Security Now Episode 889 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:01):
It's time for Security Now. Steve Gibson is here, as always, with a week jam-packed with security news. We'll talk about the breaches at Uber and Grand Theft Auto and whether they're related. We'll also look at Google's very welcome use-after-free vulnerability technology. And as long as we're talking Google, a very important setting you'll want to turn off in Chrome. It's all coming up next on Security Now. Podcasts you love, from people you trust. This is Security Now with Steve Gibson, episode 889, recorded Tuesday, September 20th, 2022: Spelljacking.
Leo Laporte (00:00:52):
Security Now is brought to you by Barracuda. Barracuda has identified 13 types of email threats and how cybercriminals use them every day: phishing, conversation hacking, ransomware, plus 10 more tricks cybercriminals use to steal money from your company or personal information from your employees and customers. Get your free ebook at barracuda.com/securitynow. And by Bitwarden. Get the password manager that offers a robust, cost-effective solution that can drastically increase your chances of staying safe online. Get started with a free trial of a Teams or Enterprise plan, or get started for free across all devices as an individual user at bitwarden.com/twit. And by Tanium. Tanium unites operations and security teams with a single platform that identifies where all your IT data is, patches every device you own in seconds, and implements critical security controls, all from a single pane of glass. Are you ready to protect your organization from cyber threats?
Leo Laporte / Steve Gibson (00:01:59):
Learn more at tanium.com/twit. It's time for Security Now, the show where we cover the latest security news, the latest breaches, ransomware, and this guy right here is in charge, Mr. Steve Gibson. Hello, Steve. Yo, Leo. Good to see you. Good to be with you again. We were discussing fezzes before we began recording <laugh>. Over the years, I mean, I've collected them since, I guess, you've stuck them on my head when I've been at TWiT in previous years. Right. And a fez is actually a nice hat, but it is brimless. So yeah, I'm not sure exactly its intent. <laugh> Yeah. I'm a kale where there's at least a little brim over your eyes to cover your eyes. Yeah. So for episode 889, we're gonna talk about something which, I don't mean to over-alarm anyone, this is not a big problem, but it's an interesting information leakage which people should be aware of, if nothing else.
Leo Laporte / Steve Gibson (00:03:15):
And it was named by the people who stumbled upon it: spelljacking. But we've got a lot to talk about. We've got last week's Patch Tuesday, also the changing landscape of cyber insurance as a consequence of all of the attacks that the world is now being subjected to. And of course, we've sort of seen the writing on the wall there. We're also gonna revisit a sort of collection of recent major network breaches. Of course, Uber made the headlines everywhere, but also Rockstar Games got hit by the same cretin. And then we have the final update from LastPass about what happened there, which I know that a lot of our listeners have been holding their breath about. We're gonna look at another significant problem facing 280,000 WordPress sites, and a probably useful recommendation for future mitigations of similar things.
Leo Laporte / Steve Gibson (00:04:24):
We're gonna examine the cost in processing performance for the most recent Retbleed security mitigations. Someone did, actually, an engineer at VMware; they have a department called Performance Engineering at VMware, and he lived up to his department's title. Then we're gonna look at Google's very welcome new use-after-free vulnerability mitigation technology. All of these problems that we're finding in browsers are virtually all use-after-free problems, and to their credit, they've tackled this seemingly intractable problem. And then after sharing a few pieces of listener feedback, we're gonna take a look at a surprising consequence of enabling Chrome's enhanced spell checking and talk about some mitigations there. So another great podcast for our listeners and a <laugh> a sad, but sort of like, okay, well, of course, picture of the week. So yeah. Aww. Yeah. Sad, but a sign of the times, shall we say. It is a sign, indeed.
Leo Laporte / Steve Gibson (00:05:42):
A signage of the times. We will get to that in a moment, but first a word from our sponsor, a name everybody in security knows well, I hope, certainly expect: Barracuda. Barracuda, of course, protects you at the perimeter, and protects us; we use Barracuda at the perimeter, but they also can protect you in your inbox. And that's pretty important these days. Email is a huge threat. In a recent email trend survey, 43% of respondents, almost half, said they'd been victims of a spear phishing attack. Unfortunately, only 23% said they had dedicated spear phishing protection. That's a big wide hole. That's why it works, right? Spear phishing is targeted phishing emails, emails targeted at your employees using information about your company, like the boss's name, stuff that makes it very, very credible. And it makes me, and any business leader, terrified.
Leo Laporte / Steve Gibson (00:06:41):
How are you keeping your email secure? Barracuda: this is their bread and butter. They have identified 13 types of email threats and how cybercriminals use 'em every day. Not just phishing, but conversation hacking, ransomware, just a few. There are 10 more that cybercriminals use to steal money from your company or personal information from your employees and customers, or both. Are you protected against all 13 types? Do you even know what all 13 types are? Attacks are becoming so much more sophisticated than ever before. The Uber attack? Perfect example. Social engineering to prey on an Uber employee got him to give up the family jewels. Urgency and fear sometimes play into this. I didn't see it; I don't think they've released what the spear phishing attack was, but I suspect it was something like, yeah, this is Joe downstairs from IT, we're just testing our systems, that kind of thing.
Leo Laporte / Steve Gibson (00:07:41):
Social engineering attacks like spear phishing and business email compromise cost businesses an average of $130,000 an incident. And imagine the embarrassment. Uber and Rockstar Games, two of the big spear phishing attacks this week, feel, I mean, that's reputational damage too. And of course they're always topical. Right at the start of 2019, actually it started this year where testing became a big deal, Barracuda researchers saw an increase in COVID-19 test-related phishing attacks. In fact, they went up 521% between October and January of this year. Cryptocurrency, a lot of interest in that; the opportunity for attacks becomes ripe. Bad guys take advantage of whatever's in the news. Barracuda research found that impersonation attacks grew with the price of Bitcoin, almost identically <laugh>. As Bitcoin goes up, so do the Bitcoin impersonation attacks. Probably the same thing when it goes down, though, right?
Leo Laporte / Steve Gibson (00:08:45):
In 2020, the Internet Crime Complaint Center, IC3, received 19,369 business email compromise and email account compromise complaints, with adjusted losses for those of over $1.8 billion. It is not enough anymore to secure email at the gateway. You can't just protect at the perimeter. It's important, of course, to leverage gateway security to protect against traditional attacks, viruses, zero-days, ransomware, spam, but targeted attacks, spear phishing attacks, gateways are useless against; they go right through. You have to have protection at the inbox level. That's what Barracuda does, including AI and machine learning. It's necessary to detect and stop the most sophisticated threats. Get a free copy of the Barracuda report, 13 Email Threat Types to Know About Right Now. You'll see how the cybercriminals are getting more and more sophisticated every day and how you could build the best protection for your business and your data and your people with Barracuda.
Leo Laporte / Steve Gibson (00:09:43):
Find out about the 13 email threat types you need to know about and how Barracuda can provide complete email protection for your teams, your customers, and your reputation. I'm not gonna, we won't do a quiz, but you really should know this. The quiz is: are you safe tomorrow? Get your free ebook at barracuda.com/securitynow. B-A-R-R-A-C-U-D-A dot com slash securitynow. barracuda.com/securitynow. Love Barracuda. Barracuda, your journey secured. Let me thank them so much for supporting Steve's efforts here at Security Now. And the one thing I would add to that next time you talk about Barracuda. Yeah. Is the new phishing as a service. Oh, we talked about that last week. PhaaS. Concerning. Yes. Geez. Everyone expects now to see a dramatic increase in phishing email. And of course, the more lines you toss into the water. Yeah. The more fish you're gonna catch.
Leo Laporte / Steve Gibson (00:10:45):
Yeah. So our picture of the week is poignant. We've often shown pictures of the big automated electronic signage which is showing something, well, basically demonstrating that behind it is an unhappy Windows system. And that turned out to be the case last week. This was a large sign, like a roadway aisle sign, just acknowledging Her Majesty the Queen, showing 1996-2022. And unfortunately, the looks-like-Windows-10 system that was driving the signage was running low on disk space. So popped up on the sign, again sort of apropos of what the sign was acknowledging, it says: Low disk space. You're running out of space on this PC. Manage storage, and blah, blah, blah. Anyway, I just thought it was an interesting coincidence. Life does that to us sometimes. I decided we have a new name, Leo, for the third Tuesday of every month, and that's Patch Newsday <laugh>. Patch aftermath day.
