
Security Now Episode 864 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for Security Now. Birthday boy Steve Gibson is here, and we have lots to talk about, as always: the second Chrome zero-day vulnerability of 2022. We'll talk a little bit about the challenges presented to ISPs in Ukraine and the war there, and Kaspersky Lab by the FCC, but should you stop using it? It's all coming up next on Security Now. Podcasts you love

... (00:00:30):
From people you trust.

Leo Laporte (00:00:33):
This is Security Now with Steve Gibson, episode 864, recorded Tuesday, March 29th, 2022: Targeted Exploitation. This episode of Security Now is brought to you by Grammarly. Get through those emails and your work quicker by keeping it concise, confident, and effective with Grammarly. Go to grammarly.com/securitynow to sign up for a free account, and when you're ready to upgrade to Grammarly Premium, get 20% off. And by NetFoundry: make the security of the network entirely irrelevant by isolating your applications and data with open source embedded zero trust. Grab your free swag and free tier now by going to netfoundry.io/twit. And by World Wide Technology and Fortinet. When was the last time your company updated your security strategy? Are your business assets protected? WWT combines strategy and execution to secure your organization and drive business outcomes. Visit wwt.com/twit to get started. It's time for Security Now with the star of the show,

Leo Laporte / Steve Gibson (00:01:49):
Steve Gibson. Hello, Steve. Hello, my friend. Well, we're wrapping up the first quarter of March. This is Security Now episode 864 for March 29th, and I am now 67 years old. A big thank you for all of the very thoughtful birthday wishes last week. Congratulations. I forgot to say happy birthday. Yeah, all were appreciated. I don't feel any different. I think maybe when I hit seven zero, that may have an effect, but still, everything still works and I've got lots of energy, so that's good. We're gonna talk about targeted exploitation because Google has just suffered its second zero-day vulnerability of the year, which is what we'll start talking about here in a minute. And it issued an out-of-cycle, you know, everyone wants to call it an emergency patch, but, you know, browser update, okay.

Leo Laporte / Steve Gibson (00:02:54):
And better sooner than later. But the first zero-day vulnerability, we now have, thanks to a report published by their TAG, their Threat Analysis Group, a complete readout on what was going on with the first zero-day and its use in targeted exploitation. So, you know, we've talked about it. We've talked about how, eh, it's not really that big a deal, but the opportunity to really take a look at exactly what one of these is I thought was too good to pass up. So we're gonna start off looking at Chrome's second zero-day vulnerability of the year, which, by the way, makes it in better shape than it was this time last year. We then spend some time with an interview of the chief technical officer of one of Ukraine's largest ISPs, and we're gonna learn about the challenges that he's facing as he, you know, works to keep the internet available, but for only some of the people who are in country. We also have JavaScript's most popular package manager, NPM, that we were just talking about, once again under attack. Oh, and Honda tells worried reporters that they have no plans to address the consequences of a new glaring security vulnerability affecting five recent years of their Honda Civics' design.

Leo Laporte / Steve Gibson (00:04:28):
We can judge for ourselves. The FCC has classified Kaspersky Lab as a national security threat, which we're gonna talk about, and also adds a bunch of Chinese telecom companies and services to that list as well. Then, after addressing one piece of use-after-free listener feedback, as I said, we're gonna take a detailed look at the consequences of Chrome's first zero-day of the year, which they patched mid-February, and the attacks which North Korean-backed groups launched using it, in some detail. So I think a great podcast for our listeners. We have a fun picture of the week, and then we'll get into it. Nice, nice. I wanna welcome a sponsor we've had for some time, though I think this might be their first time in Security Now; if not, Grammarly, I wanted to make a special point of mentioning them because they are one of a number of Ukraine-based software companies.

Leo Laporte / Steve Gibson (00:05:35):
And you know, now's the time to show some support there. If you have Grammarly, you'll notice there's a message that provides resources so that you can donate to the people of Ukraine. They suspended service to Russia and Belarus right away. And they even have donated, I love this, eight years of net revenues in Russia to Ukraine support. So they're taking all the money they made in Russia for the last eight years, I think it's more than four, $5 million, and giving it to organizations and funds supporting the people of Ukraine. I love that. And I actually love the product, right? So this is not in their ad, by the way; they don't wanna make a big deal out of it, but I'm doing it. It's more of a news story. Now I'll do the ad, but I just really think these guys are great.

Leo Laporte / Steve Gibson (00:06:23):
I've used Grammarly forever. At first, I was one of those people who said, oh, I don't need a grammar checker, I can write. As soon as I started using Grammarly, I realized it's much more than a grammar checker. The name implies it's a grammar checker. No, no, it's really a writing tool that is there to help you communicate more effectively. And you know what? I don't care how good a writer you are, everybody needs a good editor, somebody looking over their shoulder. The free and premium features of Grammarly can save you time, give you the confidence of knowing your writing is professional. It's, as I said, free to download, very easy to integrate into your daily life. They have browser extensions. There's an app. You can even run Grammarly right from their website.

Leo Laporte / Steve Gibson (00:07:07):
If you have a paragraph, in fact, this is a great way to check out Grammarly: take some text and paste it into the Grammarly webpage, see what they suggest. It works right in Gmail, so, and look more efficiently. But the thing about Grammarly I love, and Lisa's always, she is a big Grammarly user, cuz Lisa is a, you know, classic chief executive, my wife and our CEO, where she's got a lot to do. She's very busy. And sometimes her emails are very short, sweet, to the point, which I admire, you know, one line: do this, fix this. Grammarly will say, you know, you might wanna say please, you might wanna soften that. And she's always grateful. She always says to me, oh yeah, I guess that was a little brusque, and it's much appreciated. That's their tone detector.

Leo Laporte / Steve Gibson (00:07:55):
By the way, you can use this for free. In the free version of Grammarly, it helps you say what you mean in an appropriate tone, depending on how it's being used, so that your message isn't misinterpreted. You know, a lot of times, because text doesn't communicate the nuances the way face-to-face expression does, it takes us a little while to get used to the idea that maybe people wouldn't understand that's our sense of humor or whatever. There's a premium tone adjustments too. They go even farther to ensure you're being clear and assertive in your emails. That's not something Lisa has a problem with. It is something I have a problem with, where it says, you know, you might wanna make this a little more clear, a little more pointed. You can persuade your audience with a confident, polished tone.

Leo Laporte / Steve Gibson (00:08:38):
It sometimes, for instance, will say that's a little OBL, maybe a more decisive phrase would be better, and then gives you the phrase, and with one click, boom, it's in and you're done. Offers great word choices, especially if you overuse a word, and it, you know, it learns and it says, you know, you say that a lot. I have a word I use way too much: "actually". I use "actually" and it's just a terrible word. And thank you, Grammarly, like any good editor, says you might wanna not use that this time. There's a full sentence rewrite, part of Premium, that helps you effectively convey your ideas, avoid miscommunications, avoid those long run-on sentences, rewriting them to be more clear, more to the point. They have clarity suggestions. They'll tell you what reading grade you're writing for.

Leo Laporte / Steve Gibson (00:09:25):
And by the way, all of this is tunable depending on what you're doing. If you're writing a tweet, that's a different process than writing an email, than writing an essay, a report, and Grammarly understands that and chooses the right terminology. It's just wonderful to have. Being more concise, more confident, more effective, more professional: Grammarly. Right now, if you go to grammarly.com/securitynow, you can sign up for that free account. Get a lot of the benefits that way. If you're ready to upgrade, when you say this is really working for me, you'll get 20% off just cuz you're listening to Security Now. So make sure you go to grammarly.com/securitynow for that 20% off, so they know you saw it here. It helps Steve. G-R-A-M-M-A-R-L-Y. There's no E in Grammarly. grammarly.com/securitynow. And you know, I think maybe we'll change the little lower third to be gold and blue for the Ukraine colors, cuz they are really a company I really support. I believe in them.

Leo Laporte / Steve Gibson (00:10:25):
And I like what they're doing. grammarly.com/securitynow. Picture of the week. So this is, I got a kick out of this one. We have some techy guy, you can see, he doesn't really have a pocket protector, but he's at least got a pen stuck in his pocket, and he's standing in front of his boss's desk and he's reporting. He says, our devices are now 100% secure. And the boss looks up from his notes and says, how did you do that? And the employee says, I turned them all off. Yeah, air gap 'em. That's the best way. That's it? Or just gap 'em, gap 'em, gap 'em, plug the gap, them. Yeah, just pull out the cord and just weather the storm. So, as I mentioned, we have a high severity zero-day vulnerability update for Chrome. Last Friday, Google pushed an out-of-cycle security update to address what they considered to be a high severity vulnerability.

Leo Laporte / Steve Gibson (00:11:35):
And you know, I'm glad they do, because, hurt people, it was being, you know, they're using the traditional definition of zero-day, not Microsoft's weird one, this meaning it is actually being exploited in the wild; that is, they learned of it that way. And in fact, we'll find out a little bit more about the way this happens at the end of this podcast. But when I was working with Chrome last night, it was at 99.0.4844.82. But when I went to go look, it goes, oh, I got something. And so it went from .82 to .84. That's what this update required. And again, I'm always a little bemused by the fact that this was announced and made available on Friday. I used Chrome all on Saturday and on Sunday and earlier on Monday.

