, I had to remove candy crush, soda saga. Oh yeah. It's like, what, why is that? This is in my start menu. Yeah. What is wrong with these people? Yeah. Yeah. Anyway had they, they fixed 70 Y yes. So I was just thinking the same thing I was thinking, you know, I mean, if anyone should be moving to Linux, it's, I, I should be moving to Linux.
Leo Laporte & Steve Gibson (00:15:00):
But there, I, I do, I do have many things that are windows only. And you know, for example, the, the next development platform I'll be switching to for spin right. Seven I'll be spin. I'll be running on a little custom 32 bit realtime operating system in order to get dual boot of, of U over U E I and bio so that it can run either way. Well, it supports remote debugging, which is the only way to debug, especially on a little turnkey, our toss, you know, it's not gonna have a full desktop environment, so I'll need to be reaching over to that machine to, and, and debugging on a separate machine. That's visual studio. That's what it supports. It doesn't support other, you know, Linux hosted environments. It's visual studio on windows specifically. Well, yeah. And you couldn't do a, if you're gonna do a security show, you have to be on the insecure operating system.
Leo Laporte & Steve Gibson (00:16:05):
So you can talk about it, I guess. Yeah. Yeah, yeah. And you can secure yourself, you know, you can get rid of candy crush soda. Oh, I'm it. It's no, it's not the security that I'm worried about. I'm Leo, I'm running on windows seven. It's, security's not a problem. It's just the annoying things they do. Yeah. And you know, Paul was complaining that he'd been writing a book for several years. His windows had been watching him writing this book yet when he searches, he uses the search for the books title, trying to find some documents relative to it that are like named that be, gets Bing results from the web. It's like what? It was like some steakhouse it's like long. Oh. Or I get, oh, he was writing about long haul, long he steakhouse Longhorn steakhouse was it's like, Hey, windows, there's files named Longhorn right in front of you.
Leo Laporte & Steve Gibson (00:16:57):
That's what I'm trying to have. You help me find no. How would you like your stake? Rare media. Rare. Yeah. Oh yeah. Anyway. It's so, yes, not for security, but we're gonna talk about security eventually here. Okay. So last week windows fixed 71 known flaws. Three of which had been publicly disclosed, none which were exploited, but of course, Microsoft calls these zero days because someone surprised them about them. Two of the three do, did have public disclosed exploits and their remote code execution. So again, you know, the advice is always gonna be update as soon as you can. 29 of them were remote code execution. 29 of the 71 were RRCs 25 elevation of privileges, six information disclosures, four denial of services, meaning that you can crash something and then you don't, it won't serve you. And then three, each security feature bypass, which is so generic, it's annoying security feature bypass.
Leo Laporte & Steve Gibson (00:18:09):
GE is, is isn't that everything. Anyway. And then we have spoofing vulnerabilities, three of those. And then, oh, on top of that, we did have 21 problems identified and fixed in Microsoft's chrom based edge browser. And I always kinda wonder, cuz we're not told if those are things Microsoft did to Edify it, or if those are in the chromium core and they're just, you know, fixed because everybody who usings chromium got those 21 things fixed. We don't, you know, it's not clear from what Microsoft is saying. So anyway, I trust everybody is patched their windows and gone through their update cycle. Last time it happened for me, I had to switch computers because it stopped being fast enough to to run zoom. I'm liking this one by the way. And the pictures really good are using the same camera or everything's the same.
Leo Laporte & Steve Gibson (00:19:03):
Yeah, same, same. It's really good. So higher. Well and quality I can even see. Yes. I could even see that the qual, the image quality higher and the refresh rate is better. So, so it was, it was bogging. That's all. It was just I'm sure. Old machine too slow I'm sure. Okay. Also, as I said, Android the most severe issues fixed there was a critical security vulnerability in Android's system component that could lead to remote code execution with no additional privileges needed and no user interaction. So, you know, those are the things that, that like the people who are trying to get into other people's phones in targeted attacks are trying to use. And of course Android is the, is the, the majority mobile platform on the globe. So update Android also as always just over a week ago, my Firefox browser jumped to update and restart itself.
Leo Laporte & Steve Gibson (00:20:04):
Like, you know, it just runs statically over on my left hand screen all the time and it's sort of my reference browser. And so it's rare that I see it say like, you know, waving at me, Hey Gibson just restart me. And so I did and that was to eliminate a pair of high impact zero day vulnerabilities, both of which it said we're being Mozilla said we're seen actively exploited in the wild. And that's a little bit of a rare thing for Firefox, you know, because it's a little bit of a rare browser, you know, increasingly rare these days, everybody's kind of gone chromium ized, but bless their hearts, not Mozilla. So there were two CVEs issued for these two zero days. I mean, these were like real zero days, right? They were found being actively exploited 20 22, 26, 4 85 and 4 86. They're both once again used after three flaws impacting the extensible style.
Leo Laporte & Steve Gibson (00:21:12):
Oh my goodness. Style sheet. Sorry. Style sheet. I like extensible style sheets. I don't, this is hard to say against them. Yeah. Extensible style sheet language transfer. Oh, Leo speak hard. Say, wait till we get to the Russian Kremlin gremlins. There's a tongue twitster. Oh boy. Oh, I the style sheet language transformations, X S LT parameter processing, and the web GPU easily said inter process communication. The IPC framework is this XSLT is an XML based language used for the conversion of XML documents into webpages or PDF docs which Firefox can do. And this web GPU is the emerge standard. That's expected to sub to supplant the current web GL JavaScript graphics library. Both of those had problems. In the case of this X S LT. It was found that the removal of an X, an X S L T parameter during could lead to an exploitable use after free flaw.
Leo Laporte & Steve Gibson (00:22:32):
And the problem is this could be done remotely. You know, and as for this use, after free as is often the case we were talking about this recently with dynamic memory management, a reference count is kept by the memory management system on behalf of the programmer so that they don't need to worry about it. And, you know, so that, you know, that that frees the programmer from needing to do any kind of reference counting manually. And it's a convenience that the so-called garbage collection is done in the background without the programmer needing to bother. But the only way the system knows it's safe to release and free an object that had been allocated is if, and when that objects reference count drops back to zero. So the, you know, the first time it's, it's, it's the, the first ins sense of a reference, or actually EV every instance of a reference increments, the reference count.
Leo Laporte & Steve Gibson (00:23:35):
And, and so once there are no more references in context, the garbage collector says, oh, okay, nobody else is using this. I'm gonna let it go. The problem is, this is, and it's cool, but it's one of those inherently brittle technologies, you know, it's great when everything works exactly right, but mistakes are very difficult to spot. And normally it's the kind of thing that needs to be seen happening, which is why these problems generically these use after free problems keep recurring. And I guess if, if our listeners wanted to explain the trouble to some non-techy they could say that use after free bugs, which can sometimes be exploited to corrupt data and execute an attacker's code arise from a confusion over which part of a program is responsible for freeing the memory. So, you know, that's sort of that that's in a nutshell, that's the problem.
Leo Laporte & Steve Gibson (00:24:40):
And again, modern languages doing more for their programmers behind the scenes, but when they make little mistakes, they can be leveraged. So the other use after free glitch, cuz these were both that was caused by an error when processing messages in the web GPUs interproces communication framework, a remote attacker could trick it, their victim into opening a specially crafted webpage trigger this use after free error and execute arbitrary code on the victim's system. And Don, as I mentioned, this XSLT vulnerability was exploitable in the same way, just opened the wrong webpage and BMO. So last week you would've wanted to be at Firefox 97.0 0.2, which is what it updated me to. But just now when I checked, it wanted me to restart, which I did, which moved me from 98 to 98.0 0.1 on the desktop. So you might wanna check if you're using Firefox to make sure that you're current, again, more, almost certainly targeted attacks.
