Security Now Episode 868 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for Security Now, Steve Gibson is here. We'll take a look at the CSA. Mandated must update list. Why are there some very old flaws on there? Lenovo has a problem with more than 100 laptop models of vulnerability in Java, 15, 16, 17, and 18. That has a score of as high as 10 critical critical. And then we'll take a look across the past 10 years of zero days. Why are there more now than ever before? It's all coming up next on Security Now, podcasts you love from people you trust. This is TWiT. This is Security Now with Steve Gibson episode 868 recorded Tuesday, April 26th, 2022. The zero day explosion. This episode of security now is brought to you by net Foundry, reinvent the at work and eliminate the weight by decoupling security from infrastructure to protect our applications and data with open source zero trust.

Leo Laporte (00:01:11):
Grab your free swag and free tier. Now by going to netfoundry.io/twit. And by Barracuda, Barracuda has identified 13 types of email threats and how cyber criminals use them every day. Fishing conversation hacking ransomware, plus 10 more tricks. Cyber criminals use to steal money from your company or personal information from your employees and customers. Get your free book at barracuda.com/securitynow. And by Grammarly. Get through those emails and your work quicker by keeping it concise, confident, and effective with Grammarly. Go to grammarly.com/securitynow to sign up for a free account. And when you're ready to upgrade to Grammarly Premium, get 20% off. It's time for Security Now the show we're gonna protect you. Your loved ones, your privacy online with this guy right here. Steve Gibson of grc.com. Hello, Steve. Yo-Ho Leo. How are you ready with you again? We're closing out April the cruelest month of all with a bang.

Leo Laporte / Steve Gibson (00:02:25):
<Laugh> so this is episode 8 68. It's funny. You were talking to the MacBreak guys and wondering how long they'd been doing their show. And they were like, what was it? Eight fi eight, 15 or something that you just did with them? Yeah, you're ahead of the game. Yeah, we're at 8 68. So not a whole year, but you know, nearly that. Yeah. so you were the second podcast we did on Twitter was security now. Yes. Yeah. Yes. Well, and it was in Toronto that in between shooting the four episodes that we were doing of call for help, you are leaning on the, on the stage prop. And you said, what would you think about doing a, a podcast, a podcast on security <laugh> and I said a what cast <laugh> and the rest is, ah, and that was nearly 18 years ago. And both of us had darker hair.

Leo Laporte / Steve Gibson (00:03:18):
You have no lack of material, either more of it. Apparently not. So as speaking of which that's a perfect segue because today's episode is titled the zero day explosion, Ugh, Uhhuh. We're gonna take a close look at the us cybersecurity and infrastructure security agencies. Boy, that's a, a mouthful mandated must update list, including a couple of recent entries. We're gonna examine the somewhat breathtaking mistake that Lenovo made across more than 100 of their laptop models, as well as a. And this is separately, a cryptocurrency wallet implemented in a web browser, which is where we all say in unison, what could possibly go wrong? Then we're gonna look at another startling vulnerability that was recently discovered in Java versions, 15, 16, 17, and 18, all the last four major versions. We've got a bunch of interesting listener feedback. And one, I just put, I, I only have one representative sample of something that 200 of our listeners must have sent.

Leo Laporte / Steve Gibson (00:04:31):
We really have amazing listeners who are paying attention. I've got a brief sci-fi interlude the announcement of a major M reached for spin, right? And then we're gonna wrap up by taking a look across the past 10 years of zero day vulnerabilities, thanks to some recent research performed by the security firm. Mandiant and of course the title of this week's podcast gives away what's been happening the zero day explosion. Yeah. We seeing it in action. It's incredible. Yeah. We've been talking about zero days more in the last year or two than ever before. Yeah. I'm curious. Well, we'll talk about it. I'm curious what your thoughts are on why it's happening. What's what's going on. Yeah, we do talk about that. I, I figured you would <laugh> what do you know? What do you know or so they brought to you by Annette Foundry.

Leo Laporte (00:05:22):
This is an open source security tool that kind of really solves this problem of securing your network. And it comes down to something called zero trust, not zero day zero trust start with the premise that all networks are insecure, period. I mean, I think that's one thing we've learned. There's a way there's a will. There's a way people are gonna get in. So how then knowing that, do you stop DDoS attacks and brute force and credential stuffing and, you know, keep the CVEs and the zero day blues from biting your butt and the BGP, hijacks and fishing and well, everything, all the Beasties we talk about every week on this show. Well, open ZD, open ZD is the solution to isolate your apple locations, to isolate your data, to make the security of your network entirely irrelevant. Wait a minute. You're gonna say Leo. That's all I'm doing these days is securing my network.

Leo Laporte (00:06:29):
Exactly. <laugh> exactly. It's, you're pushing a Boulder up the hill and every time you let go, it comes right back down on you. What if instead of, I mean, you should probably still protect at the perimeter. Of course you should. You do all the things you're doing, but what if you could be sure that only the people who had the right to use a resource were using it open ZD was created by, and it's maintained by net Foundry as an open source free that's that's good news or right. An easy way for you and the rest of the world to embed zero trust, networking into anything. It provides everything you need to spin up a truly private zero trust overlay network. In minutes across anything, you could do it directly in your app. You could do it on any device. You could do it in the cloud.

Leo Laporte (00:07:15):
Any cloud it's built on principles, extensibility, flexibility, and scalability. I think the open source component really helps with that, right? That's kind of the ethos using open ZD isolates your absent systems. So they can't be subject to external network level attacks from malicious actors while protecting from internal or even S networks such as being immune to network side, channel attacks like fishing. It is quite literally zero trust for all your networks. You don't need expensive and risky, reactive patching. Again, you should continue to do all those things. I'm just saying, as you have learned, even when you all the things, right, you still have this risk and open CD gets rid of it. Agnostic design page ensure you only need commodity internet, outbound ports, you don't need network engineering skills to implement it. You could say goodbye to complex firewall rules, inbound ports, public DNS, static network, this control VPNs.

Leo Laporte (00:08:21):
And here's the best part. You eliminate the tug of war between developers and your security team. The former can work programmatically with software. The latter have isolated apps driven by policy visibility and the logs. They require zero trust. I mean, I know you've heard about it. We've talked about it, but it, it, it's a journey and you start wherever you need based on your priorities. But the most important step is that first step open ZD offers numerous STKs. They've got tunneling apps for all the popular OSS. They've got edge routers. They work with edge routers and cloud marketplaces. You don't even have to host opens eating net. Foundry has a SaaS solution. And yeah, I, I know you say, oh, well that's gonna cost. No, they even have free forever tier for up to 10 endpoints. So this is a solution. A small business can implement free or easily.

Leo Laporte / Steve Gibson (00:09:16):
It's so much more than I can get in a commercial. So let me tell you what to do. Go to net foundry.io/n E T F O U N D R y.io/ask, you know, around. Do you know about open CD? Have you heard of net Foundry? Everybody? I will tell you, oh yeah, this is the way to do it. You can go there or get some free swag. You can learn more. You can even get started including free forever. If that's what you need. Net foundry.io/get your free swag, your free tier. Right now, this is a brilliant solution and make zero trust accessible to all netfoundry.io/twit, and now the picture of the week. So, so this relates to our discussion a while ago about privacy enforcing or pro privacy web search. Of course, duck dot go is the service. And I actually found myself thinking about it recently.

Leo Laporte / Steve Gibson (00:10:19):
I clicked on some link from a Google search and where I was going was blocked by you block origin, because I was like in some redirection chain, I've had that bouncing. Yeah. Oh, it's just so wrong. Yeah. To, you know, it's like, I'm looking at the link, right. And it's a, it's a fake out link. It's not the actual URL exactly. That, that you get when, when you click on it. So I just thought, oh, and the, the, the sites that I was being bounced through that you block origin was protecting me from were really sketchy looking. It's like, this is a link on Google search and you, you go through all those other things. Yes, yes, yes. So I thought, well, duck do go. Anyway, the problem is, and we discussed this at the time. How do you know? You can say to somebody like with a straight face, you know, did you Google it?

Leo Laporte / Steve Gibson (00:11:13):
Or, or just, or it, you know, <laugh> yeah. Not quite so straight of a face, but, but duck, did you duck it? You know, oh, don't say that. Did you duck it? No. No, you don't wanna, that's too close to, you know, and so, you know, then, then, then it was ducking or, or, you know, like what too? I don't know. Yeah. Anyway, so somebody put up a tweeted me a picture that is because of what it is. It's got, as you said, a it's a meme, a common meme. Yeah. Of, of, of, of someone like, like saying no, no, no. To duck, duck going, you don't want say, you know, duck, duck going, that's clearly not helping <laugh> anyway, they're suggesting quacking. I cracked it. I qued it. Yeah. I qued. It cracked me. So you cracked that? Yeah. Yeah. Quack it, I like it.

Leo Laporte / Steve Gibson (00:12:04):
Just, just, just go crack it. Yeah. So thank you. I think that probably solves our problem is that feel like that's Drake, but I might be wrong. I don't know. I don't know who Drake is. I know I'll take chat room will tell me if I'm right. Yeah. There's something on his shirt that looks like a cheerleader in the, or man, I don't know what's going on. It's a hoops, man. That's a Nike air or something. Yeah. Air Jordan's. He's a hipster. Right? That's you were certainly right about me not knowing about the name. He's a well known, well Canadian rap star. That's not an oxymoron. Yeah. Well that doesn't help either. <Laugh> okay. Oops. So whoop. I'm pressing all the buttons. When nothing happening, you got all kinds of buttons over there. There we go. There we go. Okay. So CIS known exploited vulnerabilities catalog as we've noted from time to time, one of the services being provided by our awkwardly named us cyber security and infrastructure security agency, CSA has been the maintenance of a, you know, I never noticed the redundancy there.

