Security Now Episode 895 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte / Steve Gibson (00:00:00):
It's time for security. Now, Steve Gibson is here. We have an update on that. Microsoft Windows driver block list flaw, I guess you'd call it. Three years. They haven't updated it. Finally they have. And how you can do it manually anytime you want. SQL light. S SQL I t e has a big security flaw. It's everywhere. We gotta fix this one. And then some thoughts after 20 years in Britain's GC hq, what we've learned about security. It's all coming up next on Security Now. Podcasts you love from people you trust. This is TWiT.

This is Security now with Steve Gibson. Episode 895 Recorded Tuesday, November 1st, 2022. After 20 years in GCHQ. Security now is brought to you by NordLayer. Nordlayer is a secure network access solution for your business. Join over 6,000 plus fully protected organizations at and get your first month free when purchasing an annual subscription. And by Kolide, Kolide is endpoint security that uses the most powerful untapped resource in IT end users. Visit to learn more and activate a free 14 day trial today. No credit card required and by ITProTV. If you're looking to break into the world of it, or if your IT team needs to level up, get the introduction you need with ITProTV. Check out an ITProTV business plan by visiting Today it's time for security. Now the show. We cover your safety at home and abroad, mostly on the internet, generally with computers.

Mr. Steve Gibson is the king of security. Hi, Steve. Yo Leo. Good to see you. Great to be with you for the first day of November. No, can you believe it? November, 2022. Amazing. Wow. We're gonna have a little rain tonight. I heard you are in the rain. Yeah, Now it's actually cleared up and we sent it down south just for you. Thank you. Wow. We could use all the moisture we can get down here. Yeah, no kidding. Oh, thank you very much. Yeah. okay. So there was an interesting array of news, but nothing really grabbed me until I was catching up on my Twitter feed. And somebody, probably one of our listeners over in the uk posted a link to sort of a, a memoir of a, actually it was like the, the goodbye posting for, or posted by the guy who's been running the UK's cybersecurity Oh, for the last decade and has been at G C H Q for the last two decades, for 20 years.

And so he had a lot of interesting things to say. I, it won't shock anybody because if you have been listening to this podcast, interestingly enough, these are pretty much the themes that keep echoing through, you know, the microphone here, but still interesting to get a perspective from somebody completely outside of this podcast. So this this episode 8 95 is titled after 20 years in G C H Q. And I went back and forth about whether it should be at Gch H q or in Gch H q. But I just thought, well, okay, we'll go within but we're gonna revisit first the Windows driver block list, which has received its long needed after three years update. Oh, man. I know. And, and actually some weird official policy statement about this. Like what? Anyway also Microsoft has developed their own definition of a cve, which seems determined not to have as many just by changing the definition.

Of course. Why not? Why not? We also <laugh>, we'll note that sometime today, actually it did already happen. The Open SSL project will be releasing an update for what was originally believed to be an ultra critical flaw in open SSL version three, not the earlier versions, but now they've sort of, I guess, mitigated the criticality due to the fact that it's not so easy to have it happen. Anyway, so we're gonna, we're we're gonna mention that. Also we're gonna look at a remote code execution flaw in Windows T C P I P stack. We've got a ubiquitous problem in the past 22 years of the widely used sequel light library. And a surprising percentage of malicious proofs of concepts found in GitHub pass keys is to get another supporter. And the first part of a professional tutorial explaining, Get this how to exploit the Chrome browser has been released.

Finally, a tutorial it's <laugh> always needs that. That's, that's good. That's what we need. But the best news is it's not on YouTube. I thought, Oh my God, I might have to watch another YouTube video. No, this is just, you could scroll. Thank goodness. We must be old timers. Cause I have the same exact reactions, like, Please. Yeah. Every time I'm looking for something, it's, Oh, you can find out about this by watching this YouTube. Hey guys, it's like, no smash smell button. Just tell me. You just please just print it. It's an interesting incentive at play. I just found out about, because YouTube won't put an ad in unless you're a certain length. So they always have to get to a certain point. Oh. and that's why they pad these things. You get the, you know, the words. Yeah. In, in other words, it's not, it doesn't generate money for the person posting it until it's long enough to have you two precise insert.

So then they pad it. So, and for some reason they decided, I guess, well, we won't maybe cuz we wanna keep people watching. We won't give you anything we're gonna talk about until about 10 minutes in <laugh> all this prologue. It's like, please, I don't yeah. Anyway. Anyway, World, The good news is this tutorial is written and you can scroll. Oh okay. Then after a bunch of listener feedback and a quick spin write update, we're gonna look at the goodbye posting of the UK's head of cyber security after his 20 years. Interesting. I think a neat podcast for our listeners. And of course we've got the picture of the week, which is kind fun because you wonder why they put a high security gate on this entrance or exit or whatever the hell it is. I, I really, the the best part of this is the subtitle.

So I'll Yes, I'll leave that. I'll leave that for a you in just a little bit. But first a word from our sponsor, NordLayer NordLayer safeguards your company's network and data. Well, that, that doesn't tell you much, but that's a start. With a surge of ransomware attacks and employees choosing to work remotely, business networks have become much more vulnerable than ever. So how does NordLayer protect you? It's secures and protects remote workforces and protects business data. It could even help you ensure security compliance. It's easy to start nor layer just takes 10 minutes to onboard your entire business or create a, a completely secure network 10 minutes away from a completely secure network. You can easily add new members, create teams and private gateways. Even do things like IP allow listing site to site connection, network segmentation, setting up secure network access.

