Security Now Episode 863 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show. 

Leo Laporte (00:00:00):
It's time for Security Now, Steve Gibson is here. There's a new sheriff in town, a new us law requiring cyber crime reporting. We'll take a look at that. A surprise supply chain sabotage from one of the developers and maintainers of node JS and a new way to spoof sign in dialogues. It's called old browser in browser and it's scary. Plus Steve will take a deep dive into a common source of security flaws called the use after free bug. It's all coming up next on Security Now podcasts you love

... (00:00:37):
From people you trust

Leo Laporte (00:00:39):
This is TWiT. This is Security Now with Steve Gibson episode 863 recorded Tuesday, March 22nd, 2022 use. After free. This episode of security now is brought to you by Barracuda. Barracuda has identified 13 types of email threats and out cyber criminals. Use them every day. Fishing conversation hacking ransomware. Plus 10 more tricks. Cyber criminals use to steal money from your company or personal information from your employees and customers. Get your free ebook at barracuda.com/securitynow and buy Melissa. The US postal service process is more than 98,000 address changes every day. Make sure your customer contact data is up to date. Try Melissa's APIs in the developer portal. It's easy to log on, sign up and start playing in the API sandbox. 24 7 get started today with 1000 records, clean for free at melissa.com/twit and by PlexTrac the proactive security management platform that helps you focus on winning the right security battles with PlexTrac, you'll streamline the full workflow from reporting to remediation.

Leo Laporte & Steve Gibson (00:01:58):
Visit plextrac.com/twit and claim your free month. It's time for Security Now the show we cover your security, your privacy, everything you need to know about staying safe online with this cat right here, Steve Gibson, GRC. He's doing the now. I know why you love Bobba verse, by the way, it's a it's star Trek focus. There's a lot of trick jokes in there. There is actually in fact, you, you won't know it. I don't remember if it's in the third book or the fourth, but there's actually that as they, there there's this thing they, that he calls how would I say it re replicative replicative rift where yes, where even though he is replicating himself, each one is slightly different, which you, you know, it's like, why is a computer gonna have that? But it's a required, you know, it's an AI, it's an AI.

Leo Laporte & Steve Gibson (00:02:57):
Well, and you need it. That's right. Otherwise they'd all be the same. And exactly. So it it's a required plot vehicle for him in order to get different bobs as all these bobs keep replicating. So what happens is over time, there are some though, and of course, you're right. Star Trek. He is a theme through the, well, one of the Bob series names himself Riker. Yeah. Oh yes. Bob number two. Yeah. Yes. And in fact, and, and he, he later drops Riker and just switches to will, will, but still it's it's that connection. Yeah. But then what happens is they, as things go on, they start involving themselves with other cultures. I mean, not in a bad way, like to help out these other intelligent sentient aliens, who they find, they violate the prime directive. Yes. There is a, and there is a group that forms that are all up in arms about this, and they literally get labeled starlet.

Leo Laporte & Steve Gibson (00:03:57):
They I'm, I'm just finishing the first book cuz you, you shamed me last week saying if I read it yet and I hadn't started it, it re and, and I love it. It reminds me so much of Mar of the Martian and project hail Mary in the, in the, the, these attitude of the narrator. Of course, I'm listening to Ray Porter's and narration. It's the same guy. So he's got that same kind of funny attitude and in the science writing and the problem solving it is, it is another Andy Weir, Andy Weir too. He's really good. It's called the Baba verse. First one's called, we are Legion by I can't remember the guy's name something E I know his middle name is E well, and in fact, I was just thinking about this yesterday. There's a, there's a, a, you know, there's no spoilers here, but there's a there's a moment where there's a problem that's being solved and they're needing to, to rotate their passwords and update their keys.

Leo Laporte & Steve Gibson (00:05:00):
And I'm, I'm like, I mean, that's what the guy is talking about. I know, I love it. I wonder, no, no wonder our listeners love this stuff. Yeah. Dennis E. Taylor and Dennis Taylor. They're great. I have to say, and I've only read the first one, but so far I'm really, really, yeah. Enjoying you. Won't be let you won't be let down. Yeah. Yeah. So today we are at, at three to 2222, and there wasn't any big, I mean, there's like a lot going on of course, because we still have all of this tension globally. But a number of our listeners have written with questions about use after free. We've talked about this vulnerability, how it continue used to keep being a problem. And when I saw that, you know, after like looking at everything that I wanted to talk about this week, there wasn't anything that was clearly topical.

Leo Laporte & Steve Gibson (00:05:54):
I thought, well, I'm just gonna, you know, spend some time digging a little bit deeper into this issue of memory management in our contemporary computer systems to, to answer sort of as a group, a lot of these questions that we've had. So I title today's podcast use after free. Just because it's the way we're gonna wrap things up, but first we're gonna take a look at the USS new cyber crime reporting law, which finally did get passed and signed into law last week. We're gonna examine the most tweeted to me thing of the week, which was a very worrisome software supply chain sabotage, but, and even more worrisome than one instance is that it turns out this is looking like a trend and it is concerning. We're gonna look at the browser in the browser exploit a new way to spoof sign in dialogues, to capture authentication credent and examined the way micro tick, or as I originally called them, micro routers are being used by the trick bot botnet to obscure their command and control servers.

Leo Laporte & Steve Gibson (00:07:12):
We've got a, a infinite loop bug of great concern, which has been by our friend tabs Ory at, at Google in open SSL, which is what makes it a big concern, time to update and C wants or walks us through their forensic analysis of a Russian state sponsored attack on an N O a non-government organization. We then take a look at the windows vulnerability that refuses to be resolved and will finish. As I said, by spending a bit more time than we have so far to looking more closely at why use after free flaws continue to be so challenging. And we, we also, for those who are coders, we have a terrific picture of the week. So it's kind of relevant too. Hey, there's also a news story that I wanna point you to and let you chew over it before we talk again, of course, you spent many years working on squirrel, a better way of doing passwords.

Leo Laporte & Steve Gibson (00:08:17):
I don't know if you saw this, but at the pH Fido Alliance has said, oh, we think we now know how to enter a password, worse passwordless world. They say, I'll just quote a little bit of it. The passwordless phyto standard already relies on a device biome trick scanners to authenticate you locally, without any of your data, traveling over the internet to a web server validation, the main concept Fido believes will ultimately solve the new device issue. Cuz of course, switching and adding devices is, is, becomes the problem is to implement a Fido credential manager. This sounds a little bit familiar, which is somewhat similar to a built-in password manager instead of literally storing passwords. This mechanism will store cryptographic keys that can sync between devices in our guarded, by your devices, biometric or passcode lock. I think yours is a little better to be honest, but I, but I, my, yeah, my only needs one and it synthesizes them on the fly based on where you are.

Leo Laporte & Steve Gibson (00:09:25):
Right. As we know. So the problem is Fido is, you know, apple and Microsoft and Google and you're just you and yep. And you have not seen me spend any more time after I spent seven years solving the problem. I dropped it like a hot rock and switched to spin, right. Because I, I solved a problem if the world wants it great. Otherwise fine. Somebody should write to phyto and say, it's been solved. Take a look. Cuz cuz you, you address exact thing. They're talking about the portability of these keys and you address it. And I think in a better way than, than they're talking. Yeah. And you know, all kinds of little edge cases like users telling the website, oh, you know, I, I lost my key, please. You know, let me use something else. Well that that's an obvious exploit for spoofing.

Leo Laporte & Steve Gibson (00:10:15):
And so with all you can set a little check box that says, please don't ever listen to those requests. And so, I mean, this is, and you know, and if you lose your credentials, how you can get them back, how you're able to obsolete, lost credentials. I mean, you know, I just, I did solve it once. Yeah. And there it is. So meanwhile, I'm having a lot of fun making great progress with spin. Right. Good. We'll hear more about that in just a second. And get our picture of the week as well. Steve Gibson and security now, but first a word from our sponsor. They make the show possible Barracuda. They also do a lot more than that. They protect companies, including ours from all sorts threats, including I think in many ways, the number one threat for Phish anyway, email and a recent email trend survey.

Leo Laporte & Steve Gibson (00:11:05):
43% of respondents told Barracuda they'd been victims. 43% had been victims of a spear phishing attack. That's terrifying. In fact, only to 23% said they have dedicated spear fishing protection. So I, I, I think it's time to start looking at how you keep your email secure for your company for your clients. Barracuda has identified 13 types of email threats and how cyber criminals use 'em every day. They're right there on the front line. So they fishing conversation hacking of course, ransomware and 10 more tricks. Cyber criminals used to steal money from your company to steal personal information from your employees and customers to steal your source code. If you're Microsoft, the question is, are you protected against all 13 types? Email cyber crimes is becoming more sophisticated. Attacks are more difficult to prevent they're using social engineering. And of course they prey on victims with fear and urgency to get them to act, you know, without thinking social engineering attacks, including spear phishing and business, email compromise cost businesses, an average of $130,000 per incident.

Leo Laporte & Steve Gibson (00:12:19):
A lot of, lot of people it's costing millions. And of course it's always tied to, you know, things that scare people and current events when the demand for COVID tests increased the start of the year Barracuda researchers saw of course an increase in COVID 19 test related Phish attacks, 521% increase between October of 2021 and January of 20 22, 520 1% increase. As more and more people are interested in crypto, the opportunity for attacks becomes ripe. Of course, with the price of Bitcoin being what it is. I it's, it's gone down, Steve, don't worry. It's gone down. Barracuda research found that impersonation attacks grew 192% when Bitcoin went up and there's something valuable there we wanted in 2020, the internet crime compliance center, IC three received 19,369 business email com wise email account compromise complaints with adjusted losses of over 1.8 billion billion. It's not enough just to secure your email at the gateway.