Leo Laporte / Steve Gibson (00:12:37):
And it wasn't until I went to look that it said, oh, I guess since you're looking, maybe I should give you the latest. So yeah. On March 23rd, an anonymous researcher reported the bug, and to Google's credit, 48 hours later they were pushing out a fix. The trouble was a type confusion vulnerability in Chrome's V8 JavaScript engine, being tracked as CVE-2022-1096. And as we know, the so-called type confusion error arises when some language atom, you know, a variable or some other object, is accessed using a type that's incompatible with what it was originally initialized to be. And in languages such as C and C++, you know, which allow for powerful implicit use and explicit type overriding, or casting, as it's often called, this can have serious consequences. I actually do it on purpose when I know what I'm doing.

Leo Laporte / Steve Gibson (00:13:44):
In assembly language, I'll declare something as a quad word and then deliberately address it in pieces as a high and a low double word. But, you know, so there are uses for this kind of, you know, variable type casting override, but you just have to know what you're doing. Certainly in these cases, these type confusion errors are mistakes. So, you know, it is, as I said, possible for that to be used benignly and deliberately, but it can also be exploited by a malicious actor to perform, as was the case here, out-of-bounds memory access. And now, whenever I hear about something happening in Chrome's V8 engine, I'm wondering whether that cool idea that Microsoft has in Edge, of disabling, like, the degree to which Chrome uses its V8 engine,

Leo Laporte / Steve Gibson (00:14:46):
would've protected people from that. That would be interesting to know. Anyway, Google acknowledged that it was, as they said, quote, aware that an exploit for CVE-2022-1096 exists in the wild, but as usual they offered no additional specifics because they figure, why should they? And as I mentioned, so far this year things are going better for Chrome. We're nearing the end of the third month of 2022, and this is the last podcast of the first quarter, and Chrome has only been visited by two zero-days this year. There's this one, which is this type confusion error. And then the first one was, not surprisingly, this may have been what kind of has had this term on our radar, yes, a use-after-free that was being exploited in Chrome's animation component, and which they patched in the middle of February.

Leo Laporte / Steve Gibson (00:15:51):
So my sense is, because these things generally are only being used in targeted attacks, even, it appears, after patches are made available, that is, you know, we've thought, well, maybe once the world knows about it they'll start, you know, using them on a wider scale. I just think that the window of opportunity closes very quickly. Not as quickly as I wish it would close, cuz it would be great if all Chrome browsers immediately updated themselves when they got the news, but this one affects Windows, Mac, and Linux. And of course, if you're using any of the Chromium-based browsers, Edge, Opera or Vivaldi, you'll want to apply those fixes similarly, as soon as those other Chromium users offer one. And we'll get back to this at the end of the podcast, taking a look at what Google's TAG team discovered about North Korea's successful use of Chrome's first zero-day of the year, which was used from at least January 4th until it was spotted and then closed on the 14th, which says 42 days of active, targeted exploitation of that first problem.

Leo Laporte / Steve Gibson (00:17:18):
So I'm also gonna talk a little bit about the benefit of raising Chrome's protection to its maximum setting. Even though it comes at some cost of privacy, I imagine for many users it'll be worth doing. Okay. Prior to Russia's invasion of Ukraine, local officials warned that Russia might try to cut Ukraine off from the internet. But even as Russian tanks were rolling into the country on February 24th, subsequent attacks, to many people's surprise, didn't have a significant effect on the country's internet. Most of Ukraine's citizens were able to remain online. And following up on our recent report of Elon Musk activating Starlink internet service over and throughout Ukraine, and then providing what was described as a truckload of satellite uplink stations, some were questioning whether that would be; it turns out he has followed through to deliver not only thousands more uplink stations, but now also solar battery systems, I guess an offshoot from his work with Tesla stuff.

Leo Laporte / Steve Gibson (00:18:41):
So the Starlink systems were financed by unnamed private sources, but we know that also both France and Poland contributed to the financing of Starlink to help Ukraine's connectivity. But as for Ukraine's traditional land-based infrastructure, analysts argue that the Russian military may not be attacking that infrastructure because it needs the Ukrainian internet itself to stay connected, to gather intelligence. Others say that Ukraine has managed to build a resilient infrastructure maintained by local ISPs. And that's also what the CTO of Ukrtelecom, which is a major provider of both mobile and broadband internet in the country, said shortly before Ukrtelecom suffered a massive cyber attack that dramatically curtailed its service. It's just coming out of it a day or two ago. It was a DDoS attack that grew in strength over time. And I thought that the timing was interesting, that he was boasting about how they're not having any problems, and then, wham. And, you know, even I learned the hard way that there's no upside whatsoever to bragging about not being DDoSed. Don't mention it, were that way.

Leo Laporte / Steve Gibson (00:20:12):
You didn't wanna talk about it. You didn't do anything about it. You just kind of kept it quiet. Right? Well, and what I realized was, you know, you and I did a number of podcasts where I'd look up and go, oh, well, you know, GRC's off the net again. Right. Oops. It wasn't until I took down those pages, which I originally had up, that were detailing my own adventures with DDoS attacks, even though I wasn't bragging in them, really. I mean, I was just, like, talking about, you know, this is what they are. When I removed those from my site, the attacks finally stopped. Like I said, no upside to saying, oh, you know, come get me. No, don't, because that keys the trolls, is the rule, right? So anyway, Ukrtelecom was originally a state-owned company which controlled the country's telecommunications market.

Leo Laporte / Steve Gibson (00:21:08):
And at that time it was maybe a little employee-heavy, 24,000 employees, which relied on old and obsolete telecom technology. Nine years ago, in 2013, the company was acquired by Ukraine's richest person, looks like I would pronounce his name Rinat Akhmetov. By 2021, the company had cut its bureaucratically oversized employee count in half and had, by 2021, 203,000 internet broadband users bringing in a total of 33 million in annual revenue. So a nice size ISP operating in Ukraine. During the invasion, Ukraine has worked to cut off Russian invaders from their use of their infrastructure for communication, while at the same time keeping stable internet available for those who hide in bomb shelters, study online in their basements, or want to ask their friends and relatives in the occupied territories probably the most important question, which looks like you'd pronounce it "yak ty", which is Ukrainian for "how are you". Anyway, the company CTO noted:

Leo Laporte / Steve Gibson (00:22:32):
This is the second war since Russia's 2014 invasion of Eastern Ukraine. He said, we learned a lot at the time, but this war is different. People are more united. In an online interview that he conducted with The Record, which that CTO joined via Starlink, he explained how his workers are repairing internet infrastructure in the occupied territories and keeping Ukraine online, even amidst ongoing assaults by the Russian military. So The Record posted a Q&A, from which I've excerpted the most interesting pieces for our audience. The Record asked, can Russia cut Ukraine off from the internet? And the CTO said no. First of all, Ukraine has a dispersed internet infrastructure, which means that key national providers, including Ukrtelecom, can use various routes to provide internet access. You know, in other words, as our listeners would know, gotta love autonomous packet routing with redundant and richly interconnected links.

Leo Laporte / Steve Gibson (00:23:50):
Anyway, he continued, Ukraine has a variety of internet service providers across the country that manage their infrastructure independently or in collaboration with others. We also have the resources and people to repair damaged infrastructure and protect the working of our networks from enemies. He said Ukrtelecom, for example, employs 12,000 Ukrainians, of whom nearly 6,500, so a little over half, are doing technical work. He said our journal channels to the global internet cross Ukraine's Western border, so we're not connected with Russia, which is in the east. He said, in order to completely cut Ukraine off from the internet, Russia must destroy all of the infrastructure in Ukraine, both civilian and telecommunications. The Russian military, he claims, has neither the resources nor the skills to do so. And now, of course, as we know, thanks to Starlink, it might be even a little more tricky to cut people off because there's a lot of uplink now to the Starlink,

Leo Laporte / Steve Gibson (00:25:02):
so, Starlink network. The Record asked, can Russian troops use the Ukrainian internet? He answered, they can if they steal mobile phones from Ukrainian citizens and connect to Ukrainian telecommunication networks. He said, we know about these cases, but they are hard to track. And of course he's putting the best face on it possible. In other words, yes, of course Russians are taking civilian handsets and using them for their own purposes. So anyway, he said, if the Russians manage to seize our fixed internet infrastructure, we block the equipment so they can't use it during the war. All Ukrainian internet providers are working closely with our military and intelligence services to avoid such incidents. And he said, note that there's also a very reasonable theory that Russians need Ukrainian internet services for their own purposes, either communication or intelligence gathering, like eavesdropping on calls.

Leo Laporte / Steve Gibson (00:26:09):
And interestingly, to secure his own conversations with Ukraine's allies, the Ukrainian president Zelensky uses a secure sat phone that the US gave the Ukrainian government a month before the invasion, so they were ready, and he has a secure means of communicating with allies. So Ukrainian officials also said that Russia's own cellular handsets and networking equipment do not work properly in Ukraine, encouraging its soldiers to therefore steal mobile phones from ordinary Ukrainians. It's also possible that Russia is trying to avoid ruining the telecommunications infrastructure that it hopes it would need and be able to use if it manages to take the country, although anyone who's been keeping up with the news knows that the possibility of that happening is dwindling now by the day. It was noted that when Russian troops destroyed several 3G cell towers in Kharkiv, they could no longer use their own encrypted phones that communicate via that network.