You wanna get one month free? Take a look. You might want to go to nor N o r d l a y e Nor layer is also easy to combine as it's completely hardware free. It's compatible with all major operating systems. So you can implement security features across all teams no matter what they're using. You can add things like two-factor authentications, single sign-on biometrics, threat blocks, smart remote access, NordLayer, easy to scale, choose a plan that fits your business requirements today, grows with you tomorrow. You could choose your rate of growth. You'll even have everything centrally in one place. You could check the server usage, monitor connections to your gateways, view the activity, log the console, and this is great. One Lord Layer user agreed. He said we were looking for an easy way to securely connect our remote workforce to our infrastructure.

And this is it. Awesomely quick, friendly, and efficient support got us up and running in no time. Another said simple to install and operate no funny business and so fast, our teams don't even notice they're using it. Look, I know we talk a lot about, and most modern businesses are probably already adopting things like Sassy and zero trust and hybrid work security. Well, you get all of that and more with nor later. Bottom line, don't leave your business vulnerable. Try nor layer today, join more than 6,000 plus fully protected organizations nor Layer. If you wanna secure your business network, go to nor Get that first month free when you purchase an annual subscription, nor, give it a try. N o r d l a y e r nor We welcome him to Security Now and the Security Now podcast. Yeah, Cool.

Now the picture of the week. Okay, so we, we, there's a, a staircase sort of like, I don't know, like the back of a building or something coming down where clearly the intent was to prevent people who weren't somehow authorized to gain access to the staircase from the outside. I don't know if there's like a panic bar that you could push to release in order to get out, but you certainly can't get in. And this, it's, so the staircase has this protection gate, which is closed very tall. So it would be very difficult for you to, like, you'd have to have two people like to give you a, a leg up in order to like get to the, just like, to scale this and get over it. So, okay. Now the, the problem is that if you just go around the corner from this gate, there's the stairs just climb right over the railing <laugh>.

And there there is, there is a low railing, less than half the height of the big gate, which you know, would be difficult to scale. And the railing has been conveniently created to sort of have like a ladder. So you could even, you could even use it to help you climb over it. Yeah. And get you to the stair. Oh, we don't wanna lock you out. So right now, what was fun about this that you commented on was that I love it. Somebody who, who prepared this picture, they in a big green rectangle circled the gate, which you know, is what you're supposed to focus on and labeled it in scope. And then, cuz this picture shows both sides of this problem, there's a red box that circles this, like the simple means of bypassing the gate, which is labeled out of scope, not our problem.

<Laugh>. Yes. And so then I gave this, I gave this picture the week, the title quote out of scope equals somebody else's problem. <Laugh> meaning yep. Yeah. It's you know we didn't quite achieve our goal here, but you know, this is the, the fact that you can bypass this gate <laugh>. Well, that's not my problem. Not our problem. Not my That's right. We, you said you wanted a gate there, boss. So we gave you a gate. Okay. So recall our coverage last week of ours, Technica reporting, which was titled, quote, How a Microsoft Blunder opened millions of PCs to potent malware attacks. And that indeed some follow up digging revealed that many malware strains had been found to be actively leveraging known vulnerable drivers in what is now called the B Y O V D, the bring your own vulnerable driver attack.

 And also recall that Microsoft's minions, even those in elevated positions of authority, were openly rude and hostile to the researchers who are just trying to help, you know, to prompt them and to understand what was going on. And Microsoft said, Eh, that's this is the way we want it. Well, okay, this may be where shining a bright public light can help since Microsoft has gotten off their butts. And finally, after three years of neglect fixed this arguably important issue. Last Thursday, ZDNet carried the news with their headline, Next Windows 10 slash 11 Patch Tuesday. Okay, that means a week from tomorrow. I mean, no, we, sorry, a week from today. Next week n next Tuesday will be Patch Tuesday for November. They said, Next window. Next Windows 10 11 Patch Tuesday fixes Microsoft's botched Vulner vulnerable driver block list. And the subhead was, Microsoft addresses an issue preventing Windows tens vulnerable driver block list from being updated with new vulnerable drivers.

Okay, so here's how Zd net summarizes the situation. They said Microsoft has released a new non-security preview. HA has released, you know, how like they do the non-security previews, the, the, the month before. So Microsoft has released a new non-security preview of November's Patch Tuesday update for Windows 10 and Windows 1122 H two. It brings improvements to the task bar, Microsoft account and task manager, as well as a fix for a serious Microsoft blunder that left a hole in the Windows 10 vulnerable driver block list. The preview is a non-security update that's available for Windows 10 and Windows 1122 H two. It contains all the changes in the upcoming November patch Tuesday except security patches. However, this preview also includes Microsoft's answer to a previous serious, to a serious security related error that the company made with its Windows kernel vulnerable driver block list. An optional security hardening capability introduced to Windows 10, version 1809.

So like the old one that's on by default in Windows 1122 H two, Microsoft has explained that the failed updates to the block list were due to it. And this weird language to it only updating for full Windows OS releases. They said, although it's not clear if this means previously installed Windows versus fresh installs or just that older versions of Windows were stuck on a block list that couldn't be updated. You know what? Like what does it mean? Full Windows OS releases in a support page detailing quote the vulnerable driver block list after the October, 2022 preview release. Microsoft states this October, 2022 preview release addresses an issue that only updates the block list for full Windows OS releases. Okay, So does that mean they're changing that or not? We don't know. They said when you install this release, the block list on older OS versions will be the same as the block list on Windows 11, version 21 H two and later.