Leo Laporte & Steve Gibson (00:13:25):
You've gotta, of course, leverage gateway security. That's why we use Barracuda to protect against traditional attacks viruses zero day ransomware spam and other three, but a targeted tech goes right through protection at the inbox level, including AI and machine learning is necessary to detect and stop. The most sophisticated threats and Barracuda is right there with you too. Get a free copy of Barracuda's report, 13 email threat types to know about right now. You'll see what the cyber criminals are up to, how they're getting more and more sophisticated every day and how you can build the best protection for your business, your data, your people with Barracuda, find out how the 13 email threat types work and what you can do about 'em and how Barracuda can provide complete email protection for your teams, your customers, and your reputation. It's free. And it's available right now at Barra kuda.com/security.

Leo Laporte & Steve Gibson (00:14:18):
Now your free ebook 13 email threat types to know about right now, Barracuda B a R R a C U D a.com/security now, and you know what? You should probably pass it around the organization too. I think let everybody know, Barracuda your journey secured. All right, Steve picture the week time. So this is just a fun one. It depicts the six stages of debugging, which as I said, most of us who have written code will understand the first stage is the, that can't happen stage, you know, I, we would call that denial denial, I guess. Yeah, yeah, exactly. Then, then the second one is that doesn't happen on my machine. It's like, wait a minute, you know, something wrong with your computer. It's all all good here. I can't do that. Yeah, that's right, exactly. Can't duplicate it. Then the next stage of as, as the, as the coder moves through this paid process is that shouldn't happen. And so stage three then when, when the coder has recognized, okay, well, I, I guess it is happening. We get to the fourth stage. Why does that happen? And then when that gets you know, realized and internalized, we get to the fifth stage of, oh, I see. In big letters. Oh, I see. Exactly. And then I loves stage six, which is like, I, I I've felt it before. It's like, how did that ever work?

Leo Laporte & Steve Gibson (00:16:00):
So true. So true. It's like my God, you know, how, how, how did it take until now to find that, but oh yeah, that's the nature of the process. Okay. So last Tuesday a one and a half trillion dollar government funding bill was signed into law that I think that gets us like keeps us ticking until September president Biden signed it. And we're talking about that because part of that, the, you know, part of what was packaged into that legislation is something we've touched on a few times when it had period periodically been discussed, but what was under consideration until now. And it was only under consideration became law that new law mandates that owners and operators of critical us infrastructure to be defined in a minute must report must report when their organization has been hacked. And if a ransomware payment has been made.

Leo Laporte & Steve Gibson (00:17:09):
So this so-called, it's called the strengthening Amer cybersecurity act of 2022. And unfortunately, no good acronym jumps out S a C a, I don't know, it's not very catchy anyway. It was attached to the spending bill which requires, as I said, critical infrastructure operators alert the Homeland security department's CSA, you know, the cybersecurity and infrastructure security agency within 72 hours, three days of a breach. And within one day 24 hours, if the organization makes a ransomware payment, this new legislation also grants CISA subpoena power, allowing it to compel testimony from any entities, which they believe have not reported a cyber incident or a ransomware payment. And what's interesting is that this move is a reversal in recent policy because it, this legislation was removed or as the legislators like to say stripped out of the recent annual defense policy bill, where it first tried to make it into law.

Leo Laporte & Steve Gibson (00:18:28):
And that was so a few months ago. So, you know, given this change of heart, one has to wonder whether the potential for attacks against us infrastructure, which is, would be secondary to the Ukraine, Russian conflict might be behind this change of heart. And by eyebrows rose, what was learning that this so-called strengthening strengthening American cybersecurity act passed the Senate unanimously. So no dissent at all. Yes. Wow. Let's do I know like when, when is the last thing something was unanimous in our us Senate recently? So, you know, again, you know, no skin off anyone's teeth, they're basically saying, you know, just, you know, notify us if something happens. So now CSA will have up to two years to publish a notice in the federal register on proposed rule making to implement the reporting effort, you know, nothing ever happens quickly. However, report on this has suggested that CSA might choose to move faster, thanks to the current heightened threat climate, the Senate's Homeland security committee chair, Gary Peters, who authored and championed the legislation along with Senator Rob Portman issued a, they a combined statement saying the quote, this historic new law will make major updates to our cybersecurity policy to ensure that for the first time ever every single critical infrastructure owner and operator in America is reporting cyber attacks and ransomware payments to the federal government.

Leo Laporte & Steve Gibson (00:20:10):
And additionally, Rob Portman, the panel's top Republican said the legislation will quote, give the national cyber director CSA and other appropriate agencies, broad visibility into the cyber attacks, taking place across our nation on a daily basis to enable a whole of government response mitigation and warning to critical infrastructure and others of ongoing imminent attacks. So, as I was, as I was researching this, I got to wondering, cuz it sort of seemed like a loophole to me, maybe what exactly constitutes critical us infrastructure. You know, we, we hear the tier, we hear the term all the time, but you know, who exactly would be required to report. So to answer the question I attempted to read, that was the, the mistake some of the actual legislation, I don't Reem, I recommend it because now I have even less idea how our government actually manages to work and more amazement that for the most part.

Leo Laporte & Steve Gibson (00:21:19):
It, you know, it kind of seems to, I did manage to track down presidential policy directive 21, section 2 42, that's right. Section 2,242, subsection B and under the heading there designated critical infrastructure sectors and sector specific agencies, it explains this directive identifies steam, critical infrastructure sectors and designates associated federal SSAS. Those are sector specific agencies of which DHS is almost always the, the, you know, their reporting to agency. The, the responsible agency, you know, like DOE has the department of energy. The do D has the, the department of defense obviously and, and so forth. But in general, DHS, the umbrella, they said, in some cases, co SSAS are designated where those departments share the roles and responsibilities of the SSA. The secretary of Homeland security shall periodically evaluate the need for and approve changes to critical infrastructure sectors and shall consult with the assistant to the president for Homeland security and counter terrorism before changing a critical infrastructure sector or a designated SSA for that actor, the sectors and SSAS are as follows.

Leo Laporte & Steve Gibson (00:22:47):
And as I said, this was, this was after like a lot of distillation and whittling it down because, oh my Lord, anyway, those 16 are chemical commercial facilities, communications, critical manufacturing, dams, defense, industrial base, emergency services, energy E financial services, food and agriculture, government facilities, healthcare and public health information, technology, nuclear reactors, materials, and waste and transportation systems, water and waste water systems. So anyway, I was curious in case anybody else is those are the 16. So the bottom line is reporting attacks and extortion payments is no longer optional. It will be the law and or it is now, although it looks like CSA has some, you know, ha has to get, like since they are the reporting, the, the, the reporting to agency, they've gotta, you know, figure out how to turn it into a sufficiently large bureaucracy. Okay. Winning this week's prize for the most listener reported incident was a very worrisome software supply chain event.

Leo Laporte & Steve Gibson (00:24:13):
I don't think it qualifies for being called an attack since it was an inside job. Consequently most of the tech press is using the term sabotage. N PM is the package manager we've discussed from time to time for today's number one most popular, most used and most in demand programming language, huh? Javascript N PM is the default package manager for JavaScripts super popular runtime environment, node JS, and a very prominent node module known as node hyphen IPC as in inter process communication which is commonly used for local and remote inner process communi, which has support for Linux Mac OS and windows is the subject here node I P C has over 1.1 million downloads per week, which puts it up at the high end of popularity in the context of Javas now not JavaScript Javas log for J incident and vulnerability.

Leo Laporte & Steve Gibson (00:25:33):
We were talking about code dependency trees. The idea being that one software library relies upon several others and they may rely upon others, cetera, creating this rapidly branch tree at which has the effect of creating a deep set of interdependencies. Liron ha Liron TA at sync S N or I don't know how you pronou it. S N Y K. I say, I, yeah, maybe I hope it's not snake. That'd be bad. Where do you work? I work at snake. It's like what on purpose deliberately. Okay. Anyway, he was the first to report their discovery of this problem. Le wrote, he said on March 15th, 2022 users of the popular view dot JS front end JavaScript framework started experiencing what can only be described as a supply chain attack impacting the NPM ecosystem. This was the result of the nested dependencies node. I P C and peace, not war being sabotaged as an act of protest by the maintainer of the node.

Leo Laporte & Steve Gibson (00:26:58):
I P C package. He said this security incident involves destructive acts of corrupting files on disc by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms. While this is an attack with protest driven motivations, it highlights a large issue facing the software supply chain that the transitive dependencies in your code can have a huge impact on your security. Okay. So the, the story, the story started back on March eight at which time N PM Tainer for this package, R I a evangelist is his handle. His real world name is Brandon Zaki Miller. He wrote some code and published an NPM package named peace, not war, presumably referring to the what's going on over new crane. And that package describes itself, quote, this code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression, threatens the world. Right now, this module will add a message of peace on your user's desktops, and it will only do it if it does not already exist just to be polite.