Leo Laporte / Steve Gibson (00:27:20):
Whoops. And it turns out that rebuilding infrastructure from scratch is difficult. When Russia had illegally annexed the Crimean peninsula in 2014, the Kremlin needed about three years to regain full control of that region's mobile infrastructure. So, you know, it makes sense that they would be preserving it, if they think they'll be needing it shortly. They probably learned some hard lessons from Crimea. The Record asks, how accessible is Ukrtelecom's internet in Ukraine now? And the CTO said, as of March 21st, or 25th rather, Ukrtelecom's internet coverage stayed up to 84% of pre-war levels. He said major disruptions happen in the occupied territories where there's no electricity or where the internet infrastructure, including fiber optic underground cables, was damaged during the attacks. He said our workers make heroic efforts to provide internet access,

Leo Laporte / Steve Gibson (00:28:27):
even in besieged cities. They go to the frontline a few times a day, while some of them live in their cars because they have to work around the clock. We know what it's like to provide internet during a war, he said. We learned it in 2014, so we to protect our workers from unnecessary danger. Oh, he said also, during the COVID-19 pandemic we learned to control and manage our networks remotely, even from our home offices. We have network monitoring centers throughout Ukraine which provide realtime data on the work of each node, station, equipment, communication channels, and quality of service. It's almost impossible, he said, to find these centers because they're distributed across the country and work through the cloud.

Leo Laporte / Steve Gibson (00:29:17):
And the last question: how do competing internet providers work during the war? And he said, before the war, competition in this market was fierce, but now Ukrainian operators work as a team, not as rivals. We exchange information on resources and help each other repair damaged infrastructure. And The New York Times reported that some Ukrainian providers had been preparing ahead of the crisis by deliberately establishing fail-safe links with each other and setting up new backup network centers. The work of all operators is coordinated by a special department of the State Communication and Information Protection Service. Strong cooperation with foreign telecom operators also helps Ukraine to remain connected with the outside world. In the first days of the war, Ukrtelecom reported that it had lost about 30% of their external internet channels due to damaged infrastructure, but they now have 130% of pre-war capacity. So they've built up to even more than they had before. So anyway, that was, I thought, some interesting feedback from the CTO of one of Ukraine's primary ISPs, who's working hard to keep Ukrainian citizens connected while at the same time doing what they can to keep Russia and their attacking and occupying forces from using the same internet connectivity to further the Kremlin's goals.

Leo Laporte / Steve Gibson (00:30:55):
Once again, NPM is under attack. Analysts at the DevOps security firm JFrog, whom we've written about and talked about a number of times recently, blogged about their discovery of 218 malicious packages targeting the Microsoft @azure NPM scope. NPM, as we noted last week, is the Node.js package manager for JavaScript. JFrog's analysts immediately notified the NPM maintainers, who removed the offending packages, 218 that they had found. JFrog's automated analyzers began alerting them to a set of packages that grew from an initial count of 50 to over 200. The unknown threat actors used typosquatting, and I'm not sure that I would use that term; that's what the tech press was reporting, I'll explain in a minute, but essentially a naming duplication attack, by attempting to trick victims into using packages that have the same name as legitimate ones. Packages are able to reuse the same name due to NPM scoping, which I'll explain in a second. JFrog said, after manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure NPM scope by an attacker who employed an automatic script to create accounts and upload malicious packages that covered the entirety of the @azure scope.

Leo Laporte / Steve Gibson (00:32:56):
Currently, they wrote, the observed malicious payload being carried by these packages are personally identifiable information, you know, PII, stealers. The attackers seemed to target all NPM developers that use any of the packages under the @azure scope with a typosquatting attack. In addition to the @azure scope, a few packages from the @azure-rest, @azure-tests, @azure-tools and @cadl-lang scopes were also targeted. Since the set of legitimate packages is downloaded tens of millions of times per week, there's a high chance that some developers will be successfully fooled by the typosquatting attack. Okay, so the NPM documentation explains scoping as follows. They said, when you sign up for an NPM user account or create an organization, you are granted a scope that matches your user or organization name. So, you know, @azure, for example. You can use this scope as a namespace for related packages.

Leo Laporte / Steve Gibson (00:34:19):
A scope allows you to create a package with the same name as a package created by another user or organization without conflict. So for example, whereas you might have a package with a common name like loader, if it was named @azure.loader, that would explicitly make the @azure instance of loader separate from all other NPM packages that might have, you know, the name of loader. Excuse me. So when listed as a dependency in a package.json file, scoped packages are preceded by their scope name. The scope name is everything between the @ sign and the slash. Oh, so it's a slash, not a dot. So it'd be @azure/loader, for example. Okay. So the individuals behind the attack sought to obscure the fact that the packages all came from the same author by using randomly generated names to create unique users for each uploaded malicious package. JFrog also noted that the attacker sought to specifically go after machines and developers running from internal Microsoft Azure networks.

Leo Laporte / Steve Gibson (00:35:53):
They wrote, we suspect that this payload was either intended for initial reconnaissance on vulnerable targets, for example before sending a more substantial payload, or as a bug bounty hunting attempt against Azure users and possibly Microsoft developers. JFrog also suggested that developers make sure their installed packages are the legitimate ones by checking that their name starts with the @azure scope. In other words, don't be lazy about that. Any results that don't start with an @azure scope may have been affected successfully by this attack. In other words, from a developer standpoint, any developer who may have not been explicitly scoping their package dependencies with the @azure in order to specify, you know, reusing my example, the @azure loader package, may have inadvertently picked up one of these 218 mildly malicious, non-scoped, same-named packages instead. So the attack was the use of same-named non-scoped packages.

Leo Laporte / Steve Gibson (00:37:16):
And JFrog found that there were about 50 downloads per package, that is, per each of the 218 of these packages, meaning that while none were downloaded in huge numbers, the non-scoped attack was somewhat effective. And it would've been much worse if JFrog hadn't picked up on it so quickly. So cool that they've got some automated analyzers that are apparently, like, looking at everything that is added to the NPM repository and immediately said, hey, wait a minute, these things have the same name as some @azure things; that could be a problem. As for how to avoid this sort of supply chain dependency attack, the JFrog researchers said that developers should use automatic package filtering as part of a secure software curation process. They said, quote, what's alarming about this attack is this is a package that is downloaded tens of millions of times each week,

Leo Laporte / Steve Gibson (00:38:20):
meaning there is a high chance many developers will be fooled. As we know from having talked about it before, the term typosquatting was originally coined due to its use in the domain name space to make a website or email look like it's from a trustworthy source. The fact that we're now seeing a related attack seeping into the supply chain suggests how dependent software is today on third party packages. And of course, think no further than Log4j. And this has become so widespread today that threat actors are now seeing this kind of attack as a viable vector. It's long been common practice to sanitize user inputs being accepted by an application. What's becoming clear is that in today's composite application assembly environment, it's also becoming every bit as necessary to sanitize the backend build process as well. Those in the industry have noted that the likelihood of a successful attack varies depending upon how much control the maintainers of a repository have.

Leo Laporte / Steve Gibson (00:39:47):
In many cases, packages are signed and only known members of a development team are able to perform such maintenance functions. In NPM's case, and many others, end users are able to offer up modules, and think no further than WordPress. What could possibly go wrong there? And the vetting of these modules from a security perspective will vary by the package manager. In this case, due to the sheer volume of NPM users, it's likely the attack was successful across many machines. Based on the nature of the attack, it's more likely to affect new users of NPM, but even experienced developers could be affected if they failed to pay close attention to the name of a specific package they're installing. Given how quickly the maintainers took down the malicious content, the overall impact on the community, as we know, was limited this time. So, you know, my feeling is all of this should be sending up bright red warning flares about just how brittle our community-sourced supply chain environment has become. You know, we've got many years of sort of implicit trust here, and we know things are slow to change. Well, the bad guys have figured out supply chain is a big chunk of low hanging fruit. So it's becoming clear that insufficient attention has been given to true security here, or at least that security has taken a backseat to convenience. And that's not a safe place to be moving forward.

Leo Laporte / Steve Gibson (00:41:38):
We're gonna talk about a shocking decision that Honda's engineers made, Leo. I am shocked. I tell you, let me tell you, you will be shocked. I have to wet my whistle, of course. You came to the desert to take the waters, and now you're shocked that we are in a desert. But no, in fact, you can have some water. Well, actually, I want you to listen, though, because I want you to correct me if I get anything wrong. It's time to talk about NetFoundry. And you know, when I think about zero trust architectures and what NetFoundry is doing with OpenZiti, I think about you, because I think about the thing that you always taught people with ShieldsUP, which is: it is better, if you are a device on the network, to be stealth. Not to close the doors, but to not even respond.