Leo Laporte / Steve Gibson (00:13:08):
Oh, it's so bad. And I was thinking maybe I was playing where if, if you said infrastructure and cyber security, that would work agency agency, then you, you get rid of one of the securities. Yeah. Cause it, otherwise it's cybersecurity and infrastructure security. You should write a letter to the department of redundancy department because I <laugh>, I think they need to fix this for sure. Actually I'll write another letter to the do at least redundancy department. Yeah. Because they, they wouldn't respond to only one. So, okay. So this is a growing list of actively, and this is the key actively exploited vulnerabilities, not just all vulnerabilities, but the ones that are like being seen. So we normally refer to this list in the context of ceases. What I like to call there are Christmas cancellation policy of which, you know, from last year, which which is of issuing, standing mandates to all federal agencies within its governance, that they must patch this or that by some specific date, typically only a few weeks after the issuance of a mandate.

Leo Laporte / Steve Gibson (00:14:21):
Now, at the end of today's podcast, we're gonna be talking a bit about patching philosophy and about the idea of priorit or the feasibility, I guess, of prioritizing patching to focus upon those issues that are being actively exploited. The, you know, the logic behind that's obvious in a bureaucratic environment. It certainly makes the imposition of the inconvenience that's suffered by the need to take down and patch running systems and services justifiable. But boy CI's list is growing now so large that it's, it's being referred to as a catalog, which is a better description than a list. So at some point it loses some of its punch as it becomes easier just to patch everything, which as we'll see is the strategy that I think the makes the most sense overall. Okay. That said there have been some notable new entries added to CISs, constantly growing catalog of mm.

Leo Laporte / Steve Gibson (00:15:28):
You know, must patch immediately. Dates. CSA informs us that the CVSs 7.8 vulnerability in windows print spooler that was patched as part of February's patch Tuesday. Okay. So a little over 60 days ago you know, we've had March and April patches since then, but what they fixed in February is actively being exploited in the wild. It's a privilege escalation vulnerability, which a hacker will need to leverage if they're able to arrange to get into a system, but under limited protective privileges, they need to escalate their privileges in order to, you know, perpetrate their nastiness. So here's a perfect example of a more than 60 day old patched problem. Right? I mean, it patches are available and it's, it's even on windows that's, you know, like aggressively broken us, broken down all of our resistance again against applying patches. So it's like, okay, fine. 60 days ago it was doubtless immediately reverse engineered and put to use.

Leo Laporte / Steve Gibson (00:16:43):
The only place it's gonna be effective is against machines that have not yet received their February updates yet says this thing is being exploited in the wild that's what's happening back in February when Microsoft listed this defect as fixed, it was tagged as exploitation, more likely. And they were apparently right about that. It's interesting. And, and I think somewhat sad to look at the CVSs year dates for things the CISA ads to its actively being exploited in the wild catalog. There were two others. One was, they just added a cross site, scripting vulnerability, which was found in the zebra. I had to look it up the zebra collaboration suite. You know, it's certainly not mainstream. It's a Java based suite, which is hosted on Linux. It's been around since 2005 and its ownership has changed hands many times. I don't know what that says about it.

Leo Laporte / Steve Gibson (00:17:54):
I have a relative who changes jobs often, and that kind of was a little sketchy. Anyway, this thing was first written by a company originally named liquid CIS who changed their name to Zimbra, which Yahoo later purchased before selling it to VMware, who then sold it to intelligent systems who then also changed their name to Zimbra before being sold to Syco. So I guess if a lot of companies had great hopes for it or maybe the price was right, I don't know. But in any event, this cross site scripting vulnerability was identified and patched four years ago in 2018. And CSA now tells us that it is currently being actively exploited in the wild and guess where Ukraine's computer emergency team somehow still in operation cert UA released an advisory last week, cautioning about email phishing attacks, targeting government entities with the goal of forwarding victim's emails to a third party email address by leveraging exactly that Zi vulnerability.

Leo Laporte / Steve Gibson (00:19:11):
So, okay. It's not just theoretical assis said it's actually happening right now. Some Russian misre saw that someone was still using Zimbra. So they checked their, their own catalog, which is titled the big book of every possible way to hack someone and found a four year old cross site scripting vulnerability that would come in handy. If that Zimer instance had not been updated in the past four years, the most recent Zimbra update was just over a little year ago on April 7th, 2021. So Zimbra could have been kept current that instance that was apparently found being hacked, but apparently it hadn't been, so this is not wrong that this four year old obscure vulnerability is being exploited <affirmative>, but are they right to add it to the USS emergency must patch by may mandate? You know, that's what I'm wondering about are, are, are any us federal agencies known to be using zebra?

Leo Laporte / Steve Gibson (00:20:29):
I have no idea, but if so, wouldn't it make much more sense, cuz there's gotta be like, what one, one or two, if any, wouldn't it make more sense to be a little bit more proactive and give them a call? You know what I mean? Like target those agencies rather than everyone else with an entry that just adds unnecessary noise to the growing list. And as things four years old, another just added entry is a three year old stack buffer overflow. Now stack buffer overflows. They're not good. This one carries a CVSs of 9.8, which as we know, those are the ones you pay attention to, you know, that's a standup and take notice score and it occurs in WhatsApps V O I P component. How is it possible that anyone using WhatsApp will not have updated it since 2019? I mean, this thing is a three year old problem that was patched.

Leo Laporte / Steve Gibson (00:21:32):
So Leo, I guess that perhaps we're living in a bubble, I that's the only conclusion I can come to, perhaps we've been drinking our own upgrade Kool-Aid for so long that we're completely out of touch with a real world. There must be a significant proportion of users who actively and proactively ignore or perhaps mistrust or just don't think they need offers and requests to update their software. You know, it's working and not obviously they, they, so, you know, they think, I see no need to mess with it. And as we know, it certainly is the case that having something work and having something that works also being actively impervious to abuse are two very different things. But we know that, you know, that's one of the most important lessons that everyone listening to this podcast myself included has learned through example after example through the years.

Leo Laporte / Steve Gibson (00:22:38):
But that's probably not at all obvious to the typical user who thinks, well, it works. I can message and talk and it seems fine here. So whatever they're trying to sell me or to get me to do, I probably don't need or want, so I'm not gonna change anything. But again, even so does a three year old vulnerability, even, you know, maybe if someone in Bangladesh had their Android phone compromised as a result of using an even older version of WhatsApp, you know, does it need to be taking up cognitive space in this's catalog? I think it's an open question three or four years is a long time not to have updated software. You know, it's clear that there's a very long tail on many of these vulnerabilities. We talked last year and the year before about critical flaws in a T C P P stack being widely used in, you know, by $5 internet of things, light switches and plugs, none of those things are ever gonna be updated.

Leo Laporte / Steve Gibson (00:23:57):
So they will be latently vulnerable as long as they're in service. But that isn't what CSA is targeting. I don't have an answer light switches and plugs cannot be updated, but for federal agencies to never update in use software, for which updates are ready and waiting is unconscionable. You know, so I'm glad there's a mandate. I hope it has some teeth behind, but I, you know, as I was thinking through this, I thought, you know, maybe have these things expire after a year. But like, you know, get agencies like force them somehow not to be more than a year out of date. And they shouldn't be more than a, you know, you know, in some cases, a few days out of date, the rate at which we're now seeing patched vulnerabilities leveraged into exploits has accelerated dramatically in the last couple years. And we're gonna be touching on that shortly Lenovo Leo I, who I heard you refer to Lenovo's U E F I problem on some podcast recently.

Leo Laporte / Steve Gibson (00:25:08):
So, you know, this has been in the news a lot. Oh yeah. It's not Sur, it's not surprising. I'm I'm aware of it cuz I buy a lot of Lenovo hardware. So that's been the ThinkPad, right? Yeah. Like, yeah. The think yes, the premier laptop. So as we know, when a PC is powered up, something needs to wake up and configure the various parts of the machine. The video needs to be started. The fans need to spin up all of the machines, various mass storage subsystems need to be initialized. And then the firmwares configuration needs to be checked. The proper operat system needs to be located and its OS boot code needs to be initially loaded into Ram so that control can be turned over to it to continue booting the machine. The first PCs did that using their basic input output system, B iOS or bios, that would was good for about five years.

Leo Laporte / Steve Gibson (00:26:10):
It actually didn't last very long cuz the PC just exploded in terms of, you know, what everybody wanted to do with it. So the limitations which had been built into the bios assumptions began to cause more problems than they were worth than they were worth almost automatic and various Mickey mouse workarounds were created to overcome many of these problems while Intel worked on a wholesale replacement of the bios. The initial attempt was the EFI, the so-called extensible firmware interface, which quickly matured into the unified extensible firmware interface, U E F I and we find ourselves right back where we always do the original bios was so dumb. The it could not be infected. It was originally implemented in ma <laugh> sometimes dumb is a good thing. <Laugh> that's exactly. It was originally implemented in masked RO meaning that the firmwares bits were etched into a metal mask at the factory could never be changed.

Leo Laporte / Steve Gibson (00:27:24):
It did mean you had to get the code right the first time, no update. And yeah, that was something people used to be able to do, but we don't do that anymore. So that soon gave way to non-volatile flash rom, which could be updated. But the code it implemented was still bless dumb sometimes for some things the dumber the better, because if all you want is to boot an OS, you really don't need that much smarts. The bios did it just fine. And the lesson we keep falling into and we keep failing to learn is that the more complicated, capable and smart, we make things, the more leeway in latitude, the system has to go very badly wrong. So welcome to the unified extensible firmware interface, where malware is also able to extend the firmware.