Leo Laporte & Steve Gibson (00:25:56):
Remember the so-called watering hole attacks where, where a something is done to lure a targeted victim to a website in order to get them compromised. So sort of a variation on, on, on fishing, but thus called a watering hole. Right. so anyway, Firefox we've talked a lot about the surprisingly daunting challenge of booting, a computer while maintaining true provable security, but this really should not be that surprising when you think about it, the reason computers have been such an incredible breakthrough and Bo for mankind is that they are so flexible. You know, it's a machine that follows instructions, the trouble arises because there's no way for it to know whose instructions it's following. It doesn't care. And it that, you know, it's limitless vulnerability rises from its incredible flexibility. And in security, we have this concept of a chain of trust where that chain is anchored by a root of trust.
Leo Laporte & Steve Gibson (00:27:16):
And this applies to booting up an operating system. If the operating system is signed by its publisher, any single bit that's changed will break the signature, which is just a, which is just a, my goodness, which is just a signed hash. So the theory is the systems firmware simply needs to load the code that's been signed and then verify the operating systems cryptographically secure signature before it turns control over to it doing that. We'll prevent anyone from modifying the operating systems code. You know, not one bit can be changed cuz the, the, the code gets hashed and signed and a bit will completely change the hash, which Leo is why you and I only check the first four digits first and last four digits. It's like impossible for the like majority of them to be changed. In fact, we know if you change one bit on average, half of the bits in the hash will be changed.
Leo Laporte & Steve Gibson (00:28:21):
So that's our strategy anyway, so the concept is good, but the question is if the U E I is performing that work, who's making sure that it's doing it right on one hand, having the systems start up firmware code being firm and not hard creates a vulnerability because that means it can be altered on the other hand, since we appear to be unable to get it right, if it's firm, it can at least be improved when problems with it are inevitably found as they have in this case been. So the good news is there are people who are focused upon improving the situation firmware at the beginning of last month, a group of researchers from the firmware protection company, Bly discovered a raft of critical vulnerabilities in the so-called inside H two O and that's I N S Y D E inside H two U E F I firmware.
Leo Laporte & Steve Gibson (00:29:29):
It is a cross vendor firmware used by many computer vendors, including Fujitsu, Intel AMD, Lenovo, Dell, Asus, HP, Siemens, Microsoft, and Acer. So like, right. That's like who doesn't use them. And so, and actually I think that's a good, I, that, that, that that's a good thing. Bly found 23 flaws in this inside H two oh U E F I firmware kit. Essentially, most of them occurring in the software's system management mode code, which provides the system-wide function such as power management and hardware control. Since the system management mode privileges inherently exceed those of the OS kernel, which it is responsible for booting, any security issues. There can have severe consequences for the vulnerable system. The flaws that were found in this inside H two oh firmware can collectively, and, you know, individually be used to invalidate. Many hardware are security features, including secure boot and Intel's boot guard to install permanent and persistent software that cannot be easily erased and to create back doors and back channel communications to steal sensitive data.
Leo Laporte & Steve Gibson (00:30:58):
You know, as, as we've talked about this whole, this baseboard processing now there's, there's a whole processor separate from the Intel chip that we stick in a socket when we decide, you know, which model that we want that runs the motherboard and all of its things. And it's very capable. So, as I said, there were 23 flaws found with three of them obtaining CVSs scores of 9.8. So this is in the, in the, you know, in the, the base band processing firmware by Lee's disclosure report explained that the root cause of the problem was found in, as I mentioned at the top of the show, the reference code with inside H two OHS firmware framework. In other words, as we've seen before, in other contexts, all the manufacturers derive their own firmware from insides, firmware, SDK reference code to develop their customized U I firmware.
Leo Laporte & Steve Gibson (00:32:01):
And, you know, that's certainly reasonable. They bought a license to do so. That's what they did. No reason to recreate the wheel. The chances are when you do, you're gonna make mistakes. So that's great. And so, frankly, I'd rather have everyone working from a common code base than each rolling their own since getting this exactly right, is crucially important. And when it's fixed for one it's fixed for all inside software has released firmware updates to fix all the security vulnerabilities that were identified by Bly. And they've published detailed bulletins to assign severity and descriptions for each flaw. So all of the people using their kit, hopefully there are engineers right now that have been like going, you know, working through this and working to update the firmware across all their products. Of course, we always have the problem them of, you know, this in, in the inside UFI stuff, having been around for a long time and products going out of support and no longer receiving far more updates.
Leo Laporte & Steve Gibson (00:33:09):
It's, you know, it's difficult to require everybody to support everything forever. So they're, you know, these are really bad and now they're becoming known. So being individually, individually customized firmware on a per product and per manufacturer basis, they all have to be created adopted, incorporated, you know, downloaded, installed every single vendor needs to do this. And that way, it's a little bit like the log for J mess where, you know, the, it, it is something core to many different products and, and publishers. So this is why I said to the top, we can expect to see important firmware updates coming from many of our hardware vendors. And I'm not suggesting that this will be a widespread attack or that, that will result. It's very likely that these would be used. You know, these, these are gonna be sophisticated, targeted attacks.
Leo Laporte & Steve Gibson (00:34:19):
You need to get onto the system first. Then these are being used to achieve persistence, you know, getting down into the firmware. So I, I did not look in detail to see what three of these things had a 9.8, but it is possible that this could be exploited remotely because there, there is a now management technology in some of these motherboards, which allows, you know, re remote over the network management of them. So that may be why they're at 9.8. Still just makes sense to keep your firm more updated. And then in addition to this on top of these 23 problems last week, HP disclosed an additional 16 high impact U E F I firmware vulnerabilities that binary had found, which affect multiple HP models. And HP is, you know, a user of inside also, and that included laptops, desktop computers, point of sales systems and edge computing tools.
Leo Laporte & Steve Gibson (00:35:26):
These flaws allow malware to survive hard driver placement and operating system reinstallation. So anyway, a long time ago, we talked about how root kits are able to hide in plain sight by doing something as simple as hooking and operating systems directory, listing API, to simply remove references to any of its own files from the list. You know, so you do a du or any of your programs do a, and they don't see any of the files that are sitting in the directory right in front of them. I remember it was, it was the Sony root kit that we talked about in back that's way, long time ago. And it's just unnerving just to imagine that something that simple, you know, I mean, it just, it shows how much we assume that our operating system is doing what expect and, and what it should, where in, in fact, as I said, because software is infinite, infinitely, flexible, it's so easy for it not to be working the way we want it to.
Leo Laporte & Steve Gibson (00:36:27):
So anyway, you know keep an eye on firmware updates and a huge thanks to Bly for digging in, to taking the time to dig into insides, U E F I offerings and you know, and help make our stuff better. This seems like U E F I be a really a good vector for attack because it's basically a mini operating system that runs before your system. So, and it's persistent as you point out it has a file system. Yeah. They can do anything. It's turning complete. I mean, it's a C it's written C and it's it's basically, if I were gonna be a bad guy, that would be the best place to put malware, cuz it would survive a, a reinstalling, everything wouldn't survive a yeah. But usually lives on the hard drive. Right. It would, would not survive a complete nuke of the hard drive.
Leo Laporte & Steve Gibson (00:37:19):
No, no it it's in the it's firmware. It's firmware. Yes. I, you know, for there's a U a I partition though on the drive that also contains code. Yes. And so, so that could be a problem. Although these guys specifically said this ISNT, this would, this would survive a hard driver placement. Oh, all right. So it is in the firmware. Wow. Yeah, yeah. Wow. Yeah. Nobody wants that. Yeah. Yeah. But what Leo they do want is they wanna know about the Canary. I know what they want. I, I know they, this is it. This is it. This is the thing you need for ultimate security of your network. You need a honey pot. I think we, you know, we talked about honey butts on the show practically since day one, I think we said was day two that we talked about the honey monkeys. The idea that you could put something on your network that doesn't doesn't look vulnerable, looks valuable, looks like something bad guy might want to attack, except it is not what it appears to be.