Leo Laporte / Steve Gibson (00:12:18):
<laugh> Right. So last Tuesday, Microsoft updated their range of software to resolve a total of 63 flaws, including, well, either one or two publicly disclosed zero-day vulnerabilities, depending upon whether you use Microsoft's more liberal definition of zero-day, which does not depend upon having a vulnerability in active use. But either way, one of the vulnerabilities was being actively exploited. In fact, it was being so widely exploited that researchers with DBAPPSecurity, Mandiant, CrowdStrike, and Zscaler all encountered it in the wild and reported their findings of it to Microsoft. So its CVE designation is CVE-2022-37969, and it is a Windows Common Log File System driver elevation of privilege. And given that it's a file system driver, which runs in the kernel, any of those many attackers who were apparently using this and having some fun with it were obtaining full system root-level privileges on the machines they were attacking.
Leo Laporte / Steve Gibson (00:13:38):
So the good news is that was happening to unwitting Windows users and presumably in targeted attacks. So not widespread, but it did come to the attention of four different security firms. Other than that, there were 30 remote code execution vulnerabilities, 18 elevation of privilege vulnerabilities. So the most problems solved were the two worst type classes of problems you can have, which are remote code execution and elevation of privilege. Then there were 16 fixes for the Edge browser Chromium vulnerabilities, seven information disclosure vulnerabilities, seven denial of service vulnerabilities, meaning, you know, could crash something. And then one of these oh-so-generic security feature bypass vulnerabilities. And there were some admins reporting problems with group policy management and settings after installing last Tuesday's patches. So Microsoft didn't get away completely unscathed, but there were no reports of anything widespread affecting typical Windows users. So a quieter Patch Tuesday than we've been seeing recently. Lloyd's of London Limited, of course the famous insurer, has told its global network of insurer groups that new or renewed cyber insurance coverage policies must exclude nation-state attacks as of March 31st, 2023. So about six months from now. Lloyd's cited systemic risk to the insurance market as a whole as the reason for the change, also adding that policies must also exclude losses from war, unless there is a separate exclusion for this type of, I guess, an exclusion for the exclusion.
Leo Laporte / Steve Gibson (00:15:47):
And it's not surprising. This sort of dialing back on cyber insurance coverage is what we've been expecting, and it's here. Insurance firms are seeking ways to get control of the spiraling cost that they're seeing, driven by recent increases in cybercrime, especially ransomware. Nation-state attacks are often most targeted and more about espionage than just casual theft or causing damage. But the consequences do sometimes spill over to do considerable damage to other organizations, and the NotPetya incident of 2017 appears to be the primary factor driving this decision. We talked about this a couple times. There was a protracted legal battle between Merck and its fleet of insurers over, get this, $1.4 billion that Merck was claiming in damages caused by that attack. And remember, Leo, we talked about it. It must be that they were just trying to replace all the PCs. Yeah. That they had.
Leo Laporte / Steve Gibson (00:17:01):
Yeah. I mean, $1.4 billion. There's also loss of business revenue too, though. Remember, I mean, if you're down for five weeks, that could be a billion dollars in a company; that could hurt you. Yeah. Yeah. So anyway, as we've noted before, cyber insurance coverage had previously been relying on an acts of war exclusion to address incidents such as these, but last year's ruling, oh, I forgot to mention that Merck won their battle. They got their $1.4 billion from their insurers. So basically in response to this, the insurers are saying, okay, let's rethink contracts moving forward here. So there's now an explicit nation-state exclusion. The invasion of Ukraine has stoked fears among the, well, among insurers that similar cyber exchanges may slip their containment and cause ancillary damage. There's also been at least one smaller incident of this nature, the AcidRain malware that was aimed at Ukraine's Viasat service at the start of the war.
Leo Laporte / Steve Gibson (00:18:25):
We talked about this at the time, back in February, or I guess it was March, but that also ended up hitting and affecting, basically it sort of lost containment. It also affected a large wind turbine system in Germany, and it was insured. And so they had to pay up. So insurers are looking to pull back on risk as companies are increasing their demand for cyber insurance coverage. I mean, companies are saying, oh, we never really thought about cyber insurance coverage before, but that seems like a good thing. And Lloyd's has been planning a change of this sort for some time. They've been drafting an assortment of contractual clauses throughout last year, working to clarify when cyber attacks can be considered acts of war and catastrophically damaging enough to be excepted from coverage. So anyway, I just wanted to mention that this is happening, that costs are going up, that it's now estimated, in fact, that the amount of money that insurers are gonna be asking for the coverage that companies wish will be expensive enough that half of companies will say, that's just too much for us, we're gonna go without. So insurance is always tough, right? Because you're paying for it whether you need it or not, until you do need it, and then you sure wish you had it. So anyway, we are seeing a general tightening in the insurance market, basically a raising of operating costs for corporations as a consequence of so many that have been insured and forced major payouts.
Leo Laporte / Steve Gibson (00:20:21):
Okay. So then, as you mentioned, Leo, we also had a number of major breaches occurring recently. Uber got a lot of attention, mostly I think because the attacker was so brazen about it. The attacker was just plastering the fact of this attack everywhere. So it wasn't like Uber had any choice, any opportunity to keep it quiet. They suffered, as a consequence, a significant, embarrassing network intrusion. I got a kick out of their first posting last Thursday. Let's see, it was in the evening, 6:25 PM. They just tweeted. This came from @Uber_Comms, saying, we are currently responding to a cybersecurity incident. We are in touch with law enforcement, which they've actually been talking up a lot, as if maybe that's gonna scare people, I guess. And they said they would be posting additional updates as they become available. So that was Thursday. The day after that, last Friday, in the interest of keeping the lines of communication open, although they still didn't have lots of information after what is arguably a very short time.
Leo Laporte / Steve Gibson (00:21:40):
They said, while our investigation and response efforts are ongoing, here is a further update on yesterday's incident. They said four things. We have no evidence that the incident involved access to sensitive user data, like, for example, trip history. Second, all of our services, including Uber, Uber Eats, Uber Freight, and the Uber Driver app, are operational. Third, as we shared yesterday, we have notified law enforcement. As I said, they keep talking about that. It's like, okay. Fourth, internal software tools that we took down as a precaution yesterday are coming back online this morning. So good that they're keeping lines open. And then finally, three days after that, which brings us to yesterday, the 19th, we get a significantly more comprehensive update. They said, while our investigation is still ongoing, we are providing an update on our response to last week's security incident. They said an Uber external contractor had their account compromised by an attacker.
Leo Laporte / Steve Gibson (00:22:52):
It's likely that the attacker purchased the contractor's Uber corporate password on the dark web after the contractor's personal device had been infected with malware, exposing those credentials. And then, listen, get this: the attacker then repeatedly tried to log in using the contractor's Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in. So as I understand this, and there's some confusion in the wording of this and in the reporting, but it sounds like, because they also later said that they've tightened their multifactor authentication parameters, this appears to have been a brute force multifactor authentication bypass. And we've seen that happen in the past. Since the typical multifactor authentication uses six digits, and six digits is a clear compromise between convenience and security; we talked about this years ago when this first surfaced. There is literally, for a single challenge, a one in a million chance of correctly guessing a given multifactor authentication challenge.
Leo Laporte / Steve Gibson (00:24:22):
But if nothing stops someone from making as many guesses as they wish, as often as they wish, 100,000 guesses would yield a 10% chance of getting one correct. Anyway, so that appears to be what happened, is that they acquired username and password credentials, but they were stopped from an easy authentication by multifactor authentication. But because Uber had not configured strong lockout policies, which I'll talk about in a second, the bad guy was still able to get in. So they said, from there, the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G Suite and Slack. The attacker then posted a message on a company-wide Slack channel, which many of you saw, and reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites. Oh boy, that's mean <laugh>. There was, yes.
Leo Laporte / Steve Gibson (00:25:33):
Guess what that image was? Oh, Lord. A graphic image. So they said, our existing security monitoring processes allowed our teams to quickly identify the issue and move to respond. Our top priorities were to make sure the attacker no longer had access to our systems, to ensure user data was secure and that Uber services were not affected, and then to investigate the scope and impact of the incident. Here are some of the key actions we took and continue to take, and they list six. We identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset. Second, we disabled many affected or potentially affected internal tools. Third, we rotated keys, effectively resetting access to many of our internal services, meaning updated their passwords. Fourth, we locked down our code base, preventing any new code changes.