Leo Laporte / Steve Gibson (00:28:29):
Lenovo has been most recently in the, we made a UFI mistake news recently last week, the guys over at <inaudible> whose motto is we live security, posted the results of their analysis. Some widely used Lenovo U E F I firmware their postings title was when secure isn't secure at all. Colon high impact U E F I vulnerabilities discovered in Lenovo consumer laptops. And the stories to tagline is ISSET researchers discover multiple vulnerabilities in various Lenovo laptop models that allow an attacker with admin privileges to expose the user to firmware level malware, okay. Firmware level malware. That's not what you want to hear. That's even less what you wanna have crawling around inside your machine firmware level. Malware enables the ultimate in root kit techniques. In fact, having its own worst name boot kit, the presence of firmware level malware means quite simply that it's impossible to trust anything about what the machine might do.

Leo Laporte / Steve Gibson (00:29:56):
Firmware level malware is able to infect and compromise is the operating system's own code during its boot process. Before it has had any opportunity to raise its own shields and reformatting the machines, mass storage and reinstalling, an operating system, or even removing and replacing a drive won't necessarily eliminate the problem because this malware has taken up residents in the machines, underlying firmware on the motherboard on a, on a, a nonvolatile memory soldered to the main board. Now we know that anybody can make a mistake and I am, as our listeners know, I am infinitely forgiving of mistakes, but the most troubling aspect of what the E researchers found was that two of the three big mistakes Lenovo made were the oversight of leaving highly exploitable drivers in the U E F I for room wear image, which should have only been present during the firmware's development.

Leo Laporte / Steve Gibson (00:31:08):
These drivers should have never left the factory. So it's not like they got, you know, a loop condition wrong or something like a mistake, you know, they've left stuff in there that it not be in there. How do we know <laugh> we know because the two drivers were actually named secure backdoor. <Laugh> that's the, in the U E I firmware. That's the driver's name. Yeah. We're gonna talk about oxymoron. Secure backdoor. Yeah. Yeah. Turns out it, it wasn't. Yeah. The other one was secure backdoor. P E I M so here's what Eun said. They said E set researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. Various. Yeah, we'll get to that in a minute. The first two of these vulnerabilities and we got two CVEs from this year 39, 71 and 72 effect, U E F I firmware drivers originally meant to be used.

Leo Laporte / Steve Gibson (00:32:16):
This is Eun only during the manufacturing process of Lenovo consumer notebooks, unfortunately rights E set. They were mistakenly included also in the production firmware images without being properly deactivated slash or deleted. These affected firmware drivers can be activated by an attacker to directly disable SPI flash protections that is using control register bits and protected range registers or the U E F I secure boot feature from a P user mode process running OS run time. Okay. So just to be clear about what CE just said, they said from a privileged user mode process in the OS, in other words, mistakenly a user, any user of these laptops mistaken, allowing some malware to run in their OS, which might innocently ask to be granted brief UAC privilege, elevation to install something. If that is, if it didn't bring along its own privilege escalation, vulnerability exploit, as it might, or which might set itself up to run as a system service, that code can disable all relevant.

Leo Laporte / Steve Gibson (00:33:45):
U E F I right. Protections to then surreptitiously install, semipermanent, hidden boot kit malware into the system's U E I firmware, and the user would be done the wiser. And we don't know how to scan for that yet. We're I mean, there there's been some talk of scanning, U E F I nothing much has come of it. <Inaudible> said it means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or E S P implants like LoJack to understand how we were able to find these vulnerabilities, consider the firmware drivers affected by, and then they, this, this, the CVE number, the 39 71 <laugh> they wrote these drivers. Imagine this Leo immediately caught our attention by their very unfortunate, but surprisingly honest names, secure backdoor and secure backdoor. P E I M after some initial analysis, we discovered other Lenovo drivers sharing a few common characteristics with the secure backdoor as risk drivers.

Leo Laporte / Steve Gibson (00:35:03):
Those are C HG, I guess that's short for change. And then boot DXE hook and C H C HG boot SMM you know, SMM is system management mode stuff, which is the, the OS under the OS, as it turned out, they write their functionality was even more interesting and could be abused to disable U E F I secure boot that's that's the CVE ending in 39, 72. In addition, they said, while investigating the vulnerable drivers, we discovered a third vulnerability SMM memory corruption inside the S w SMI handler function. Thus, we have CVE ending in 39 70. This vulnerability they allows arbitrary read, write from into SMAM, which can lead to the ex execution of malicious code with full SMM privileges. That's again, that's like the chip level privileges, nothing more privileged in the world than that. And they said potentially lead to the deployment of an S P eye flash implant.

Leo Laporte / Steve Gibson (00:36:19):
We reported all discovered vulnerabilities to Lenovo on October 11th, 2021. And I didn't have it in the show notes, but Lenovo responded a month later. Although the list of affected devices contains and here it comes, <laugh> more than 100 different consumer laptop models with millions, many of users worldwide from affordable models, like idea pad three to more advanced ones like Legion, five pro or yo yoga, slim nine. The full list of effective models with active development support is published in the Lenovo advisory. In addition to the models listed in the advisory, several other devices we reported to Lenovo are also affected, but won't be fixed due to them reaching end of development support E O D S. This includes devices where we spotted reported vulnerabilities for the first time, IDPA three 30 and IDPA one 10, the list of such E O DS devices that we have been able to identify will be available in E's vulnerability, disclosures repository.

Leo Laporte / Steve Gibson (00:37:38):
And what this tells us reading between the lines is that these vulnerabilities have been there long enough for those machines, which they started affecting to now have left, have gone out of their service life with Lenovo. Thus, they will never be fixed Lenovo. Oh yeah. I do have in the, in the notes, Lenovo confirmed the vulnerabilities on November 17th, 2021, and assigned them the following CVEs and <laugh>, and I mean, they're being, they're coming right out with it. CVE ending in 37 90 Lenovo variable SMM, and they say, hyphen SMM, arbitrary read, write the one ending in 39, 71 secure back door, disable SPI flash protections, and 39 72 change boot DXE hook disable U E F I secure boot. So given how incredibly active the cyber underworld is today, we keep encountering quite sobering evidence of it, you know, in every podcast. Now there's just no chance that these now fully disclosed and very well documented vulnerabilities will not be used to compromise the interests of some of these millions of Lenovo laptop users worldwide.

Leo Laporte / Steve Gibson (00:39:10):
And many of them are, you know, gonna be serious users. It will have happen. So here we are, once more noting that there's something very wrong with our industry's current development model, you know, how can this be allowed to occur over and over and over E set had to reverse engineer the proprietary code in this U E I firmware in order to find these problems that it's and it's affecting Lord knows what multiple of millions of Lenovo laptop users Lenovo messed up big time here, but for the record, they're not alone. These newly disclosed vulnerabilities merely add to the recent disclosure of more than 55 U E F I firmware vulnerabilities, which have been found in inside softwares. You know, I N S Y D E inside softwares inside H two O and HP and Dell laptops since the start of just this year among those are six severe flaws in HP's firmware affecting both laptops and desktops, which would exploited, could allow attacks to locally escalate to SMM privileges, which as I said, is as, as much as you can get on any hardware platform and trigger at least denial of service and maybe more so, you know, Lenovo is in good company or at least only the most recent member of this U I vulnerability doghouse.

Leo Laporte / Steve Gibson (00:40:54):
And as we know, it's not Lenovo's first instance of EFI problems. We've we've, you know, years ago they've also had problems. So we've managed to make our lovely little machines far more complex by designing in extremely powerful capabilities. Yes, we get lots more flexibility. We get remote management and remote maintenance and not surprisingly, it's also a mixed blessing. So a heads up to anyone using Lenovo laptops, regardless of the model you have, don't look at a list of effective models. First of all, there's there's hundreds. You should definitely check in to see whether your device has a firm more update outstanding. And for that matter, HP and Dell users would be well advised to do the same. Do you think these changes are driven by the needs of enterprise? In other words, are, are, are we personal and home users and geeks suffering because yes, exactly management capabilities built in exactly that yeah, exactly.

Leo Laporte / Steve Gibson (00:42:03):
That Leo, yeah, there should be. And there are a few places where you can get simpler systems of simpler U E I and core boot, open source firmware, things like that. And they are really not aimed at enterprise. When was the other thing I wanted to to mention, oh yeah. Firmware updates. Now it's interesting are increasingly part of the operating system update. I don't know if you've noticed that. Yeah. well, we, we, we, we know that window, for example, is patching the Intel, the Intel chip set firmware, right. Linux brings along the same thing exactly. To, to their credit, although it is a little, you know, a bit of a mixed blessing. Lenovo now has software that comes pre-installed on their machines, which is taking responsibility for keeping your machines firmware up to date. So it makes it better than if you like, you know, then like never, ever having the opportunity to proactively inform Lenovo machine owners and having a problem like this out there that would make them persistently vulnerable.

Leo Laporte (00:43:09):
Yeah. Yeah. And I'm persistently dehydrated. Yeah. Don't okay. Don't drink too much water. We've gotta keep your electrolyte level up as well. Our show today, <laugh>, he's got an 18 gallon jug he's ready to use our show today, brought to you by a name. Everybody knows insecurity Barracuda in recent email trends, survey Barracuda did 43% of respondents, 40 through almost half said they'd been victims of a spear fishing attack. And yet only a quarter of the response said they have some sort of dedicated spear fishing protection, which makes me wonder about the other quarter. Like they're just sitting spear fishing, as you know, is targeted emails at your employees to get inside a company's network. And because they're targeted, they could be so much more damaging. They might have the employee's name. They might have the boss's name. They might sound like they're coming from the boss with tasks that the boss might actually ask.