Leo Laporte & Steve Gibson (00:38:17):
Now it's a pretty sophisticated thing to create a HPO on your own. But look at this little appliance, you can just it's look, it's got a little ethernet Jack. You just plug it into the network. And now this, this device can look like almost anything to an attacker. Mine set up to look like a Sonology NAS, which means it has the login page. Exactly. Right. It has the Mac address. That would be a Sonology Mac address in no way. Is it, is it in any way, distinguishable from a real Sonology NAS, it could be a windows server, a Linux server. It could be a gate device. It could be almost anything you could put it on. The, you could put on your on your directory so that you know your active directory so that people, when they're searching, you know, look, here's the problem.
Leo Laporte & Steve Gibson (00:39:09):
Bad guys. Get on your network. And they don't announce here. I am. They don't set off ran. And where that day they hang out, they browse around. We see this more and more now just happen to Invidia. Yeah, they got the ransomware, but they also downloaded terabytes of data. First they browse around, they look around, they look for weak points. They look for where you back data so they can make sure that gets encrypted by the ransomware to on average, on average, bad guys, hang around in the network for 191 days before they're detected it on average a hundred. That's almost, that's more than six months, more than six months that your network has been penetrated and you don't know it. That's why you need something like this. This is an early warning system. It's well name. It's a Canary. It's your Canary in the coal mine.
Leo Laporte & Steve Gibson (00:40:00):
So when the bad guys get on the network, they're looking for things like documents. They can exfiltrate, you know, they want payroll information. They're looking to file service file shares. They'll try default passwords against network devices and web services. They'll scan for open services on the network. They're gonna find the Canary, but they're not gonna know it's a Canary. It could be a, a router. It could be a switch. It could pretend to be a, a Linux box. You can light it up like a Christmas tree, turn on all the services or be a little cany. Only turn on a couple of services, right? The minute an attacker attacks, the Canary lets you know, and you know, somebody's in the system. Boom. In fact, you can even create with this little files, they call 'em Canary tokens that you could sprinkle around the system PDFs and, and document files.
Leo Laporte & Steve Gibson (00:40:50):
I have some PDFs. I have some Excel, XLS files, some spreadsheet files that say things like employee, payroll, roll information, things like that. They look, they look valuable, but as soon as they double click 'em they try to open, 'em download, 'em touch 'em in any way. Boom, I'm gonna get a notification of the canaries are great. They'll notify you in any way you want. And you, and by the way, you get an actionable alert. You don't get a thousand alerts. You get an actionable alert, email, text message. You can set up, you can, you get a console when you get your canaries, you can use slack. It supports web hooks. So it supports anything that supports web hooks CIS log, it supports there's an API. If you wanna write your own custom software. So you really, you can find, you know, you you'll get notified. However, works best for your workflow. Canary was created by some interesting people.
Leo Laporte & Steve Gibson (00:41:44):
People who've made their business training companies and militaries and governments, how to break into networks and they've taken knowledge, the experience they have and they've put it in the Canary. You'll find the canaries deployed all over the world. It's really you know, all security is layered. There's no one silver bullet. We know that, but boy, if you don't have this, you don't have some, this is real intrusion detection and very affordable. I'll give you a example, go to canary.tools/twit. If you wanted five canaries, now, some banks will have hundreds. Big, you know, big networks might have thousands. You might have half dozen. If you wanted, let's say five canaries, 7,500 bucks per year, you get your own hosted console. You get upgrades, you support, you get maintenance for that whole year. You sit on your Canary, you break it, you step on it.
Leo Laporte & Steve Gibson (00:42:39):
It gets melted, whatever. They'll send you a new one. That's part of the deal. And actually I'm gonna make you an even better deal. If you use the word TWiT in the, how did you hear about a boxer? Get 10% off that price forever for life. And, and, and course I understand. I mean, you don't know these guys, so they offer a very good two month money back guarantee for a full refund, 60 days, plenty of time to try it, you know, see what happens. This thing is awesome. This everybody should have canaries on their network, canary.tools/twit. If you wanna know more about people who use canaries and love them, they've collated a bunch of tweets from people at canary.tools/love. But for, to, if you, if you're ready to buy canary.tools/twit, don't forget the offer code TWiT and the, how did you hear about a box 10% off for the life of your canaries canary.tools/twit.
Leo Laporte & Steve Gibson (00:43:38):
This is peace of mind. This is such a great idea. We thank 'em for their ongoing longtime supportive security. Now they're big believers back to Steve. So Envidia suffered a serious net work breach last month. The hacker extortion group by the name of lapus lap, S U S then with an extra dollar sign appended to the end claims to have exfiltrated and all evidences. They probably did about a terabyte of Invidia's very proprietary data during the attack. They extorted them Invidia said go away. So they began leaking Invidia's data online. As I said, after Invidia refused to negotiate on February 23rd emails and NTLM, you know, NT land manager, you know, windows, password hashes for 71,335 Invidia employees were leaked on the internet. Now this was a bit puzzling since Envidia currently has only 18,975 employees. But the hackers claim to have had deep total access to Invidia's system where they said they roamed around for about a week.
Leo Laporte & Steve Gibson (00:45:09):
And so the presumption has been the leak credentials include, you know, deep past employee files as well, which would explain the, the high count. Then four days later on February 27th, that hacking group lap us claimed it had been, you know, digging around for a week. And for some reason made a point of clearly stating that they are not state sponsored and that they are not into politics at all in caps on the, at all. So, you know, such as the world we're in today, Troy hunts have I been PO site now has the leaked data and noted that many of the hashes are being cracked and circulating within the hacking community. So I'm sure that Envidia is, you know, has already, you know, made sure that all of their employees have changed their passwords because otherwise that would even be worse.
Leo Laporte & Steve Gibson (00:46:14):
Lapses also stole. I mean, apparently they just got everything. Think about it. I mean, we, we just glibly talk about a terabyte here, a terabyte there, but that is a, that is a tr a trillion bites, a thousand billion bites of data. So it's probably everyth and among the, everything was some Nvidia expired driver signing certificates. And what's confusing to me is that the reports are, and they've been confirmed by, you know, many outlets. They, these expired driver signing certificates were immediately put to use signing malware components in order to get them past antivirus and windows, own driver signing protections so expired. What's not, at all clear to me is why windows would load any driver signed with an expired certificate. But apparently it's doing that. You know, code signing works differently from TLS, you know, web server certificate signing. The reason for the difference is that servers and clients, web servers and clients are by definition, always online and talking to each other and servers are thus, always able to present a certificate that's current valid.
Leo Laporte & Steve Gibson (00:47:49):
So that's what we force them to do, but that's not the case with code, right? A driver might be signed 10 years ago. And the certificate with which it was signed will have long since expired, you know, that, that particular certificate. So we will want drivers to be valid in the future, even if a machine is not online. It, you know, so there's no like online OCS P style verification. And the point is, was the certificate valid when it was signed. So that's what we did. We solved this problem by chain changing the requirement, the validity requirement for code signing. We require that code is signed by a certificate that is valid at the time the code was signed. But that means that we need to know when the code was signed. And that information is incorporated by hiring co-signing of the certificate by a valid certificate authority, which offers a timestamping service.
Leo Laporte & Steve Gibson (00:49:00):
So at the time the code assigned the signing computer obtains, a certified timestamp from a timestamping service, which is all bundled in to the final signature. You know, so it's sort of like having an online notary saying, yes, here I am. I'm, I'm asserting that this is the current date and time that all of this is happening. So this attest to the time that the signing was done now, bleeping computer showed the digital signatures property page of a piece of malware signed with NVIS expired cert. It shows that there was no timestamp included. And in fact, you don't need to include a timestamp. It's like what, you know, that is to say the act of signing doesn't require a timestamp, but the, the entity trusting the signature is supposed to require it. I mean, that's the whole point, but all I can guess is that for the sake of comp had ability, Microsoft doesn't enforce timestamping for at least some uses.
Leo Laporte & Steve Gibson (00:50:18):
And some apparently includes kernel drivers because that's what was being signed by these expired envious certificates. You know, they've immediately been blacklisted. There are now, you know, we, we will not trust anything signed with these expired certs, but boy, you know, it took somebody using them maliciously to make that happen. Which to me just seems crazy. But anyway, that seems to be what's going on. And also on March 1st, the lapses group demanded that Invidia open source, their proprietary drivers for windows, Mac, and Linux. In the, I have a picture in the show of their ransom demand. They on dated March 1st, it says after evaluate, this is lapses talking the bad guys after evaluating our position. And Invidia's, we decided to add one more requirement. We request that Invidia commits to in all caps, completely open source and then a brand and distribute under a false license, closed brands.