Leo Laporte / Steve Gibson (00:26:42):
Fifth, when restoring access to internal tools, we required employees to reauthenticate. We are also further strengthening our multifactor authentication policies. And finally, we added additional monitoring of our internal environment to keep an even closer eye on any further suspicious activity. And this could sound like an ad for the idea of sticking canaries within a network in order to catch somebody doing something as quickly as possible. Anyway, they said, the attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact. While the investigation is still ongoing, we do have some details of our current findings that we can share. First and foremost, we've not seen that the attacker accessed the production, i.e., public-facing, systems that power our apps, any user accounts, or the databases we use to store sensitive user information like credit card numbers, user bank account info, or trip history.
Leo Laporte / Steve Gibson (00:28:01):
We also encrypt credit card information and personal health data, offering a further layer of protection. We reviewed our code base and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud provider, AWS S3. It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We're currently analyzing those downloads. The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. Of course, we know HackerOne well. They said, however, any bug reports the attacker was able to access have been remediated. So no access to anything sensitive there. Throughout, they wrote, we were able to keep all our public-facing Uber, Uber Eats, Uber Freight services operational and running smoothly. Because we took down some internal tools,
Leo Laporte / Steve Gibson (00:29:14):
customer support operations were minimally impacted and are now back to normal. And finally, we believe this attacker or attackers are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone, that is, this year, has breached Microsoft, Cisco, Samsung, Nvidia, and Okta, among others. There are also reports over the weekend that the same actor breached video game maker Rockstar Games. We're in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts. We're working with several leading digital forensics firms as part of the investigation. We'll also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks. So I find nothing to fault Uber here. Well, except they acknowledge that their multifactor authentication,
Leo Laporte / Steve Gibson (00:30:25):
if that was in fact basically brute forced in order to allow a bad guy in, could have been strengthened, and it now is. Their response was immediate. Their communication has been swift and balanced. And I would imagine that their forensic team is likely glad to be able to get some sleep after a handful of probably very sleepless nights. That they are users of HackerOne speaks well of them, and they appear to have a well-running security component to their IT systems, since their continuous auditing of systems was able to provide them with a lot of relevant information when those audits were queried. They also identified a weakness, as I mentioned, in their multifactor authentication configuration, and they're tightening up. So I guess a takeaway for everyone would be to think about the fact that just as username and password authentication should lock out for some period of time after a reasonable number of failed attempts, the same remains true even after multifactor authentication has been added.
Leo Laporte / Steve Gibson (00:31:37):
That is, there's really no good reason for an authentic user to fail five times in a short period of time to properly authenticate themselves. Clearly, if they've got multifactor authentication, they've got something which is generating six digits for them to enter, and, you know, you could understand a typo or a timeout once or twice, but not many times in a short period of time. So the lesson may be here that just adding multifactor authentication doesn't mean that you can then decide you no longer need other lines of defense, like some short, time-limited, auto-resetting lockout of an account. And Rockstar Games, of course, they are famously the publishers of Grand Theft Auto. And what happened to them was a massive leak of videos for the not-yet-released Grand Theft Auto VI, which I guess is a highly anticipated, super hot topic.
Leo Laporte / Steve Gibson (00:32:55):
Uber said there are also reports over the weekend that the same actor breached video game maker Rockstar Games. And it's certainly believable that this is the same guy or gang, although I wasn't able to ascertain why they believed that. 'Cause when he released the videos, he used the handle, something like Uber hacker <laugh>. Okay, I hacked Uber, or something like that. Which, that's not probative, but that's, so, well, but it is, what I was gonna say was that he does seem to like making a splash, as Lapsus$ is. I mean, that's what Lapsus$'s motivation mostly seems to be, is getting attention. So this guy put out more than 90 videos showing gameplay from the upcoming GTA VI on Sunday. Reports indicated that he's believed to be a teenager, but I was also unable to learn what backs that up. I just saw that in passing. And in this instance, he was using the handle teapot, and he said he plans to leak more gameplay.
Leo Laporte / Steve Gibson (00:34:11):
And even some of the game's source code. Although I wonder about that, because he doesn't seem like the kind of person who holds anything back. And so maybe he doesn't have source code. Maybe he does. We'll see. Anyway, Rockstar Games confirmed that the videos were authentic to Bloomberg's main games reporter, but has not commented on the news of the hack or if the hacker did indeed steal the game's source code. So there's breach number two. Breach number three is coming back to an update from our previous coverage, and that is LastPass. Last Thursday, LastPass published their final official postmortem, exactly three weeks following their initial breach disclosure, which of course left some aspects of the attack unknown, 'cause it was unknown at that time. So here's the final word from their CEO. He said, on August 25th, 2022, we notified you about a security incident that was limited to the LastPass development environment, in which some of our source code and technical information was taken.
Leo Laporte / Steve Gibson (00:35:28):
He said, I wanted to update you on the conclusion of our investigation to provide some transparency and peace of mind to our consumer and business communities. We have completed the investigation and forensics process in partnership with Mandiant. Our investigation revealed that the threat actor's activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor's activity and then contained the incident. There's no evidence of any threat actor activity beyond the established timeline. We can also confirm that there's no evidence that this incident involved any access to customer data or encrypted password vaults. Our investigation determined that the threat actor gained access to the development environment using a developer's compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multifactor authentication.
Leo Laporte / Steve Gibson (00:36:44):
Okay, now that's interesting. It appears that we have another instance of multifactor authentication bypass, essentially. We don't know enough about the way LastPass has set things up, but it must just be that the bad guys obtained an authenticated session token from a successfully logged-in endpoint. At least that's sort of what it feels like. It does remind us, though, that simply adding multifactor authentication isn't any sort of universal cure. So they said, or he continues: Although the threat actor was able to access the development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults. And of course, that's what we were hoping to hear, and it looks like we are. First, he said, the LastPass development environment is physically separated from and has no direct connectivity to our production environment. So that was one big question we had when we talked about this three weeks ago, is, was the production environment ever in danger from a breach of the development environment?
Leo Laporte / Steve Gibson (00:38:08):
And he's saying no, they are deliberately physically separated. So that's just great. That's exactly what we want. Great news. He says, secondly, the development environment does not contain any customer data or encrypted vaults. Third, LastPass does not have any access to the master passwords of our customers' vaults. Without the master password, it's not possible for anyone other than the owner of a vault to decrypt vault data as part of our zero-knowledge security model. He says, so that's what we would hope. And that's what we were talking about before. He's making the point that I made three weeks ago, which is that mistakes can happen to anyone, but as long as the security architecture of the system is designed for trust-no-one operation, all of their users will be completely protected. And providing another example of proper design, the CEO explained, he said, in order to validate code integrity, we conducted an analysis of our source code and production builds and confirmed that we see no evidence of attempts of code poisoning or malicious code injection.
Leo Laporte / Steve Gibson (00:39:26):
And he said, developers do not have the ability to push source code from the development environment into production. Again, really good isolation there. He said, this capability is limited to a separate build release team and can only happen after the completion of rigorous code review, testing, and validation processes. So from what he's saying, it really does sound like they have built this system properly, in a significant chain. He said, as part of our risk management program, we've also partnered with a leading cybersecurity firm to further enhance our existing source code safety practices, which includes secure software development life cycle processes, threat modeling, vulnerability management, and bug bounty programs. Further, we've adopted enhanced security controls, including additional endpoint security controls and monitoring. We've also deployed additional threat intelligence capabilities as well as enhanced detection and prevention technologies in both our development and production environments. And again, this is what I was saying
Leo Laporte / Steve Gibson (00:40:38):
Last time we talked about it, all of that is what we would like to have happen. That is, their existing architecture was good, they realized it could be made better, and that's what they've done. So I think that those who have chosen to remain with LastPass should have every reason to feel that LastPass is a competent caretaker of their users' own pre-Internet encrypted data. As I was thinking about that, I realized that our long-term listeners will recall that early acronym we developed. Remember PIE? The first one was PEE; I'm glad you changed it to PIE. Do you remember that? Oh yeah, that was pre-encryption environment or something. Yeah. Pre... right. Yeah. Good memory. Pre-entry encryption or something. And you realized that PIE might be better. Yeah, PIE was better than PEE indeed.
Leo Laporte / Steve Gibson (00:41:40):
Pre-egress encryption, maybe that's... Whoa, thank you, whoever was listening. That was... no, no kidding, Pre-Internet Encryption, remembered. I know that. I don't remember anything that happened recently, but boy, I got a good memory for that old stuff. <laugh> Welcome to the club. I'm gonna sip on some water while you tell us about our next... Be my guest. You might even want... well, never mind. Our show today <laugh> brought to you by... yes. PEE. Yes, that's what I was thinking. Bitwarden. <laugh> You go, have time. I go on and on about Bitwarden, cuz I'm such a fan, as you know. Bitwarden is the open source, in fact, it's the only open source cross-platform password manager that can be used at home, can be used at work, can be used on the go, is trusted by millions. It's really the right choice for your password manager, especially in business. With Bitwarden, you can securely store credentials, notes, documents, everything across personal and business worlds.