Leo Laporte (00:44:16):
And, and it makes it so believable that it's sometimes I think almost impossible for employees to ignore them. That's just one of 13 different kinds of email threats. Barracuda has identified Barracuda studies them of course, and how cyber criminals use these threats every day, fishing and conversation hacking and ransomware. There's, there's lots of tricks. Cyber criminals use to try to steal your money from your company or personal information or both <laugh> from your employees, from your customers. Are you protected against all 13 types to even know what all 13 types are? As we have been pointing out, email cyber crime is becoming more sophisticated. These attacks are becoming more difficult to prevent. They're using social engineering prey on your fears, inducing, urgency all with an eye to getting somebody to act without thinking social engineering, it's hacks like spear fishing and business, email compromised cost businesses, and average of stand back for this $130,000 an incident.

Leo Laporte (00:45:18):
Can you afford to lose that $130,000? And it's always tied to, you know, topical stuff as the demand for COVID 19 tests increased. For instance, the beginning of this year, Barracuda researchers saw of course, an increase in COVID 19 test related Phish attacks between October and January 521% increase as people become more interested in cryptocurrency. You guessed it. That's where the bad guys go. The Bry price of Bitcoin, of course as it continues to go up means that you're gonna see a lot more attempts to steal your wallet. Barracuda research found that impersonation attacks grew 192% in the same period in 2020, the internet crime compliance center, IC three. See, that's a good name, IC three received 19,369. Business email compromise and account compromised complaints with adjusted losses of over 1.8 billion. Look, I must have by now, I've surely convinced you. You need to protect yourself and securing email at the gateway level.

Leo Laporte (00:46:26):
Isn't enough in anymore. You've gotta leverage gateway security of course, to protect against traditional attacks like virus zero day, ransomware, spam, other threats, but a targeted attack. Man, your Gateway's defenseless against that. You need protection at the inbox level, including AI and machine learning because the attacks are evolving faster than, you know, the Mount anti malware can evolve. So you gotta use AI machine learning to detect and stop the most of a sophisticated threats. Look, here's what you should do. It's free. It's easy to get a copy of the Barracuda report, 13 email threat types to know about. You'll see how cyber criminals are getting more and more sophisticated every day. It's the reason you listen to the show, right? And how you can build the best protection for your business, your data, and your people with Barracuda. Find out about the 13 email threat types you need to know about and how Barracuda can provide complete email protection for your teams, your customers, and your reputation for your free ebook.

Leo Laporte / Steve Gibson (00:47:23):
Go to barracuda.com/Security Now B a R R a C U D a barracuda.com/Security Now Barracuda your journey secured. And we thank them so much for their support of Security Now you support us too, when you go to that address, barracuda.com/Security Now, Steve. Okay. So I read the title of this piece of news in the record and it just made me shake my head. The item is titled ever scale blockchain wallet, shutter's web version <laugh> after vulnerability found. Okay. I, I mean, really, I gotta put my wallet on the web. That's a good idea. What moron <laugh> could possibly think that offering a web browser based cryptocurrency wallet was insane? Well, it's easy. It's convenient. <Laugh> anyone who was capable of beginning to create such a thing should know. It's just a bad idea as we often observed on this podcast, just because you can do something doesn't mean you should do that.

Leo Laporte / Steve Gibson (00:48:43):
Here are the first two sentences of the records story. They wrote quote, the company behind ever surf a wallet for the ever scale. Blockchain ecosystem is shuttering its web version. After a vulnerability was found by checkpoint researchers, the ever surf team confirmed that the vulnerability allowed attackers gain access to wallets. Yeah, duh, because it's on a web browser. <Laugh> oh my God. Okay. The, the, the record is reporting on research, which was performed by checkpoint research. The checkpoint guys explained, they said block chain technology and decentralized applications provide and their decentralized applications, or, you know, web apps provide users with a number of advantages. For example, users can utilize the service without creating an account, and it can be implemented as a single page application written in job of a script. This type of app. No, they're being very fair here. This type of application does not require communication with a centralized infrastructure such as a web server, and it can interact with the blockchain directly or by using a browser extension like meta mask.

Leo Laporte / Steve Gibson (00:50:11):
In this case, the user is identified using keys that are stored on a local machine inside a browser extension or a web wallet. Okay. Now the phrase web wallet itself should be outlawed, but okay. If a decentralized application or a wallet stores sensitive data locally, it must ensure this data is reliably protected. In most cases, decentralized applications running inside the browser are run inside the browser and therefore may be vulnerable to attacks such as cross side scripting. Just to name one of like countless this research describes the vulnerability found in the web version of ever surf. Maybe we should call it never surf a wallet for the ever scale blockchain. They finish by exploiting this vulnerability. It's possible to decrypt the private keys and seed phrases that are stored in the browsers, local storage. Yeah. In other words, attackers could gain full control over victims, wallets.

Leo Laporte / Steve Gibson (00:51:33):
Okay. Now, Leo, you're gonna love the details of this. Okay. It turns out that that one of the code libraries, the implementers used, you know how everybody now is just grab a library here, grab a library there, and God, you know, and hope that it hasn't been compromised by some supply chain attack, which is another problem. One of the code libraries, the implementers used is not fully supported or one of the functions in one of the code libraries is not fully supported in web browsers. The code attempts to obtain a cryptographic nonce with a call to the function device info dot get unique ID. The problem is that this function requires access to its underlying device. So it's only defined when running natively on, in Java, on Android iOS or windows. I have a snippet of the function, actually, it's the entire function. It's a one line function cuz JavaScript, you know, is crazy with the, with the way it, it operates where you're able to, I never write

Speaker 2 (00:52:49):
A one like this. This is

Leo Laporte / Steve Gibson (00:52:51):
Ridiculing <laugh>. I know you're able to chain a bunch of OS and the first or that succeeds is the one that gets taken as the value of the en closing function. You can't anyway, its a see it very well on the screen. It's no, you really can't see it anyway. I've gotta snippet of it. What it show, what it shows is for those who read JavaScript, that it is, it is obtaining a value of, of, of the, the underlying platforms, default dot unique ID. If, if there's an, an evaluation of the OS as Android, iOS or windows and otherwise it's a, it's also a conditional expression, which is another creation of, well, it exists in several languages. Now it's a condition expression. If it doesn't exist in those languages, that is the function is undefined. Then it returns unknown. Literally the string unknown. Now of course the string unknown never varies right from browser to browser or instance to instance or user to user.

Leo Laporte / Steve Gibson (00:54:01):
So when the OS is not Android iOS or windows natively, the function returns, as I said, unknown in quotes. And thus that value is never unique and that value is used to salt. The hash, as we learned years ago on this podcast, salting hashes is crucial to the security of hashed password storage because the salt effectively customizes the hash per use with the salt broken checkpoint was able to trivially brute the users six digit pin. Yes. On top of everything else. Even if the system was working correctly, its entire security was controlled by a six digit pin. <Laugh> checkpoint wrote CPR, you know, checkpoint research roughly reimplemented the key derivation and key store decryption in no JS and performed a brute force attack on the pin code. This resulted in a performance of 95 passwords per second on a four core Intel core I seven CPU.

Leo Laporte / Steve Gibson (00:55:27):
Although this is not a very high speed. It is sufficient for the attack on a six digit pin code. In the worst case scenario checking 10 to the sixth possible variance means the entire attack takes approximately 175 minutes and that's worst case. They said for our experiment, we created a new key in surf and dumped the key store from the browsers unencrypted local storage. In our case, the attack took 38 minutes. At the end, we got the derived key and decrypted the seed phrase that could be used to restore the keys on another device. In other words, this was never secure. And in this case, I mean, first of all, as I said, the idea of doing a browser based wallet is just nuts. It, it it'd be like, I, I don't know, putting a wallet on a lemonade, stand in the front yard and you know, trusting that no one is gonna come along and, and take it.

Leo Laporte / Steve Gibson (00:56:36):
I mean, it's just, it's, it's insane browsers struggle with security and do not, you do not want your, your cryptocurrency private keys anywhere near a browser. So I just, I just, you know, and, and again, the had this, it, it, the pro it would've been a bad idea to implement it on a browser in any event, but this is a classic instance of why it's a bad idea. Libraries were used that were not fully understood. They deployed this thing without ever verifying that the hash was never changing. And so the same hash was being used to always in encrypt the user's data. And it just meant that the whole thing could be, be brute forceable checkpoint also noted that in the same way, back in the day, Leo what were those tables called? Rainbow tables. Rainbow tables. Yeah. Yes. And so basically you could create a rainbow table using some GP in the cloud to come up with the hashes for all 10 to the sixth possibilities that wouldn't take a lot of time.

Leo Laporte / Steve Gibson (00:57:55):
Then you could simply decrypt everybody's wallet who has one of these things that, that you're able to get ahold of. So just, you know, a bad idea. Okay. Java, once again Java 15, 16, 17, and 18 received a, the, the JDK, the developer's kit received must updates last week, Neil Madden, the sum, what excitable guy at rock forge, who discovered a new and quite severe problem with Java considers it to warrant a CVSs of 10.0. Now, I think we should reserve that for the software apocalypse or perhaps when Skynet obtains, self awareness the result of the industry the I'm sorry, the rest of the industry gave his discovery a still very healthy CVSs of 7.5. And in no event, should this one be ignored. Anybody doing Java development, using security needs to date using from last week's critical update. So here's what Neil wrote about his discovery.