Leo Laporte / Steve Gibson (00:42:31):
Right? We talk a lot about VPNs on this show, how you can encrypt traffic once it leaves your network so nobody can see it. But ultimately, and this is something I think, I don't know, I feel like Google was certainly where I first became aware of the notion of zero trust, but the idea that nothing, even on your internal network, is trusted until it proves who it is, is a very powerful idea in security. So if I'm gonna put it in a nutshell, in layman's terms, that's kind of what OpenZiti is all about. TNO. Yeah. TNO. You kind of coined this idea. If you are looking for a way to stop DDoS attacks or credential stuffing or brute force or exploits or, you know, zero days, BGP hijacks, there is a way, a zero trust way, to isolate your applications, your data, making the security of your network completely

Leo Laporte / Steve Gibson (00:43:34):
irrelevant. You could open it all wide up because of zero trust. Trust no one. OpenZiti was created and is maintained by NetFoundry. It is an open source project. Now, there are reasons why you might want to use NetFoundry's services, and I'll explain that in a second. But really, this is the next generation of secure, open source networking for your applications. With OpenZiti, you can spin up a truly private zero trust overlay network across anything. You can do it in the app. You can do it on a device. You can do it on a cloud. You can do it internally. Because it's open source, it's built on, you know, developer fundamentals that you'll recognize: extensibility and flexibility and scalability. You know, you get end to end encryption. I'm not talking about a VPN. I'm talking about something much more sophisticated: a scalable, pluggable networking mesh, built-in smart routing, and client proof of identity using certificates, strong crypto.

Leo Laporte / Steve Gibson (00:44:41):
It is just, to me, you know, once I started to understand all this, I was so impressed. It works with C, with Go, with Swift, Android, Java, Node.js, C#/.NET. You can build your own network if you want. You can use it as a SaaS using NetFoundry's foundations. So, you know, in fact, a good way to get your feet wet is to go through NetFoundry. It gives you everything you need to spin up a truly private zero trust overlay network. Your apps suddenly have superpowers with the OpenZiti SDK. It's a really nice SDK, just a few lines of code, or you can use their tunnelers to spin up zero trust networking in minutes across any cloud or device. Using OpenZiti isolates your apps and systems. So if you need to explain this to the higher-ups, essentially, they're not subject to external network level attacks.

Leo Laporte / Steve Gibson (00:45:35):
They're just, it's just not possible from malicious actors. You're protected from internal or even OS networks, immune to network side channel attacks like phishing. It is simpler, really, because you don't have to worry about patching or, you know, reactive patching. The design patterns they use are completely agnostic. So essentially it's commodity internet, outbound ports, without needing any special skills to implement it. No big firewall rules, anything like that. Or, you know, say goodbye to inbound ports, public DNS, or VPNs. The other thing you'll love about this: it eliminates the tug of war between developers, who want freedom and expressiveness, right, and security, which wants to lock everything down, because developers can work with the software programmatically, and the security folks have the peace of mind knowing that their apps are isolated, driven by policy, with the visibility and logs that are required.

Leo Laporte / Steve Gibson (00:46:37):
Look, this is a complex subject, but this is state of the art now on how to protect your apps, your network, your devices. It's zero trust. It's a journey. So start wherever you need, based on your priorities. OpenZiti offers numerous SDKs, tunneling apps for popular OSes, edge routers and cloud marketplaces. So you can host it, yes, but you don't have to; you can use NetFoundry as a SaaS. And by the way, if you just wanna get your feet wet, they have free forever tiers with up to 10 endpoints, which actually, for a lot of people, is all you need. It reminds me a little bit, you know, I'm no expert in this, but of how much we loved Hamachi, right? Because you could create kind of a private tunneled network of your own. This is Hamachi on steroids. This is, like, amazing stuff.

Leo Laporte / Steve Gibson (00:47:26):
I want you to learn about it. Go to NetFoundry. Again, they created it. They support it. They maintain it. That's another thing. I think sometimes people go, I don't wanna do it open source, cuz, you know, some guy in his mom's basement is supporting it. No, no, you've got a great company behind this doing a really fantastic job with it. If you go to netfoundry.io/twit, and please do that so they know you saw it here, netfoundry.io/twit, they've got some free swag. You can, you know, get some stickers for your laptop or whatever, but also take a look at the free tier, up to 10 endpoints free forever. It's open source, Apache 2.0. They've got fully programmable REST APIs for management. As I said, the SDKs are in pretty much any language that you'd want to use.

Leo Laporte / Steve Gibson (00:48:14):
It's incredible. You can do so much with it. So flexible. So expressive. I think you're gonna really be impressed. And I know when you first hear zero trust, you go, oh, that's for Google. No, it's not. It's for you. I want you to check it out. OpenZiti. It's got a great name. netfoundry.io, netfoundry.io/twit to learn more. We're really thrilled actually to have NetFoundry on the show, cuz this is a solution that is superb, and it belongs right here on Security Now. Steve, fully hydrated. He's gone to Morocco seeking the waters, or Casablanca. He's in Casablanca seeking the waters. What's next? So it's been a while since we've talked about automotive vehicle security, or lack thereof. Okay. So first, our longtime listeners will recall all our coverage of Samy Kamkar and his development of what he named the RollJam attack back then.

Leo Laporte / Steve Gibson (00:49:23):
And I think it was 2015. Samy demonstrated a $30 device that was capable of sniffing and jamming a car's constantly changing rolling codes. And we're talking about, like, the remote, you know, door open, car start, and trunk open stuff, right, which as we know many car manufacturers use to unlock and start their vehicles, and also to open garage doors. Samy's RollJam system was effective against both Microchip Technology's so-named KeeLoq, K-E-E-L-O-Q, KeeLoq access control system, and also the so-called High Security Rolling Code generator, which was being produced by National Semi. And since it was able to subvert either of those two most popular technologies, it gave its perpetrator access to vehicles made by Chrysler, Fiat, GM, Honda, Toyota, Volvo, Volkswagen, Jaguar, and those using third party add-on security systems from Clifford and Sherlock.

Leo Laporte / Steve Gibson (00:50:34):
And it was also effective against a wide variety of garage door openers, which all used the same chips made by Microchip and National Semi. Okay. Now, as we know, rolling codes are similar to the pseudo random numbers produced by today's six-digit one-time password, right, or TOTP, time-based authentication systems. But those systems, rather, the rolling codes encrypt a sequential counter rather than a time of day clock. Both sequential counter and time-based systems are designed specifically, you know, what they're used for is to thwart replay attacks. Unlike a password, which is inherently susceptible to replay attack, you get someone's password, you use it, right? Not so with these one-time tokens. In the case of a counter-based scheme, a legitimate rolling code is valid only until it is received by the lock, which then advances its own internal counter to expire the code which it just received, which also prepares it to receive the next expected code.

Leo Laporte / Steve Gibson (00:51:55):
What Samy demonstrated to the world back in 2015 was that the system was cute, but that it was not strong enough to stand up to an active attack. And what Samy came up with was kind of brilliant. His little $30 device would be placed somewhere near a locked car or garage. When its owner attempted to unlock their car, Samy's gadget would receive and store the first code while also jamming its reception to block it from working. So the car's owner would think, huh, and push the unlock button to try again. The second time, Samy's device would again receive and block the reception of the second code, but then it would immediately forward the first code it had intercepted the first time, thus unlocking the car or opening the garage as its owner expected. The first code would work because the car or the garage door opener had been blocked from receiving it the first time.

Leo Laporte / Steve Gibson (00:53:08):
Right. Which would leave Samy's device holding the second and still unused code, which the receiving device would now be primed to expect, and which could then be used in place of its owner's unlocking key, which I just think is so clever. You know, Samy's been around a long time; he's done all kinds of cool hacks like this. Okay. So that was then, way back in 2015. What lessons have been learned since? As it turns out, sadly, not nearly as many as we would hope. Some student researchers and their associates at the University of Massachusetts Dartmouth used a small assortment of off the shelf, widely available components to examine the signal being produced by Honda's vehicle unlock and remote start technology. They used the HackRF One SDR, you know, software defined radio, with a laptop, an account on fccid.io, and the GQRX SDR receiver software with the GNU Radio development toolkit. Just, you know, basically just assembling the off the shelf pieces. What they discovered stunned them.

Leo Laporte / Steve Gibson (00:54:47):
The remote keyless system in Honda Civics made for five years, from 2016 through 2020, encompassing the Honda Civic models LX, EX, EX-L, Touring, Si, and Type R, all the same remote keyless entry and engine start system, and the keys for all of those cars produced for five years, emit an unchanging, fixed for that car signal, encoded using frequency shift keying, you know, FSK, over a carrier at 433.215 MHz, the standard 433 MHz frequency. The key's various functions, such as door unlock, trunk unlock, and engine start, each emit different codes, but the codes for each function, it's hard for even me to believe, never change. Okay. This means, and there are now multiple GitHub videos showing this, successful unlocking of these Honda autos can be achieved simply by replaying the same signals that were earlier produced by and recorded from the key.

Leo Laporte / Steve Gibson (00:56:22):
So what we've had during the intervening years appears to be a significant drop in deployed vehicle security, presumably because nobody was looking, and there was no one to hold vehicle manufacturers accountable. Okay. You know, the multiple implications of this are obvious, I'm sure, to our listeners. If someone's key was found while they were at a party or at the gym or wherever, its various signals could be recorded, you know, kind of offline as it were, and then replayed at any later time, forever, to gain access to the vehicle, and even to remotely start its engine. Well, remotely meaning, you know, outside of the car. Or the key signal could be captured and recorded near the vehicle when the key is being used, in, for example, an employee parking lot, and then the next day, when the vehicle is locked and unattended, it could be readily unlocked and entered.