Leo Laporte / Steve Gibson (00:42:45):
And that's really nice for your business. Everything, though, with Bitwarden starts with the creation of a personal vault. And one of the things I love about Bitwarden, cuz it is open source and I've talked to them, their business model does not require them to convert free users. Everybody gets a free personal vault. Everybody, take advantage of that right now, go to bitwarden.com/twit. But if you want to go to the enterprise, okay, you set 'em up with a vault that's got my passwords in it. Now we're gonna integrate you into the corporation, the organization's system, and you get the best of both worlds. It's a really great solution. The thing I love about Bitwarden is they're actively in development. For instance, we mentioned the unique email system. They have a username generator now, which I love. They can integrate with all the popular email forwarding services, including my own.
Leo Laporte / Steve Gibson (00:43:42):
They just added Fastmail, so I'm thrilled about that, but SimpleLogin, AnonAddy, Firefox Relay. So what you'll do is you can create, instead of using your same old email every single time, you can create a unique email, which gives you another layer of security, and it gives you privacy too, right? With Bitwarden you generate a new username, you'll have the option to create an email alias with a sub-selection for the service you prefer. I use Fastmail. I've already set it up, but to set it up was very easy. Enter the API key for your account with a chosen service, you select the desired options, it'll remember all of that, of course. Once generated, you've got a new alias, and just like your password, Bitwarden remembers it. They've got it, it's locked in, and it'll autofill it from now on.
Leo Laporte / Steve Gibson (00:44:30):
So using unique usernames, email addresses and passwords for every account. I mean, it's still one factor, something, but boy, it's three different things a bad guy would have to brute force or guess or steal from you. It's a great method for increasing internet security and privacy. It adds protection to logins in the face of data breaches and leaks. You can use it with Bitwarden in the web vault, the desktop app, the browser extensions; mobile is coming. It's not here yet, but that's coming in a future release. If you use Bitwarden to do your authentication, your TOTP codes, you can access it more easily on a dedicated screen in their mobile app. Now they're always improving it. It's always getting better. Bitwarden is a fully customizable password manager that adapts to your business needs. Another feature they added, I love: Bitwarden Send, a fully encrypted way to send, transfer sensitive information, text or files.
Leo Laporte / Steve Gibson (00:45:28):
You of course use unique and secure passwords for every site with enterprise-grade security that's GDPR and CCPA and HIPAA and SOC 2 compliant. The vault is end-to-end encrypted, mitigating phishing attacks. And they've added even more enterprise capability by adding SCIM support, S-C-I-M, to make it easier to provision and manage users. I mean, they just keep getting better and better. So use it at home free forever. I actually pay less than a buck a month for a premium account just to support 'em; you get a few extra features. If you're a business, look at the Teams organization option, that's $3 a month per user, which lets you share private data securely with coworkers across departments. So the entire company, enterprises, you'll look at Bitwarden's Enterprise organization plan, that's $5 a month per user. Of course, your basic free account, free forever for an unlimited number of passwords, or upgrade to the premium account.
Leo Laporte / Steve Gibson (00:46:22):
As I did, very affordable, I think it's 10 bucks a year. I mean, I just do it as a donation, frankly, but you don't ever have to, and that's beautiful. The family organization option is great too. You'll get premium features for up to six family members, a total of $3 and 33 cents a month. So all round a great deal, great technology that Steve and I are fans of, password managers, and I love Bitwarden, the only open source cross-platform password manager that you can use at home, on the go, at work, trusted by millions of individuals, teams and organizations worldwide. Get started. You can get a free trial of the Teams or Enterprise plan, or as I said, free forever across all devices as an individual user, just go to bitwarden.com/twit, bitwarden.com/twit. I don't know if they want me to tell people this or not, but they were just in the news, they got a 100 million grant to improve Bitwarden.
Leo Laporte / Steve Gibson (00:47:27):
I'm thrilled about that. That's a hundred million dollars in new venture capital. And I think that, to me, that means Bitwarden has the resources they need to get better and better and better. Wow. Isn't that great? Yeah. That's a chunk of money from PSG, a growth equity firm, Battery Ventures. Yeah. I don't know what that makes their valuation, but that's pretty darn good. And they're still open source, which I love. Yeah. bitwarden.com/twit. Please use that address so they know you saw it here. Back to you, Steve. So we have a CVSS of 9.8 for WordPress. Last time we talked about a big vulnerability hitting WordPress, I came away suggesting that anyone who is using WordPress in anything other than its bare, out-of-the-box essential configuration, that is, anyone who has added any of the gazillion tantalizing WordPress add-ons, ought to give serious thought to running a third-party application firewall on their site.
Leo Laporte / Steve Gibson (00:48:33):
There are three or four of those, but one stands out, and that's Wordfence. It's the one that we keep referring to since they appear to be most on top of this particular chunk of the industry. They're the ones who are discovering problems more than any of the others. When, I remember, I went looking for other WordPress add-on companies and I found that there were others, but they weren't nearly as active as these guys. Anyway, as we know, WordPress matters, right? It's just shy of 40% of the Internet's websites. So to that end, Wordfence last week put out a report which serves as a perfect case in point. The report is titled, PSA, as in public service announcement: zero-day vulnerability in WPGateway actively exploited in the wild. And they said, on September 8th, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin.
Leo Laporte / Steve Gibson (00:49:52):
They said, we released a firewall rule to Wordfence Premium, Wordfence Care and Wordfence Response customers to block the exploit on the same day, September 8th. I don't know what those three things are, but they have some sort of a product lineup. They said sites still running the free version of Wordfence will receive the same protection 30 days later. Well, you might as well <laugh>, might as well not have it if you don't get it for a month. Anyway, the Wordfence firewall, they said, has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days. Okay? So this WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to set up and manage WordPress sites from a single dashboard. Part of the plugin's functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator into the site.
Leo Laporte / Steve Gibson (00:51:03):
So they said we obtained a current copy of the plugin on September 9th and determined that it is vulnerable. Okay? So their model is they've got these application firewalls deployed. They see something happening. And in WordPress, since it's all PHP based, they're gonna be seeing some odd looking query that's being made that. So that brings it to their attention. They look at what plugin the PHP query is targeting. And in this case, the next day they got a copy of the plugin and analyzed it to see what was going on. So they said, we determined that it is vulnerable. At which time we contacted the plugin vendor with our initial disclosure. And they said, we've reserved vulnerability, identifier CVE 20 20, 2 31 80 for this issue. So they said, this is an actively exploited zero day vulnerability and attackers are already aware of the mechanism required to exploit it clearly, cuz that's how it came to their attention.
Leo Laporte / Steve Gibson (00:52:11):
They said, we're releasing this public service announcement to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover. They said, if you're working to determine whether a site has been compromised using this vulnerability, the most common indicator of compromise is a malicious administrator with a username of rangex, R-A-N-G-E-X. They said, if you see this user added to your dashboard, it means your site has been compromised. So they also mentioned that if you're unable to get an update to this WPGateway, remove it from your system or take some action to prevent it from being accessed, because that's the way these bad guys are compromising so many WordPress sites. So personally, I'm no longer running any WordPress sites. I was for a while, to maintain a blog, which I infrequently posted to.
Leo Laporte / Steve Gibson (00:53:29):
But if I were doing so today, first of all, I tend not to be adding lots of bells and whistles to my site. I'm happy with more of the bare minimum functionality. But if you had lots of sites that you were using this cloud-based dashboard in order to manage, you should know that that's a problem. I'd take a look at these Wordfence people. They seem to be good folks, although again, as I said, there are a bunch of similar offerings, because this sort of add-on is useful. And in fact, as we'll see, it's exactly a web application firewall which led the people who created it to today's podcast topic. Okay, this I loved. Two months ago, on July 19th, Security Now episode 880 was titled Retbleed. As we discussed at the time, it's another of the ongoing and ever-evolving speculative attacks against the Intel and AMD microarchitectures. Until security researchers began looking closely and developed the Spectre and Meltdown attacks,
Leo Laporte / Steve Gibson (00:54:50):
Intel and AMD were both happily inventing and incorporating all sorts of clever tweaks into the execution path of their processors for the sake of improving their performance. In essence, all of these performance tuning tweaks involve having the processor's microarchitecture learn something about the code it's executing. Unfortunately... well, the good news is that allows it to correctly anticipate what's likely to happen again, but it allows the microarchitecture to be probed by software that understands that there is basically a trail of breadcrumbs following behind the code. When this all works, it allows the code to execute much more smoothly. But the big question we always ask and ponder, but so far we haven't received much of a clear answer to because Intel doesn't want to tell us, is what's the performance impact of turning off these features? What happens if we disable this microarchitectural optimization in the interest of enhanced security? Friday before last, on September 9th, a VMware engineer in VMware's performance engineering department posted the results of his analysis of exactly this into the Linux kernel archive list under the subject "performance regression in Linux kernel 5.19", which is the just recently updated and released kernel.