Leo Laporte / Steve Gibson (00:59:12):
He said, it turns out that recent releases of Java were vulnerable to a flaw in the implementation of their widely used E DSA. That's the elliptic curve, digital signature algorithm. And by the way, that's now the default across like all state of the art algorithms are using E C DSA. And we'll see if some examples in a second, he said, if you are running of the vulnerable versions, that is Java of 15, 16, 17, or 18, then an attacker can easily forge some types of SSL certificates and handshakes allowing for interception and modification of communications signed JWTs. Those are Jason web tokens, Samal assertions, or O I D C I D tokens. And even web often authentication messages, all using the digital equivalent of a blank piece of paper. He said, it's hard to overstate the severity of this bug. If you are using E C DSA signatures for any of these security mechanisms.

Leo Laporte / Steve Gibson (01:00:27):
And as I said, E DSA is now the default standard then an attacker Riely and completely bypass them. If your server is running any Java of 15, 16, 17, or 18 version before the April, 2022 that's last week's critical patch updates CPU. He said for context, almost all web often Fido devices in the real world, including UBI keys, use E C D S a signatures and many O I D C providers use E DSA signed JWTs Jason web tokens. I use it for my SSH keys, but that wouldn't be impacted by this cuz you're I'm I would not imagine Java for my S SSH right, exactly. You're probably not. You're not connecting to something that Java based. No. Yes. So he says, if you've deployed 15, 16, 17, or 18 in production, then you should stop what you're doing. And immediately update to install the fixes in the April, 2022 critical patch update.

Leo Laporte / Steve Gibson (01:01:44):
And finally, he says, Oracle GA have given this a CVSs score of 7.5 assigning no impact to confidentiality or availability, which I, I agree is questionable. He said, initially we at forge rock graded this a perfect 10.0 due to the wide range of impacts on different functionality in an access management context, forge rock customers can read our advisory about this issue for further guidance. So in any event for any listeners, if anybody is a Java developer, if you don't already have it, if you haven't received a notice definitely update your Java JDK to the latest and apparently 15 and 16 have gone out of support. So they're never gonna be fixed as I understand it, hopefully everybody has by now moved to 17 and 18.

Leo Laporte / Steve Gibson (01:02:40):
We have a bunch of interesting closing the loop feedback this week 7 3, 3 7 that's of course, lead upside down. He said of SN 0 8 63 and use after free. He said, why does the deallocated memory not get zeroed? Why does Malik not also zero out the deallocated memory? Would that not solve the use after free issue? It's it's a nice point, but here's the catch. It turns out it's not the memory. That's not the contents of the memory that's been freed that matters it's that you have a pointer, which used to point to some memory, modern, automatic languages make it impossible or difficult or at least managed to get a pointer. You have to get to, to get some thing that refers to something else. You get that from the, the underlying language you unlike C or, you know, obviously assembler where, you know, a pointer could just be, you just make one these, the, the, the next generation automatic languages are, are dealing with on your behalf for you.

Leo Laporte / Steve Gibson (01:04:02):
So it's, it's the, it's the fact that you are able to retain something that you got from the language, which was a pointer. And then what it points to got freed means that you might get lucky and that what it, and that it will then in the future point to something that you shouldn't be able to point to. Anyway, it's the pointer. That is the key, rather than the contents of what was released a w K tweeted re feedback on 8 67, he said on Ms. Windows auto update service, he says, my thoughts are on the routers. I, Bruce Schneider articulate and give examples on how cheap I OT devices are designed and manufactured in publicly available talks and seminars. He said, a team is assembled, as Bruce said, a team is assembled and then immediately disassembled after the process. And there is no one left to actively package and push patches to these devices, unlike the teams at apple, Microsoft, and Google, which anyway, I thought that was really interesting.

Leo Laporte / Steve Gibson (01:05:17):
He said, coupled with this, I S shutter at the recent incidents and demonstration from solar winds that your supply chain updates, servers and processes can be compromised. And commandeered Schneider comes to the conclusion that market forces cannot help here. Consumers want their devices produced fast and cheap, and thus, only regulation would be the cure. Anyway, he asks, I wonder what your thoughts are. And of course, you know, we we've talked around this, certainly a lot. My thoughts are that we're doing this all wrong. That know that it is, is wrong, that it is necessary for security firms to reverse engineer proprietary software, which tens of millions of users are, are actively using that. Nobody else had to sign off on that. Nobody else had to look at that the company said, trust us, it's secure. You know, it's the, my favorite example is voting machines.

Leo Laporte / Steve Gibson (01:06:23):
How is it that we're using proprietary voting machines that were, that were never vetted in any way as is just, you know, it's broken. It leads me to, to conclude where we must still be in the early days of all this, because this can't continue. Andy in the UK said on Google, a email addresses can be checked just by sending an email to it. If it bounces good point <laugh> yes, I, yes, never thought of that. He says, if it bounces the account doesn't exist. So it makes very little difference to Google. If they reveal the address does exist during the ath process, however, others using email as ID shouldn't reveal if it's for a valid account. And however, I, I just chose Austin out of a hat and that hat was briming with, I'm not kidding, like maybe 200 public and private tweets who all said Steve here's what's going on.

Leo Laporte / Steve Gibson (01:07:33):
Austin says listening to episode 8 67, that was last week during your conversation about authentic processes and email addresses being revealed during the process. Leo asked why an application like Gmail would ask for an email address first, before moving onto the next step of the authentication process. See more and more often all the time. Now this is because many apps use many identity provide oh, and authentication workflows. Your email address will determine which authentication let's do next. Yeah. Yes. Yeah. The application will walk. Do you want go to Okta? Do you want to do duo? Do you want do a password? Yeah. That makes sense. Are you using a UBI key? Are you gonna go to a password? Do you have a custom Samal identity provider and so forth? So thank you everybody. I just, I wanted to thank everybody as a group who said Steve, apparently you don't do this, but everybody else is having to do of this more and more.

Leo Laporte / Steve Gibson (01:08:35):
Yeah. And so makes absolute sense. Makes sense. Thank you. Makes yeah, everyone. Yeah. And finally, go ahead. I was just gonna offer a break, but I think you have another one. Ah, we got a couple more things. See me. He said, hi, Mr. Gibson. Hi. See me. He said, I just thought I see you get a kick. I, I see you. You get a kick out of this. He said on your recommendation, I put the McCollum Gibraltar trilogy in my wishlist on Amazon. It's only sold as individual books, but wanted to save a few bucks, but I'm sorry, but wanting to save a few bucks, my son-in-law contacted the seller that turned out to be the author himself. Yeah. Michael McCullum, who agreed to refund the difference in postage. So I received a $7 check signed by McCullum and three autographed books for my birthday.

Leo Laporte / Steve Gibson (01:09:37):
And I just wanted to remind people. He is one of my favorite authors. His site is sci-fi hyphen az.com. He's a self-publisher. He does offer all of his books in ebook format. They are DRM free using the we trust you. And he he's got two trilogies. There's the Gibraltar trilogy. And the Anar trilogy, both are on my must read reading list. He is literally a rocket scientist. He designed one of the pumps that's in use on the international space station. He's an engineer, but he, he is a beautiful storyteller. And what I love about his stuff is they are really clever. I mean, the, they are, they've got lots of aha moments and they're surprising and really, really gratify. So, and, and they're not expensive. So sci-fi hyphen az.com. Speaking of sci-fi I wanted to note that I finished book four of the Baba verse after doing the trilogy.

Leo Laporte / Steve Gibson (01:10:52):
And I'm back to Rick, Brown's frontiers saga. You'll never run out of those. No, holy cow. Although I will run out of patience, that's the problem. Yeah. Because you know, it, I, I, I should say I should explain. It never happens. That I, at least not recently that I stay up reading after Lori falls asleep on my lap. <Laugh> but do you put the cook on her head? No, no, hold it off to the, I hold it off to the side. Very you're a good partner. Good. I could not, I could not, this is last night. I could not stop reading this first book of the third 15 book story. R yes, dear. <Laugh> doesn't your arm get tired. We need to get an arm to hold your Kindle. Just cut that over. Yeah. <laugh> so and I just did wanna mention too, that I have hopes for next week star Trek discovery was way too hyperactive for me.

Leo Laporte / Steve Gibson (01:11:58):
It just seemed like a big like VR video game. I just didn't get into it, but we've got strange new worlds starting where it is a prequel to the original first you Kirk and Spock and McCoy series. If a trailer looks good, it, it really does. Yeah. I'm, I'm just, I, I would like a, a star Trek for adults. Maybe there's no market, but you know, I'm one. I would watch it. Yes. Oh goodness. Yes. So, you know, it would be if we could return to the, to star Trek's original roots, you know, which the next generation was also faithful to, of actually telling stories rather than only having an excuse for special effects. So, and I've not yet looked into the second season of Picard after the disappointing first season, although I know it's there and it's just so sad to see Patrick looking so old.

Leo Laporte / Steve Gibson (01:12:56):
Mm-Hmm <affirmative> frankly. And I've not started the sixth season of the expanse though. It's also, I think it's probably done by now. So, and finally, I have a milestone that incremental development release of spin, right? Which I posted 1:47 PM last Friday afternoon. Really surprised me tester after tester has been reporting that everything that's been completed so far is finally working perfectly Soly and better than ever for them. The reason that surprises me is that the code spin right now has, is not relying upon any bios to interface it to mass storage adapter and drive hardware. Yet it is finally working on every piece of hardware that everyone has of any a and vintage. As we know, operating systems are able to achieve this by bundling a raft of hardware, specific manufacturer, supply drivers, which the OS loads on demand based upon the hardware. It detects in the system when it's booted, but that's not a practical approach for spin.