Okay, so a catch up. Microsoft had told ours, Technica writes a ZD net that it was in fact regularly updating the vulnerable driver list, but that there was a quote, a gap in synchronization across OS versions. Again, with, it's no longer possible apparently to get Microsoft to actually tell anyone who what's going on. You just have to poke it and then experiment and figure it out for yourself. So they, they said on, they said, So the October, 2022 preview release is the promised fix, which should be released broadly in the November, 2022 patch Tuesday again next week through Windows update, Microsoft's release notes for the October Windows 1122 H two preview update states. It updates the Windows kernel vulnerable driver block list. That is the, that is in the, and that, we'll, I'll explain what this means in a second, but they said in the driver SI policy dot P seven B file this and I, well again, I'll explain that this update also ensures that the block list is the SH same across Windows 10 and Windows 11 for more information C knowledge base 5 0 2 7 7 9.

So Microsoft has a page where they talk about recommended driver block rules, which provides a bit more clarity. They say on that page and I have a link of the show notes. They say the, now this is what's weird. Okay, the block list, this is official Actually it's learn They said the block list is updated with each new major release of Windows, typically one to two times per year. But now I guess only one times a year cuz we're not doing two times a year Windows, major Windows updates. Okay. Including most recently with the Windows 11 20 22 update released in September, 2022. The most current block list is now also available for Windows 10 20 H two and Windows 1121 H two users as an optional update from Windows update. Microsoft will occasionally publish future updates through regular Windows servicing. But apparently like only with each new major release of Windows, which nobody understands, then they continue saying, customers who always want the most up to date driver block list, Well who would want that?

 They said can also use Windows Defender application control W D A C to apply the latest recommended driver block list contained in this article. For your convenience, we provided a download of the most up to date vulnerable driver block list along with instructions to apply it to your computer at the end of this article. Otherwise you can use the XML provided below to create your own custom W DAC policies. Okay, so <laugh>, they're saying here that the block list is updated with each new major release of Windows, typically one to two times per year. So it's curious that for some reason the exploitation of known malicious Windows kernel drivers will apparently be allowed deliberately and by policy for as long as one year or during the length of time of the gap between major Windows releases. And this is current policy given that B Y O V D now has its own abbreviation and that the exploitation of such drivers has unfortunately become popular.

It sure w would seem that some policy rethinking of this, you know, this, we are only gonna update this list with new major releases of Windows should be reconsidered. That page also said, customers who always want the most UpToDate driver block block list can also use Windows Defender application control to apply the latest recommended driver block list contain this article. So I have those instructions and a link to that page in the show notes, but anyone wishing not to wait can easily update their systems driver block list. So to give you a sense for this, it's download the WAC policy refresh tool and that's easy to find. It's at policy download and extract the vulnerable driver block list binaries. Now that's easy to find too. That's at driver block list. Then they said, and that actually gives you a zip with four files.

They said select either the audit only version or the enforced version and rename the file to s i policy dot P seven B. Copy SI policy dot P seven B two and then the, your Windows directory back slash system 32 back slash code integrity. Then they finally said, run the WAC policy refresh tool. You download it in step one above to activate and refresh all WAC policies on your computer. So, okay, not difficult to do for some reason they don't wanna do that for us except every major Windows release or so, So anyway, is there some way to protect that file, like make it be <laugh>, like presumably access to it or something like that'd be kind of just sitting there as a plain text file or something that seems presum now. So yeah, presumably that w d policy refresh tool Yeah. Is not something that that malware can use.

That seems to be the thing you need to take this. All those four zip files, there are 95 K byte files all dated October 19th. So, you know, middle of last month. And you get to choose between audit or reor enforce in either the server or the workstation flavor. So there's four different ones and hopefully as you suggest, Microsoft has prevented and, you know, bad things from happening to this, to these policies or turning them off. But it's just strange to me that like, they, like why isn't, why aren't known bad drivers known malicious drivers as important to fix every month as other, Is that like everything else? I don't get it. Oh, by the way when you apply these new policies, you must reboot because they note on their page that just having the policies doesn't prevent things that are already running.

Like, they're not gonna get kicked out of Windows. It's only when they're trying to get themselves loaded that the policy looks at it and goes, ah, not so fast and denies it access. So, and it turns out I can't even turn it on on my Windows 10 system cuz I've got a couple drivers that are not sanctioned and, and oh, now I know why they didn't do this. Not all drivers are sanctioned. Yes. And they knew it would cause tech support calls. Yes, there you go. It's like, Hey, why can't I use this? I wanna turn this on. Are they weirdo drivers that you have? I mean, what is Yeah, they are a couple weirdo drivers. So yeah, there, there's one that I actually hacked myself and signed in order to <laugh> <laugh> what could possibly go wrong. <Laugh>.

It was something, it was something that Lori needed for one of her for in order to distribute software and it wasn't working, so I hacked it and fixed it. That's nice to have a handy husband around the house. I was, and then Windows wouldn't run and it wouldn't load anymore. So I got, I got it signed <laugh>, and then, and then when it popped up in the list last night, I thought, Oh, oh yeah, that's, that could be a problem. Yeah, maybe you don't want this block list <laugh> anyway for everybody else it's when you try to turn this on, Windows will say what about this? And there were, I think there were three things that were a little sketchy that I had on my computer. So, yeah, Okay. But folks, he knows what he's doing. Don't try this at all.