Leo Laporte & Steve Gibson (00:28:42):
Okay. Now, first of all, it's interesting that Brandon writes that he'll only place his anti-war message on desktops that have not already received the message quote, just to be polite because what Brandon then does is anything but polite, his peace, not war package sat around for a week with hardly any downloads. Then he adds this peace, not war module as a dependency to one of his other very popular modules. He apparently he has 40 that he's maintaining in this case, he added it to the dependency of node, hyphen P C, which caused it to get sucked down 1.1 million times per week. Then apparently still getting even more amped up over the Russia, Ukraine conflict, and feeling that he has the power to be more proactive. Brandon added some deliberately base 64 obfuscated sabotage code to his node, hyphen IPC package, this updated release, added a function to check the IP address of the developers who were using node. I P C in their own projects. When an IP address geo located to either Russia or Belarus is found the new version wiped the file contents from the machine, replacing them with a heart emoji.

Leo Laporte & Steve Gibson (00:30:31):
Okay. Now, well, at least there's love involved. Well, there, there is obviously quite a lot that's wrong about that's. But on top of it just being plain wrong to take advantage of one's implicitly trusted position as a package maintainer to have one's package do something that it was clearly not sanctioned to do. Brandon's targets were being very poorly chosen. If we're to believe what we're told about the war, sentiments of the Russian population, it's the younger coders and developers who are more likely to be using Russian propaganda bypassing measures, and to have a much more Western view of what's actually happening over there. And along comes some idiot in the west who wipes out a sympathetic developer's files only because of where they are coding. And I should mention it's not in the show notes, but the EF F just went ballistic over this.

Leo Laporte & Steve Gibson (00:31:44):
I mean, whoa you know, and sad as all that is even more sadly, Brandon is not alone. The count of similarly recently altered software has risen to 21 incidents separately. Having been identified. I, as I looked through the list, it was in Russian. So I wasn't able to read the details, but I could see that the popular gooey toolkit QT was on the list up near the top actually. And another is ES five hyphen E X T, which provides code for the ECMA script, six scripting specification, a new dependency named post install JS, which the developer added on March 7th checks to see if the user's computer has a Russian IP address, in which case the code broadcasts a call for piece, whatever that is. So while not all of these changes are destructive, as Brandon's ended up evolving into, they are almost certainly not what those who are using them want or have every right to expect.

Leo Laporte & Steve Gibson (00:33:00):
Now, Brandon quickly removed his malicious changes after the very predictable outcry arose from other en enraged developers. But boy, you know, he has certainly not enhanced his credibility or reputation. And, you know, as I said, it does also point out what is probably a larger problem with the fact that we, we have, we, we we've ended up putting ourselves in a position where we are trusting in the Goodwill and the ongoing Goodwill and like the faltering behavior of lots of random developers whose software we're using. And we link it into a dependency tree and our code grabs it, no matter what it is, assuming that it's gonna stay what it was before. And of course we have no guarantee of that being the case. So, yikes. Next we're gonna talk about this browser and in a browser hack Leo, but I need to take a sip of water, so, okay.

Leo Laporte & Steve Gibson (00:34:12):
Preach. we are gonna take a break and talk about Melissa. The address expert. Well, Steve hydrates, you probably know this, but your contact list is pretty vital to your business. Being able to reach customers suppliers, being able to send out bills, catalogs. That's really important. Problem is people move. They move all all the time, all the time. Not only move, they change, email addresses, they even change names and phone numbers too. Melissa solves this problem by helping you ensure your business is successful and your customer information is up to date. In fact, that's why more than 10,000 be businesses know 'em as the address experts. They've been doing this for 37 years with a renewal rate of over 92%. Once you use Melissa, you know, you need Melissa. The typical ROI for Melissa customers is 25%. It really saves you money. So you don't mail catalogs two and three were catalogs.

Leo Laporte & Steve Gibson (00:35:22):
The same address or bill the wrong people. That kind of thing. Melissa said a record in 2021 last year, 30 billion north American address lookups 30 billion in one year. That's the most ever. And it just shows you how much more people need this than ever before. Melissa does more than just verifying addresses, addresses, emails, phone numbers, names, and you can do it in real time. They've got an API. You can use a software as a service. You could use it on prem. There's an FTP secure FTP server. You can file to get 'em to clean it up, download it again. They really wanna make it as flexible as possible. They even have an Android iOS app called the lookups app that will help you look up individual addresses easily. Make sure you've got it right. And you'll love if you are crafting software for data entry for customer service reps or for shop carts, you can, there's great API.

Leo Laporte & Steve Gibson (00:36:19):
And you can incorporate Melissa right into that software because really that's, that's where a lot of this errors go in is at the point of entry, right? 240 plus countries and territories right there at the point of entry can be verified, CR fixed. If you, if duplicate information, another, another big waste of time and money Melissa's global address verification service has data matching that'll eliminate clutter and duplicates and increase the accuracy of your database. You could do it as a batch. You could do it onesie two Z. You could do it as it's entered. It's also great shopping carts will like this for identity verification, which reduce is risk ensures. Compliance, keeps customers happy. You can add geocoding in this is popular, where it takes an address and gives you a longitude and latitude. You can remove up to 95% of bad email addresses from your database replace 'em with good ones.

Leo Laporte & Steve Gibson (00:37:13):
Melissa's pretty amazing. And of course you're giving them important stuff. So they want reassure you. They are absolutely committed to your data. Security to privacy, completely compliant. They're SOC two HIPAA GDPR compliant. So you can use 'em with confidence. And by the way, they don't just say that they undergo continuous third party security audits to make sure they're living up to their promise to you. Keep your in information, absolutely secure and private Melissa's industry, leading products and services and power improved business communications, more profitable customer relationships give you a competitive advantage. And if you sign up for a service level agreement, you'll love the 24 7 world famous Melissa support, warm for friendly, helpful. They just go above and beyond. In fact, they're often acknowledged for this second year in a row. Now they've been named at the data quality magic quadrant by Gartner G two S 2022 report and G2 crowd ranks Melissa, as a leader in both address verification and data quality software.

Leo Laporte & Steve Gibson (00:38:18):
So I think, I hope he, you understand the need to keep your customer data up to date, and I hope you understand Melissa's the place to do it. You can even try Melissa's APIs. If you want to, they've got a developer portal. You can log on, sign up, start playing in the sandbox for free 24 7. In fact, you can, you they'll they'll, they'll go through 1000 records for free, so you can pump some stuff at 'em and they'll clean it up automatically for free Melissa M E L I SS a melissa.com/twit. We thank them so much for supporting Security Now thank you for supporting security now by using that address. So they know you saw it here, melissa.com/twit. Sometimes it, it is confusing. I understand sometimes advertisers want you to put Security Now, sometimes we, we try to convince advertisers, just use TWI. So it's the same and, and you'll know who, you know, based on when your ad runs, who saw it when, so thank you, Melissa.

Leo Laporte & Steve Gibson (00:39:15):
They're gonna make it easy for for you just melissa.com/twit, but they'll know that you saw it here back to Steve Gibson and more security as I start to describe this latest attack. I have to conclude that the bad guys really do have an advantage. You know, the they're able to sit back and steeple their fingers with a far away look in their eyes. Exactly while they endlessly cook up one sneaky way after another to bend the technology, we've innocently given them to their dastardly purposes today, we had the latest attack concept. That's been named browser in the browser. It's, you know, it could have been done before, but it just occurred to a pen testing guy. It's a novel new form of Phish attack, which was designed and documented by a pen tester who goes by the handle, Mr. Docs. it's obvious once you see it, but it would not be obvious to a user who were to encounter it when they're expecting to see it.

Leo Laporte & Steve Gibson (00:40:27):
It's able to perfectly and convincingly simulate the popup browser window that we're all encountering more and more often with read of those third party, you know, single sign on options, embedded on websites. You know, the sign in with Google or Facebook or apple or Microsoft, whatever. I got two screenshots side by side, which this guy produced demonstrating that there's no way to tell them apart, you know, with page rendering, which allows JavaScript, CSS and HTML to perfectly recreate the appearance of a legitimate sign in with whomever popup dialogue, you know, an innocent user has no idea. And Mr. Doc notes, that one of the things that this attack so effective is that the spoofed dialogue clearly and prominently displays the exactly correct domain name, the verification of which we've been drilling into our users for years, you know, saying, make sure you're at the right site, double check the URL for any typos or lookalike characters.

Leo Laporte & Steve Gibson (00:41:41):
You know, don't be fooled. Well, you know, then along comes this perfect replica of a third party sign-in dialogue that accepts their innocently entered username and pass word. And because the JavaScript just printed a fake URL at the top of the dialogue, which is where they're expecting. Oh, I see. You know, it's, it's easy. I mean, I understand it's easy to duplicate the login screen. That's just, it's all open it's JavaScript and HTML. I get it. So instead of where the O puts the URL, you just put a graphic. Yep. That looks the same. And how would you know, unless you clicked it, I guess if you clicked it, you might not be able to click the padlock for instance, I don't know. Oh, that's really interesting. Why isn't it? I mean, and again, of course, you know, easy, you, you click on, you know, log, you know, sign in with Facebook up, this thing pops and you think, oh, I mean you're expecting it.

Leo Laporte & Steve Gibson (00:42:41):
And so you may be doing due diligence. You go, okay, wait, F a C E B O k.com. Yep. That's Facebook at. Nope. Oh, so you know, and Leo, just because Mr was yeah. Mr. Docs. I couldn't remember. It was Dr. Docs or not. Mr. Docs docs would be better, but I guess he, Dr. Docs would get his degree anyway, Mr. Doc. Yeah. Yeah. To avoid any unnecessary duplication of effort. Mr. Has thoughtfully provided attacker ready? Easy to use downloadable templates. It even has dark mode. That's right. You got, you got your dark mode. You got your light mode, you got your Chrome on windows or Macco S whatever you need, just get it from GitHub. Yeah. So you can't really just say, look at the URL anymore. Nope. I do wonder though what had happened. I guess you could write some JavaScript that if you clicked the padlock, you'd get something else, but probably another little thing that's missing.