Leo Laporte / Steve Gibson (00:57:30):
You know, unlike, for example, the use of a slim jim, one of those super thin, you know, aluminum strips with a hook at the end used to unlock a car, which would make any thief conspicuous to anyone watching, with a remote radio attack even a police officer would see the car unlock itself as the thief casually approached and entered the vehicle, and would reasonably assume that the car's owner had just approached and entered. It would help if the thief goes, as he gets in, just, you know, just to simulate it. I think the car probably makes that sound, right? It would, cuz it doesn't know, does it? Yeah, it has no idea. It's the same signal that the key emits. Okay. Despite this, a spokesman for Honda said they had no plans to update their older vehicles, even after researchers released their comparatively trivial proof of concept for this glaring design failure, now known as CVE-2022-27254, when contacted and asked about this issue.

Leo Laporte / Steve Gibson (00:58:53):
Honda spokesperson Chris Martin said it is not a new discovery and doesn't merit any further reporting. Yeah. And please stop talking about it. Martin confirmed that legacy technology utilized by multiple automakers may be vulnerable to, quote, determined and very technologically sophisticated thieves. Huh? The trouble is, as we've so often seen, what may have required sophistication at the turn of the century is now available using plug-it-together, off the shelf technology. A precocious student in elementary school, huh, could pull this off. Wow. Amazing. Honda's Chris Martin added that Honda has not verified the information reported by researchers. Yeah, and they don't want to. And continuing the quote: and cannot confirm if its vehicles are vulnerable to this type of attack. Honda has no plan to update older vehicles at this time. And there is no indication that the type of device in question is widely used. Widely used.

Leo Laporte / Steve Gibson (01:00:14):
Okay. How would there be an indication? You know, you want thieves to voluntarily confess? Yeah, I did that; it worked great. Okay. One has to wonder whether Honda owners might get together in a large, dare I say, class and take some action about the fact that the security of the vehicles Honda has sold them as recently as two years ago is so readily compromised. Amazing. Like, you know, it's magic, right? You press the button and your car unlocks. How is this different from what we've talked about before? I mean, it's like way lower tech, Leo. Like, before, the car sent your key fob a signal, right, and then the key fob had to respond. This is just a blind transmission of a fixed code. You know, it's like the remote control on your TV. Oh, that's terrible.

Leo Laporte / Steve Gibson (01:01:16):
I mean, it is awful. Is it only Honda? Does anybody else use this? That's a really good question, because I doubt Honda is the only one, right? It's probably... oh boy. Yeah. I mean, it's just, I mean, the problem now is it's now public knowledge. It's getting a lot of press. Everybody knows it. We know that Hondas from 2016 through 2020, five years of Honda Civics, all have keys with a static code. You'd simply record the code once, and then you play it back anytime you want.

Leo Laporte / Steve Gibson (01:02:00):
It's just, that's terrible. It's unconscionable. Yeah. I mean, yeah, sure. Maybe it's true that any of these things can be defeated, and we've talked about them, but doing it is typically so burdensome that, you know, bad guys don't try it. It matters how high the bar is, you know? And I didn't put it in the show notes, but Martin also said, yeah, you know, there's like slim jims; they can be used to unlock doors. It's like, hello, yes, but the thief is exposed while they're doing it. You know, and so they don't do it. This makes it just, you know, falling off a log easy. Yeah. Wow.

Leo Laporte / Steve Gibson (01:02:47):
Well, the US FCC, Kaspersky Labs, and Chinese telecoms are all mixed up. Last Friday, in an announcement titled FCC Expands List of Equipment and Services That Pose Security Threat, the US Federal Communications Commission added the well known to us Russian cybersecurity firm Kaspersky to its Covered List, believing that the use of Kaspersky Lab products poses unacceptable risks to US national security. The coverage includes Kaspersky's information security products, solutions, and services supplied by Kaspersky or any companies, including subsidiaries or affiliates. And the same day, last Friday, the HackerOne bug bounty program also terminated their relationship with Kaspersky. HackerOne's decision to disable Kaspersky's bug bounty program follows the news that Germany's Federal Office for Information Security, known as BSI, had warned companies against using Kaspersky products. The German regulator indicated that Russian authorities could force the AV provider into allowing Russian intelligence to launch cyber attacks against its customers, or have its products used for cyber espionage campaigns.

Leo Laporte / Steve Gibson (01:04:25):
Just to be clear, this is all entirely without any precipitating evidence, and only out of an abundance of caution. Kaspersky responded by writing: Kaspersky is disappointed with the decision by the Federal Communications Commission to prohibit certain telecommunications-related federal subsidies from being used to purchase Kaspersky products and services. This decision is not based on any technical assessment of Kaspersky products, which the company continuously advocates for, but instead is being made on political grounds. Kaspersky maintains that the US government's 2017 prohibitions on federal entities and federal contractors from using Kaspersky products and services were unconstitutional, based on unsubstantiated allegations, and lacked any public evidence of wrongdoing by the company. And there has been no public evidence to otherwise justify those actions since 2017, and the FCC announcement specifically refers to the Department of Homeland Security's 2017 determination as the basis for today's decision. Kaspersky believes today's expansion of such prohibition on entities that receive FCC communications-related subsidies is similarly unsubstantiated and is a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky's products and services.

Leo Laporte / Steve Gibson (01:06:09):
Kaspersky will continue to assure its partners and customers on the quality and integrity of its products and remains ready to cooperate with US government agencies to address the FCC's and any other regulatory agencies' concerns. Kaspersky provides industry leading products and services to customers around the world to protect them from all types of cyber threats, and it has stated clearly that it doesn't have any ties with any government, including Russia's. The company believes that transparency and the continued implementation of concrete measures to demonstrate its enduring commitment to integrity and trustworthiness to its customers is paramount. Now, huh? I completely agree that Kaspersky has never given us any cause to mistrust them. But that's not the question or the problem. That's a misdirection. I think that misses the point, and they know what the point is. Where they are is the point. So I'm not sympathetic to Kaspersky's plight.

Leo Laporte / Steve Gibson (01:07:28):
None of this should have been a surprise to them. It's been their conscious choice to remain operating in Russia for the past eight years, since 2014, after their president and country illegally invaded Ukraine and annexed its Crimean peninsula. And being in Russia, they know far more than we do how their country is being run and has been acting. We know that not everyone in Russia agrees with Putin, and I don't doubt that Kaspersky would resist and fight any subversion of their integrity. That's all they have, and that's a lot to lose. But given everything we've seen recently, it might not be their choice. And that's the point. Given the awesome networking power that a deeply trusted and embedded company such as Kaspersky wields, and in the context of an authoritarian regime which is increasingly acting as if it has nothing left to lose, there's every reason to worry that Kaspersky's employees could be forced to act against their will.

Leo Laporte / Steve Gibson (01:08:41):
So it's not Kaspersky for a moment that I don't trust. It's their ruthless and immoral government that ultimately controls them, which we cannot afford to trust in this instance. And there are plenty of good, maybe even better, choices in the world. It's not like they have a... Exactly. Now, I have to point out that Kaspersky got his technical education from the KGB Higher School, which prepares intelligence officers for the Russian military and KGB. He has a degree from there in mathematical engineering, computer technology. He served in the Soviet military intelligence service as a software engineer. And he met his wife at a KGB vacation resort two years before he founded Kaspersky antivirus. I'm not saying, I mean, here's part of the problem: everybody loves Eugene, cuz he's a very good salesman. And he goes around and he goes to conferences and stuff.

Leo Laporte / Steve Gibson (01:09:39):
And, you know, he buys people drinks. Toorak used to swear by Kaspersky, probably because he used to hang with Eugene. Yep. I don't know. I think there's no evidence, but there's enough smoke. And yes, and your point, Leo, is why take the risk? You don't have to. So why? And all this, by the way, is saying you can't use government subsidies to buy Kaspersky. Right. Right. By the way, you can't buy a lot of Russian stuff right now, not because it's inherently insecure, but because it's money to Russia. So I don't think this is a bridge too far. Yeah. And, you know, from my standpoint, there's no way I would feel completely comfortable right now if my computer was running software that was routinely phoning home to Russia. That just, yeah, you know, seems a bad idea. We're waiting for the big cyber attack. And they were implicated in the leak of the NSA hacking tools. Yes. Whether intentionally or not, they were involved. Yep. Which is not to say that other AV might not have also been doing the same thing, but, you know, theirs went to Russia.

Leo Laporte / Steve Gibson (01:10:49):
So anyway, and, you know, for what it's worth, Kaspersky has not been singled out for this treatment, at least not globally. Last week's decision to designate Kaspersky as a national security threat follows previous decisions to ban and revoke China Unicom Americas' license over serious national security concerns in January of this year, and two and a half years, or two and a half weeks ago, the FCC added the Chinese telecommunications companies Huawei, ZTE, Hytera Communications, Hikvision, and Dahua to its ban list. Back in June of 2020, Huawei and ZTE were designated national security threats to the integrity of the US communications networks or the communications supply chain. And now the Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas have been added as well. So, you know, tensions are running high, and, you know, Leo, we're in this weird world of deep economic co-dependency with those we do not trust. It's freaky.