<Laugh>. No. And it turns out it's kind of tricky to get Microsoft to sign a driver. You've gotta, you know, tell them I'm, I'm a good guy. And they said we don't know. We heard your podcast. Oh. so last Tuesday, the Singapore based security firms Star Labs disclosed a verified and patched vulnerability in Microsoft's SharePoint server 2019, which is current. It was an exploitable post authentication server side request forgery, which is not good. Now what's bizarre is that while this was clearly a flaw that needed fixing and fix it, they did, Microsoft refused to assign a CVE identifier for Star Lab's finding and their work. Now, this didn't escape the notice of some well known security insiders who took note and tweeted Kevin Beaumont, who we often quote who tweets as Gossi the dog. He quoted the write up where they noted, they said they meaning Star Labs said the bug had been fixed, but it did not meet the criterion required to get a CVE to. And then he put like a, a weird emoji after that. He's like, What? And so will doorman often also often quoted on the podcast he said, replying to Kevin's tweet, he said, A Microsoft CVE in quotes is a quote, security update with associated SRC writeup. And he said, using this definition as opposed to have the rest of the world uses cve, <laugh> is what allows them to say this isn't worth a CVE and mean it.

Wow. So now, just as we have Microsoft's own definition of zero day, now, we have disappearing CVEs courtesy of ignoring the industry's established vulnerability monitoring system by simply not registering discovered problems which require repair and updating. It's not a bug if we don't call it one and recall that we saw something like this before where Microsoft was claiming that if no user action was required, then no security event was warranted. We'll just all pretend it never happened since we'd rather project that image to the world. And on the subject of important things not being s swept, swept under the rug, we have, as I noted, what was believed to be an upcoming open SSL critical vulnerability update. Okay, so this was interesting because in order to facilitate the race, which would be between releasing a patch to an important open source system, and those who would invariably attempt to take advantage of the patch window before all systems were updated and patched exactly one week ago today, the Open SSL project gave the industry one week of advanced notice of a forthcoming what they called then highly critical patch to open SSL 3.0.

The patch release is today November 1st commenting on this back then, Andrew Ayer said he tweeted, This will be Open SSLs first critical vulnerability since 2016. Examples of critical vulnerabilities include, quote, significant disclosure of the contents of server memory, potentially revealing user details. Open SSL 3.0 0.7 update to fix Critical CVE out next Tuesday does not affect versions before 3.0. Okay, so the vulnerabilities, and we know what their, their number, their cve 20 22, 37, 86 and 36 0 2, they affect version 3.0 point X and do not impact open SSL 1.1 0.1 or Libre ssl. That was all that was known as of actually earlier this morning when I checked. Now we know that the patch is out. We know that it is less than critical. It's now considered high apparently because of some mitigations to how difficult it is to fix. I expect we'll be talking about it next week.

Everything should be known. The source code diffs will be made. We'll figure out what they changed. It'll be reverse engineered. Maybe it'll be the case. Hopefully that bad guys won't be able to get much leverage from it. We'll know more next week. And Leo, let's find out more about our sponsors. <Laugh>, good time to do it, of course. And then I'll, we'll talk about this ip, this or this remote code execution in the ip, the TCP ip stack in Windows. Oh man, it's just a never ending litany of problems and issues and security flaws. That's why almost all your advertisers are <laugh> sell security products. <Laugh>, what does, what does Surprise Kolide sponsoring this portion of security. Now it's an end point security solution that I think has it right. They use the most powerful untapped resource in IT end users. Oh, I know.

If you're an IT professional, you're going, Oh, not my end users. Well, wait a minute, wait a minute. Slow down. When you're trying to achieve security goals, whether for a third party auditor, you know, your own compliance standards, the conventional wisdom, the MDM wisdom is lock it all down, right? Put glue in the USB ports, lock everything you can down. Here's the problem. Old school device management tools like MDMs force disruptive agents onto employees devices that slow performance sometimes treat privacy as an afterthought, right? And when you're doing that, you are now suddenly turning your, its into admins and end users into enemies. And it creates its own security problems because what is, what does the user end up doing? Now? This is too complicated, it's too slow. I'm gonna use my own stuff. And now your troubles, prob troubles really begin to multiply, don't they?

They turn to shadow it just to do their job. Kolide is completely different. It's brilliant. I love this idea. Instead of forcing changes on users, Kolide sends them security recommendations via Slack. Kolide will automatically notify your team when their devices are insecure. But it doesn't stop there. It then explains, you know, why it's insecure, why it shouldn't, you shouldn't, you know, leave your private key in public in your download folder, that kind of thing. And it'll send them that information step-by-step instructions on how to solve the problem. And you know what? Suddenly it's the IKEA effect when users are doing it for themselves, instead of something being imposed on them, they own it and they now they're attached to it and they are suddenly attached to your success. Keeping the business secure as an IT administrator, You'll love it because Kalia gives you a single dashboard that lets you monitor the security of your entire fleet, whether they're running on Mac or Windows or Linux.

Yes, totally cross platform. You'll see the glance switch employees, you know, have their discs encrypted or their os up to date or are using a password manager. You are using a password manager, right? Making it easy to prove compliance to your auditor's customers and leadership. And when you're reaching out to employees with a friendly automated Slack dm, educating them about security, about company policies, you're building a culture in which everybody contributes to security because everybody understands how and why to do it. And doesn't that sound like Nirvana? And it is totally, totally possible with Kolide user centered, cross platform end point security for teams that Slack. You can meet your compliance goals by putting users first. Honest, just have to trust me on this one. It really works. Visit now to find out how. If you follow that link, they'll hook you up with a goodie bag, including a t-shirt just for activating a free trial.

K o l i d e. This is my favorite. I have a couple. This is the, you know, it says Kolide on the back, but on the front it's just got a bunch of pinocchios with longer and longer noses except for one, right next to the words honest security, right? I also have a Kolide sticker on my laptop. I got a Kolide coaster from a bear <laugh>. Go to now. Get your goody bag and activate that free trial. It's a little scary, I know at first, but if you think about it, this is the right way to do it. And, and when you have a whole army of users protecting your security, you feel much better. K oh, you're not all alone. K o l id Now we thank Kaly so much for supporting security. Now you support us. Of course, when you go there, get your goody bag and you use that url so they know you saw it here.