Leo Laporte & Steve Gibson (00:51:37):
They're GPU drivers for windows, makos and Linux from now on and forever. If this request is not met all on Friday, we will release the, and now we have in caps, complete Silicon graphics and computer chip set files for all recent Nvidia GPS, including the RTX 30, 90 ti and upcoming revisions ex point. And they say, of course, this includes all files with extensions, such as V VX and VG and more. And so they finish. So Invidia, the choice is yours. Either one officially make current and all your drivers for all cards, open source while keeping the verlo and chip set trade secrets. Well, they said secret or not make the drivers open source, making us right there, being made to release the entire Silicon on chip files so that everyone not only knows your driver's secrets, but also your most closely guarded trade secrets for graphics and computer chip sets too.
Leo Laporte & Steve Gibson (00:53:02):
You have until Friday you decide, oh Lord, I know now this do V dot VX and.vg file extensions are for verlo, which is the hardware description language. You know, the HDL used to model electronic systems. It's the most commonly used in the design and manufacturer of integrated circuits. And it has become an industry standard standardized as I E E standard 1364. This means that these guys have the designs of NVIDIA's chips, which yes, Envidia certainly in 10 ended to be, you know, kept inside. And you know, while at first this seems a bit breathtaking. It's unclear what real value those would be. I mean, maybe there's proprietary stuff that could be reverse engineered out of them, but no, or reputable Foundry is gonna make Invidia, clone chips. You know, they'd be litigated into non-existence for one thing. And well, I was thinking about this, maybe Russia would, except that Russia doesn't have the process technology to make any state of the art chips.
Leo Laporte & Steve Gibson (00:54:22):
They're unable to do it. So video's designs will be of little use to them. Last year Invidia also came up with a technology known as light hash rate or L R, which reduces the value of its GPUs for cryptocurrency mining. Their aim is to make a very powerful graphic processor, but one which would not be very good at crypto mining in order that, you know, gamers can actually have a chance to buy some of these things rather than them all being sucked up by, by the crypto miners. And apparently this also annoyed the hackers who have said they want the hash rate limiters to be removed from the chips. So, you know, my feeling is mostly, this is a huge embarrassment for Envidia. And it is a perfect example of just how much damage can be done when all of a company's proprietary value takes electronic form as Envidia is, is, and thus can be downloaded, shared and unfortunately escape from their control. Wow, by the way, I just wanted to show you something that came up in the discord. I Stella, did you see this in crystal city, Virginia, instead of telling you when it's safe to cross the street, the, the walk signs in crystal city, Virginia are telling you, change your password, change your password, change your, I have to turn on the sound, but clearly somebody got
Speaker 2 (00:56:00):
Change, password Change
Leo Laporte & Steve Gibson (00:56:06):
Password, clearly somebody that's brilliant. Somebody got into the system, and instead of being malicious, they just thought they'd have some fun, which I think is great. Yeah, I think it's actually wonderful. It's a little bit of a Rick roll. Exactly. I mentioned that I wanted to just give proton mail, which I know is a very popular email service among our listeners a, a bit of a thumbs up last week. You know, I grumbled about name chiefs unilateral, and I, I felt questionable decision to dishonor their previous prepaid commitments to their DNS domain registrants who were at the time given one week to find another DNS provider before their name, name reg resolution would be summarily terminated. I think proton male did the right thing. Thanks to bleeping computer who was able to who actually one of their, I, I think one of their employees is a proton male user who received a notification preemptive notification from proton male that said, dear proton, community mail, as you may have heard MasterCard visa, American express, PayPal, and numerous other financial institutions have announced that payments into and out of Russia will soon be cut off.
Leo Laporte & Steve Gibson (00:57:35):
And they said Perez, if this hasn't happened already, this means paying for your proton subscription with your payment method will likely soon be impossible. While many companies have announced that they will no longer serve Russian customers at proton. Our mission is to defend online freedom everywhere. We remain committed to serving the people of Russia for as long as possible, the present difficulties. However, take some time to resolve. If you are a proton subscriber, we suggest renewing your subscription or purchasing credits before all forms of payment are cut off in the coming days. We are committed to not cutting off any users in Russia for financial reasons, for as long as possible. During this difficult time, if you're able to use alternative payment methods, your support will ensure that we can continue to serve the Russian people in many years to come thank you again for supporting our mission best regards the proton team.
Leo Laporte & Steve Gibson (00:58:39):
And they also in this provided a list of alternative payment methods in including cryptocurrency that could be used by Russian users to renew their subscriptions. So, you know, I thought that was a, you know, although yes, it's a little self-serving they're saying, Hey, you know, pay in advance quickly for if you don't want services to be cut off. You know, that, that to me, that, you know, their heart was more in the right place than name cheap. I'll also however that separately for those based in Russia Belarus or Ukraine, another encrypted email provided to Denota has offered to renew subscriptions free of charge for users, unable to make payments in the, during the current situation. So, you know, some companies are doing the right thing.
Leo Laporte & Steve Gibson (00:59:30):
Linux has been having a rough time of it lately. The last year has seen this ever more popular server and desktop operat system hit with revelations of multiple high profile elevation or privilege vulnerabilities. There have been problems in Lennox's. I scuzzy subsystem in the kernel in the extended Berkeley packet filter. And as we talked about at the time in the policy kits, pull kit at PK exec component, and there have been two additional recent problems. The first bears, the unfortunate name, dirty pipe and was discovered by a guy named max Kellerman who discovered mostly by accident. Well, okay. Something happened by accident. His, his actual discovery was certainly not that, but this occur, this event was an accident. It was an important locally exploitable vulnerability, which was introduced into the Linux kernel at version 5.8 because the exploitation of the flaw allows overwriting data in arbitrary read only files.
Leo Laporte & Steve Gibson (01:00:51):
It could be put to some very creative and not generally beneficial use leading to privileged escalation because unprivileged processes could be able to inject code into root processes. So in some ways, this is reminiscent of the 2016 dirty cow Linux vulnerability though. This one is EV E even easier to exploit, but it does explain, although it doesn't this vulnerability's name, dirty pipe. So in Max's original posting he explains how this all began. And I'll just share the beginning of this cuz it was lengthy. He said it all started a year ago with a support ticket about corrupt files, a customer that the access logs they downloaded could not be decompressed. And indeed there was a corrupt log file on one of the log servers. It could be decompressed, but G reported a CRC error. He said, I could not explain why it was corrupt, but I assumed the a nightly split process had crashed and left a corrupt file behind.
Leo Laporte & Steve Gibson (01:02:09):
He says, I fixed the files. CRC manually closed the ticket and soon forgot about the problem. He said, months later, this happened again. And yet again, every time the files contents looked correct only the CRC at the end of the file was wrong. Now he said with several corrupt files, I was able to dig deeper and found a surprising kind corruption, a pattern emerged. Okay. So then max goes on, as I said, a great length to explain how this kept nagging at him until he finally had to sit down and get to the bottom of it after a great deal of analysis and experimentation, he finally figured out how to the file corruption bug to occur at will. That was the key. Max wrote all bugs become shallow once they can be reproduced. And of course that is, you know, that's any software developer's dream is to be able to reproduce the problem.
Leo Laporte & Steve Gibson (01:03:17):
You know, as I I've referred to mu other boards that I've been purchasing old mother boards off of eBay because you know, one of our, or, or several of the people testing spin, right. Will all have a really weird problem. And know, for example, just to, just to segue for a second, we've got one mother board, which will not run, been right from USB, but if you copy it to the hard drive, it'll run it from there. If you copy it to a Ram disk, it'll run it from there. But it, it actually won't execute it from the USB drive. Nobody else has this problem, but this one particular gigabyte motherboard has the problem. The I actually found an instruction that would not execute from USB. It's insane. But anyway as I said, if you could reproduce a problem, you can fix it.