Leo Laporte / Steve Gibson (00:56:47):
And it's the one that incorporates treatment for Retbleed. He wrote, as part of VMware's performance regression testing for Linux kernel upstream releases, we have evaluated the performance of Linux kernel 5.19 against the 5.18 release, and we have noticed performance regressions in Linux VMs on ESXi as shown below. Get this: computing performance has fallen 70%, network throughput down 30%, storage bandwidth down 13%. He said, after performing the bisect between kernel 5.18 and 5.19, we identified the root cause to be the enablement of IBRS mitigation for Spectre V2 vulnerability by commit, and then he's got the hex number of the commit that added that to the kernel, and it's titled x86/bugs: report Intel retbleed vulnerability. He said, to confirm this, we have disabled the above security mitigation through kernel boot parameter, and it's spectre_v2=off, in 5.19 and reran our tests and confirmed that the performance was on par with the 5.18 release.
Leo Laporte / Steve Gibson (00:58:38):
Okay, so the IBRS to which the engineer refers stands for Indirect Branch Restricted Speculation, which Intel describes as an indirect branch control mechanism that restricts speculation for indirect branches. Doing that is necessary, as our Retbleed podcast two months ago explained in detail, to prevent a surprising rate of data exfiltration from otherwise completely secure operating systems. Consequently, since that would be bad, the Linux kernel starting with 5.19 does so by default, unless it's prevented from doing so with a kernel boot override parameter. And to their dismay, what the VMware performance engineering folks discovered was that, compared to the immediately preceding current Linux kernel 5.18, 5.19, as I said, sees a 70% reduction in the performance of compute-intensive tasks, a 30% reduction in network throughput, and a 13% reduction in mass storage performance. I have a link in the show notes to VMware's Linux kernel archive posting for any Linux aficionados among us who will want all the details on this and on the specific benchmarks which were run and how it was done.
Leo Laporte / Steve Gibson (01:00:15):
The guy who posted this from VMware provided complete details. My feeling about all of this has not changed from its first appearance, and Leo, it's the opinion you and I had from the beginning: end users have never had much, if anything, to worry about from any of these subtle architectural attacks. It's the big data center cloud server guys running many different virtual machines across a heterogeneous client population that do have cause to worry. So if I were a Linux hotshot, I'd be disabling all of these Spectre-ish mitigations and freeing up my processors to run with as much intuition about the code they are running as possible. The only danger you would face would be a cross-process information bleed. And in order to have a cross-process information bleed, you've got to have something running in your machine, which is already running in your machine, which is able to perform this sort of operation.
Leo Laporte / Steve Gibson (01:01:35):
Now having said that, I do recall that we talked about Retbleed being operable from code in a browser, and of course that sort of blurs this boundary, but typically it has to run for a long time to get any information, and it's gotta find out where the information is, blah, blah, blah. So again, my sense is end users really don't have much of a concern. If you've got no problem at all under the latest Linux kernel from a performance standpoint, then obviously leave the stuff enabled, but recognize, depending upon which distro you're using and which Linux kernel it's got and what mitigations it has by default, there is a huge difference in performance when you turn these Spectre mitigations on versus off. And we finally have some what look like very good numbers to support that. So again, I guess I would say it's an individual preference, but you need to understand that there's some serious performance hanging in the balance.
Leo Laporte / Steve Gibson (01:02:52):
And I also wanted to tell everyone about some very encouraging news from Google's Chromium team. Okay. So the trouble with my doing that is that it really gets down into some technical weeds, and I did not wanna devote an entire podcast to tackling a single complex topic that most of our listeners won't care that much about; mostly you're gonna want the headline. So this involves pointer reference counting and what they call poisoning quarantined pointers before the pointer's release. It is some seriously cool, but also complex, pure computer science. But again, all we really need to know is that the single most troublesome aspect of the Chromium code base, that is, those ubiquitous use-after-free errors and their exploitation, are finally gonna be resolved. So I do wanna share some of what Google explained. So here's how they begin their explanation. They said, memory safety bugs are the most numerous category of Chrome security issues,
Leo Laporte / Steve Gibson (01:04:09):
and we're continuing to investigate many solutions, both in C++ and in new programming languages. The most common type of memory safety bug is the use-after-free. We recently posted about an exciting series of technologies designed to prevent those. Those technologies, collectively *Scan, as you know, star, as in wildcard, scan, are very powerful, but likely require hardware support for sufficient performance. In other words, we can't have that today. They said, today we're gonna talk about a different approach to solving the same type of bugs. It's hard, if not impossible, they wrote, to avoid use-after-frees in a nontrivial code base. It's rarely a mistake by a single programmer. Instead, one programmer makes reasonable assumptions about how a piece of code will work. Then a later change invalidates those assumptions. Suddenly the data isn't valid as long as the original programmer expected, and an exploitable bug results.
Leo Laporte / Steve Gibson (01:05:24):
They said, these bugs have real consequences. For example, according to Google's Threat Analysis Group, their TAG team, a use-after-free in the Chrome HTML engine was exploited earlier this year by North Korea, and as shown in the percentage bar chart below, half of all known exploitable bugs in Chrome are use-after-frees. And I have a chart in the show notes, which I grabbed from their blog posting, where these blue bars in this percentage bar chart are shown pretty much, especially later on, those are... that's every quarter from the second quarter of 2015 through the first quarter of 2021. And certainly from around 2019 on, those blue bars have represented about half of the total bugs that Chrome has seen. And of course we're talking about them all the time on the podcast. So then they introduced the concept of what they call their MiraclePtr, miracle pointer.
Leo Laporte / Steve Gibson (01:06:36):
They said MiraclePtr is a modestly named technology to prevent exploitation of use-after-free bugs. Unlike the aforementioned *Scan technologies that offer a noninvasive approach to this problem but would require hardware that doesn't yet exist, MiraclePtr relies on rewriting the code base to use a new smart pointer type, which is raw_ptr. There are multiple ways to implement MiraclePtr. We came up with around 10 algorithms and compared the pros and cons of each. After analyzing their performance overhead, memory overhead, security protection guarantees, developer ergonomics, et cetera, we concluded that BackupRefPtr was the most promising solution. So that was the one from around 10 that they ended up choosing as the implementation for their so-called miracle pointer. They said, the BackupRefPtr algorithm is based on reference counting. It uses support of Chrome's own heap allocator, known as PartitionAlloc, which carves out a little extra space for a hidden reference count for each allocation. raw_ptr increments or decrements
Leo Laporte / Steve Gibson (01:08:04):
the reference count when it's constructed, destroyed or modified. When the application calls free or delete and the reference count is greater than zero, PartitionAlloc quarantines that memory region instead of immediately releasing it. The memory region is then only made available for reuse once the reference count reaches zero. Quarantined memory is poisoned to further reduce the likelihood that use-after-free accesses will result in exploitable conditions. In other words, typically what we've seen is the pointer which has been released is pointing to something useful still into the operating stack, where real damage could be done. So they are deliberately writing something illegal into that pointer so that if someone had access to it, it wouldn't be pointing to anything useful. And they said, in the hope that future accesses lead to an easy-to-debug crash, turning these security issues into less dangerous ones. And they said, we successfully rewrote more than 15,000 raw pointers in the Chrome code base into raw_ptr, then enabled BackupRefPtr for the browser process on Windows and Android, both 64-bit and 32-bit, in Chrome 102 stable. Note that we're all running 105 now.