Coal now, now on with the show. And Mr. Steven Gibson, speaking of putting glue in the USB courts. Yes. Yes. A a little tidbit that crossed while I was putting the podcast together, but I didn't lock it down into the show notes, was that someone plugged his USB rechargeable vape stick <laugh> into, into his Mac. Yeah. And up popped a screen asking that the this thing wanted permission to access his computer. OMG <laugh> what the, what? So we've talked about the USB condom, which you know, this, these vapes stick users should be using because this was this is not something <laugh> not something that you wanna have happen, obviously. Yeah. Okay. So speaking of network vulnerabilities, last week there was a worry about the possible impact of A T C P I P remote code execution vulnerability in windows.

That's an eye opener since the assumption is that it's a problem in the core kernel code where the T C P I P stack lives. And the worry was heightened by the fact that a proof of concept exploit was published to GitHub by researchers at Newman's Cyber Labs, who had reverse engineered the vulnerability through patch analysis. Again, my well windows patched it, and you can look at the difference between what was there before and what's there now and figure out what's going on. But the fact that there were patches to analyzed, as I said, meant to the problem had already been patched as indeed it hadn't been nearly two years previous. And this was in September's Patch Tuesday. Now, after reading through their research, it became clear that the conditions required for this vulnerability to be abused in the field were unlikely to occur. So it was mostly a theoretical vulnerability.

I I was shaking my head when I saw that the trouble was caused by fragmented packet reassembly in I P V six s IP SEC handling. How many times? Now, this would only apply to listeners of the podcast forever, but how many times in the years of this podcast when we were discussing the low level technologies of the IP protocols back in the early days, did we encounter exploitable bugs resulting from the attempt to reassemble fragmented IP packets? It turns out it's just difficult to do that. That and I think in my own, in the stack that I wrote for shields up, I think I just ignore fragmented packets when they packets when they come and fragmented, because it should actually never happen in any longer. It's, you know, it's legacy need anyway it was a constant theme for us in the old days.

So in any event, nothing widespread will amount from this. It's too specific, rare, and it's been patched for two months. But this will be one of the growing number of vulnerabilities that, you know, that major long term nation state players will add into their known exploits database for possible selective deployment when they encounter a still unpatched system, which qualifies for this very specific vector of attack. Though I have no firsthand knowledge of, or any evidence of this being done, there's just no chance that such databases do not exist in the world today. If someone were to put me in charge of the United States like process for this or, you know, similar people in China or Russia, you know, in charge of their cyber war fair effort, given what we know, you know, given that we know that vulnerabilities never really die creating such a database would be the first thing you would do.

Because when someone says to you, We need to get into this person's system, this specific system, you, you inventory that system, you look at what you can determine about that system, and then you query your database of known exploits that specifically target that system, and then you start going down the list in, in order to find your way in. That's just the way it's gonna be done, probably is being done right now. Okay, and speaking of proofs of concepts published on GitHub, I wanted to warn any of our listeners who might enjoy grabbing and trying such proof of concepts for themselves that a just published study of GitHub's hosted proof of concepts found that a surprisingly high percentage of all of them were deliberately malicious. Three academic researchers at the Laden Institute of Advanced Computer Science at the Laden University in the Netherlands published their research titled A Study of Malicious cve, Proof of Concept Exploits in GitHub.

The abstract of their paper explains, they, they said proof of concept exploits for known vulnerabilities are widely shared in the security community. They help security analysts to learn from each other, and they facilitate security assessments at red tubing tasks. Of course, we also know that they make it easier for bad guys to turn those proofs of concepts into actually aggressive malicious code, and that's a problem in recent years. They said POCs have been widely distributed, for example, via dedicated websites and platforms also via public code repositories like GitHub. However, public code repositories do not provide any guarantees that any given POC comes from a trustworthy source or even that it's simp that it simply does exactly what it's supposed to do. In this work, we investigate POC shared on GitHub for known vulnerabilities discovered from 2017 through 2021. We discovered that not all POCs are trustworthy.

Some proof of concepts are fake. In other words, they do not actually offer POC functionality or even malicious. For example, they attempt to x filtrate data from the system. They're big run-on, or they try to install malware on the system. To address this, we have proposed an approach to detect if a POC is malicious. Our approach relies on detecting the symptoms we've observed in the collected data set. For example, calls to malicious IP addresses, encoded malicious code or included Trojan binaries. With this approach, we discovered get this forty eight hundred and ninety three malicious repositories out of 47,313. That's 10%. Yes. No, no, that's 1%, but still a large number. No, no, no, you were right first. Oh, 10.3%. Wow, 10.3%. One in more than one in 10 of the studied repositories have symptoms of malicious intent. They said, this figure shows a worrying prevalence of dangerous, malicious proof of concepts among the exploit code distributed on GitHub.

So, you know, we've previously noted here that code repository such as NPM and Papi had become laced with malicious fake libraries. So I wanted to make sure that everyone knew that. Now, sadly, GitHubs published POCs need to be treated with similar caution, you know, as, as has often been said. So we can't have nice things <laugh>. So these are repositories labeled as proof of concept of malicious code. Yes. Proof. Well, no proof of concepts of vulnerability, Vulnerability of, So, yeah. So vulnerability exists. Someone said, here's a proof of concept. It's an example of how of malicious code, how an example. Yeah, an example of how to exploit the vulnerability. So it's not itself vulnerable, for example, it it, you run it and it pops up the calculator diy, Right? So see, see what I did? Yeah, Uhhuh, except you're not supposed to accept. Many of them are malicious in and of themselves, one and 10 <laugh> of, of, I would like to know though, what the, what the, what they call the signs of malicious intent are.