Leo Laporte & Steve Gibson (00:43:49):
Yeah. It's good. Yeah. Yeah. Because the attacker has control of the window, so it do whatever you want. I mean, it's, it's a fake URL, so yeah. Fake, fake the click on the padlock. Yeah. And, and actually you'll be, since we were talking about squirrel, this already occurred to us back then, and a lot of attention was given to designing a popup dialogue that could not be spoofed in this fashion. So again, we we did a lot of work at the time. But yeah. Wow. I just, you know, look what we've done to poor users. It's just, I'm sorry. I'm sorry. You know, no wonder your mom says Leo how do I dot.do what's going on by the way? And of course you, I know you're not reading the Bobo verse. You're not listening to it on as an audio book, you're reading it, but Ray Porter reading, it does all the voices. He does Homer, not a great Homer, but he doesn't no kidding. Yeah. Oh, so, so there's a, he's a, he's doing a lot of good voices in there. It's pretty funny. He does. Wow. Colonel Butterworth. He does perfectly.

Leo Laporte & Steve Gibson (00:45:07):
It's very funny. Anyway. Sorry. Didn't mean to distract. Yeah. This is crazy. You I don't, how, what do we tell people now? You know, we always said, make sure it's the right URL. You have to manually enter it, but that's not gonna work for an authentication window. No. And well, look at that, look at the stuff that follows it. It's like I used to joke, I, I had a, a, one of my best friends was a lot older than I he has since passed, but his name was Gary. He was, I used to joke that the, the, the, the windows what is that key? We type in the, the, the five groups of five. The, I forgot what you call that anyway. The serial number, you mean? Yeah, yeah, yeah. The, and you had to type it in the license, the license key.

Leo Laporte & Steve Gibson (00:45:54):
I used to joke that it was the equivalent of copyright protection, terrible. Cause he was, he was never able to get it. Right. Remember we, he had that in. That was crazy. He'd be looking at it going okay. J Q five P P. Yeah. And I'd go, Gary. No, that that's an eight. Oh yeah. But anyway, you know, look at URLs, URLs used to be, they were supposed to be meaningful. Now they've got these grids in them. That's just gibberish. So yeah. You can't ask a user to type that. Yeah. They, they, they never get logged in. They just go away. So, wow. Okay. Last Wednesday, Microsoft blogged under the title uncovering trick bots use of I O T devices in command and controlled infrastructure. Microsoft considers tic consumer routers to be I O T devices. That's, you know, how they lump them. And I suppose since they lack a keyboard or display and they're, you know, by definition connected to the internet, they qualify as internet of things.

Leo Laporte & Steve Gibson (00:47:04):
So Microsoft offered an interesting forensic writeup, which I'll share the best bit of they begin with a bit of history. They said, trick bought a sophisticated Trojan that has evolved significantly since its discovery in 2016 has continually expanded its capabilities. And even with disruption efforts and news of its infrastructure going offline, it is managed to remain one of the most persistent threats in recent years, the malware's modular nature has allowed it to be, to be increasingly adaptable to different networks, environments, and devices. In addition, it is grown to include plugins access as a service back doors for other malware like re ransomware and mining capabilities. A significant part of its evolution also includes making its attacks and infrastructure more durable. And that's where we're headed here against detection, including continuously improving its persistence capabilities, evading researchers and reverse engineering and finding new ways to maintain the stability of its command and control framework.

Leo Laporte & Steve Gibson (00:48:21):
This continuous evolution has seen trick bot expand its reach from computers to internet of things. Devices such as routers with the malware, updating its command and controlled infrastructure to utilize micro tick devices and modules. Micro tick routers are widely used around the world across different industries by using micro tick routers as proxy servers, its command and control servers and redirecting the traffic through non-standard ports. Trick bot adds another persistence layer that helps malicious IPS evade detection by standard security systems, meaning that a a security system might be banning connections to a known malicious IP. So no problem. Let's bounce. Let's have trick bot bounce, its traffic through some random micro tick router. That's not gonna be banned. And then it will send its traffic on to the command control server, thus serving as a proxy. Okay. So when Microsoft says that micro tick routers are being used as command and control proxies using non-standard ports, they mean that once they've managed to crawl inside, they, the bad guys inside a micro tick router and we'll ex discuss exactly how that happens in a minute, they set up a proxy server or actually the equivalent it's actually just persistent Nat that's listening on one or more non-standard ports for incoming command and control queries from instances of trick bot out in the field.

Leo Laporte & Steve Gibson (00:50:11):
This provide the attackers with much more isolation and resilience than if all instances of trick bot were phoning home directly. Now we've all seen the movies where tracing the traffic is thwarted by having it bouncing around among various intermediaries in widely geographically spread jurisdictions. And also assuming that there's a sufficient available inventory of vulnerable micro tick devices. And we'll talk about that a minute. Apparently that's not, that's not a problem. Having different instances of deployed trick bots, connecting to widely dispersed micro tick proxies makes finding the actual command and control servers much more difficult and it makes the trick bot botnet much more difficult to take down. Okay. So Microsoft said the Microsoft defend for IOT research team has recently discovered the exact method through which micro tick devices are used in trick box command and control infrastructure. In this blog, we'll share our analysis of the method and provide insights on how attackers gain access micro tick devices and use compromised IOT devices, meaning these micro tick boxes in trick bot trick bot attacks.

Leo Laporte & Steve Gibson (00:51:36):
This analysis has enabled us to develop a forensic tool to identify trick bot related compromise and other suspicious indicators on micro tick devices. We publish this tool to help customers ensure these IOT devices are not susceptible to these attacks. We're also sharing recommend steps for detecting and remediating compromise. If found as well as general prevention steps to protect against future tax. Now I'm not gonna go into all that because you know, it's to sort down on the weeds and only applies to people who have these routers. And if you've got a micro tick router, just update it, make sure it's running the latest firmware and that you're not using default passwords because there are three ways. Microsoft has detected attackers gaining an initial foothold on these micro tick routers. They will first attempt to gain access using default micro tick passwords. It turns out that the old lesson has still not been learned and that micro ticks design wrongly provides for remote access under default credentials, which is just hard to believe in this day and age, as we know, default credentials, if any must exist, should never also be allowed to be used to enable remote authentication from the wan interface, any user wishing to enable when side remote admin maybe after first passing a sanity test.

Leo Laporte & Steve Gibson (00:53:17):
Why, well, why do you wanna do this? Are you really sure? It's really not a good idea. Anyway, should be required to create non default credentials, not doing this, not requiring. This is incredibly poor security design in this day and age. Well really ever, but now H how do you excuse it? Okay. So Microsoft said it will that they, these bad guys will first try using the default credentials. If that fails, then a brute force credential so-called BR credential stuffing attack is, is, is attempted Microsoft wrote that they have seen attackers using unique passwords that were probably harvested from other possibly related micro tick devices. You know, Hey, you know, it's worth a shot. Why not? And then believe it or not. And oh yeah, I know we all believe it by exploiting CVE, 2018, 14,847, a well known and law long since patched four year old vulnerability, which will succeed on devices, still running router OS versions older than 6.42.

Leo Laporte & Steve Gibson (00:54:38):
There's another way in this vulnerability, which we covered back when it was news at the time four years ago, gives an attacker the ability to read arbitrary files from a remote micro tick router, specifically a handy file such as user dot, which contains the passwords. And once in they then change is the routers password to retain control since any such router is probably long forgotten. That is to say a router that hasn't had its firm more updated in four years is long forgotten, probably tucked away in some dark corner or a closet with a sign on the door, which reads don't mess with anything in here. It's unlikely that anyone will be inconvenienced by having their routers password unilaterally changed by some remote hacker, let alone having it commande for use as a botnet command and control proxy. The attackers then use the handy dandy micro tick command that redirects traffic between two external ports on the router, thus enabling and establishing a line of communication between trick bot infected systems and trick bots, command and control, or perhaps another indirect link in the command and control chain.

Leo Laporte & Steve Gibson (00:56:12):
If they want to be more fancy like in the movies, micro tick has a router OS containing very powerful SS H accessible IP firewall and Nat stacks. It's this unique remotely accessible static Nat capability that makes micro tick routers so useful as unattended communications proxies. Microsoft says that they monitored a trick bot infected device connecting to a micro tick router over port 4 49, after which the micro tick router connected to a trick bot net command and control server over port 80, and as for today's inventory of micro tick routers, a relatively recent report by eclipse published. This last December found that hundreds of thousands of micro tick routers are still vulnerable to remote exploitation, despite patches having been available for them for years. And because these devices feature unusually powerful hardware, which is why they're so popular. They're seen as high value targets back in early December of last year, 2021 when covering this report from eclipse, our friends over at bleeping computer reached out to micro tick for comment about the sad state of their otherwise.