Leo Laporte / Steve Gibson (01:09:52):
So it's been in there for a while. They said, we anticipate that MiraclePtr meaningfully reduces the browser process attack surface of Chrome by protecting around 50% of use-after-free issues against exploitation. We are now working on enabling BackupRefPtr in the network, utility and GPU processes, and for other platforms. In the end state, our goal is to enable BackupRefPtr on all platforms, because that ensures that a given pointer is protected for all users of Chrome. So after that they continue; that's just the first piece of this blog posting, cuz they get into a deep discussion of implementation overhead, which comes down to the overhead of a four-byte reference count for each pointer. But the bottom line is, hats off to the Chromium folks for not simply chasing their tails endlessly under the fantasy and fallacy that they're eventually gonna find all of the use-after-free bugs.
Leo Laporte / Steve Gibson (01:11:06):
We all know that as new code is being written and as old code is being modified, as many new bugs are being introduced as old bugs are being found and eliminated. Just take a look at that chart. You could see that there's no... there's not actually any progress being made along those lines. If anything, there's more blue today than there was back in 2015 when they began doing this. So yay to them actually tackling this and developing some new technology. The only people who'd be made unhappy by this news are those who've been making their living off of discovering new ways to break into Chrome. Life promises to be much more difficult for them, which is wonderful. I have a couple little bits of closing the loop from our listeners. Oh, Peter G. Chase, and actually a handful of our sharp-eyed listeners, looked at that picture of the week.
Leo Laporte / Steve Gibson (01:12:11):
Well, I'll say what Peter said first. He said the picture of the week looks a lot like they're actually bypassing the meter. That looks like a meter box, and that hadn't occurred to me, but it did to a number of our listeners. And of course that's even more interesting, right? So the idea would be that one of those big round-faced electric meters has essentially the same sort of feet sticking out of it, prongs, that two bar fuses would. And so what's actually happened is that the people who are using that power, thanks for having it on the screen, Leo, right, the people who are using that power have bypassed the meter, which would normally be plugged into the front of that, thus monitoring the amount of electricity being used by those people. So it looks like they're getting free electricity. Anyway, thank you, all of our listeners, for pointing that out.
Leo Laporte / Steve Gibson (01:13:16):
Dan Taylor said, hi Steve, years ago you mentioned Pegasys TMPGEnc, T-M-P-G-E-N-C. And I recall that, he says, as the video editing software you like and use. It's been at least 10 years since my first purchase. I have three different packages from them. The latest is Video Mastering Works 7. He says, and I love it, exclamation point. I just thought I'd say thanks for steering me in their direction so long ago. And it's funny, Leo, I mean, you and I were messing with media back then. I remember that TMPGEnc. For me, I didn't have any video editing software, but that was my go-to MPEG-2 encoder. Oh, back when MPEG-2 encoders were littered with all kinds of bells and whistles in the UI that allowed you to tune it in order to get the best compression and image appearance.
Leo Laporte / Steve Gibson (01:14:22):
I probably wasn't using Windows at the time, so yeah, maybe not, although I wouldn't know. And I didn't know, but they're still there. And Dan says, and they've got a bunch of nice looking software. So nice. Ed, oh boy, Gio isle, I don't know, Greg. He said, I'm a long time Hema... he says, I'm a long time Security Now listener, but I do not recall hearing you mention the following benefit in the past, and it may be useful to some of your listeners. I am a CISSP and I must maintain my certification by completing CPE credits. I've been submitting my Security Now attendance as a qualifying webinar, 1.5 CPEs, for several years, and these submissions have always been approved. Best, Ed G. So Ed, thank you for sharing that, for any of our listeners for whom that may not have occurred and who may also be needing CPE credits.
Leo Laporte / Steve Gibson (01:15:29):
Cool, that the podcast is a source for those. Yeah, that's great. Bob O'Brien, he said, in an alternate universe where everyone used SQRL, would that stop/thwart phishing attacks, because they wouldn't have one's master key or encrypt the login handshake? Okay, Bob, SQRL. I realized that when I talked about this last week, I didn't explain why or how SQRL solves a problem. It solves it in a couple ways. First of all, the key being generated by SQRL is tied to the domain name. So if you're at a phishing site with a bogus domain name, SQRL will generate a key, but it won't be the right key. It'll be a SQRL key for the phishing site rather than the SQRL key for the site you think you're logging onto. So you automatically get that protection. But that client-provided sessions, CPS, feature that I mentioned, that's actually an additional layer of protection.
Leo Laporte / Steve Gibson (01:16:40):
The reason that all of these technologies are prone to man-in-the-middle attacks is that the man in the middle is literally monitoring all of the traffic in both directions, unencrypting it, sniffing it, and then re-encrypting it. The way SQRL's client-provided session system works is that the SQRL client itself, which is separate from the browser, initiates a connection to the server in order to negotiate credentials. So it automatically bypasses a man in the middle, going around it, talking to the proper server, even if it had the proper domain, which in a phishing scenario it would not. So you sort of get multiple layers of protection from that. Anyway, thanks for the question, and for pointing out that I hadn't really explained it. And Leo, you're gonna love this one. Get a kick out of this, a tweet from our favorite Dutch ex-regulator, Bert
Leo Laporte / Steve Gibson (01:17:51):
Hubert. Oh, he tweeted, he heard us. Yep. Oh, he said... oh, I'm sorry, Bert. <laugh> Bert said, international attention for my resignation as regulator of the Dutch intelligence and security services in the Security Now podcast at minute 58:40. Thank you, Steve Gibson @SGgrc and Leo Laporte. I didn't mean to make fun of your name. I'm sorry. No, I think he really appreciated it. He needed the attention. That's the whole point of resigning, right? Exactly. And the reason he blogged about it was to say, this is my beef about this legislation and the problem it has. Good. And so we helped him shine a big spotlight on it. Oh wow. So Bert, you're welcome. <laugh> And one last bit. Yes, Bill Semp, he tweeted, another winner, Steve. Second time now that you have recommended a book series that my wife loves.
Leo Laporte / Steve Gibson (01:19:00):
So he's... that's Silver Ships. Yeah, he's clearly talking about the Silver Ships, and there is, in the third book, there's something I need Lori to read, my wife, and she needs... and I think she'll enjoy getting to that point, but there's an alien which this author creates. Oh, they are so wonderful, these aliens. So enough. Can't wait. I'm reading William Gibson's The Peripheral because they're making a TV show out of it, which is coming next month. And I thought, oh, I've had this book for ages. I should read it, cause I love William Gibson. It is not a good audiobook. I can't follow it at all. His <laugh> I guess his stuff is so visual that you kind of have to see it in your head. And it's just not working for me. So two days from now, Silver Ships. Good, good, good, good.
Leo Laporte / Steve Gibson (01:19:51):
You won't regret it. Is The Peripheral gonna be a movie or a series? A cable series, a series on, I wanna say, HBO or Apple TV, I can't remember which. Oh, good, good, good. So we don't have to have commercials. Yeah. Did you read that, or you... I know you're a William Gibson fan. He wrote Neuromancer, which is the cyberpunk, of course, novel. And I... that one I really loved, but I think it might be better for me to watch the show. Yeah, I think I'll do that too, cuz my reading has been hijacked. Yeah, no kidding. Oh, it's so good. Yeah, you're gonna be on Silver Ships for the rest of your life. <laugh> The Peripheral is Amazon Prime Video, and I'm just looking at it right now. Looks pretty good. Looks like it'll be a good show anyway. You know, great high sci-fi, lot of VR. VR, you need some... yeah, you need some... yeah. Very futuristic. So it should be interesting.
Leo Laporte / Steve Gibson (01:20:45):
Okay, I think I should take a little tiny Tanium break here and talk about Tanium before we get back to the meat of the matter, the reason we have all gathered together. Tanium. They'd like to say something: the industry's approach to cybersecurity is fundamentally flawed. That's a big statement. IT management and security point tools only offer a small piece of the solution needed to protect your environment. I think, I guess we know that. It's not stopping the Uber hackers. And many of them promise they can stop all breaches, when obviously they can't. Part of the problem here is you just don't have the information you need. Making decisions based on stale data, trying to defend your critical assets from attack with tools that don't talk to one another, is just no way for IT teams to navigate today's attack surface. It's time for a different approach.
Leo Laporte / Steve Gibson (01:21:43):
And Tanium has really emerged as the company to do this. They say it's time for convergence of tools, endpoints, and IT operations and security. No more data silos. They have solutions for government entities, for education, financial services, retail, healthcare. You could trust their solutions for every workflow that relies on endpoint data. They've got asset discovery and inventory, which lets you track down every asset you own instantaneously. They can help with risk and compliance management, which helps you find and fix vulnerabilities at scale, in seconds, everywhere. They've got great threat hunting capabilities, which let you hunt for sophisticated adversaries in real time. You've got client management, which can automate operations from discovery to management. And if you have sensitive data, and probably you do, the sensitive data monitoring will help you index and monitor sensitive data everywhere, globally, in seconds. You might have noticed speed is a big part of this. Tanium protects organizations where other endpoint management and security providers just can't, with a single platform.