I mean, well, contacting a known malicious ip, right? Or having embedded malicious code, which has been obfuscated and is unrelated to the exploit being demonstrated. Yes. That's the key to me because obviously somebody, it is malicious code, it's a demonstration of malicious code, so it might have to contact that server, for instance. But if it's, if it's unrelated or it's trying to hide something, then maybe well, no, it, okay, so it's not a demonstration of malicious code, it's a de a proof of concept of a vulnerability. It's demonstration of a vulnerability. So it's like, you know, you know th there's this vulnerability in, in sequel, here's some code, right? Right. To show you how, like to benignly. I mean, these are always meant to be like Benignly show how to use the vulnerability, like, like to exploit it. It doesn't actually do anything bad.

It just says, Hi mom. Right? But the idea, see, I was able to do this, right? Yeah, yeah. Yes, exactly. And you should not have been able to do that, right? You know, like, like, oh look, you know, Johnny Drop tables. Whoops. Yeah, yeah. You know, the, the Johnny Table's gone now, so that's not good. So anyway, so, so the point is just, you know, proceed with caution. Don't assume that a white hat hacker posted a proof of concept for something you are all hot and bothered about finding out how to do yourself. Treat it with care because more than one in 10 do not have your best interests at heart. They're taking advantage of the, what was the presumed sort of trust among developers. Yeah. Okay. And winning without contest, the title for the best named Vulnerability writeup of the year, we have a potentially serious sequel light Exploited Flaw named Stranger Strings.

Great name the concept or, or the, the rather, the concern of this behind this is significant because this flaw was first introduced into sequel light version 1.0 0.12, which was released on October 17th of the year, 2000, more than 22 years ago. And it was only just recently fixed in release 3.3 9.2, which was released this summer on July 21st, 2022. In other words, this flaw has been present in SQL Light for 22 years. And the biggest problem, if you, you might be thinking, oh, you know, sequel light, I don't use that, huh? The biggest problem is SQL Light is by far the most popular embedded database, which is used quite literally everywhere. Oh yeah, absolutely. Yeah. To get a quick sanity check just now, as I was putting the show notes together, I opened a command prompt, switched to the route directory of my primary system drive, and I entered the Command D space star, you know, asterisk sq, l i t e, space forward slash s s, meaning check all sub directories.

And the text console exploded with hits and scrolled off into oblivion. One thing I immediately noticed was that if you have anything from Mozilla, you've got lots of sequel light. Mozilla loves their sequel light for Firefox and Thunderbird in my cases. Okay, since this was too much information, I tightened the search to just the sequel light dll. So I did a dirt command, first of all, I cleared the screen because I wanted to get my, my console back. I mean, it was just literally, it was like the thumb just scrolled off to the nowhere. So clear the screen dspace asterisk sq, L i t e dot DLL space slash s, and the result was far more useful and much more chilling. The apps I have installed on my system, which embed the sequel light database engine, some of which I use frequently, but many others, which I haven't used after first installing them are Nova PDF nine, zend, Studio, Acrobat nine, Amazon's Kindle Reader Auto IT Net Beans, Pearls, CPA N Library, Python, Microsoft Edge, Thunderbird, Firefox, Free CAD colliere, two Stream Catcher Pro Networks.

That little network app I talked about last week, even it Ping plotter and php, and not one of these is an explicit database app. SQL Light is the way the world's apps organize any data that they are being asked to retain, even if it's just user preference settings. So here's what the Stranger Strings guys had to say. Stranger Strings is what they called this there from Trail of Bits. And they said Trail of Bits is publicly disclosing CVE 2022 35,737, which affects applications that use the SQL Light Library api CVE 20 22 35 7 37 was introduced in SQL Light version 1.0 0.12 released on October 17th, 2000 and fixed in release 3.3 9.2 released on July 21st, 2022. In other words, 22 years. And that what that means, every single copy of sequel light that everybody has, unless it's been fixed, and it probably hasn't, is vulnerable to this. They said it's exploitable on 64 Bit Systems and exploitability depends on how the program is compiled.

Arbitrary code execution is confirmed when the library is compiled without Stack Canaries, but unconfirmed when Stack Canaries are present and denial of service is confirmed in all cases. Now, just to remind everybody, a stack, a stack Canary is something which is, which the compiler can be asked to stick on the stack in order to protect from Stack Overrun. The idea is that, that when you perform a return to using the contents of the stack that decide where to go before the program does it, it verifies a cookie on the stack has, has not been overwritten before, assuming that the stack has not been smashed. So it is possible that the sequel light library has been compiled with those cookies on the stack, in which cases the app will crash rather than, than execute malicious code, they said on vulnerable system. But I don't, I have no knowledge of, of whether or not stack cookies are typically compiled in in, into binaries of SQLite.

 If somebody does shoot me a note on vulnerable systems, 35 7 37 is exploitable when large string inputs are passed to the sequel light implementations of the print F functions. And when the format string contains the percent Q uppercase, Q percent, lowercase Q, or percent W format substitution types, and we've not too long ago, we're talking about print F problems. Anyway, this is enough to cause the program to crash. We also show that if the format string contains the exclamation special character to enable Unicode character scanning, then it is possible to achieve arbitrary code execution in the worst case, or to cause the program to hang and loop nearly indefinitely. They said SQL light is used in nearly everything. <Laugh> echoing my comment from naval warships to smartphones to other programming languages, The open source database engine has a long history of being very secure.