Leo Laporte & Steve Gibson (01:04:13):
I did reproduce it and I did fix it even though I don't understand it, but now it works. Anyway, max then tracked it down to the bug which he located in the Linux kernel. He then checked Linux 5.1 0.0, which is the Debbie and bullseye build, which had the bug, but the bug was not present in the previous Linux 4.19 Debian's Buster. Those two releases were separated. I hope you're sitting down Leo. Those, those successive Linux releases were separated by 185,011 get commits. Wow. Oh baby. But you gets various tracking tools. He was able to locate the one commit Hmm. Made nearly two years ago on May 20th, 2020, which introduced this very subtle bug into the Linux kernel that change refactored Linux pipe, buffer code for anonymous pipe buffers changing the way the mergeable check is done for pipes and in doing so introduced an extremely subtle flaw.
Leo Laporte & Steve Gibson (01:05:36):
The, the vulnerability has been fixed in, in that one in Linux 5.10102 5 15 25 and 5 16 1. So that was what max found. The first of the two problems, then two research at Huawei discovered a vulnerability in Lennox's control group's feature, which allows attackers to escape containment, to escalate privileges and execute arbitrary commands on a host machine. Now Linux control groups or sea groups, as they're known, allow CIS admins to allocate computing resources such as memory, bandwidth, and such among whatever processes might run on a system. These sea groups provide fine grain control over allocating, prioritizing, denying, managing, and monitoring system resource horses. This means that sea groups can be a powerful tool for control and security within a system. And in fact, they're used by containers like Kubernetes, a feature known as the release agent file allows administrators to configure a release agent program am that would run upon the termination of a process in the C group.
Leo Laporte & Steve Gibson (01:07:04):
That meant that attackers who were capable of writing to the release agent file could exploit it to gain full admin privileges and Linux. Wasn't checking that the process setting the release agent file had admin privileges. So basically a very simple problem, which through a chain of complex features ended up being exploitable and all of this amounts in this case to a container scape. As I mentioned, for example, within a Kubernetes environment, which would provide attackers with access to other users containers in public cloud environments and were not finished with Linux yet yesterday, another just disclosed security flaw came to light. This one can be averaged by a local adversary to gain elevated privileges on vulnerable systems to execute arbitrary code, escape containers, or induce a kernel panic it's CVE 20 22, 25, 6 36 with an a CVSs 7.8. It impacts Linux kernel versions 5.4 through 5.6 point 10.
Leo Laporte & Steve Gibson (01:08:25):
It's the result of an out of bounds, right? In other words, a buffer overrun in the heap of the li of the kernel's net filter component, the flaw was discovered by a guy named Nick Gregory. Who's a researcher with capsule eight red hat explained that this flaw allows a local attacker with a user account on the system to gain access to out of bounds memory, leading to a system crash, or a privileged escalation threat. In addition to red hat, similar alerts were have been released by the maintainers of Debbie and Oracle Linux Susi and Ubuntu Lennox's net filter is a framework provided by the Linux kernel that enables various network related operations like packet filtering Nat and port translation. The problem results from incorrect handling of hardware offloading that could be weaponized by a local attacker to cause a denial of service or possibly execute arbitrary code.
Leo Laporte & Steve Gibson (01:09:32):
The idea of hardware offloading is that there are a number of things associated with sending a re sending and receiving network packets that are very simple to do such as calculating a packet payloads check sum. And so they're a waste of the processor's time. They are time consuming like you a check sum, you've got to do math on every single bite that's going down the pipe and then just, you know, and just dump the sum of them there. What happens is when you have a, a, a Nick, which indicates that it's able to, to automatically do check summing, then the sum off, or just skips that completely. And the, the Nick hardware itself P plugs the proper check sum into, to, to packet payload on its way out. So another example on the, of things coming on the way in is packet coalescing can be done in hardware to reduce the, the packet, count us, reducing the per packet processing that needs to be done.
Leo Laporte & Steve Gibson (01:10:42):
So what's happened is over time as Nick's Nick hardware, you know network interface, controller hardware has become increasingly capable. The more and more duties have been pushed down to the hardware level to free the software from doing things that, or, you know, it's just, it's a waste of its time. Anyway, Nick Gregory, who discovered the problem explained, he said, despite being in code, dealing with hardware offload the, the flaw in net filter is reachable when targeting network devices that don't have offload functionality. For example, the local virtual interface. This can be turned into Ker return oriented programming, R O P local privilege, escalation and other things without too much difficulty as one of the values that's written out bounds is conveniently a pointer to a net device structure. Okay. So what does this mean? Does the spate of flaws suggest that Linux is becoming rickety?
Leo Laporte & Steve Gibson (01:11:50):
No, I think it a, an indication of it becoming increasingly complex, as we know, security and complexity are perpetually at odds with one another for security scrutiny is always a good thing at this point. It's the only thing I think that's saving us is like people, you know, like, you know, digging into U E I and finding problems and surfacing them and all of the all of the bug Boies that we have encouraging people to look closely at code. You know, we've seen that just making something open source doesn't auto magically bring more security, but I really do think in the long run, it feels like the right solution and that, you know, it's gonna be the, the, the approach that wins okay. Our web browsers and operating systems all collectively trust, any security certificate, such as a brand new web server TLS certificate.
Leo Laporte & Steve Gibson (01:13:02):
That's never been seen before because it's been signed by a certificate authority that is trusted globally by collectively all of our OSS and web browsers. But the reason they trust a never before seeing certificate is specifically, and only because the signer of the certificate has promised to and demonstrated its ability to restrict its issuance of certificates or signatures on certificates to entities whose identity it has confirmed. Within the guidelines set up by the CA browser forum several times during this podcast life we've discussed in instances of apparent mistakes, being innocently made flaws in certificate issuing systems, which were being exploited and also clear instances of deliberate certificate signing abuse. So everyone's a bit concerned over Russia's recent announcement of its creation of a new unvetted untested, and very likely rogue Russian certificate authority.
Leo Laporte & Steve Gibson (01:14:30):
However, its creation was probably inevitable because the sanctions imposed by Western companies and governments are preventing Russian web services from renewing their expiring TLS certificates. You know, you know, in absolute good faith, they would like to, but Western certificate authorities are, are banned through sanctions to do business with entities inside Russia. So what are they gonna do? We all know that browsers take a very dim view of websites, which offer them an expired certificate as proof of the or identity. So that won't work. So if web service providers who certificates are expiring are unable to purchase certificates from traditional certificate authorities, what choice do they have? No problem. Just pick up a certificate issued by your local authoritarian of which there are many choices.
Leo Laporte & Steve Gibson (01:15:38):
Exactly. None of whom are trusted. Now there's only one problem with doing that, which is that no mainstream web browser will accept any certificate randomly signed by Russia's new mint, minted CA that's just not gonna happen in this lifetime. Okay. There is an exception. Russia does have the Yex browser based in Russia, and it will now no surprise work with Russian ministry of digital development issued certificates. So Russian sites are instructing their visitors to please switch over to Yandex. But of course there is an alternative if someone wished to continue using Firefox or one of the several chromium based browsers in theory, they could do so by adding the Russian trusted root CA certificate to their browser's certificate root store. But just to be clear, that's the last thing that anyone outside of Russia in the west should consider doing nothing wood or will prevent Russian Kremlin gremlins from creating TLS certificates for any Western websites, thus allowing them to intercept spoof and alter such websites, network traffic, what will likely happen?
Leo Laporte & Steve Gibson (01:17:16):
And it's probably already in the works. If it's not already got the seal of approval stamped on it, is that chromium and Firefox maybe even iOS, if you're able to install certificate, it gets into iOS. I didn't look will specifically blacklist Russia's rogue root certificate so that no one using Firefox or chromium browsers or acromium browser could be hurt after mistakenly installing it into their browsers root stores. So for those using the Yandex browser in Russia, it's a workable solution for providing continuity of services during this time. But there's no conceivable way that any of our mainstream browsers are gonna trust any certificate signed by Russia's new certificate authority. Okay. Now, one last thing you may have thought that you were gonna escape this week without having to listen to me harp on WordPress. Oh, well we tried. No, no, almost made it was.