Leo Laporte & Steve Gibson (00:57:47):
Very nice and quite powerful routers, updating micro tick replied, quote, the ECSM report deals with the same old vulnerabilities we have mentioned in our previous security blogs. Oh, as far as we, yes. Yep. This, this problem has been here since 2018. As far as we know, they said there are no new vulnerabilities in router OS. Furthermore router OS has been recently independently audited by several third parties. They all arrived at the same conclusion. Unfortunately, they wrote publishing updated firmware does not immediately protect the affected routers. We don't have an illegal back door to change the user's password and check their firewall or their configuration. These steps must be taken by the users themselves. We try our best to reach out to all users of router OS and remind them to do software updates, use secure passwords, check their firewall, to restrict remote access to unfamiliar parties and look for unusual scripts.

Leo Laporte & Steve Gibson (00:59:06):
Unfortunately, many users have never been in contact with micro tick and are not actively monitoring their devices. We cooperate with various institutions worldwide to look for other solutions as well. Meanwhile, they finish, we want to stress the importance of keeping your router OS installation up to date. Once again, that is the essential step to avoid all kinds of vulnerabilities. Yes. So true. Yes, it is absolutely true. And I suppose we, you, we might be more sympathetic if they didn't also apparently have a default password that allows users to log in remotely. This has been covered before, again and again, why are you bringing this up? Steve? We know that we don't know that it might have been changed in their recent later releases, but again, so what, what may have once started off as fiction in the movies is actually underway today. All of those, you know, hopping five times around the globe before finally connecting to the mother's ship. And it's like, oh, you know, we can't, we don't, we don't have access into all those other geographies. So, oh, well yet there are hundreds of thousands of these things out there right now, hundreds. Unbelievable. Amazing.

Leo Laporte & Steve Gibson (01:00:37):
Okay, this one's cool. You're gonna like this one, Leo and a new and moderately severe problem has been discovered in all supported versions of open SSL. Now it's officially been called a high severity problem, but since problems in open SSL can be so much worse than an infinitely loop. I think it's more likely of moderate severity. Nevertheless, especially in today's current climate with, you know, increased cyber hostilities. It does seem destined to be exploited because it is so powerful. So ubiquitous and so easy to explore. The reason is that any internet server or service running any internet protocol whose security is being provided by open SSL as most Unix Linux and a great many cloud based services are, you know, open SL is the default TLS connection provider for our Linuxes. For example, that any of those that has not just in the last week received update patches and been updated as many internet servers will not have been yet, which consumes a user provider certificate such as a client certificate can be taken down with a simple, deliberately crafted TLS handshake.

Leo Laporte & Steve Gibson (01:02:14):
The trouble was discovered and reported by Google's TAs orandi who reported his findings to the open SS SSL team on the 24th of February last month, the trouble TAs found and worked out with David Benjamin Chrome's TLS guy, is that a modular soft a modular square root function named BN underscore mod underscore S Q R T if provided with a maliciously crafted certificate to parse will enter an infinite loop, thus ping the processor at a hundred cent and permanently hanging that thread. The CVE writeup of this problem is interesting. It explains, it says the BN mod square root function, which computes a modular square root contains a bug that can cause it to Lu forever for non-prime Moi internally. This function is used when parsing certificates that contain elliptic curve, public keys in compressed form or elliptic curve parameters with a base point in coded in compressed form.

Leo Laporte & Steve Gibson (01:03:39):
It is PO to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate's signature, any process S that parses an externally supplied certificate may thus be subject to a denial of service attack. Okay. In other words, since the certificate signature is checked for validity after the exploitable parameters are processed, anyone can contr trivially create a certificate that will completely lock up anything that's using open SSL. Their description continues. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters, the, the vulnerable solutions the vulnerable situations include. And this is from the CVE writeup, TLS clients consuming server certificates, TLS servers, consuming client certificates, hosting providers, taking certificates or private keys from customers certificate authorities, parsing certificate requests from subscribers, anything else which parses ASN one elliptic curve parameters, and any other applications that use the BN mod square root, where the attacker can control the parameter values that are vulnerable to this DDoS or this dos issue in the, okay, in the earliest open SSL 1.0 0.2 version, the public key is not parsed during the initial parsing of the certificate, which makes it slightly harder to trigger the infinite loop.

Leo Laporte & Steve Gibson (01:05:46):
However, any operation which requires the public key from the certificate will trigger the infinite loop. In particular, the attacker can use a self certificate for example, to trigger the loop during verification of the certificate signature. So, so you gotta sign the certificate rather than not care about the signature big deal. The issue affects open SL versions, 1.0 0.2 1.1 0.1 and 3.0. It would is addressed in the release of 1.1 0.1 N and 3.0 0.2 on the 15th of March. So last week that was exactly a week ago last Tuesday. So it's fixed in open SL 3.0 0.2, which fixed the effect versions 3.0 0.0 and 3.0 0.1 and was fixed in open SL 1.1 0.1 N which affected everything. 1.1 0.1 up through 1.1 0.1 M. So again, note that open SL 1.0 0.2, which vulnerable has reached end of life and is not being actively supported.

Leo Laporte & Steve Gibson (01:07:04):
So users are advised if anybody still has 1.0 0.2 to upgrade to a new release branch as soon as possible, because this one is not gonna be fixed publicly. And note also that many critical infrastructure ish things routinely make use of certificate based mutual authentication, where each of the two endpoints provides an identity asserting and assuring certificate, as a means for securely establishing their identities to each other, you know, not just IP addresses, but you know, let's swap certs and you know, Leo, you and I were always talking about a, a cert being the right way to authenticate an SSH connection. So, you know, it's like that therefore, any such system with listening ports exposed to the public internet, despite administrators being sure that it will only connect to other endpoints, which provide the proper matching certificate or expected certificate are immediately vulnerable to being taken down by anyone else on the public internet.

Leo Laporte & Steve Gibson (01:08:17):
Not surprisingly, this is all generated a great deal of interest and GitHub has been buzzing and all the work has been done with someone else using the handle cat bro, 6 66, providing a working proof of concept certificate, which will take down any unpatched instance of open SSL that makes the mistake of accepting any such certificate. The hosting processor is pinned, as I said, at 100% utilization and nothing else gets done so far, there are no confirmed indications of, of this thing being exploited. But for this one, it's more you know, a matter of when not weather there was one report of the Italian cert posting that this had been seen in exploitation. But my guess is that was a mistake since that, you know, there was only one one off instance of, of that being alerted. So probably nothing to worry about.

Leo Laporte & Steve Gibson (01:09:23):
But again, you know, if you're using open SSL and your system will accept a cert from somebody you wanna make sure that you update it and this is only a week old. Okay, this is really cool. CSA alert, AA 22 dash 0 7 40 a I wanna share an interesting, this interesting CSA alert, which details a Russian state's supported attack upon an NGO an a non-governmental organization, because it contains some interesting and quite specific forensic detail from their investigation and may have some useful takeaways for some of our listeners. CIS alert is titled Russian state sponsored cyber actors, gain network access by exploiting default multifactor authentication protocols and print nightmare vulnerability. So CI's report opens with a summary. They said the federal bureau of investigation and cyber security infrastructure security C CSA are releasing this joint cyber security advisory to warn organizations that Russian states supported cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability.

Leo Laporte & Steve Gibson (01:10:56):
As early as may 21 Russian state sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-government organization, allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical windows print spooler vulnerability. Imagine that print nightmare to run arbitrary code with system privileges, Russian state sponsored cyber actors successfully exploited the vulnerable while targeting, excuse me, an NGO using Cisco's duo MFA, enabling access to cloud and email accounts for document exfiltration. This advisory provides observed tactics, techniques, and procedures, indicators of compromise, IOCs, and recommendations to protect against Russian state sponsored malicious cyber activity, FBI and CSA urge all organizations to apply the recommendations in the mitigation section of the advisory. Okay. So here are some of the interesting details of this attack, which were uncovered during its investigation. They said as early as may, 2021, the FBI observed Russian state sponsored cyber actors, gain access to an NGO, exploit a flaw in default MFA protocols and move laterally to the NGO's cloud environment.

Leo Laporte & Steve Gibson (01:12:34):
They said Russian state supported cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in meaning, you know, computer or I guess could have been handheld in the organization's dual MFA. The actors gained the credentials via brute force password guessing attack, allowing them access to a victim account with a simple predictable password. Okay. So they're calling it brute force, but apparently not much brute was needed or for that matter, if it was, you know, a predictable password. Okay. So now we're in the victim account had been unenrolled from duo due to a long period of inactivity, but it was not disabled inactive directory. As Duo's default configuration settings allow for re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements and obtain access to the victim network.

Leo Laporte & Steve Gibson (01:13:59):
Okay. Now, first of all, I'll just mention, cuz I don't mention it later. That's a bad default, right? But it's not the worst default as we'll see in a minute, but this says that if a, if an account is dormant and, and stops being supported, just using it again without any needing to do anything else brings duos support for multifactor authentication on that dormant account back to life, doesn't have to be that way. But as the default, they said using the compromised account, Russian state sponsored cyber actors performed privilege escalation via exploitation of the print nightmare, vulnerability to obtain administrator privileges. And again, this is another reminder, you know, it's, it's E easy to think of remote code execution attacks as being or remote code execution vulnerabilities as being really bad. But we keep seeing that that bad guys are able to get in as an unprivileged user.