Many CVEs that are initially pinned to SQLite actually don't impact it at all. This blog post describes the vulnerability and our proof of concept exploits, which actually does impact certain versions of SQLite. Although this bug may be difficult to reach and deployed applications, it is a prime example of a vulnerability that's made easier to exploit by what they called divergent representations that result from applying compiler optimizations to undefined behavior. In an upcoming blog post, we'll show how to find instances of the divergent representations bug in bins and source code. They said recent blog, a recent blog post, presented a vulnerability in PHP that seemed like the perfect candidate for a variant analysis. The, the blog's bug manifested when A 30, when, I'm sorry, when a 64 bit unsigned, your string length was implicitly converted into a 64 into a 32 bit signed into your went passed as an argument to a function.

So there was a, a, an implicit type conversion flaw. In fact, we talked about one of those not not long ago. They said, we formulated a variant analysis for this bug case found a few bugs, and while most of them were banal, one in particular stood out a function used for pro properly escaping characters in the P H P PDO SQL Light module, and thus began our Strange journey into SQL light string formatting. Anyway, they go on and on. They're, they're posting, I have a link to it in the show notes, is extensive and, and interesting. They did have a great piece of commentary toward the end about the testing of sequel light and how this high severity flaw happened and remained hidden for 22 years. They said SQL light, and this is actually comforting. SQL Light is extensively tested with 100% branch test coverage, meaning every single branch in the code receives a test.

They said, We discover this vulnerability despite these tests, which raises the question, how did the tests miss it? SQL Light maintains an internal memory limit of one gigabyte. So the vulnerability is not reachable in the SQL Light Program. The program is defined a way by the notion that SQL Light does not support big strings necessary to trigger this vulnerability. However, the C APIs SQL light is 100% written in C and and cross and highly cross platform portable. They said, however, the CS provided by SQLite do not enforce that their inputs adhere to the memory limit and applications are able to call the vulnerable functions directly. The notion that large strings are unsupported by SQLite is not communicated with the api. So application developers cannot know how to enforce input size limits on these functions. When this code was first written, most processors had 32 bit registers and four gigabytes of addressable memory.

So allocating one gigabyte strings as input was impractical. Now that 64 bit processors are quite common, allocating such large strings is feasible and the vulnerable conditions are reachable, where before, historically they weren't, which I think is really interesting. This essentially surfaced because we went to 64 bits and now that conversion from 64 bit lengths to 32 bit lengths, which could never have been a problem before suddenly could be. They said, unfortunately, this vulnerability is an example of one where extensive branch test coverage does not help because no one, they said, because no new code paths are introduced, 100% branch coverage says that every line of code has been executed, but not how many times. This vulnerability is the result of invalid data that causes code to execute billions of times more than it should. The thoroughness of SQLite tests is remarkable. The discovery of this vulnerability should not be taken as a knock on the robustness of these tests.

In fact, we wish more projects put as much emphasis on testing as SQL light does. Nevertheless, this bug is evidence that even the best tested software can have exploitable bugs. So on July 14th of this year, 2022, they reported the, the vulnerability, which they discovered to the Cert Coordination Center. On the 15th, Cert CC reported the vulnerability to SQL Lights maintainers. On the 18th, the SQL Light Maintainers confirmed the vulnerability and fixed it in the source code. And on July 21st, the sequel Light maintainers released sequel light version 3.3 9.2, which included the fix. The problem of course, again, is that many and probably most of the individual applications, which each brought along their own private copy of what is now a theoretically vulnerable sequel light engine, have not subsequently been updated. None of those things that I talked about, most of those have been updated since July.

So what do these guys say about this? How do they appraise the real threat if any that this represents? They wrote not every system or application that uses the sequel light print F functions is vulnerable. For those that are CVE 20 22, 35 7 37 is a critical vulnerability that can allow attackers to crash or control programs. The bug has been particularly interesting to analyze for a few reasons. For one, the inputs required to reach the bug condition are very large, which makes it difficult for traditional fusers to reach. And so techniques like static and manual analysis were required to find it. You wouldn't find it just by throwing crap at the wall and seeing if something crashed for another. They said it's a bug that may not have seemed like an error at the time that it was written dating back to 2000 in the sequel light source code when systems were primarily 32 bit architectures.

So here again, we have a bug that's very much like Log for J. It's buried, unseen inside random applications, many of which will never be updated since everything is working just fine, highly active and maintained. Apps like Firefox, Thunderbird, and Edge have all likely already updated their code, but many others never will. We can hope that no remotely accessible applications would be vulnerable to this, and it seems unlikely that any would be. But like so many other similar problems we've seen, this adds again to the growing list of latent known vulnerabilities, which riddled today's software systems.

 A quick note that PayPal said they're gonna be starting to support Pass keys. Last week they announced their support for Pass as a pa, as a PayPal user, I'm super interested in having this experience. As I would imagine most of our listeners are since coverage of PayPal's announcement appeared to suggest that the support was already there. But PayPal's press release was not specific. They said dated October 24th, 2022 PR News wire today PayPal announced it is adding past keys as a secure login method for PayPal accounts. So I just logged into PayPal through Safari on my iPhone with iOS 16.1, and I was unable to see any option for pass keys anywhere. And I mean, I really dug around. So I'll ask any other PayPal using listener who uses Twitter to shoot me a tweet if and when. They actually see that PayPal's support for Pass Keys has gone live.