Leo Laporte & Steve Gibson (01:18:26):
I'm about to ask you about Bobba verse Leo, but first I I do promise it to at least keep this brief. And so as not to introduce any of my own well known bias, I'm gonna simply quote verbatim from just the top of bleeping computers coverage of a recently released report on WordPress security bleeping computer wrote, this is not me. This is them patch stack a leader in WordPress security and threat intelligence has released a white paper to present the state of WordPress security in 2021. And the report paints a dire picture, more spec, specifically 2021 has seen a growth of 150% in the reported vulnerabilities compared to the previous year, while 29% of the critical flaws in WordPress plugins never received a security update. This is alarm considering that WordPress is the world's most popular content management system used in 43.2% of all websites out there of all the reported flaws in 2021 only 0.58% were in word core 0.5, 8% with that's.
Leo Laporte & Steve Gibson (01:19:56):
That's probably one with the rest being in themes and plugins for the platform coming from various sources and different developers, notably 91.38% of these flaws are found in free plugins, whereas paid premium WordPress add-ons only accounted for 8.6, 2% of the total reflecting better code vetting and testing procedures. And I would argue professional coders rather than someone saying, Hey, I, I just created an add on it's free. Here you go. And I say, good luck to you. Yeah. Well, and again, it wasn't, it's not in the core, it's in the it's in these plugins and just be very, very careful, I guess, about what plugins you install. Yeah. It, and I would say, you know given that the vast majority are in the free plugins, if you want something, find something that looks, you know, pay for it. Exactly. Yeah. Look, you know, find something from a really reputable plugin provider.
Leo Laporte & Steve Gibson (01:21:01):
We actually had Matt Mullenweg, the creator for press on floss weekly last week. But I didn't, I didn't mention anything to him about that. Well, so I've been meeting for weeks Leo to ask you if you had continued listening to the Baba verse, I haven't even started, I have it. I bought it and I haven't even, you know, I have, I'm such a backlog of books that I haven't gotten into it and I keep thinking, oh, I'm gonna press play press. So you're how many books in are you? Well, the, the, the, the initial three were the trilogy, right? And so we have the fourth book and you know, I was a little skeptical because the reviews that I read were a little mixed about it. Huh. Now I understand what's going on. I mean, it was a grumpy person who didn't want anything to change.
Leo Laporte & Steve Gibson (01:21:50):
Basically. The first three books are, are a, a, a particular set of things, a style where we're looking at like this explosion of these. And I think I mentioned before, and this is not giving anything away because this is all it's like on, on the jacket cover. It's the it, a Bob is a human intellect that was transferred to a computer to create. What's known as a, a V Neman probe, which by definition is a probe, which goes out into space, go finds a new star system, harvests the raw materials with which to build more of itself. Oh boy. So replicates and then sends its copies of itself off in all directions. What could each with the same purpose possibly go wrong? So thus the Baba verse, right. We end up with a lot of 'em. Yeah. And so, so the, the original plot line of the first three jumps around among all of these different bobs.
Leo Laporte & Steve Gibson (01:22:53):
And I think I mentioned to, when I talked about it before that I had a hard time keeping track of, okay, which Bob is this? And so I just gave up, I just sort of kept reading into a new chapter and I go, okay, it's that Bob? So what's happened in book four is, is we, we focused on one particular interesting thing which has been found now, there are, there's this notion in sci-fi of mega structures. An example, a well known mega structure is the Dyson sphere, right, right. Where a, a, a society gets so advanced to the, and, and in fact, people who've like bothered to chart all this they're. They have like a, a nomenclature for different stages of advanced space faring civilizations. Well, at some particular stage, you become able to, to en globe your entire solar system in a Dyson sphere for the purpose of capturing the entire energy output of the sun, you know, of, of your local star.
Leo Laporte & Steve Gibson (01:24:00):
And of course, this actually was the plot for our, our, one of our very favorite pair of books that Peter Hamilton wrote Pandora's star at, at the very beginning of the book. And again, this doesn't give anything well, way Dudley an astronomer is, happens to be looking in a particular direction when a star winks off. And he's like, because, you know, stars don't wink off. They, they can have all, you know, we have a well known star life cycle that cosmologists understand, but turning off is not something that stars do. So anyway, that was the beginning of the story is, you know, what could cause a star to wink off? Well, the it's Dyson's fear was turned on is what happened. So anyway we need to hear about our last sponsor, and then we're gonna go into wax on, or wax off another wacky episode of security.
Leo Laporte & Steve Gibson (01:25:00):
Now, our show today brought to you by new Relic. If you are in charge of keeping the, the, what was the Hein law line line, the roads must roll. If you are in charge of keeping the roads rolling, you know, your worst nightmare is that middle of the night call saying the roads ever not rolling, your network is down or your software crash, or the, you know, the cloud providers disappeared into the ether. That's the worst, but actually it isn't, it's the second worst. It's the pen ultimate worst. The ultimate worst is you have no idea what's going on and you're trying to figure it out. And it's the middle of the night. You're blurry eye. You got your team working on this, your mind's racing, what could be wrong? Everybody's scrambling from tool to tool, just trying to get the information that you need to figure out what's broken so you can fix it.
Leo Laporte & Steve Gibson (01:25:51):
And you wanna do all this before the CEO wakes up, but that's for sure. Well, that's why you need new Relic. They call it observability. According to new Relic, only half of all organizations are implementing observability for their networks and systems. And, and it's clear maintaining network observability has become an issue for a lot of companies around the world and about for the people in the middle of the night. So this is the whole purpose of new Relic. They were created actually back in the Ruby on rails days, they were originally a Ruby on rails tool, but now they've combined 16 different monitoring products for every possible configuration tools. You'd probably buy separately, but it's much better if they're all in one package, one software stack, one place. So you can see what's going on and fit exit fast. You'll get application monitoring, APM, unified monitoring for your apps and your microservices.
Leo Laporte & Steve Gibson (01:26:49):
You'll get Kubernetes observability with pixie, really nice to have. How about distributed tracing? You can see all your traces without management headaches, so you can find and fix issues fast. It's very easy. You see that's where that's where it stopped. It. Didn't get through network performance monitoring, stop guessing where performance issues start ditch data silos. You'll get a systemwide correlated view. And that's just four of the 16 tools. And more importantly, you can pinpoint issues right down to the line of code. So, you know, exactly not only why the problem happened, but how to fix it fast and get back to bed. And that's really what it's all about. That's why dev and ops teams at DoorDash use new Relic. Github uses new Relic. Epic games uses new Relic, more than 14,000 other companies. They all use new Relic to debug and improve the, their software.
Leo Laporte & Steve Gibson (01:27:45):
Whether you run a cloud native startup or a fortune 500 company just takes five minutes to set up new Relic in your environment. And here's the best part. You can do it all free forever. No credit card required that next 9:00 PM call is just waiting to happen. Access the entire new Relic platform and a hundred gigabytes of data free per month forever. You don't even have to give 'em a credit card, but you know why they do that, cuz they know you're gonna want more, more, more, we want more new Relic. So start, start free though at new relic.com/security. Now w R E L I c.com/security. Now you probably heard at the last conference you were at know, one of your colleagues said, boy, man, that new Relic saved our buns. You know, and you've heard this over and over. What have you been waiting for?
Leo Laporte & Steve Gibson (01:28:32):
New relic.com/security. Now it's the kind of monitoring the kind of observability every company should have. You should have, you shouldn't have to wake up at three in the morning, new relic.com/security. Now I thank of so much for their support of the security now show. All right, let's talk wax on wax off. Oh my Lord. Okay. So QAC stands for qualified website authentication certificates. Oh, of course. Let's have a good acronym. Shall we? Yep. Is this something that the European union has proposed to adopt in an amendment to article 45 of their framework for digital identity in this case, the digital identity of websites, not people what makes us way more interesting than watching paint dry or watching the slowly grinding wheels of bureaucracy is that the EU has been attempting to make this happen for the last six years, since 2016. And they still haven't given up.