Leo Laporte / Steve Gibson (01:22:56):
Tanium identifies where all your data is across your entire IT estate, patches every device you own in seconds, and implements critical security controls, all from a single pane of glass. Kevin Bush, the vice president of IT at Ring Power Corporation, says, "Tanium brings visibility to one screen for our whole team. And if you don't have that kind of visibility, you're not gonna be able to sleep at night." With real-time data comes real-time impact. If you're ready to unite operations and security teams with a single source of truth and confidently protect your organization from cyber threats, it's time you met Tanium. To learn more, visit tanium.com/twit. T-A-N-I-U-M, tanium.com/twit. They're talking about sci-fi novels in our Discord. That Discord, by the way, is a great place to go if you want a community of people who listen to shows like Security Now and you like to hang with them.
Leo Laporte / Steve Gibson (01:23:59):
It's all part of Club TWiT, which has become more and more the country club for geeks. <laugh> No golf courses, <laugh> but we do have our own Minecraft server. <laugh> Several of them. We do have some really fun let's-play stuff. I was doing a Satisfactory on Saturday at the same time as we were doing our Untitled Linux Show with Jonathan Bennett. We have lots of shows in the club that are club-only, like Hands-On Mac with Mikah Sargent, and Paul Thurrott's Windows Weekly Plus. That's just the Discord. You also get ad-free versions of all of our shows, including Security Now. And you get the TWiT+ feed, which includes conversations Steve and I have, and all the other show hosts, before and after shows that don't make it in the podcast. There's lots of good stuff in there. How much would you pay for that? How about seven bucks a month? That's nothing, a couple of lattes a month, and you're in. It really helps us. It is becoming more and more important to our bottom line. It's almost 25% of our revenue now, and we need it as the recession hits hard with podcast advertising. So you're really helping us out. Seven bucks a month, that's all I ask. And ad-free versions, you wouldn't even hear this. Go to twit.tv/club.
Leo Laporte / Steve Gibson (01:25:14):
Leo Laporte / Steve Gibson (01:26:11):
Leo Laporte / Steve Gibson (01:27:27):
Anyway, there, the bullet part, the bullet points for them say: stop client-side attacks, plug otto into your application security suite, and protect your supply chain. Traditional WAFs, web application firewalls, API security, DDoS, and bot protections are all essential components of your AppSec suite, but they don't protect the client-side gap in your third-party supply chain. And so they said, visibility: otto provides continuous monitoring and analysis of first-, third- and nth-party script behavior and vulnerabilities, which, like what I was talking about before, where who knows what scripts the scripts are loading, the scripts are loading. Also protection: Advanced Malware Guard and Script Shield defend your website from Trojans, phishing, malicious code injections, Magecart and client-side attacks with real-time integration and control. Take control over client-side application security with precision script and policy dynamics, CSP automation. Anyway. So given that these guys are deep into watching and analyzing exactly what a user's browser is doing, it's not surprising that they found... well, that they would've been the ones to catch some unexpected and unwanted behavior from Chrome and Chromium-based browsers, specifically Chrome and Microsoft's Edge.
Leo Laporte / Steve Gibson (01:29:02):
So what they found: Google's Chrome and Microsoft's Edge, which is of course Chromium-based, the enhanced spell check features are phoning home to expose their users' in-the-clear passwords, usernames, email addresses, dates of birth, social security numbers, and so forth. Basically anything entered into form fields that is not recognized locally by their spell checkers is sent back, as entered, in the clear, to Google or Microsoft to request spelling suggestions from their remote recommendation engines. Now that's obvious, right? I mean, that's what enhanced spell check is, except that there are, by default, no limits on what is being sent back. And so it includes anything not in the local dictionary, which certainly better be your passwords. So again, it's not the end of the world. But in an environment where we want and expect our browsers to locally hash our passwords so that they never leave our browsers in the clear, sending every one of our pre-hashed passwords to Google or Microsoft without our knowledge or permission seems like something that someone should have thought about and should be preventing.
Leo Laporte / Steve Gibson (01:30:39):
And if the passwords, as I said, that we're using are present in our spell checker's local dictionary, so that they're not being sent to Google or Microsoft, well, then we have bigger problems, 'cause you don't want to be using passwords <laugh> that are in your own local language. So I have a screenshot in the show notes of the Chrome browser's POSTed query and Google's reply when a user was logging into Alibaba with the test password "share password asterisk 1 2 3". And you can see that being sent in a little JSON blob on the left, and Google replied with the spell check suggestion "share password", with a space, which is what you would expect it would recommend. But in the process, the user's password, with no encryption of any sort, went to Google, and they got it. And the same thing happens if you're using Microsoft Edge.
Leo Laporte / Steve Gibson (01:31:55):
So again, not the end of the world, but not a good look. Also, you could argue that it's never useful to run someone's password or email or social security number through spell check. All it's gonna do is, if it did correct your password, it would mess it up. It'd be wrong. So that's terrible. So otto-js co-founder and CTO Josh Summitt discovered the spell check leak while he was testing the company's script behavior. And he explained, he said: "If 'show password' is enabled, the feature sends your password to their third-party servers. While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to third parties like Google and Microsoft. What's concerning is how easy these features are to enable, and that most users will enable these features without realizing what's happening in the background." And as we'll see in a minute, I was guilty of having done so at some point in the past. I checked, and it's like, oops. <laugh> Ouch. So this unsuspected and inadvertent leakage could obviously lead to serious trouble for consumers and major industries when it comes to privacy, data protection and client-side security, not to mention that it's a clear violation of HIPAA and similar privacy regulations, which rigorously restrict third-party access to sensitive private information. In principle,
Leo Laporte / Steve Gibson (01:33:52):
when these features are active, any terminology, such as medical conditions, which is not known to the local spell checker will be shared with Google or Microsoft. And if your browser is also logged into either company's websites, since the POST query is being made to their servers, your logged-in session ID cookie will accompany the spell check query. So they also know who you are. Not that there's anything wrong with Google or Microsoft receiving this. Not that there's any reason to believe they're logging it or collecting it or doing anything, but they're receiving it from you. So otto-js noted that five websites and services of concern were... and they didn't do an extensive test, but they found out, they noticed, that Office 365 does this, Alibaba's cloud service does this, Google Cloud Secret Manager's site does this, AWS Secrets Manager did this. They added an update that AWS had already mitigated the issue.
Leo Laporte / Steve Gibson (01:35:08):
And LastPass's site was doing this when they were notified. They noted that both AWS and LastPass had immediately and already fully mitigated the issue. The otto guys said that LastPass was the first to respond to outreach and first to fully mitigate the risk. They quoted LastPass's Christopher Hoff, who's their chief secure technology officer, saying, quote: "It is disconcerting that customers can inadvertently expose confidential data by enabling innocuous browser features and not understand that anything they type, including passwords, could result in that data being sent to third parties." And in the show notes I grabbed a snippet of the LastPass login page now, after they made the fix, and you can see highlighted there, in the body tag, it opens the body tag, it says spellcheck="false". Yeah, that's all that's necessary to shut this behavior down on that page. But nobody is doing it. The otto-js
Leo Laporte / Steve Gibson (01:36:31):
researchers created a demonstration video to illustrate how spell-jacking could easily expose a company's cloud infrastructure, servers, databases, corporate email accounts and password managers. In the video, an employee had enabled enhanced spell check features when he was using that to create a document. But that feature remains enabled for all sites, and the user then, after that, goes to his enterprise database credentials and shows them being spell-jacked and being sent to Google when he clicks on the "show password" button in order to verify that he entered his password correctly. So the video uses a common scenario in the workplace to illustrate how easy it is to enable the browser's enhanced spell check features, and how an employee could inadvertently expose their company without ever realizing it. Most CISOs would be extremely alarmed to learn that their company's administrative credentials were unwittingly shared in clear text with a third party, even one they generally trust, such as Google or Microsoft. otto-js tested more than 50 websites and sorted 30 of those into a control group spanning six different categories of websites which people use frequently and which have access to highly sensitive personally identifiable information, PII data.