Leo Laporte & Steve Gibson (01:15:05):
You do not want them to be able to, to elevate that privilege to admin. Anyway, print nine nightmare made it possible. The actors also modified a domain controller file. Get this, see colon slash windows slash system 32 slash drivers slash cetera, slash hosts. If anyone who's familiar with the windows directory layout knows that that's where windows hosts file lives and it is still there and still effective to this day. And we may remember a little anecdote, but I got caught out when the, it was the credit card processing service backend that we use changed their IP address. And I had stuck their IP address in GRCs servers host file. And I couldn't figure out why isn't DNS like working well. I overwrote it in the hosts file as one can. Anyway, these guys modified a domain controller file. The domain controller's host file, thus redirecting duo multifactor authentication calls to local host instead of where it would normally go.

Leo Laporte & Steve Gibson (01:16:31):
The duo server, this chain range prevented the multifactor authentication service from contacting its server to validate MFA login. So it failed of course, right. And locked you out. It failed of course, this effectively disabled oh, multifactor authentication for active a main accounts because the default policy of duo for windows is to fail open, open. Ah, I remember Bruce Schneider talking about how many enterprise tools fail open, including firewalls Leo it's like we would not, we wouldn't wanna inconvenience anybody, especially not a Russian attacker. Yes, exactly. That would be an inconvenience. Slows them down. That's why I'm putting on my hoodie. I'm getting it. Wow. I know this is a real problem. Cause a lot of supposedly very secure places use duo. Okay. Yes, exactly. So, and then as if to apologize for mentioning this CSA added note, fail open can happen to any MFA implementation and is not exclusive to duo.

Leo Laporte & Steve Gibson (01:17:50):
Okay. But since the tyranny of the default is one of this podcast's core observations, I was curious about Cisco's default for their duo MFA and sure enough, in an FAQ over@duo.com in answer to the question, how can I configure the fail mode? Duo replies quote by default duo authentication for windows login will fail open and permit the windows log to continue. If it is unable to content act, the duo service, you can set the fail mode during installation to fail closed. Oh, by Des yes, during installation, but it's not the default. No, by deselecting the bypass duo authentication when offline box during installation. Okay. But this as if you're you're two factor authenticator, you don't have the code. That's fine. Go on in. It's so dumb. Exactly. It's now. And if, if an admin is installing this for the first time and you don't yet know it all well, so you're gonna leave all of the presumably recommended defaults alone, right. At least for the time being yeah. We've all been there. Right. So is there any reminder in the UI that that's the way it was set? No. Okay. But it's, it's easy to change that later, right? No. Since they're answering the question, how can I configure the fail mode? Meaning that presumably it's not obvious, thus needing to be answered in the products, FAQ duo, then proceeds to explain change the fail mode after installation use the registry editor, red dot XY. What?

Leo Laporte & Steve Gibson (01:20:03):
Oh, you can set it. Yeah. Yeah. We provide a key. We, we provide a key for that. Just dig down 12 layers in the registry. What? Oh my God. Admin privileges of course. To create or update, they say the following registry value. Okay. Wow. So not really the secure by operation that you'd expect from an addon multifactor authentication system whose entire purpose is to meaningfully increase the system security. Yes. After all, as you said, Leo, this system is now incon conveniencing everyone all the time, you know, by having it except the Russians who simply bypassed it vault by taking yeah. Strategic advantage of Duo's well known default fail, open policy. So I wanted to bring this up in case any of our listeners work with companies using Cisco's duo MFA, I do, it might be worth having, or it admin check out the current setting of that registry key.

Leo Laporte & Steve Gibson (01:21:13):
Anyway, I concluded a link to the fact item in question in the show notes. Anyway, CISA continues after effectively disabling multi-factor authentication, Russian state sponsored cyber actors were able to successfully authenticate to the victim's virtual private network as a non administrator user and make remote desktop protocol connections to windows, domain controllers. The actors ran con demands to obtain credentials for additional domain accounts. Then use the method described in the previous paragraph change the MFA configuration file and bypassed multifactor authentication for these newly created and compromised accounts. The actors leveraged most mostly turtle windows utilities already present. Remember living off the land within the victim network to perform this activity, using these compromised accounts without MFA enforced Russian state sponsored cyber actors were able to move laterally to the victim's cloud storage and email accounts and access desired content. And for those who aren't clear about the nature of NGOs, you know, the target of this attack, you know, they're typically benign nonprofit, explicitly unaffiliated with any particular government. You know, a few examples of NGOs would be peace international care, the world wildlife FA the fund and doctors without borders, CSA doesn't tell us which NGO was targeted in this instance, but you know, Russia knows, wow.

Leo Laporte & Steve Gibson (01:23:11):
Then we have the windows local privilege escalations speaking of local privilege, escalations that Microsoft seems unable to fix this is the believe it or not ongoing saga of a windows flaw that Microsoft paradoxically appears to be unable to fix since there's no obvious reason why this particular problem should be beyond them. One must conclude again, as we have been with increasing frequency lately that they just really don't care or that something has gone very wrong somewhere deep inside, this all begins way back last August of 2021 with an elevation of PED vulnerability in the windows user profile service back then it was tracked as CV E 20 21 34, 4 84. After having been discovered by a security researcher named Abdel Hamed NAI. And if his name seems familiar, it's because the problem he found just won't go away and we've been following and it's no, not a small problem.

Leo Laporte & Steve Gibson (01:24:27):
It's a, as I said, a local PED escalation, which allows unprivileged users like those pesky Rus who manage to gain access to then acquire valuable administrative privileges in windows 10 11, and the latest version of windows server. It has a CVSs of 7.8 and although exploits have been publicly disclosed thus by Microsoft's own definition, it's a zero day for them. No evidence has yet been found of his exploitation in the wild or any sincere or for that matter, any sincere attempt on Microsoft art to actually fix it. No discovery. It was originally said to be fixed as I noted as part of August, 2020 one's patch Tuesday, but NAII became curious after those patches were published and pushed out to see how Microsoft had fixed, what he had found, what he now found back then was that Microsoft had not fixed the problem. Instead. It was another one of those addressed the symptom, not the problem, pseudo fixes.

Leo Laporte & Steve Gibson (01:25:41):
So NAII presented another proof of concept, which bypassed Microsoft's non fix across all windows, desktop and server versions and spoiler alert that remains true today. It was at this point that our friends over at zero patch, the guys who create those wonderful little itty bitty micro patches, which fix problems that Microsoft hasn't yet or can't, or won't decided to release one of their own unofficial patches for all windows versions, making it free for all their registered users. Apparently not being in any huge cure. Hurry to fix this after their August fail. The first time they checked this off their fixed list. Microsoft finally responded to the second bypass in their January of this year, 2022 patch Tuesday. And they updated its CVE for some reason to 20 22, 21 9 19. Marking it again as fixed and again, believe it or not, it wasn't. And today still isn't once again, NAII found a way to bypass Microsoft second attempt and noted that this one was even worse than the first happily, that original micro patch still worked, but marches this just two weeks ago, update two weeks ago changed the DLL in question, which is prof as in profile P O F E X T dot DLL, which broke zero patchs micro patch.

Leo Laporte & Steve Gibson (01:27:24):
So not only did Microsoft's March update, still not resolve the problem, but it also removed the third party protection that zero patch users have been enjoying until then undented zero patch has updated its micro patch so that its users are once again protected while we presumably wait from Microsoft to yet again, try to actually fix the problem. And in one last bit of happy news users of windows, 10 additions, 18 0 3, 18 0 9 and 2004 have remained safely detected by zero patches, original patch. Since those windows editions have reached the end of their support life and were therefore spared from receiving Microsoft's update, which re-exposed everyone else to the problem.

Leo Laporte & Steve Gibson (01:28:24):
Yes. That's what makes the security industry and the, the computer industry. So interesting. I nonsense again and again. Wow. Leo. So I'm going to sip some water. You're going tell our listeners why we're here and then we're gonna talk about use after free and what, why it just keeps being such a problem. Good. I'm looking forward to that. It's gonna be interesting. We talk a lot about garbage collection. I imagine that will be involved in the subject. In fact, we get, we get the abbreviation GC, GC. I'm wearing a hoodie because I'm on the black team. I'm not on the red team. I'm not on the blue team. I'm on the hoodie team. I'm coming to get ya. That's why you need Plex Trek. The purple teaming platform. I guess we, we can't say black hat anymore. I'm a, I'm just a bad guy. Can we say that I'm a guy bad hoodie.

Leo Laporte & Steve Gibson (01:29:25):
Security now is brought to you by PlexTrac the proactive cyber security management platform. If you're ready for the benefits of purple teaming, but you don't know how to get started. This is the place to go. If you want to work to ensure your security posture, and you're struggling to optimize efficiency, to facilitate cooperation and collaboration within your team, I've got a great solution for you. Plextrac. It's the powerful, but easy to use. In fact, it makes your life easier cybersecurity platform. It centralizes all your security assessments, all your pen, test reports, your audit, fun findings, your vulnerability tracking. It transforms the risk management life cycle. It makes means security teams can generate better reports faster. If using templates among other things, you can even have drag and drop from your various testing apps. You can aggregate and visualize analytics and then comes time to go to the blue team and say, let's fix this thing.

Leo Laporte & Steve Gibson (01:30:24):
You can collaborate on remediation in the PlexTrac platform in real time. It's a, it's a, it's a collaborative platform and that's really the best way to solve these thorny security issues. The PlexTrac platform addresses pain points across the entire spectrum of security, workflows and roles. I'll give you a couple of them. There's many modules, but the, for example, the reports module I was mentioning, this is great because you can, you can put in code samples, you can put in screenshots, you can add videos here. I am standing in front of the server. It's broken. If you want, you can import findings from all of the age, your scanning tools, I'm being silly. You can't export to custom templates. So if you're doing something again and again, and you are aren't you with a click of a button that template pops up, you repopulate it I'm being silly, but honestly, all of those visual features really enhance your communication with stakeholders, your board, your CEO, your CSO, CIO, and communication is part of what what this is all about.