Leo Laporte / Steve Gibson (01:14:17):
Right. What I was hoping we would be able to achieve was the creation of universal native drivers. One for IDE parallel, adapters with Pata, dry and another for a HCI adapters with Santa drives, where they would simply work everywhere on all hardware from the 1980s through the latest chip sets. I'm not only surprised, but I'm also greatly relieved. Since after many months of work, we finally have 100% success. And every indication is that this elusive goal has finally been achieved. I've been stuck here for a while, perfecting this foundation because everything that comes next, not just spin right, six one but seven oh and all of spin rights future or after that will be built upon it. And it's all based upon that new IO abstraction approach, which means that new mass storage technologies like native support for USB and NVMe and whatever comes after that can be easily added behind the abstraction.

Leo Laporte / Steve Gibson (01:15:30):
So once I catch my breath, I can finish the work on the rest of spin, right. Building upon this new foundation. And then we're gonna have 6.1. That is wow. Was great. Yeah. This is, I think, uniquely difficult because previous versions, let bios do the matching and now you you've gotta replace that bios call. Yes, that's tough. And it was a, it was a mixed blessing. On one hand, we got ease of interfacing because the, you know, the bios knew how to talk to its own hardware. Right? The problem is we also got a, a growing thickness of insulation through which right. Couldn't really see what was going on. And so, for example, anyone who's ever seen Dynas stat painfully slowly getting sector samples. It's like, it just takes so long because the, you have to issue a reset through the bios. Anytime you get an error and it can take like 20 seconds.

Leo Laporte / Steve Gibson (01:16:39):
So, so that's all gonna go away. This six one is just gonna, it's gonna do data recovery at a screaming rate that we've just never seen. I've never seen before. No one's ever seen it before. So you were using in 13 pretty much for, for everything. Yes. Which I mean, in the first edition made it easy, easier, a lot easier to write it. Cause you didn't have to test a variety of hardware or anything. Did, did the, did the move away from bios make or is in 13 always supported regardless. I guess it has to be right. It's still there in software. I mean, yeah, yeah, exactly. Yeah. You, it is, it is what the boot sectors use in order to get themselves booted. Right. So it's gotta be there. Yeah. But, but booting and OS these days is only a matter of reading, a few, you know okay.

Leo Laporte / Steve Gibson (01:17:28):
Of code into Ram and then it starts to bring the rest of itself in the memory. So it's all hard drive. So I guess I would guess this would be a first step in making it Mac compatible too. Cuz of course Mac's never had in 13, they never had bios. This absolutely will run on a Mac. Nice. Yep. Okay. Wow. You heard it here almost first. I'm sure the forums know it, but that's first I've heard. So that's great. Yeah, it was a good, it was a good, good Friday catch. Get in there. Get, get, get spin, write six. So you can get six one. It's almost here. Your Vos. I can't, that's gonna be a red letter day. Let me know I had, so I can get a cake and some balloons and confetti and stuff gonna planet. And we do want to mention our sponsor before we get to the subject, the zero day explosion of the day.

Leo Laporte (01:18:23):
But first let's talk a little bit about Grammarly. First of all, lots of love and support for Grammarly. Grammar was founded in the Ukraine is, is still in Ukraine. As far as I know, it's developers are still there. It's it's businesses are still there. They do a great job, but there's two reasons. I love Grammarly. One is that the other is it's written lisp. I love that. <Laugh> the AI part is Grammarly though. Despite the name is more just a grammar checker. It's more than just a spell checker. I want you to think of Grammarly really as a writing tool that allows you, helps you encourages you to clearly and effectively communicate your ideas. And I don't care how good a writer you are. Everybody needs this help. It's like having a good editor more and more. I see blog posts that are clearly nobody ever edited them, not just grammar and spelling errors, but convoluted sentences.

Leo Laporte (01:19:22):
Mismatched tenses, all sorts of stuff. That's, that's why editors are so important for writers and, and nowadays you just don't have writer editors in any more. You know, the writers just publish it direct. I think you need a copy of Grammarly. The free and premium features can save you time and give you the confidence of knowing your writing's professional. Grammarly is free. I, yes, I said that free to download, easy to integrate into your dearly life. You can actually, if you want, just go to the website and and paste in the paragraph you're working on you can't do a whole text that way, but you can get a quick feedback and that's free, but you can also add the extension and use a lot of the free features in Gmail, for instance, to help you work more efficiently with your emails or any of your projects in any package you work.

Leo Laporte (01:20:13):
Lisa relies on grammar Lee in her business emails because she's very, you know, to the point. And I know that I love her for it. You know, there's no BS straight to the point, but sometimes you maybe want a little please and thank you and hi, how are you? She's not great at the, so I call it social grease, but Grammarly will help her and say, you know that <laugh>, you might wanna add a little of this, a little of that. And it's great. And she really appreciates it. I'm I consider myself a very good writer, maybe wrongly, but I do Grammarly helps me think about what I'm saying and whether what I'm writing, communicates what I want to communicate. That's really important. Grammarly helps you save time, strike the right tone and deliver high quality work. I'll give you example. There are free tone detector.

Leo Laporte (01:21:03):
This is what I was talking about earlier. Helps you say what you mean in the right tone. Cuz a lot of times writing, you know, we're not used to the fact that sarcasm, for instance, isn't always seen as sarcastic. So this is it's very easy to misinterpret text Grammarly helps you get it. So it's clear what your intent is now when you get the premium, by the tone adjustments go even farther by helping you in sure. You're being clear and assertive in your emails, more persuasive, more confident, more polished. It'll suggest more decisive phrases and word choices. And Gram's not new to this. Gram's been doing this for a long time. It is a highly polished piece of software as very, very sophisticated tool gets better. Every time I use it, it's really impressive. They've added a, a full sentence rewrite. So you'll write a sentence and it says this would be a better organization so that you can convey your ideas.

Leo Laporte (01:21:59):
That's what it's all about. Avoiding miscommunication. Sometimes you wrote a sentence and you're attached and you, you can't see it clearly because you wrote it. So having the little tap on the shoulder and say, what about this? And often it's like, wow. Yes, thank you. The clarity suggestions in Grammarly premium simplify sentences by getting your point across better, clearer, faster by cutting unnecessary words, getting rid of the jargon. It's very easy for us geeks to use jargon, spots it right away, right away. I love that. You know, get through those emails, get your work done quicker by keeping it concise, confident, and effective with Grammarly. G a mm a R L Y grammarly.com/Security Now sign up for that free account. Try the free stuff. When you're ready to upgrade at Grammarly premium, you'll get 20% off just cuz you're our listener, grammarly.com/Security Now free to try.

Leo Laporte / Steve Gibson (01:22:58):
There's a free tier you can use forever. It's great. Or if you want to go pro get the premium package 20% off when you go to grammarly.com/Security Now it's it. You know, I think sometimes people, oh, don't tell me I don't don't it's not, it's not a nudge. It's it's not annoying. It's helpful. It's great. Grammarly.Com/Security. No, <affirmative> now let's talk about the zero day explosion and you know, that's what you want computers to do, right? Yeah. I mean, that was always, we just don't we, we, we, you know, computers had been a typewriter for so long, right? BA basically that's all they did. They, they, you know, they weren't really extending our brain in a lot of ways and well, and you know, it's not just horsepower. It's also memory Ram. Yeah. You know, and just software, true skill and grammar around and clearly these it's it's I mean, clearly the, if these guys are in the Ukraine, they've got some English speakers, cuz this is not something that you can well, they're distributed.

Leo Laporte / Steve Gibson (01:24:08):
Yeah. They're all over the world. And in fact they come in many languages too, by the way I should mention. Yeah. Yeah. Really good stuff. Wow. Very cool. Yeah. It's impressive. And lisp don't you love that MEU. Don't do. Yeah. <laugh> I love, I have to say a little, little bit of a lisp fanboy John McCarthy to be loud. Yeah, exactly. Okay. So the most interesting and important class of software and system vulnerabilities are those that are discovered when a security researcher watches something that's not supposed to be possible happening anyway, like especially formed packet, hitting a firewall and being admitted through the firewall, despite the clear firewall rule, which blocks its entry or the password challenge that is ignored by the attacker who's logged on with administrative privileges anyway, or the cryptocurrency mining malware, which suddenly launches Springs to life and begins operating on a system that was just reformatted and reinstalled from scratch.

Leo Laporte / Steve Gibson (01:25:18):
When a researcher watches something that cannot happen happen anyway, they may have just witnessed and discovered evidence of the exploitation of a previously unknown zero day vulnerability zero day vulnerabilities are a constant topic of this podcast. And just as this podcast appears to be in no danger of running out of security topics ever recently posted sobering research from and Google's project zero, make it pretty clear that we also won't be running out of zero days to discuss anytime soon. <Laugh> I have a chart which is quite makes you gulp in the show notes, 10 years of zero day tracking. What is going on? The show notes shows this chart of Manous sobering 10 year graph showing the number of zero days discovered each year from 2012 through 2021 last year. The counts for each successive year are 2, 3, 8, 15 21, 17 16 32, 30 and 80. So 10 years ago, the entire year of 2012, we encountered just two, zero days.

Leo Laporte / Steve Gibson (01:26:56):
And the next year only three, then the following three years rose to eight and 21. Then the next two years dropped back a bit to 17 and then 16 in 20 18, 20 19, doubled that to 32, 20 20, dropped it a bit to 30, but then last year exploded from 30 in 20, 20 to 80 zero days. So if you felt as though we had been talking a lot and a lot more about zero day vulnerabilities recently, well you would be correct. Some interesting observations emerged from Mandian research. They wrote in 2021 Mandiant threat intelligence identified 80 zero days exploited in the wild, which is more than double the previous record volume in 2019, that was 32 state sponsored groups continue to be the primary actors exploiting zero day vulnerabilities led by Chinese groups. The proportion of financially motivated actors, particularly ransomware groups deploying zero day exploits also grew significantly and nearly one in three identified actors exploiting zero days in 2021 was financially motivated. In other words, not espionage threat actors exploited zero days in Microsoft, apple and Google products. Most frequently likely reflecting the popularity of these three vendors. The vast increase in zero day exploitation in 2021, as well as the diversification of actors using them expands the risk portfolio for organizations in nearly every industry sector and geography. Particularly those that rely on these popular systems.