Leo Laporte / Steve Gibson (01:12:03):
I mean, I don't think I own anything that didn't come from China. It's all made in China, baby. Yeah. Yet, you know, here we are. And how many times have I talked about our IoT stuff, right? You know, all my lights and plugs and things turn on and off because they're connecting to Chinese cloud services. I actually think that's a good thing. Not from a security point of view, but from a global economic perspective, interdependence is good for peace. And if we weren't so interdependent, we couldn't sanction Russia to the degree we have. Obviously it's not enough to stop them, but... Well, it is not enough to stop one man. Right. And I think that's the problem. That's the problem, is that this guy is, you know, believed to be the richest person in the world.

Leo Laporte / Steve Gibson (01:12:52):
You know, he doesn't care at this point, and there are no handles on him. There's nothing we can do. Right. And so we'll see what happens. But yikes. Austin Wise tweeted me from @AustinWise. He said, on the most recent Security Now episode, the phrase use after free was overloaded. And he means overloaded in the object oriented sense, to mean both using a pointer after calling free, and a language runtime getting confused about the lifetime of garbage collected memory. For the second case, he says, the .NET developers call it a GC hole. GC, as in garbage collection, a GC hole. The runtime normally keeps track of memory, but if it falls into a GC hole, it can get lost and freed too. He says section 2.1 of this guide has more details about GC holes in .NET. And then I have a link in the show notes, which he provided.

Leo Laporte / Steve Gibson (01:14:05):
He said, I think a phrase like GC hole could make it more clear when talking about these sorts of use after free problems. Anyways, I love the show. Thanks for helping everyone know how computers work and how they break. And so that's what he wrote. Austin, thank you. And he's correct that the phrase use after free was overloaded. And that was the point I was hoping to make. You know, much like someone saying that the security vulnerability allowed for security protections to be bypassed, you know, gee, thanks for the clarification. We've seen that in vulnerability reports. The term use after free has similarly become a catchall for any use of memory, by any means whatsoever, when that memory is no longer allocated. You know, last week we talked about how one obvious source of such an error is a programmer whose code, on their behalf, makes that mistake by explicitly freeing something that can later be referenced.

Leo Laporte / Steve Gibson (01:15:10):
The link Austin provided to the GitHub page regarding Microsoft's .NET Common Language Runtime offered a nice bit of detail about the challenges on the automatic garbage collection side. And so I did wanna share a couple paragraphs from that. So this is written for .NET code, asking, is your code GC safe? And then it says, how GC holes are created. And it says the term GC hole refers to a special class of bugs that bedevils the CLR, meaning the Common Language Runtime. You know, that's like the Java VM, right? It's the thing that reads the intermediate language. They say the GC hole is a pernicious bug because it is easy to introduce by accident, reproduces rarely, and is very tedious to debug.

Leo Laporte / Steve Gibson (01:16:18):
A simple GC hole can suck up weeks of dev and test time. One of the major features of the CLR is the garbage collection system. That means that objects, as seen by a managed application, are never freed explicitly by the programmer. Instead, the CLR periodically runs a garbage collector. The GC discards objects that are no longer in use. Also, the GC compacts the heap to avoid unused holes in memory known as heap fragmentation. Therefore, a managed object does not have a fixed address. Objects move around according to the whims of the garbage collector. To do its job, the GC must be told about every reference to every GC object. The GC must know about every stack location, every register, and every non-GC data structure that holds a pointer to a GC object. These external pointers are called root references. Armed with this information, the GC can find all objects directly referenced from outside the GC heap.

Leo Laporte / Steve Gibson (01:17:49):
These objects may in turn reference other objects, which in turn reference other objects, and so on. By following these references, the GC finds all reachable live objects. All other objects are, by definition, unreachable and therefore discarded. After that, the GC may move the surviving objects to reduce memory fragmentation. If it does this, it must of course update all existing references to the moved object. Anytime a new object is allocated, a GC may occur. GC can also be explicitly requested by calling the garbage collect function directly. Garbage collections do not happen asynchronously outside these events, but since other running threads can trigger garbage collections, your thread must act as if garbage collections are asynchronous unless you take specific steps to synchronize with the garbage collection. More on that later. And don't worry, we won't get there. Finally, a garbage collection hole occurs when code inside the Common Language Runtime creates a reference to a garbage collection object, neglects to tell the garbage collector about that reference, performs some operation that directly or indirectly triggers a garbage collection, then tries to use the original reference. At this point, the reference points to garbage memory, and the Common Language Runtime will either read a wrong value or corrupt whatever that reference is pointing to.

Leo Laporte / Steve Gibson (01:19:36):
Whew. So I liked that just because it should give everybody a sense for how much machination is going on invisibly behind the scenes, how excruciatingly easy it is for the automatic runtime garbage collector to get out of sync with the program's use of variables. I mean, the fact that people even tried to do this, to me, is mind boggling. And yes, I am staying with assembly language, which has no garbage to collect. Hey, you said something earlier about type casting and assembly language. You don't even have types, really. Yeah. Does the assembler respect types? And you could say this is yes, but it's really how big a register it needs, or like that. Right. How much of the register it's gonna use, and structures are types. Oh yeah. Okay. So a float you have to represent differently than an integer, and a 32-bit integer can be represented in a 32-bit register, so sort of types, but, okay.

Leo Laporte / Steve Gibson (01:21:02):
So for example, say that there's something that I want to refer to sometimes as a word and sometimes as a double word, just for, like, convenience, right. Because, for example, so a word is 16 bits, hardware dependent. Yes. A word is 16 bits. A double word is 32 bits on x86. On x86. Yeah. So I really only need to use 16 bits, but I may wanna load this thing into a 32-bit register. So what I'll declare, and I do this in SpinRite, right, is I'll declare something as a word using DW, declare word. Yeah. And then I'll have, like, then I'll say zero. So I'm actually declaring two words. Two. Yeah. Which, so I've reserved 32 bits, but the Intel instruction set is a little-endian instruction set. So the least significant bytes come first, which means that I can refer to that location as a word, but I can also load it into a 32-bit register because that second word will be the high half of the 32 bits. Doesn't matter.

Leo Laporte / Steve Gibson (01:22:23):
Yeah. And exactly. But in the assembly, if I try to use a move instruction, say mov eax and then the name of that variable, it'll complain because I've declared that as a word and I'm trying to load it into a double word register. Yes. So what I can do is, well, actually there is an instruction for zero extending a 16-bit into 32. So I could do that, but I could also say mov eax, dword ptr, and then the name. So what I've done is I've cast that, I've overridden the word size of that and said to the assembler, trust me, baby, I got this, this is a dword. And so the assembler doesn't complain. It says, okay. And it loads the 32 bits that are there. So it's really because the assembler is doing some type checking.

Leo Laporte / Steve Gibson (01:23:24):
Yeah. It is. It is a strongly typed assembly. I would never have thought of that. I mean, you don't, that's, are you using MASM still? What are you using? Yeah, MASM. I'm still, so that's a feature of MASM, but I mean, if you're really hand-coding assembly, you do whatever the hell you want. Right. I mean, oh, and Leo, the microcode isn't doing type checking, or is it? No, the microcode is not, it doesn't, it's all in the, it's, you tell me to put that in the EAX register, I'm gonna put it there. It's yes. It's just an age of the programmer. And I have to tell you it's helped. It's caught me. Oh sure. A number of times where I'll just, like, do something and then I'll go, eh, I go, oh, that's right. That's a word. And so it's very useful to have that. It's interesting. Hmm. Yeah. I heard you say that. And I thought, wait a minute, how would you type cast assembly? Well, you can.

Leo Laporte / Steve Gibson (01:24:16):
And Leo, we could take our break. Okay. Before we talk about targeted exploitation. Ooh. Heavy duty stuff. Let's talk about, in Chrome. Yeah. WWT, World Wide Technology and Fortinet. WWT, as I'm sure you know, is, I mean, they're the enterprise hardware and software gurus. They offer security solutions and services to protect your business. And of course, as you know if you listen to this show, the bad guys are constantly updating their strategy. Constantly moving. I hope you are. WWT can help your organization prepare and combat those next gen threats, be ready for whatever comes down the pipe. You really do wanna work with WWT. You need a company that has the vision, the services, the capabilities needed to deliver security controls to reduce the risk for your organization. But you also want a company, an enterprise partner, that understands business. They're not technology for technology's sake.

Leo Laporte / Steve Gibson (01:25:19):
They know that whatever technology you use has to support your business, your strategy, your goals, and that's why it's a great partner for you, because they do that. They're business people themselves. They understand. They focus really hard. I know their executives are constantly learning, taking classes, training, talking to one another, talking to enterprise companies to really understand something that's evolving probably just as quickly as the bad guys. Today's enterprise business, enterprise technology, is the bread and butter for WWT. Their team has the resources and the platforms, the hardware and the software to completely protect your organization. And with three decades of experience, they have proven track records to help you succeed, whether you're the large healthcare organization that they came in and did an analysis for, because they wanted to move to an electronic health record technology. Actually, this is from a reference on their website, a well known company.

Leo Laporte / Steve Gibson (01:26:20):
I'm not gonna name names, but you know who they are. 90% of, after they did all the analysis, the expert knowledge, state of the art tools, in depth analysis, 90% of the vulnerabilities they found, and there were some, could be fixed and kept fixed by putting in a comprehensive, systematic approach to patching. So they implemented that. But that's not all. They don't just say, okay, thank you very much, and leave. They stuck around to do skilled training and repetition for the employees and the staff to make sure it would always be secure. They're partners. That's the point. They're not just geeks. They're business people who partner with you to make your business work better. Like that retail bank that wanted infrastructure that could survive a catastrophic cyber security event, a giant ransomware attack, for instance. WWT came in.