Leo Laporte & Steve Gibson (01:31:28):
You'll love the runbooks module. If you're the red team, because you can use it to facilitate your tabletop exercises and your red team engagements. You could do breach and attack simulations. It's kind of like that big D and D book. You know, the dungeon master has with all of the rules in it, but it's automated. It's automatic. It'll also help you with your purple teaming activities. So your communication and collaboration is facilitated. It upgrades your program's capabilities by making the most of every team member, every tool. And this is really important, cuz I suspect we're really talking to the team members here on this show. It's gonna make your life better. Your life easier, easier to communicate, easier to get your job done, easier to get the fixes done. And that's really why you're there. Isn't it analytics module. You'll love this. It'll help you visualize your security posture.

Leo Laporte & Steve Gibson (01:32:14):
You can quickly assess and prioritize, which will help you go create a more effective workflow. You can map risks to frameworks like Mir attack to create a risk register. Really you're getting the idea that this is all about kind of facilitating and automating the stuff that you're doing day in, day out, eliminating the repetitive. So you can really focus on getting the job done. Enterprise security teams use flex track to streamline their pen tests and security assessments and incidents, response reports, and much more keeping the red and the blue teams focused on getting the real security work done with PlexTrac. You'll gain precious time back in your team's day and you'll improve employee morale. I'll give you an example. There's a lot of testimonials on the site, but this one from an enterprise cut customer Jacobs engineering, they said quote, deploying PlexTrac allowed our team to cut the reporting cycle by 65%.

Leo Laporte & Steve Gibson (01:33:07):
And I can guarantee you that 65% was busy work. It wasn't about getting the job done. It was about typing and by eliminating all of that T as time consuming work, you're more effect. If you're getting the job done, you're communicating better. You're collaborating better. I want you to book a demo today to see how much time PlexTrac can save your team, how much pain it can eliminate from your day to day life, try PlexTrac free for one month and see how it can improve the effectiveness and efficiency of your security team. And if I'm talking to the stakeholders and not the security team, don't worry, it's not gonna make their life easier. It's gonna make your life easier. They don't want, they don't care about you. It's gonna make your life easier. You're gonna like it. Simply go to Plex, track.com/twi P L E X, T R a C plextrac.com/twit.

Leo Laporte & Steve Gibson (01:33:57):
You probably heard about this. If you certainly heard me talking about it, get your free month, get your demo. You're gonna love it. I guarantee you P L E X T rac.com/t w I T. Use that address to let 'em know that you saw it here. Plextrac.Com/Twit. We thank PlexTrac so much for all they do for security teams, blue and red and purple across the board. And thank them for a support Steve's work. I'm pointing it the wrong way. You're not over there. Steve's work on security now. Well, you're truthfully in this studio. You're everywhere. You're on every monitor everywhere. Right? Let's talk about the garbage collection and yeah. Use after free, which sounds kind kind of sexy. Actually. I don't know what is, what is used after free? So today's nominal podcast. Topic was inspired by several pieces. As I mentioned at the top of recent listener feedback.

Leo Laporte & Steve Gibson (01:34:54):
And it was a tweet from Steven be Chester that finally caused me to decide to give this a bit more time. Steven tweeted, it would be good. If you could clarify your comments about use after free vulnerabilities in Firefox, he said Perez and similar ones in previous weeks, he said, you've said a few times that use after issues are being caused by memory management being done automatically by the language that implied to me, at least that the language that Firefox is written in is memory managed and causing the issues, which seem pretty unlikely to me after some further digging, it seems like the issue is actually with Firefox's automatic memory management that runs underneath the HTML CSS JavaScript stack. Okay. So first of all, if I didn't say it, I would've meant that memory management is being performed by the languages run time. And, but you could have a, and you could have a use after free, if you Malix something and deallocate it and then call it, you could do it to yourself.

Leo Laporte & Steve Gibson (01:36:03):
It doesn't have to be an automatic tool. That is exactly right. And in fact, I, I, I will get to that sort of non-automatic issue in a second, but, but the, the attacks that we see being leveraged are generally the implementation of JavaScript and JavaScript is famously a, a language with automatic you know, background garbage collection. And although, unfortunately we have a name collision here. We made it very clear long time ago that Java language and JavaScript have, you know, not nothing in common, right? But Java, the language is a perfect example, both because being a virtual machine based language, you know, there's the Java JVM it, it Java the language has a clear runtime environment. And because it's us for having a very powerful garbage collector in looking around for some examples I found a webpage titled how Java garbage collection works.

Leo Laporte & Steve Gibson (01:37:11):
And it starts off saying Java memory management with its built-in garbage collection is one of the languages finest achievements. It allows developers to create new objects without worrying explicitly about memory allocation and de allocation because the garbage collector automatically reclaims memory for reuse this enables faster development with less boiler plate code while eliminating memory leaks and other memory related problems. Then it says, at least in theory, ironically, Java garbage collection seems to work too well, creating and removing too many objects. Most memory management issues are solved, but often at the cost of creating serious performance problems, making garbage collection adaptable to all kinds of situations has led to a complex and hard to optimize system to wrap your head around garbage collection. You need first to understand how memory management works in a Java of virtual machine, and we're not gonna get into that because the rest of that page goes into a lengthy treatise on Java's memory management.

Leo Laporte & Steve Gibson (01:38:24):
You know, the task of sweeping out the garbage memory garbage has been the topic of a great many academic papers. And I've found to my, I guess, not surprised, but I thought it was interesting that Amazon lists two books dedicated solely to the subject. There's the garbage collection handbook, colon. Yes, the art of automatic memory management. And that says Perens applied algorithms and data structures. And then we have garbage collection, colon algorithms for automatic dynamic memory management. And I thought the back flap of that one was interesting. It says the memory storage requirements of complex programs are extremely difficult to manage lead by hand a single error. Like what you were talking about. Leo may lead to indeterminant and inexplicable program crashes often worse, worse. Yes. Very common. We're still. And in fact that's what you want actually is a crash.

Leo Laporte & Steve Gibson (01:39:30):
You wish it would crash. Yeah. That's yeah, exactly. Then, then, then you could begin to track it down. And the, the FLA says we're still failures are often unrepeatable. Oops. And may surface only long after the program has been delivered to the customer. Yeah. The eradication of memory errors typically consumes a substantial amount of development time. And yet the answer is relatively easy garbage collection removing the clutter of memory management from module interfaces, which then frees the programmer to concentrate on the problem at hand rather than low level bookkeeping details for this reason, most modern object oriented languages, such as small talk Eiffel, J Ava and Dylan. And of course, JavaScript are supported by garbage collection. Okay. You could tell how old this book is by the name, but those by those choices of languages. Okay, Dylan. Hello, Dylan. Small talk an Eiffel. Okay. Small talk, right?

Leo Laporte & Steve Gibson (01:40:31):
They are garbage collected. That's true. Yeah. Yeah. In fact, I think it was 19 it's ones maybe. Yeah, yeah. Yeah. Tell yeah. Says garbage collecting libraries are even available for such uncooperative languages as C and C plus plus this book considers how dynamic memory can be recycled automatically to guarantee error free memory management. There is an abundant, but disparate literature on the subject, largely confined to research papers. This book sets out to pool this experience in a single accessible and unified framework visit this book's companion website, which I'll be surprised of. It's still around for updates, revisions, online, GC resources, bibliography, and links to more GC sites. And speaking of the devil Dr. Dobb journal. Oh yeah. Reviewed the book. Oh yeah. Running the light without overbite. Oh yeah. That's right. Yep. They said whatever else Java has accomplished. It has finally brought garbage collection into the mainstream.

Leo Laporte & Steve Gibson (01:41:38):
The efficiency and correctness of garbage collection algorithms is hence forth, going to be of concern to hundreds of thousands of programmers. Those who really care about this could do no better than to start with garbage collection Al rhythms for automatic memory ma dynamic memory management. Wow. This the sort of comprehensive engineering manual that is so rare in computing just before we go too much farther. Just so people know why this is important. Almost always, when you're using doing a computer, let's say you're creating an array or you've got a database you're, you're gonna ally some memory to store this stuff in, operate on it. And then when you're done, deallocate it. If you don't, deallocate it eventually memory fills up, it's called a memory leak and you crash. So you've gotta, deallocate it. And there really only three different ways to do it. One the way Steve does it, which is he keeps track of it.

Leo Laporte & Steve Gibson (01:42:34):
And when he's done with it, he deallocates it. Right. You do it by hand cuz you're an assembly language. Yep. There is garbage collection, which is an automated process and can be done well or poorly that periodically on a timer goes through this system and says, are you using that? Do you need that? I'm like, okay, I'm gonna let it go. There's also what rust does, which I think some people think is more effective, just another kind of garbage collect, which is counting by reference. So it just counts up. How many times something uses it counts down when it's not being used. It, it releases it all three have problems. There's no perfect way to do this because if you deallocate something and then use it, that's a use after free bug. So it's not to garbage collection. I, you know, I think people would argue letting programmers do it is even worse.