Leo Laporte / Steve Gibson (01:38:08):
Okay, so remember that by default, all data entered into forms that's not recognized by the browser's local spell check dictionary will be sent to retrieve remote suggestions, but passwords will not be sent until and unless the user clicks the "show password" button. So that's some relief there. In otto's testing, five websites per category were selected based on top ranking in each industry. They said that they tested... well, they were testing to create some benchmark for how much exposure might be occurring. So the six categories they selected were online banking, cloud office tools, healthcare, government, social media, and e-commerce. Of the reference group of 30 websites tested, 96.7% did send personally identifiable information back to Google and Microsoft; only one did not. 73% sent passwords when "show password" was clicked, but those not sending passwords only didn't because they lacked the "show password" feature on their site.
Leo Laporte / Steve Gibson (01:39:29):
So otherwise they would've. And interestingly, the only control group website that had mitigated the issue, there was one out of those, total of, what was it, 30 sites? Yeah, one out of 30, thus 96.7%. The one that had was Google. So Google was aware of this and didn't want that personally identifiable information, and possibly passwords, even being sent back to them. Though Google did mitigate the issue for email and some services, they have not mitigated it for some of their other services, like Google's Cloud Secret Manager. Also, Auth0, a popular single sign-on service, was not in the control group, but was the only website other than Google which they found that had correctly mitigated the issue. So props to Auth0. Anyway, so the point is the knowledge of this is out there, but it has not yet been receiving wide attention, which is one of the reasons I wanted to put it on everyone's radar today.
Leo Laporte / Steve Gibson (01:40:39):
As I noted in the example of LastPass's mitigation, companies can mitigate the risk of sharing their customers' personally identifiable information by adding spellcheck="false" to the containing page or to all input fields. Although this might create problems for users who want spell check, I suppose ultimately that override could just be added to the form fields that might contain sensitive data, like username, password, and so forth, or "please describe your medical condition." Fortunately, the enhanced spell check feature is not enabled by default, but once it's been enabled, it remains so. I was curious about my own settings, so I went to Settings in Chrome and entered "enhanced spell". That's as much as I needed to put into the search bar. And what do you know? It turns out I have enhanced spell check on. Of course you do. I'm sure I turned it on.
Leo Laporte / Steve Gibson (01:41:43):
It's just, if you added all your passwords to the dictionary, <laugh> then it would always be okay. Right, then it will never... yes, it will never need to go ask Google or Microsoft, another solution, if they have a suggestion for an improvement, 'cause it's always spelled right. You mistyped your password. <laugh> It looks like gibberish. So it was enabled in my instance of Chrome. I have no idea when I may have turned it on, but it's been on ever since. Google makes it clear what's going on. They say right there under the option: "Text you type in the browser is sent to Google." But you'd sort of think they wouldn't send your password field data, but they do. Anyway. So, well, that's up to the people, as you showed, who have password fields to make sure spellcheck="false". Yes. I think, I hope, I would hope everybody would now go, oh yeah, I guess we need to do that.
Leo Laporte / Steve Gibson (01:42:42):
Right? Let's hope that happens. Yes. I'm looking at Firefox, and it says "check your spelling as you type," and I have it checked. So it probably is default, in all likelihood. So while simply turning off enhanced spell check will resolve all concerns, otto-js does offer a free Chrome extension that will alert users when they're visiting a website that has the risk of data leaks caused by enhanced spell check. Now, the problem is all websites do, virtually. So it may be a little annoying. Maybe it only pops up when you're on a password page, and so it's just gonna remind you of that. I wonder where Firefox's spell check sends my password, and whether that's a... that's a good question, right? I mean, yeah, this might be something you want to turn off there as well. The operating system does spell checking in most operating systems.
Leo Laporte / Steve Gibson (01:43:38):
So you probably don't need the browser to do it. True. Although it makes sense that Chrome would be bringing along their own, just because they're Chrome and they want it cross-platform and the same for everything and so forth. So anyway, for what it's worth, I've got the links at the very end of the show notes for today. There's something called otto-js Shop Secure, which they say, they call, free browser protection for shoppers. I don't know why it's not for everybody. And then also otto-js developer tools, which they said is free runtime script testing tools, which might be of use or interest to our more techie users. So I've not looked at either of those, but this just popped up on my radar, that personally identifiable information was by default going to Google and Microsoft. May not be something you care about, may not be something you're exposed to if you never turned on enhanced spell check, but I'm sure there's a bunch of listeners who are saying, ooh, crap.
Leo Laporte / Steve Gibson (01:44:44):
I didn't know my... I'm, as far as I can tell, Firefox brings a dictionary with it. So this is a very Googly thing to do. Oh no, no, no. We're not gonna have a dictionary to do spell check. We're gonna send it back to the server and let them do it. I think Firefox just... is not a problem, because they use their on-disk dictionary. So they wouldn't be sending it back to the home office, so long as, so long as they don't reach out and check, if something's not in the dictionary, make a query to see. I think Google sees that as a feature. That's like when you do a Google search and you mistype it. This is actually <laugh> a way I know some people check their spelling: they type it in the Google search field to get the right spelling. I do it all the time.
Leo Laporte / Steve Gibson (01:45:27):
As a matter of fact, yeah. So that's kind of a feature of Google's. Turns out not to be such a good one, at least not when it's in your browser and not when you don't know it's there. Yeah, yeah. Now all of our listeners know. Good job, Steve. Once again, this is why you listen to this show, right? Valuable, valuable stuff. You can get this show in a couple of ways. You can always watch us do it live if you're in a hurry. <laugh> I gotta know what happened today. We do the show every Tuesday, right after MacBreak Weekly, 1:30 to 2:00 PM Pacific. That's 4:30 Eastern time, 20:30 UTC. The live stream is at live.twit.tv, so you can just go there. There's live audio or video, and listen along. And if you're doing that, chat with us, irc.twit.tv. Actually, I'd appreciate it if you did, because people in there, they're not talking about Security
Leo Laporte / Steve Gibson (01:46:22):
Now. I think we have a lot of people who are sometimes a little over their heads, so <laugh> go on in there and raise the IQ a little bit. We'd appreciate it. Sometimes when my wife and I are out walking, some neighbors will say, so you do a podcast, should I listen to that? No, no, no, it's for a very special person. It's for you. <laugh> The Discord is also a very good place to chat if you're already a Club TWiT member. After the fact, on-demand versions of the show are always available. Merely go to the website, grc.com, that's Steve's site. You can pick up a copy there. He has some unique formats. He has the 64 kilobit audio, same as we have at twit.tv/sn, but he also has 16 kilobit audio for the bandwidth-impaired. He also has transcripts, written by Elaine Farris. So that's really nice if you like to read along while you listen, or you wanna search, and every show has a transcript.
Leo Laporte / Steve Gibson (01:47:20):
So you could search those transcripts and find whatever you're looking for. That's very nice. At grc.com, while you're there, support Steve. Pick up a copy of his bread and butter, SpinRite, the world's best mass storage maintenance and recovery utility. Currently 6.0; 6.1's coming, and you'll be getting it for free if you buy it today. You can also leave feedback there at grc.com/feedback. And there's lots of other free stuff. It's well worth checking out, including ShieldsUP!, which of course is the first thing everybody should do when they get a new router: test it on ShieldsUP!. We have copies of the video as well as the audio at our website, twit.tv/sn. There's a dedicated YouTube channel for Security Now. That's a good way to share clips with people. Just go to TWiT, I'm sorry, youtube.com/securitynow, and you can just make a little clip and share it that way.
Leo Laporte / Steve Gibson (01:48:11):
That's a great way to do that. Of course, if you have a podcast player, you could subscribe. We've been around for 18 years. If it doesn't have Security Now in its directory, I don't know what they're doing, what they're playing at. Just subscribe that way. You'll get it the minute it's available of a Tuesday evening. If you are watching or listening after the fact and you still wanna interact, we also have TWiT forums at twit.community. Those are open to all. And a Mastodon instance, which is like Twitter, only better, it's federated. And that's at twit.social, again, open to all. So please join both of them. Love to have you in both places. Steve, I think we've done everything we possibly can do to save the world for this week. We'll be back next week with some more. <laugh> Thank you, Steve. We'll see you next time on Security Now. Bye bye.
Mikah Sargent (01:49:08):
If you are looking for a midweek update on the week's tech news, I gotta tell you, you gotta check out Tech News Weekly. See, it's all kind of built in there with the title. You get to learn about the news in tech that matters. Every Thursday, Jason Howell and I talk to the people making and breaking the tech news, get their insights and their interesting stories. It's a great show to check out: twit.tv/tnw