Leo Laporte / Steve Gibson (01:27:12):
Of course they locked everything down, but they were also able to, just as a side benefit, reduce system outages by 40%. They reduced costs by 48% by automating infrastructure. WWT is a company that helps you holistically because they see your business as a business, not just a bunch of technologies. Risk management, endpoint security, network security, identity and access management, cloud security: WWT can help you in every area, work with you to make your business safer, more reliable and ultimately more profitable, cuz that's what we're all there for. Go see how WWT and Fortinet can protect your business assets, protect your intellectual property with the holistic security approach that works for today and for tomorrow. wwt.com/twit to get started. Let World Wide Technology help you. wwt.com/twit. World Wide Technology makes a new world happen. WWT. All right. Back of the book, sort of. Let's talk about the topic of the week.

Leo Laporte / Steve Gibson (01:28:24):
So I thought that the term targeted exploitation was a little more catchy than calling the podcast The Exploitation of CVE-2022-0609. Now I bet Vulnonym has a good name for it. I'm sure. Let me look at, I bet they do. Yes. You know, itchy camel or, oh, I'm gonna look it up while you go on. Okay. So let's talk about last month's Chrome use-after-free exploitation. Last week on Thursday, the day before Google pushed their second urgent update to Chrome, their TAG team, you know, the Threat Analysis Group, provided some very interesting information about their detection of attacks which were leveraging that first zero day that was closed by their first urgent update of the year.

Leo Laporte / Steve Gibson (01:29:26):
Since, except in the case of Microsoft, we're almost always talking about vulnerabilities in the past tense, I thought it would be interesting to take a closer look into a case study of targeting. You know, we're also often talking, or taking an appropriate, what I think is an appropriate, relaxed stance toward the need to update when something will almost certainly only be used against specific targets, since part of the chances that that's us. But, you know, I think this case history should serve to provide a useful reminder of what can actually happen, and also what targeting really looks like. On February 10th, the Threat Analysis Group discovered two distinct North Korean government backed attacker groups exploiting a remote code execution vulnerability in Chrome, which was given CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. J E U S. Oh Lord. You know, I think they are taking some hints from the Vulnonym. Yeah. I can't find it. There's so many Vulnonyms. Oh God, they're so bad. They need a search engine at Vulnonym.

Leo Laporte / Steve Gibson (01:31:00):
So, we observed the campaigns targeting US based organizations, says Google, speaking of themselves. Google says we observed the campaigns targeting US based organizations spanning news media. Here it is: trollop bomb. D, that's not any better. Lop Bondi. Oh, wait a minute. That's 2020-0609. Sorry. Sorry. I gotta get 2022-0609. Oh, very confusing. I tell you, I'll keep looking. Okay. So Google observed the campaigns targeting US based organizations spanning news media, IT, cryptocurrency and financial technology industries. They said, however, other organizations and countries may have been targeted as well. One of the campaigns has direct infrastructure overlap. No, they have no name for it. No name for it. I'm not getting going on M get up. And you know, I'm still following that ridiculous thing. Oh, I do. I ever. So every so often I look at what they're coming up with. It's just nuts.

Leo Laporte / Steve Gibson (01:32:12):
It's like, turn that off. They do, turns out, have a search engine at vulnonym.org, but they have a name. So I, you know, come on. This is a big CVE, dudes. Yeah. Shocking. Why I'm talking about it. So they found out, Google found out about this on February 10th, patched it on February 14th, obviously of this year. So four days later. Again, props to Google for responding so quickly. They said the earliest evidence we have of this exploit kit being actively deployed is January 4th, 2022. So of course what happened was, once they knew, once they saw it and understood what was happening, they were able to look back in logs and realized, oh, we didn't know that was, but that was happening as far back as January 4th. So in other words, what, 42 days that this was going on. They said, we suspect that these groups work for the same entity with a shared supply chain, meaning, you know, malicious supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques.

Leo Laporte / Steve Gibson (01:33:29):
They said, it's possible that other North Korean government backed attackers have access to the same exploit kit as well. In this blog, they said, we will walk through the tactics, techniques and procedures, and we now have an abbreviation for that, right? TTPs, tactics, techniques, and procedures, share relevant IOCs, and that's indications of compromise, and analyze the exploit kit used by the attackers. In line with our current disclosure policy, we are providing these details 30 days after the patch release. In other words, we're sure by now this update has leaked out to all instances of Chrome, so we can talk about it. The campaign consistent with Operation Dream Job targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers, and software vendors. In other words, they know who these people are, right? And we've talked in the past that Google will reach out and contact these entities when they identify them to say, you should know that maybe you clicked a bum link.

Leo Laporte / Steve Gibson (01:34:49):
And they'll think about that. They said the targets received emails claiming to come from recruiters at Disney, Google, and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter, our sponsor. Wow. I wanna, yep. Yep. And I've got a screenshot of one of these emails, and so it's got the padlock, HTTPS, and the URL reads indeedus.org, which is not the legitimate domain for Indeed, but you know that. Exactly. Close enough. Yeah, exactly. Then it says slash view job and then a big scrambly bunch of characters, which all URLs, as I was groaning about last week, have. So you get this and it looks legitimate. I mean, you know, indeedus.org. It's not indeed.com, but again, who would know? The email solicitation appears to be totally legitimate. I didn't actually read it, but I hope they have an English speaker in North Korea

Leo Laporte / Steve Gibson (01:36:09):
who's writing these. I'm sure they do. Anyway. Victims who clicked on the links received by email would be served a hidden iframe that would trigger the exploit kit. And remember, normally you can click on things that are, I mean, you know, it's because our browsers are not designed to be vulnerable. So it's when there's a mistake, which the bad guys have leveraged, that clicking on something gets you in trouble. But clicking on something is, you know, required almost all the time in order to make something happen. So victims who clicked on the email links would be served a hidden iframe that would trigger the exploit kit. Attacker owned fake job domains were disneycareers.net, find-dreamjob.com, indeedus.org, varietyjob.com and ziprecruiters.org. So it's really close. It's really close. And, you know, ziprecruiters.org, plural though, not singular.

Leo Laporte / Steve Gibson (01:37:26):
So that's the, ah, exactly. Yeah. And once again, it's enough that you even, that's typo squatting right there. Yes. Even exactly. Even if you were to scrutinize the URL, you know, you go, okay. Yeah. ZipRecruiters.org. That's good. So they said another North Korean group whose activity has been publicly tracked as, this is the other one, Operation AppleJeus, targeted over 85 users in the cryptocurrency and financial tech industries leveraging the same exploit kit. This included compromising at least two legitimate financial tech company websites and hosting hidden iframes to serve the exploit kit to visitors. So you could go to a legitimate FinTech website and get hit by this. In other cases, fake websites were observed already set up to distribute trojanized cryptocurrency applications, hosting iframes and pointing their visitors to the exploit kit.

Leo Laporte / Steve Gibson (01:38:38):
And those sites were blockchainnews.vip, chainnews-star.com, financialtimes365.com, fireblocks.vip, gatexpiring.com, gbclabs.com, giantblock.org, humingbot.io, onlynova.org and teenbeanjs.com. And then those were the typo squatting sites. The two legitimate compromised websites, between February 7th and 9th, were www.options-it.com, a real site, and www.tradingtechnologies.com, another real site. The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit with hidden iframes, which they embedded on both websites they owned as well as those two websites they compromised. The kit initially serves some heavily obfuscated JavaScript used to fingerprint the target system. This script, they wrote, collected all available client information, such as the user agent, the screen resolution and all the other stuff that's available,

Leo Laporte / Steve Gibson (01:40:18):
and then sent it back to the exploitation server. If a set of, unknown to them, because they had no way to know, requirements were met, meaning if that fingerprinting said, oh yes, this is a go, the client would be served a Chrome remote code execution exploit and some additional JavaScript. If the RCE was successful, and that's this first zero day of the year, that's the Chrome RCE exploit, if that RCE was successful, the JavaScript would request the next stage, referenced within the script as SBX, which is a common acronym for sandbox escape. Cuz of course you gotta get out of this browser sandbox. And they said, we, unfortunately, were unable to recover any of the stages that followed the initial RCE. Okay. And this is really interesting, the way the bad guys hide and protect themselves, being careful to protect their exploits.

Leo Laporte / Steve Gibson (01:41:30):
The attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages, which is why Google's team, with, you know, absolute access to Chrome, were unable to get anything more than to learn of the first RCE. Safeguards include only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site. Which, like, think about that. So the site is clean and it doesn't contain the iframe except right at the time that they expect that their email will have been received and will likely be getting the click, if it's going to, that would bring the target back to the site. So a real narrow window during which that vulnerability is being sent to people who are entering the site. In some email campaigns, the targets received links with unique IDs.

Leo Laporte / Steve Gibson (01:42:42):
This was potentially used, they wrote, to enforce a one time click policy for each link and allow the exploit kit only to be served once per targeted visitor. So again, even if you grab the email from somebody who received it, you cannot obtain the RCE by reusing the link that was already used once. The exploit kit would AES-encrypt each stage, including the client's responses, with a session specific key. So traffic sniffing won't work. And additional stages were not served if the previous stage failed. So all of that being done to tightly constrain the disclosure of, for example, the sandbox escape. They know that, because they saw it in the script, that there was an SBX acronym. Presumably the RCE was then followed by a sandbox escape. Google doesn't know what it is because they were unable to get it, because the bad guys are being so careful, you know, to tightly control and constrain the exploit chain step by step.