Leo Laporte / Steve Gibson (01:29:11):
Mand analyzed more than 200 zero day vulnerabilities that we identified as exploited in the Y old from 2012 through 2021, man considers a zero day to be a vulnerability that was exploited in the wild before a patch was made publicly available. We examined zero day exploitation identified in manding original research breach investigation find and open sources focusing on zero days, exploited by named groups while we believe these sources are reliable as used in this analysis, we cannot confirm the findings of some sources due to the ongoing discovery of past incidents through digital forensic investigations. We expect that this research will remain dynamic and may be supplemented in the future. In other words, that in the future, they may learn more about what's happened in the past. And they said, we suggest that a number of factors contribute to growth in the quantity of zero days.

Leo Laporte / Steve Gibson (01:30:20):
Exploited for ex example, the continued move toward cloud hosting, mobile and internet of things. Technologies increases the volume and complexity of systems and devices connected to the internet puts simply more software leads to more software flaw. The expansion of the exploit broker marketplace also likely contributes to this growth with more resources being shifted toward research and development of zero days, both by private companies and researchers as well as threat groups, finally enhanced defenses also likely allowed defenders to detect more zero day exploitation now than in previous years and more organizations have tightened security protocols to reduce compromises through other vectors. So I thought all those points were really interesting. Of course we wonder whether our count of zero days is recently higher because we're looking harder and more closely for them. This makes sense, given that we've established quite clearly that with all software in general, the closer we look, the more problem we find, some of those more problems will be exploitable zero day vulnerabilities.

Leo Laporte / Steve Gibson (01:31:53):
And the increasing level of specialization we've chronicled in recent years also leads to higher zero day counts through the creation of this exploit broker marketplace. Now, now that there's a marketplace, those who wish to deploy such exploits don't need to spend their time hunting them down. And those who specialize in hunting for new ways in can spend all their time doing nothing else and then selling them into that marketplace. And finally, so much of the lower hanging fruit has been found and proned that zero days are becoming the only remaining way to get in not exclusively, but to an increasing degree. This means that the pressure to discover new zero days is greater than ever before. And since, as we know, security is inherently porous, the harder you press on it, the results will be obtained. Man. Dent said, state sponsored espionage groups continue to be the primary actors exploiting zero day vulnerabilities.

Leo Laporte / Steve Gibson (01:33:13):
Although the proportion of financially motivated actors deploying zero day exploits is growing from 2014 through 2018. They said we observed only a small proportion of financially motivated actors exploiting zero day vulnerabilities. But by 2021, roughly one third of all identified actors exploiting zero days were finance motivated. We also noted new threat clusters exploit zero days, but we do not yet have sufficient information about some of these clusters to assess their motivation. Okay. So just to be clear about that, the primary motivation behind the use of zero days has historically been state sponsored espionage. You know, things like breaking into military contractors networks to steal plans for future weapons systems that are still on the drawing boards and things like that. But while such espionage remains dominant by far, even now, by, by two times more last year saw the rise in zero days being enabling, you know, being the enabling factors of so-called financially motivated extortion with ransomware and sensitive data exfiltration and threats of exposure being the, the, you know, the, the post zero day intrusion consequences and Chinese based cyber espionage groups remain.

Leo Laporte / Steve Gibson (01:34:52):
The number one exploiter of these vulnerabilities. Mandy said, Mandy identified the highest volume of zero days exploited by suspected Chinese cyber espionage groups in 2021 and espionage actors from at least Russia and North Korea actively exploited zero days last year from 2012 through 2021, China exploited more zero days than any other nation. However, we observed an increase in the number of nations likely exploiting zero days, particularly over the last several years and at least 10 separate countries likely exploited zero days since 2012 from Jan from January to March of last year, 2021, Mandy observed multiple Chinese espionage activity clusters exploiting four zero day exchange server vulnerability, collectively known as the proxy log vulnerabilities. Microsoft described activity in, into this campaign or ascribed activity linked to this campaign as half NA. So I'll just note that we appear to be focused upon the right things on this podcast.

Leo Laporte / Steve Gibson (01:36:20):
All of our listeners will recall the attention we gave to the constant stumbling Microsoft was making over their seemingly endless exchange server proxy lock on vulnerabilities. They just couldn't seem to get it right. What we didn't and couldn't know at time was that that string of Microsoft missteps was actually translating directly into a string of exploitation with Chinese ex espionage actors. At the other end, they noted that while some of the threat clusters involved appeared to carefully select targets, other clusters compromised tens of thousands of servers that is exchange servers in virtually every vertical and region. And of course that makes sense, right? No one entity owns these vulnerabilities and we have a head of heterogeneous environment of uncoordinated groups in China, Russia, and North Korea. Some are going to go for high volume spray attacks, whereas others are gonna go after specific targets. And this little tidbit was somewhat worrisome.

Leo Laporte / Steve Gibson (01:37:37):
Mandiant said Chinese cyber S Espina operations in 2020 and 2021. So just the most recent two years suggest that Beijing is no longer deterred by formal government statements and indictments from victimized countries. In addition to the resurgence of previously dormant cyber espionage groups indicted by the us department of justice, Chinese espionage groups have become increasingly brash. The problem is the world I think is becoming somewhat inured to the whole concept of cyber ESP, cyber crime and cyber attacks as years go by and we keep talking about them. It's just human nature that we're gonna be with, you know, gonna become less and less frightening and exceptional. They will simply be incorporated into our expectations where previously they were a big deal. It'll be just like, oh, okay, fine. You know, sort of like DDoS attacks are, it's like, oh yeah, that happens. As for Russia, Mandiant noted it in a sharp departure since 2016 and 2017, they wrote, we did not identify any zero days exploited by Russian G U sponsored a P T 28. That's you know, fancy bear until they likely exploited a zero a in Microsoft Excel in late 2021. However, open source reporting indicated that other Russian state sponsored actors exploited several zero days in 2020 and 2021, including possibly targeting critical infrastructure networks with a zero day in a Soho firewall product.

Leo Laporte / Steve Gibson (01:39:39):
And as we know, through the past four years, man dent said that they had noted a significant increase in the number of zero days, leveraged by groups that are known or suspected to be customers of private companies that supply offensive cyber tools and services. And, you know, we know <laugh> who those guys are. They said, we identified at least six zero day vulnerabilities actively exploited in 2021, potentially by customers of malware vendors, including one reportedly exploited in tools developed by two separate vendors in 2021, at least five, zero day vulnerabilities were reportedly exploited by an Israeli commercial vendor. Well, those two separate vendors they're referring to were the well known Israeli NSO group and a second smaller and lesser well known vendor of very similar exploit capabilities known as quad dream. Like the NSO group quad dream is also Israeli and competes in the same market as the NSO group, primarily selling to government clients.

Leo Laporte / Steve Gibson (01:40:56):
Man dent also noted that unlike in the past zero day, exploits were no longer appearing in underground exploit kits. That's interesting. They explained since 2015, we observed a sharp decline in zero, a vulnerabilities included in criminal exploit kits, likely due to several factors, including the arrests of prominent exploit developers. However, as the criminal underground coalesced around ransomware operations, we observed an uptick in ransomware infections exploiting zero day vulnerabilities. Since 2019, this trend may indicate that these sophisticated ransomware groups are beginning to recruit or purchase the requisite skills to exploit zero days that may have been formally developed for exploit kits. In other words, you know, an exploit kit, would've been, it would've like included zero days because they exist that would've essentially been tantamount to giving them away. Well, why give them away? If there's now a powerful, active, profitable market for them, they said Mandy has documented significant growth in ransomware in terms of both and impact substantial profits, as well as the increasingly compartmentalized outsourced and professional ecosystem that supports ransomware may have provided operators with two viable pathways to zero day exploit development and or acquisition financial resources and actor sophistication.

Leo Laporte / Steve Gibson (01:42:36):
In other words, ransomware operations increasingly have the money to purchase high value, but also high cost zero day exploits from underworld sources. And those underworld sources increasingly have zero day exploits to offer for sale. So where are all these zero days being found? We have a chart in the show notes. Mandiant says we analyze zero days from 12 separate vendors in 2021 with vulnerabilities in Microsoft, apple and Google products comprising 75% of total zero day vulnerabilities, likely as a result of the popularity of these products among enterprises and users across the globe. So Microsoft with all of their many products, apple with their family of bio iOS devices and Google with Chrome and the Android platform together as this just chart shows those top three account for just a tad more than 75% of those 80 zero days, which occurred during 2021, Microsoft has the most though they also, you know, have the most hardware sprawl.

Leo Laporte / Steve Gibson (01:44:04):
So I guess it's not surprising. Apple has the next most with Google, the fewest of the, and given the nature of Chrome and Android, that's pretty impressive. Really. There are nine other major and notable sources of zero days finishing out that top 12 in order of decreasing zero day counts, the remaining nine are Excelon Sonic fi Sonic wall, Apache Qualcom trend, micro Adobe, the Linux kernel pulse secure and solar winds. Mandy noted that the threat from exploitation of these major providers remains significant. Meaning my Microsoft, apple, Google that's where the zero days are. That's what the platforms that everyone's using. And, you know, that's where to really watch. They said, in addition, we noted a growing variety in vendors being targeted, which can complicate patch prioritization and make it more difficult for organizations who can no longer focus on just one or two vendors as priorities, which is really interesting, meaning there's just more to patch now than there was before they said from 2012 to 2017, Adobe was the, was the second most exploited vendor with nearly 20% of all zero days exploiting, wait for it, Adobe flash alone.