Leo Laporte & Steve Gibson (01:29:41):
And after the most recent proposal by the EU, a group of 38 well-informed security and it academics and professionals, including the E F cosigned, an open letter to the EU EU regulators, warning that the enactment of this protocol to expose internet users to cyber crime. The open letter is titled global website security ecosystem at risk from EU digital identity frameworks, new website, authentication provisions. And the group starts off by saying, dear honor, member of the European parliament, dear member of T E L E working party. We, the undersigned are cybersecurity researchers, advocates, and practitioners. We write to you in our individual capacities to raise grave concerns regarding certain provisions of the legislative proposal for a European digital identity framework, the E I D a S revision and their impact on security on the web. Now the EU doesn't appear to be backing down about what they want and we've seen what a mess can be created when something like, like the GDPR and its cookie regulations are imposed upon the world.
Leo Laporte & Steve Gibson (01:31:08):
So I was very interested to understand what the EU has gotten themselves up to now. They've intruded into our lives by making us agree to every website's cookie usage. So what's coming next. I spent hours working to wrap my head around this. I read the arguments being made by both sides and all the references I could find I did. I did find a very strong and beautifully written explanation of the fundamental problem with what the EU wants to do, which I believe was probably, well, I know was written at least by last July. I think it was written by Google's Ryan Levy. At least he had a tweet which pointed to it for more information. But again, it was written last July and the EU still doesn't appear to get it. What the EU wants is something more than TLS certificates. They wanna have their own website authentication, essentially the ability to, to bind their own array of government validation and authentication, assertions to websites so that when an EU citizen is browsing the web and goes to a website, they want the user's browser to display a top of page banner stating that this website uses a QAC I'm I'm not kidding you.
Leo Laporte & Steve Gibson (01:32:46):
And then, because they realize, I saw an example of this in, in one of their slides, actually I have the slide, although it's so tiny in, in the show notes, it's difficult to see, but it, it like comes up in a banner at the top of the, and, and then it says Perens qualified website authentication certificate. Wow. and then a list of a few privacy and security assertions and a in this banner, which will have three tabs, a summary tab and NT QAC validate tab and a TLS validation. And there will be an, I got it. Button to dismiss the banner notification, please, please don't make us do this anyway. So what's going on here? How's this done? The website would serve some Javas. That is the, the website, the visitor that the user is visiting would serve some JavaScript, you know, who knows perhaps the same JavaScript that now makes us all agree to be cooked.
Leo Laporte & Steve Gibson (01:33:52):
This JavaScript makes a call to an external web service, which is tasked with producing a report, which will be returned for display to the user, the web service first retrieves, another blob known as the NT QAC from a well known default path on the website that the user is visiting. And we've talked about well known paths before, right where, you know, it's it's domain slash well hyphen known slash something where a, a, a client knows to, to ask for something from the server. So the, that blob contains a number of government provided security and other assertions about the site and hash of the website's TLS certificate. Now this is just a blob on a website. The web service needs to have the blob validated. So it queries an online validator in the next step to verify the authenticity of this particular NT QAC BL it, then hashes the original website's TLS certificate and compares it to the hash it expects.
Leo Laporte & Steve Gibson (01:35:11):
So that binds the TLS certificate to it. You presumably that's to prevent certificate forgery such as we, you know, have mentioned earlier in this show and also in that BGP routing hack the other day. Okay. So now it knows that it's associated with the proper TLS certificate. Next it processes this NT QAC attributes to produce a structured NT QAC validation report. And it then performs an on the fly validation against additional authoritative sources, which are not specified, but they're shown in the, in the diagram of how this all works. And when all that's done, the web service returns, the validated validation report to the waiting JavaScript, which then presents the banner to the EU citizen who will have become quickly trained to click. Okay, I got it. Just to get rid of the thing and exactly problem. Yes. You know, it's just, it's ridiculous.
Leo Laporte & Steve Gibson (01:36:24):
You know, maybe they could combine them with the okay to cookies button. So you don't have now have to press two things. One thing to get rid of the authentication from the government and another button to get rid of the cookies, which the government has made be posted. So what do we get in return for all this industry? We get what the EU apparently wants, which is its own governmentally controlled, separate from the TLS environment and community governmentally controlled facility for determining, controlling and displaying various privacy and security assertions about individual websites. The EU essentially wants to add a layer of their own input, much as they have with cookies. Thank you very much into the browsing experience of all of their citizenry. There are a number of problems with this, but as I said, these problems have been patiently, carefully articulated, articulately, and repeatedly laid out and explained for the last six years.
Leo Laporte & Steve Gibson (01:37:37):
So far to know avail now, okay. One biggie should stand out to everyone right off the bat. The web has been deliberately designed as a two party system, the user with their browser and whatever website they are visiting are the two parties it's me and you now, while it's true that in today's world, this pure two party system immediately collapses due to a website's voluntary and deliberate inclusion of third parties, which it brings in that's the, the site's choice to make. And we have been carefully chronicling all web browsers, moving toward ever greater and stronger isolation of any and all third parties. They're being siloed. They're being given their own CAEs. You know, they're, this is all this whole, you know, we're all together. One big happy cookie farm, that's all going away. So that controls tracking and profiling. The larger problem to me is that so, so there's that, there's a fact that this essentially codies codifies a, a formal third party presence involved in, in presenting all of this, all, you know, this web service, whatever it is, is like is like central headquarters for tracking of, of, of every user that goes to any of these sites.
Leo Laporte & Steve Gibson (01:39:16):
But the, the even bigger problem that occurred to me is what prevents a malicious website from simply displaying the same happy news QAC banner, and giving its intended victim, the all clear, oh man, you know, if the system is that easily spoofed, then what's the point. I mean, the whole thing seems, you know, absolutely nuts. The only way to prevent that would be to force it into the Chrome much, you know, the, the, the browser UI Chrome much as the certificate can be, you're able to view the certificate and that's not the webpage showing you that a assertion, that's the browser's, you know, unalterable Chrome, you know, it's UI that lets you see the certificate that it received. So, you know, the, the only way you could prevent casual spoofing is if the EU forced the design of the browsers to somehow display this crap.
Leo Laporte & Steve Gibson (01:40:19):
And I mean, this is very, it's been in, in, in much of what I read. It's very much compared to the to, to the EV certs where, where the idea was to show some additional information that would be useful to the user. And we know what happened to that. You know, first they weren't green any longer and then they were just gone completely from the user interface. So the EF F in there never boring and always over the top sky is falling style, issued a press release on March 3rd. You know, I have the thing in the show notes, but I'm not gonna bore everybody with it. We've we've we've, as I, as I imagine reading this, I'm just thinking, okay, everyone knows, you know, it is all, you know, oh my God, this is gonna completely destroy the, all of the website and all of our security and the, you know, experts are urging the EU to amend the revised article 45 and so forth.
Leo Laporte & Steve Gibson (01:41:20):
But what they talk about actually in this letter is different because they're talking about the, the enforcing of other certificate authorities, who, which is not the system that I just read. So I thought what, well, it turns out that that wasn't explained in the slide deck that I found of which one of those slides is in the show notes. There is an entirely different system. The reason is there are actually three different proposed ways that this system could work. And the one the EF is all steamed up about is the worst of the three and which maybe why it wasn't put in the slides. It is a proposed single certificate solution in that solution. Various governments, various governments would each have their own root certificates added to our operating systems and browser root stores. And these governments would be able to issue TLS website certificates containing all of that additional, a information they desire.