Leo Laporte / Steve Gibson (01:44:03):
And the second it's broken, it doesn't go any further. And as we said, using unique one-time links, you're never able to begin to explore down that chain again. They said, although we recovered a new Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on macOS or Firefox on any OS and directed them to specific links on known exploitation servers. In other words, this set of exploits was for Chrome, but if somebody was coming in on Safari on a Mac or using Firefox on any platform, they got their own exploits tuned to the environment that they were using. They said we did not recover any responses from those URLs. So Google's TAG team has extreme visibility via instrumentation into their own Chrome browser, but obviously not into other non-Chrome browsers, but this evidence strongly suggests that users of Safari on Mac and Firefox anywhere may have been served their own different browser specific exploits.

Leo Laporte / Steve Gibson (01:45:31):
I have a link in the show notes, Leo, if you're curious. It's what VirusTotal thinks of the exploit kit that Google discovered. I told a friend of mine about VirusTotal, cuz he had a questionable file and, like, one obscure AV engine of 70 thought there was a problem, and he got all freaked out. I said, no, Mark, it's okay. You know, that means nothing. But this thing lights up like a Christmas tree with how many, you know, they said 25 out of all 59. Yeah. If you ever see 25 AV engines thinking that there's something wrong, don't proceed. Kaspersky got it. So did Microsoft. Yep. The attackers made multiple attempts to use the exploit. Now here's, this is interesting too.

Leo Laporte / Steve Gibson (01:46:25):
The attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14th, and, Google says, which stresses the importance of applying security updates as they become available. Well, I'm here to tell you, I keep complaining about this. I was using Chrome days after this thing was patched and my Chrome wasn't patched. It didn't patch itself until I went to look at some point. Would it, with Firefox, whenever Firefox gets updated, it says you can't use this, restart. Yeah. But Chrome doesn't do that. Huh? That's weird. Well, I mean, now my Chrome usage, you know, I have Firefox open statically. I generally start and stop Chrome multiple times through the day. It should update. So you'd really think it should. But it always is the case, when I look, it goes, oh yeah, we got something. It's like, well, it would've been nice if you just did that for me.

Leo Laporte / Steve Gibson (01:47:26):
Yeah. So they, under protecting our users, they said, as part of our efforts, and this is something I wanted to share, as part of our efforts to combat serious threat actors, we use results from our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. So that's one good thing that was done. Even so, that means even if my Chrome hadn't updated itself, Safe Browsing would've protected me if my unsafe Chrome had tried to go to any of those places. But of course that also presumes that they have full visibility into all of the sites that were doing the exploiting, and they can never know that. They said we also sent all targeted Gmail and Workspace users government backed attacker alerts notifying them of the activities.

Leo Laporte / Steve Gibson (01:48:30):
As I said before, Google is good about notifying people, who they can, that they may have been compromised. They said we encourage any potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated. They said TAG is committed to sharing our findings as a way of raising awareness with the security community and with companies and individuals that might have been targeted or suffered from these activities. We hope that improving understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry. So let's talk about Enhanced Safe Browsing. We mentioned it before in passing, but I want to take this opportunity to just talk about, you know, Google's, like, you know what they're doing? So they said, in 2020, we launched Enhanced Safe Browsing, which you can turn on in your Chrome security settings, with the goal of substantially increasing safety on the web.

Leo Laporte / Steve Gibson (01:49:38):
These improvements are being built on top of existing security mechanisms that already protect billions of devices. Since the initial launch, we have continuously worked behind the scenes to improve our real time URL checks and apply machine learning models to warn on previously unknown attacks. As a result, Enhanced Safe Browsing users are successfully phished 35% less than other users. Starting with Chrome 91, we will roll out new features to help Enhanced Safe Browsing users better choose their extensions, as well as offer additional protections against downloading malicious files on the web. Okay. So let's see, is there anything good here? Yeah. Every day millions of people rely on Chrome extensions to help them be more productive, save money, shop, or simply improve their browser experience. This is why it's important for us to continuously improve the safety of extensions published in the Chrome Web Store. Through our integration with Google Safe Browsing, in 2020 the number of malicious extensions that Chrome disabled to protect users grew by 81%.

Leo Laporte / Steve Gibson (01:51:00):
This comes on top of a number of improvements for more peace of mind when it comes to privacy and security. Any extensions built by a developer who follows the Chrome Web Store developer platform policies will be considered trusted by Enhanced Safe Browsing. For new developers, it will take at least a few months of respecting these conditions before becoming trusted. Eventually we strive for all developers with compliant extensions to reach the status before meeting these criteria. Today, this represents nearly 75% of all extensions at the Chrome Web Store. But that means, you know, they said nearly 75. That means more than 25% don't. Let's see. And finally, under improved download protection: when you download a file, Chrome first performs a first level check with Google Safe Browsing using metadata about the downloaded file, such as the digest of the contents and the source of the file, to determine whether it's potentially suspicious. For any downloads that Safe Browsing deems risky but not clearly unsafe, Enhanced Safe Browsing users will be presented with a warning and the ability to send the file to be scanned for a more in depth analysis.

Leo Laporte / Steve Gibson (01:52:24):
If you choose to send the file, Chrome will upload it to Google Safe Browsing, scan it using its static and dynamic analysis classifiers in real time. After a short wait, if Safe Browsing determines the file is unsafe, Chrome will display a warning. As always, you can bypass the warning and open the file without scanning. Uploaded files are deleted from Safe Browsing a short time after scanning. Okay, so under Chrome's three-dot menu, you go to Settings in the dropdown menu. Then on the left of the page, you'll see Security and Privacy. Click on that. Then click on Security in the middle. You're now looking at the Safe Browsing choice. If you want it, as I would and do, simply click the Enhanced Protection button to enable Google's useful, and I named it here, Big Brother Overwatch feature. You know, it is that. If you do this, then some of your surfing is being sent back in real time to Google for their verification.

Leo Laporte / Steve Gibson (01:53:40):
Well, the way I use Chrome, there's nowhere I'm going that I'm embarrassed for Google to know about. And so, I mean, as the host of this podcast for so many years, I'm becoming increasingly circumspect about the internet and about what's going on out there. And so sometimes I'm looking for, like, the DOS ethernet driver for some motherboard's onboard ethernet for, you know, working on SpinRite, in order to do network debugging. And so I'm going to some websites that look a little sketchy that are trying to get me to download their, will goal your drivers for free. Yeah. You know, it's like, no, no, no, no, no. Yeah. And so I'm happy to have Google, you know, watching where I go and making sure I don't step in something that I'll regret later.

Leo Laporte / Steve Gibson (01:54:41):
So I think our listeners probably fall into two categories. One is the, I don't want anybody watching me, feeding anything back to the mothership. There are other users who probably think, yeah, I need the help. So I just wanted to make sure everybody knew that this enhanced browser protection is available. You can turn it on. I run with it on, and I'm glad. Yeah, yeah, no, I think that's, and a lot of browsers use Google's protection. They actually use that service. It's a service you can use in your browser. So, no, I think that's a good public service. Absolutely. Speaking of public services, you're the man. Thank you so much, Steve Gibson, yet another fabulous Security Now. This is a show we do every Tuesday. It's kind of a must listen for a lot of people every week. We're about 1:30 Pacific, 4:30 Eastern, 20:30 UTC.

Leo Laporte / Steve Gibson (01:55:36):
If you wanted to watch or listen live, you can at live.twit.tv. If you're watching live, chat live at irc.twit.tv or in our Club TWiT Discord. There's a lot of conversation going on in both places. After the fact, on demand versions of the show are available from Steve directly at his site, grc.com. He has 16 kilobit audio versions for the bandwidth impaired, the normal 64 kilobit audio, and transcripts carefully crafted by Elaine Farris. All that at grc.com. While you're there, pick up SpinRite 6.0, the world's finest mass storage maintenance and recovery utility, soon to be 6.1. Steve's working hard on that. You'll get a free upgrade if you buy now. grc.com. We have the show at our website, twit.tv/sn. There's a YouTube channel dedicated to it. And of course you can subscribe free in any podcast client, get it automatically the minute it's available. I think a lot of people collect all the episodes, all 864 of them.

Leo Laporte / Steve Gibson / Jason Howell (01:56:41):
It's too bad. Can't put that on your, I know they, because I watch it happening in my server's bandwidth. Yeah. They want 'em all. Yeah, yeah, yeah. That's awesome. We will be back next Tuesday, Steve. I hope you will too. Thanks for being here. We'll see you next time on Security Now. Bye. The world is changing rapidly, so rapidly, in fact, that it's hard to keep up. That's why Mikah Sargent and I, Jason Howell, talk with the people making and breaking the tech news on Tech News Weekly every Thursday. They know these stories better than anyone. So why not get them to talk about it in their own words? Subscribe to Tech News Weekly, and you won't miss a beat. Every Thursday at twit.tv.

... (01:57:22):
Security.

... (01:57:23):
Now.