Leo Laporte & Steve Gibson (01:43:23):
So yeah. In fact, yes, I, I, I, I mentioned in my notes, I said it could certainly be that in a non-automatic language like C one thread or process manually ease some memory that another threat or process later attempts to use in that case, the culprit is clearly a coding error. Either the memory should not have been freed when it was, or the coding or the code attempting to still refer to it later should have known not to attempt to do so, or is in an instance, we, we referred to recently, there was no actual error in the code at all, but there was a dangling pointer left around, which pointed to some previously freed memory. The original code was not gonna refer to that pointer, but I clever hacker figured out how to exploit it. Oh. To their advantage. So you could have written a perfect code.

Leo Laporte & Steve Gibson (01:44:22):
Yes. Release some memory and then the bad guy modifies your code and attacks you. Oh, that's devious. Yes. So, you know, what we see is that the term use after free is a bit of a catchall you know, more than we'd like it to be, you know, it's a bit like when Microsoft describes a vulnerability by saying that it allowed a security restriction to be bypassed, like what? Huh. Well, we, you know, yeah, yeah. We're not really sure, but yeah. Did seemed bad. So probably cuz it allowed a security restriction to be bypassed, but for what it's worth, th this issue is a big deal. You know, it's been the sole topic of many computer science, PhD, dissertations, you know, there are people with, you know, doctor in their name because they wrote something, you know, they invented some new twist on garbage collection.

Leo Laporte & Steve Gibson (01:45:18):
I mean, so, you know, and you know, my in scrolling down through a lot of this stuff, Leo, you know, I saw simple examples, right? Where many languages allow you to use a block structure where you'll open curly braces and do a bunch of stuff and then close curly braces. And the the presumption is that that block is self-contained. So if inside those curly braces, you were to just say, you know, a equals something or other, then the presumption is when you close the curly brace, as you, you, you, you implicitly declared. And first used the variable a within the curly brace that leaving the curly brace that a is so called it's out of scope, scope as scope variables, almost all modern languages do that. Yeah. Yes. And again, super handy. Super convenient. Yeah. But just need the language to know that, oh, he's not, you know, we're no, we're no longer responsible for, for talking about a and if you do, it's the program, it's an error.

Leo Laporte & Steve Gibson (01:46:23):
Well, and the compiler or the interpreter's gonna go a A's undefined, what are you doing? Yeah. I don't know what that is now. Yeah. Yeah. All the reason I'm defensive is GC is cuz every language I use has garbage collection. It's hard to find a language these days except for sea and rust and you know, assembly well, and, and in, I'm not sure where we are today, but there was a time when languages like the, the, the, the operation of Graham would suddenly stall for no apparent reason it's cuz the garbage collector had kicked in. That's like busy. Yeah. Yes. You get these periodic pauses while it's right. Going through this little robots going around, looking gunny garbage for me, it's that guy with a little white mustache and on a wheel he's got one wheel. Yeah. And he is got a little broom and he is like, you know, sweeping a along.

Leo Laporte & Steve Gibson (01:47:14):
Yeah. I love this subject. Keep going. This is good stuff. This is also some ways the history of computing really. Yeah. You know, as our li as our old time listeners know, we had a lot of fun back in the early days of the podcast talking about, yeah, I love it, how this all happened and, and the whole history of computing. So anyway, all I want was that it is one of the reasons where I'm, that our listeners are sometime confused is that use after free is not just one thing. It doesn't have one. Cause it doesn't one environment, you know, I've, I've had people say, Hey, you know, static languages don't have the problem. Yes, they do dynamic languages. Don't have the problem. Yes they do. Again, it is, it's like saying, oh, you know, this vulnerability is a security bypass.

Leo Laporte & Steve Gibson (01:48:07):
Okay. Well, and so using after free just sort of is, is more generic than we would like, but it, it, so it serves as a catchall for a large, a large set of environments where hacker was somehow able to reference memory in a way that wasn't intended. And so we'd just kind of call that used after free and don't is the second part of that. And more specific details would be nice. Yeah. If, if we had them, I never even thought about that. But of course, if there, if a bag guy could write code that, that I do access memory that had been deallocated your code could be perfect, but the bad guy was able to modify that code. That's yes. And, and, and what off, what can happen is that if, if you've deallocated to some code and then it's been reused, then the old pointer used to point to something in a different contact.

Leo Laporte & Steve Gibson (01:49:12):
Now it points to its new contents, which the attacker may have just managed to load. Right. So I used to software is hard. I used to play within love language called force that it was all in the state, the, the, the, the right only language. Yes. You, you can, you can, you can not read that language, but all, but you, you didn't really, I guess you could, as I remember allocate memory, but the idea was it's a stack based language everything's on the stack, but you could still overrun the stack. So even there sure. And you know, and for example, in, in C local variables are on the sta, right? Because our, our, our computer instructions provide a very nice stack pointer, a a actually it's a frame pointer reference, right. Because this stack might still be moving around. This is this part of the stack here.

Leo Laporte & Steve Gibson (01:50:09):
Yeah, yeah, exactly, exactly. And so when you exit from the routine, you, you, you so-called pop the stack, which, which just disposes of all of those temporary references. So this stuff is fascinating. People will end up getting into programming, often end up into getting, writing their own interpreters, compilers languages, because it is so interesting. And we, we've also seen the phenomenon. If you give somebody a, an object or in a language, which inherently allows you to create meta language, right. To describe the problem domain, you can end up spending all your time. Coming up were the coolest way to start getting ready to actually write some code. That's kind of like fourth too. That's why it's re it's read only cuz you write your own vocabulary. So you're writing in the language. You understand nobody else does. And absolutely. That's the big thing of lisp and in the schemes of languages, I love is writing a domain specific language and you're right.

Leo Laporte & Steve Gibson (01:51:12):
You can spend your entire day doing that and not solving the problem, getting really ready to actually I am. So I am, I've got this cool vocabulary, Steve Gibson so much fun. It's really great to have somebody who has roots in the past, understands the present and can contextualize what's going on. That's what this guy does. So well every Tuesday right here, one 30 Pacific, four 30 Eastern, 20, 30 UTC. If you wanna watch it live, live.twi.tv people are watching live often head over to our IRC. Yes, we run an I server. Well, our community does@ircdottwi.tv. You could chat live there. People are members of club TWI also have their own place to chat our club, TWI discord, which is a place going 24 7. In fact, we have a great coding section in there. We're we're talking about this kind of stuff all the time.

Leo Laporte & Steve Gibson (01:52:07):
If you are not a member of club TWI, I wanna invite you join. It helps the network keep shows on that are, are maybe not necessarily self supporting. As an example, that's where we do the untitled Linux show dict Bartos GIZ is there Stacy Higginbotham's book club. You also get ad free versions of all the show. So if you don't like ads, you don't want to be tracked. I completely we understand, but that's how we subsidize ourselves. So you could do it for seven bucks a month, no more ads. That's all less than a couple of Starbucks coffees, unless you get one of those big frappuccinos. And that's just one of them. Seven bucks a month go to twi.tv/club TWI from our information about club to it and all the benefits. Patrick Delehanty just did his fireside chat in the club that's available online and the TWI plus feed.

Leo Laporte & Steve Gibson (01:52:54):
We have Stacy's book club this week. Next week, Paul throt is gonna do a fireside chat. So in fact, I really want you to get you to do a, a well, whatever want, but a VI you've already done one, but I think a vitamin D show for the club would be awesome. Twi.Tv/Club TWI. If you wanna get copies of the show, there's two places you can go. Of course, our site twi.tv/sn. Steve's got 'em too. He fact, he has two unique formats. He's got the 64 kilo audio, just like we do, but he also has a 16 kilobit version for people who just don't want a big file for the bandwidth impaired. He also has transcripts written by the great Elaine Ferris. She writes it all down so you can read along as you're listening or even just read instead of listening or in the most useful thing, search the transcripts to find the part of the show that you're into.

Leo Laporte & Steve Gibson (01:53:46):
And, and that goes, do you have, you don't have transcripts for all the shows. You just have it from yeah, we, we went back, went back and did it, did it from day one. Wow. Wow. That's really nice. Thank you. That's all@grc.com while you're there, by the way, you might wanna check out spin, right? That's Steve's day job, his bread and butter the world's best mass storage, recovery and maintenance utility. You can pick up a copy of 6.0 right now, you'll get a free copy of 6.1. When it comes out. If you buy today, you'll also get to participate in the development of six one. Steve's working very hard on that. It's imminent grc.com plus lots of free stuff like shields up and so forth and in control, which I plugged on the radio show this weekend, cause somebody said, I don't, I never wanna use windows 11.

Leo Laporte & Steve Gibson (01:54:35):
I said, well, I've got a perfect program for you. Be InControl. I guess that's all I need to say except thank you again, Steve, for doing such a great job and we'll see you next time on security always, right? Oh, I, what is, it'll be the one more, we got one more episode this month. Cuz we got a normal size month. We started at on the first of the month. So yeah, on the 29th spring is here the spring edition ITO. Bye. 

Rod Pyle (01:55:01)
Hey I'm Rod Pyle, editor of ad as magazine and each week I'm joined by Tariq Malik, the editor-in-chief over at space.com in our new This Week in Space podcast. Every Friday Tariq and I take a deep dive into the stories that define the new space age. What's is NASA up to when will Americans once again set foot on the moon. And how about those samples in the perseverance Rover? When are those coming home? What the heck is Elon must done now in addition to all the latest and greatest and space exploration, take an occasional look at bits of space flight history that you probably never heard of and all with an eye towards having a good time along the way. Check us out on your favorite podcast catcher.

... (01:55:39):
Security

... (01:55:40):
Now.