Leo Laporte / Steve Gibson (01:45:39):
<Laugh> they said, of course, yeah, 2012. Remember those days we observed, they said a significant drop in Adobe exploitation since then, almost certainly by flashes end of life. Yeah, no kidding. How many times do we lament the continued existence of flash when it was so obviously obsolete while also being such a global menace? So what's the future outlook of the world for zero days? Man, dent says, we suggest that significant campaigns based on zero day exploitation are increasingly accessible to a wider variety of state sponsored and financially motivated actors, including as a result of the proliferation of vendors, selling exploits and sophisticated ransomware operations, potentially developing custom exploits. In other words, zero days are big business and that business is currently seeing what can only be described as explosive growth as for what enterprises can do about this. Manian says the marked increase in exploitation of zero day vulnerabilities, particularly in 2021 expands the risk portfolio for organizations in nearly every industry sector and geography while exploitation peaked in 2021.

Leo Laporte / Steve Gibson (01:47:11):
There are indications that the pace of exploitation of new zero days slowed in the latter half of the year. However, zero day exploitation is still occurring at an elevated rate compared to all previous years, they said many organizations continue to struggle to effectively prioritize patching, to minimize exploitation risks. Again, many organizations continue to struggle to effectively prioritize patching to minimize exploitation risk. We'll come back to that. And remember that survey we talked about recently where CIOs and it professionals confessed to just how bad their organizations truly were about applying patches in a timely fashion to this Mandy and added were, we believe it is important for organizations to build a defensive strategy that prioritizes the types of threats that are most likely to impact their environment and the threats could, that could cause the most damage starting with the relatively few number, actively exploited vulnerabilities.

Leo Laporte / Steve Gibson (01:48:33):
When organizations have a clear picture of the spectrum of threat actors, malware, families, campaigns, and tactics that are most relevant to their organization, they can make more nuanced prioritization decisions when those threats are linked to active exploitation of vulnerabilities and, you know, okay, that just seems so unrealistic to me. I mean, in a perfect world. Sure. But we're talking about an organization dedicated dedicating someone to the full job of essentially continuously surveying the dynamic and constantly changing threat landscape. And cross-checking it with all of the organizations potential vulnerabilities, what organization is really gonna do that? The truth is that everyone in it is overworked and there's an awful lot of hoping for the best going on, you know, hoping for the best was what that survey revealed, right. It was like, well nothing happened today and it's quitting time. So there's no argument that all other things being equal focus, less upon theoretical problems and more on vulnerabilities that are actively being exploited makes sense.

Leo Laporte / Steve Gibson (01:50:09):
Manian wrote a lower risk vulnerability that is actively being exploited in the wild against your organization or similar organizations likely has a greater potential impact to you. Okay. Yeah, no kidding than a vulnerability with a high rating that is not actively being exploited. Okay. So thus CISA they said a new CISA directive places, a significant focus on those vulnerabilities that are reportedly, actively exploited. We believe this will help increase the security posture year and strengthen patch management procedures. Except as I said toward the beginning of the podcast. Yeah. These things that are four years old, I, I, I don't know, you know, a cross site scripting and a package that no one's ever heard of and it's taking up space and sort of diluting the, the other more important things. Anyway, they, they finish while zero day exploitation is expanding. Malicious actors also continue to leverage known vulnerabilities.

Leo Laporte / Steve Gibson (01:51:17):
Often soon after they've been disclosed, therefore security may be improved by continuing to incorporate lessons from past targeting and an understanding of the standard to window between disclosure and exploitation. And of course, we spend a lot of time here talking about that. They said, furthermore, even if an organization is unable to apply the mitigations before targeting occurs, it could still provide further insight into the urgency with which these systems need to be patched delays in patching only compound the risk that an organization supporting unpatched or unmitigated software will be affected. And again, yeah, obviously having read all that and shared all that and considering the practicality, I think of expending any great deal of time on prioritization. And also given that low priority exploits are still exploitable my own advice to any organization, especially in light of that survey, we covered which confessed that patching was clearly a priority would be to first and foremost, simply fix that period.

Leo Laporte / Steve Gibson (01:52:37):
Figure out how to arrange, to keep the enterprises software up to date. Yes. Systems need to be taken offline, updated and rebooted. Yes, it's inconvenient and yes, customers and employees and even upper management in the C-suites will complain. But today's, and tomorrow's reality is that last year, the number of zero day vulnerabilities, which were being used in the wild exploded from 30 the year before to 80. And those were only the worst of the crop. There were a great many more than just those 80 zero days, right? I mean, not on zero day vulnerabilities, many more vulnerabilities Microsofts themselves patched 128 vulnerabilities just two weeks ago, it's only gonna get worse. So, so to me, I mean, I get mans position. Yes. Wouldn't it be nice if, you know, if we like, you know, certainly you wanna look at all the notices and if you see something which is, you know, a glaring collision between something that's just been patched and software that, you know, your organization relies on and it's something that's exposed to the internet.

Leo Laporte / Steve Gibson (01:54:04):
Yeah. You know, just shut it down, turn it off, you know, patch it. But, but in general I, I, I think too, you know, all the evidence we see says that that shortly after patches are released, they are reverse engineered and attacks begin. So it is just a, a reality moving forward that, that there, there isn't an alternative to taking systems down I'm Ru you know, routinely and, and updating it, it, it has to happen. And the survey that we talked about demonstrated that it hasn't been happening. And you know, I, I don't talk about the endless stream of ransomware attacks they're happening constantly everywhere. I, I mean, there's just no point in, you know, filling the podcast with them, but they have not let up. And it doesn't look like they're going to yeah. So I mean, some of this is just reporting bias, right?

Leo Laporte / Steve Gibson (01:55:16):
Like we we're, we're we know more about it. We're more aware of it. Or do you really think there is an increase in zero days in, I, I really do think things are getting more complicated. Look at the perfect example is you U AFI before we had it. Yeah. You, you couldn't infect it. You know, now we have it and you can infect it. Yeah. So, and so, you know, we are seeing increased complexity. We're also seeing an increasing use of this, of this toolkit approach, right. Where, where, you know, the, the so-called supply chain attacks. Well, if you don't have a supply chain, you can't attack it. You know, if you're writing stuff in house, you know how it works. If you're grabbing modules off the NPM repository and dropping them in, then you're making mistakes. Yeah. Yeah. Because you didn't write it and you don't know how it worked.

Leo Laporte / Steve Gibson (01:56:06):
That's true. I mean, our suffer is more complex than ever before. Yes. Yeah. There's, it is doing more than ever before. Right. Right. But that means it's gonna be more complicated. Yeah. Yeah. Yeah. That makes sense. And there is more pressure there. Know, remember how many years did you and I sit here thinking, well, isn't that an interesting virus? <Laugh>, it's just moving around from place to place and it doesn't do anything. Right. Well, those weren't those days quaint, there's also nation state actors, which is a whole new player in this field, you know? Yes. The fact that, that, that she, Chinese espionage yeah. Is like where more than two thirds of these things are being leveraged. That should be sobering. And also the idea that there's sort of a Lafa attitude that there, you know, I mean, again, that's human nature too. It's like, oh, well, my computer works.

Leo Laporte / Steve Gibson (01:57:00):
Good luck. Yeah. Mm-hmm <affirmative> well, you don't need luck if you listen to this show and that's the truth. Steve Gibson is the man of the hour. Every Tuesday, 11:00 AM Pacific 2:00 PM Eastern 1800 UTC. We gather together to talk about the state of security in this world of ours. And no surprise. It's getting more tenuous. You got, it's really a show you have to live to every single Tuesday. You can watch us do it live if you want it live.twi.tv. If you're watching live chat, live@ircdottwi.tv or in our club, TWiT discord. After the fact of course, we've got other ways you can chat with us, including our TWiT forums@twi.community. Our mastered on instance, proudly not owned by Elon Musk at twit social. And of course, Steve's got his own forums@grc.com, including very active forums discussing spin, right? The world's best mass storage, maintenance and recovery utility 6.1 is a common.

Leo Laporte / Steve Gibson (01:58:02):
So go over to grc.com and get a copy of 6.0, you'll get a free copy B six one. And you can participate in these final stages of development while you're there. Do get a copy of this show. Steve has 16, two unique formats, 16 kilo audio for the bandwidth impaired. He's also got really useful transcripts written by a real human Elaine far. So she writes everything down. And that means you can read along his, you listen, you can search the transcripts to find a part of the show. I remember he said something about this. You can go right there. That is a very, very handy feature. And that's only@grc.com. We have copies of the show@ourwebsite.tv slash SN. There's a YouTube channel devoted to security now with all the videos of all the shows that have video anyway and of course you can subscribe.

Leo Laporte / Steve Gibson / Jason Howell (01:58:51):
If you want to get all the new shows, the minute they're available, just subscribe in your favorite podcast player and you'll get 'em pretty darn quick audio or video, your choice. That's just security now, search for it, or search for TWiT on their podcast player. You should find that easily since we have been around for what is it? 17 years. <Laugh> coming up on 18. Yeah. Wow. Yep. Let's see, what else? Oh, if you would leave us a five star rating on your podcast, because I think everybody needs to know about this show. Steve Gibson have a wonderful weekend. We will see you next time on Security Now see you in may. The world is changing rapidly so rapidly. In fact that it's hard to keep up. That's why Micah Sergeant and I, Jason Howell talk with the people, Macon and breaking the tech news on tech weekly. Every Thursday. They know these stories better than anyone. So why not get them to talk about it in their own words, subscribe to tech news weekly, and you won't miss a beat every Thursday at twit TV

... (01:59:55):
Security.

... (01:59:55):
Now.