Leo Laporte & Steve Gibson (01:42:39):
And this is, you know, the point in the podcast where in unison, we all ask what could possibly could wrong wrong. Yes. So the internet society has published an internet impact. Brief titled mandated browser are root certificates in the European unions, E I D a S regulation on the internet and skipping past a bunch of the intro. I'll just share three paragraphs. They said the European commission is currently, and this is the internet society like, you know, internet, society.org. So toned down from the, the EF F they said the European commission is currently evaluating this regulatory framework. It organized a public consultation in 2020 to collect feedback on drivers and barriers to the development and up take of trust services. And E I D you know, the electronic ID in Europe on this basis, the commission has proposed an amendment to the 2014 regulation to try to stimulate adoption of the framework and the availability of secure E I D schemes across the internal market among the changes in the new proposal are provisions around QAC that could have the effect of forcing browsers to include TSPs.
Leo Laporte & Steve Gibson (01:44:13):
Those are trusted service providers in the EU parlance. You know, we know them as certificate authorities authorized by national governments, into their root stores, without guaranteeing security parody, current best practices. In other words, it would require browsers to add these CAS to the list of trusted middlemen. Even if they do not meet industry standards or are recognized as a trusted party. They said, although the text of the proposal may seem uncontentious the high goals have upst stated technical consequ, I'm sorry, have unstated tech technical consequences, which we believe are unpalatable, regardless of which option is put into practice than they said for more information about our interpretation of the proposed revisions C anx a and I included anx a in the show notes, but I'm not gonna to go over it. Cuz basically it's what we talked about. So this ETSI core assumption is that browsers will validate in, in other, in other words, recognize a QAC by binding it to a TLS certificate for the domain.
Leo Laporte & Steve Gibson (01:45:32):
It is an intended to represent since TLS certificates themselves do not provide the level of authenticity. E I D a S wants to achieve. For example, they might just be a domain validation, a DV certificate like let's encrypt produces or like a non EV or might not even be organizational O V. They say, this means that Q a must be issued according to a separate set of processes and criteria for E I D a S compliant trust service providers. So at this point it is very unclear what's gonna happen. And I wouldn't worry about it, except that we're all now having to click a on. Yes. I agree about your GD cookies for every website we used. It's so outta control it is, does QX solve a problem that exists?
Leo Laporte & Steve Gibson (01:46:28):
I mean, isn't TLS sufficient. Yeah. They don't think so. They, they, they want, that's the problem they wanna solve. I don't understand. They want browser certificates to contain additional verified like identity ish, things like an actual name and an actual street address and an actual mean they want to tie it to identity. And so, you know, even that raises the hackles of a lot of people who are saying, wait a minute, you know, we want the web to continue to be able to offer some level of anonymity to protect people. And EU was saying, well, digital identity is important. And we want to, you know, push this down into the, the web browser. So people know, you know, more about the sites they're visiting.
Leo Laporte & Steve Gibson (01:47:25):
Yeah. Boy, I don't like this idea at all. And I, I, yes. And they're not giving, they're not giving up on it. Wow. It doesn't solve anything. And it introduces all sorts of security problems. Yes. It breaks things. And the worst thing I can imagine, and now more than ever, this should be obvious is to have countries have own certificate authorities that you have to adhere to. I mean, yeah. Sorry. that's not, that's just not, I'm sorry. That's terrible. Plus another banner, just what we want. I already, there are many pages now that have such long cookie banners. I literally can't ignore the banner. I have to click to, to get to the site. It comes up like, like, like half the page. Is there blocking you from doing anything? And by the way, Steve correct me if I'm wrong, but don't, they have to save a cookie to say that you've seen this banner and not show it again.
Leo Laporte & Steve Gibson (01:48:24):
Am I wrong? That's a cookie. So you could say, I don't want any cookies. You're gonna see that banner forever. The whole thing is just so broken and stupid. Yeah. Oh, wow. Yeah. And you know, on, on, on the coattails of GDPR, which has been, you know, a, a mess for, well, I'm, I'm in favor of some privacy protections. Yeah, for sure. And I, I think GDPR, if it weren't for GDPR there'd be none. So, okay. But the cookie thing is ridiculous in this sense, not merely ridiculous, but actively dangerous breaking is why you don't want politicians making a security or technology decision. Well, okay. So if they wanted to do some legislation, why not require that they do not track header. There you go. That, yeah. It's not hard. Just exactly. Just, you know, do some legislation and say, you know, let people say they don't want to be tracked.
Leo Laporte & Steve Gibson (01:49:27):
And if you see that you cannot track them and that's the law. Thank you very much. That would be easy. That would be simple. Instead we get this, I don't even, this is crazy. This is just, this is like somebody's fever dream and exactly what prevents other sites from spoofing it. Yeah. That's not, that'd it easy to put that up. Yeah. Just do a screenshot of one that you like and just show it silly, silly, silly, silly. I wish it were not like such a potential problem. I mean, like it could actually happen something that's chat, I'm saying, and maybe this makes sense. It's about taxation. Maybe that's possible. You know, they don't want anybody evading their taxation. Well on that screen, there was something about VAT. Yeah. I think it was that one, one of those authentication providers was there was some VA things interesting. Who knows? Huh? Anyway, once again, you know, if you didn't listen to this show, you wouldn't even know about this stuff. That's why you gotta listen. Yeah. You could actually sleep at night. Yeah.
Leo Laporte & Steve Gibson (01:50:38):
You'd you'd you'd dream. The dream of babies. You'd be so happy. No problems. All of our, my computer is secure. Everything's going want, I can go anywhere. I want to, I can click. I can click any link that I see, but what could possibly go wrong? Nothing. We do this show every Tuesday, right after Mac break weekly, one 30 Pacific, four 30 Eastern, 20, 30 UTC. You could stop by and watch us do it live at twit.tv/live. The IRC channel is always going, but of course it's most active when there's a live show on and that's IRC dot twitt TV members of club TWiT get their very own little clubhouse, our discord server, which isn't just for show conversations, conversations about everything. Stacy's book club is coming up a, a Paul throt fireside chat. We're gonna talk to Patrick Delehanty on Thursday. He's our engineer.
Leo Laporte & Steve Gibson (01:51:30):
If you're curious about the back end, he's got a great backend all of that in the discord server, how do you get in? Well, you join club TWiT seven bucks a month gets you ad free versions of all the shows access to the discord. Plus of course, the special TWiT plus feed with stuff that does not make it to the podcast like the analytic show and the GIZ and Stacy's book club go to twit.tv/club TWiT. And thank you very much to all of our club TWiT members for their support really helps us out. Steve's got a copy of this show. He's actually two unique versions of this show. He's got a 16 kilobit audio file for the very bandwidth impaired folks. Plus Elaine, Ferris's amazing transcription. So you can read along as you listen@grc.com while you're there, pick up a copy of spin, right?
Leo Laporte & Steve Gibson (01:52:19):
That's Steve's bread and butter. That's what keeps the boat afloat. It's the world's best mass storage, maintenance and recovery utility spin, right. Six is the current version. Six one is in progress us in process, and you can participate in the development as well as get a free copy. If you buy right now, grc.com the website for us for the show, we have 64 kilobit audio and we have video is twit.tv/sn twit.tv/sn. There's a YouTube channel dedicated to security. Now that makes it easy to share. If you know, you want your boss to see something or something like that, or your co coworkers or colleagues or buddies, just to send a share link from a YouTube, that's a good way to do it. You can also subscribe on your favorite podcast player and get it automatically every Tuesday evening, as soon as it's available.
Leo Laporte & Steve Gibson (01:53:09):
If you do that, please leave us a five star review. Let the world know about this, the best, the one, the only security, the original. Now the original says 2005 baby now in it's eight 17th year of education, Azure vacation. Thank you, my friend, have a great week. We'll see you next time on security now Rado. Hey, I'm Rod Pile editor of ad as magazine and each week I'm joined by Tariq. Malik the editor in chief over at space.com in our new this week in space podcast, every Friday Tariq. And I take a deep dive into the stories that define the new space age what's NASA up to when will Americans, once again set foot on the moon. And how about those samples in the perseverance Rover? When are those coming home? What the heck is Elon must have done now, in addition to all the latest and greatest and space exploration will take an occasional look at bits of space flight history that you probably never heard of and all with an eye towards having a good time along the way. Check us out in your favorite podcast. Catcher
... (01:54:12):
Security.
... (01:54:13):
Now.