A lot of the press coverage of this, that it got a lot of coverage and many of the coverage said that it's there, but if they actually saw it or found it, I was unable to. So, but cool that that would be there. I would love to, you know, have this experience, see how it works on the sign in screen, tap the account name, field type, other options. Pass pass K from nearby device are similar. I don't, I don't know. I'm just, look, this is from Apple, not from PayPal. Oh, oh, oh, oh. I'll, I'll try it while we're you do have to, it looks like on your phone for a new account on the account, sign up screen, enter an account name when you see an option to save a pasky. So something has to pop up. Let's see, on an existing account, which is you sign in with your password, then go to the account management screen where you should see that option.

I'll try it. Okay, I'll try it. Cool. I'll get back to you. Cool. oh, one very cool thing. The last thing I need to share with everyone is potentially quite exciting for the right sort of listener crowd strikes, Jack Halon has just released the first of his three-part extensive tutorial series titled Chrome Browser Exploitation. And as I mentioned, and we had fun with at the top of the show, I was so relieved to see that it was not on YouTube. Jack's tutorial leads its reader through the details of exactly how to poke at Chrome. He tweeted Today I'm finally releasing a new three-part browser exploitation series on Chrome. This was written to help beginners break into the browser exploitation field. Part one covers V8 internals such as objects, properties, and memory optimizations. Enjoy. So I've got a link to it in the show notes.

 It's on j Browser hyphen, I'm sorry, Chrome hyphen browser hyphen exploitation and no hyphen one for part one. So I think many of our listeners might find that interesting. A little one, actually, two pieces of miscellaneous. So many people tweeted to me about the recent passing of Kathleen Booth at the age of a hundred. She was born on July 9th, 1922 at and lived until September 29th, just a couple days ago. Anyway, I wanted to thank everyone for making sure I knew Kathleen was a very early pioneer of stored program, digital computers. She developed and built several machines through the course of her life. And the reason for everyone's tweets is that she's credited with developing an early notation for her machine's instructions, which she referred to as contracted notation. It's considered to be the earliest predecessor of what today we now call assembly language. And of course, everyone knows that my finalists for assembly language, Kathleen remain very active with computers and computation throughout her life. And in 1993, she co-authored a book on neural networks titled Using Neural Nets to identify Marine Mammals with her son, Dr. Ian Booth. So, quite a remarkable woman, and thank you to everyone who wanted to make sure that I knew.

 Okay. Bit of closing the loop. Hume Math tweeted, he said, The wonders of os Provability reminds me of Knuth, which, and Donald was quoted, Beware of bugs in the, in the above code. I have only proved it correct, not tried it, <laugh>, of course. Famously he wrote all of his code as in a pseudo code that doesn't actually run on any, I think it's called Mix. I keep trying to remember the name. Yes. Mix, Mix, Mix was the pseudo machine. Yeah. That, that, that he wrote his code for. Yeah. And anyway, he's got a great sense of humor and he's famous for that. So I think at the above, code <laugh>, I have only proved it correct, not tried it. <Laugh> <laugh>. A someone tweeted to me from the, their, their name as Cal, and he said, at SG G or C, Glad you tried Edge for SN 8 94.

Did you get to try the built in? No extension needed Vertical tabs. They're the best implementation I've ever seen. Also, you could use U Block Origin Light in Firefox and chromium browsers. Now it's compatible with Manifest V3 and Cal to answer your question and everybody else says yes. The first thing I did was turn on vertical tabs in edge. I used it again yesterday and, and actually all morning. So like it a lot David Flint said, listening to s N 8 94 and the discussion on the proposed Australian legislation, Is it possible, Oh, I'm sorry, is a possible benefit of the strict liability for data breach, not a possible reason for the breached entity to pressure Microsoft into taking responsibility for the flaws and their software? Oh, word. So he says, as you yourself have said, it is not impossible to produce perfect software. It just takes time and effort, that seismic changes, That seismic change can only be a benefit.

Well, I certainly agree on that issue, David, at this point, with their size and grip on the world's personal and mostly enterprise desktops, Microsoft is utterly untouchable. Their market of value, their market value, you know, their, their stock evaluation is the only thing that I can imagine swaying them. And really nothing puts them at risk. They're too big to care. The licensing, licensing agreements hold Microsoft harmless for any behavior of their software and systems and none, not one of the things they have chosen not to care about in danger. Their position we're occupying a world where now for the enterprise, which they have, you know, they've clearly indicated is the only thing they care about. There is no practical alternative to Microsoft. So there's nowhere for anyone to go. Alan Wilkins, he said, Can a new form of cryptography solve the Internet's privacy problem?

Okay. And that's an interesting question. And the answer is no, because our current cryptography is not the problem. Today's crypto, when it's done right, is utterly unbreakable. It can and does provide perfect privacy. The problem is that data that's been encrypted will eventually be decrypted. After all, it's only useful after it's been decrypted. And as soon as it's decrypted, privacy problems arise. If the data remains encrypted, no problem. But if you're never gonna decrypt it, you might as well delete it. In which case again, no problem. But also then no data. So the problem is not with the encryption or with the crypto, it's what happens the rest of the time. You got, ma'am, I turned that off, but it's still, why is it talking me? Didn't is that pebbles? I guess I turned it back on the dates from the year, from the days of Compus serve.

Oh wow. Somebody on Comper who Oh, is their kid. I remember that. Yeah, yeah, yeah. Four year old Adam, Jamal Craig, he said There comes a time in every programmer's life where they try to optimize their layer zero IO keyboard workflow. Have you ever tried alternative keyboards? He said, and then he lists kenesis split or other ergonomic keyboards or alt keyboard layouts, devor act Colmack, et cetera. And then my answer is, I never have my first wife's nickname for me. The one I can repeat in public was this creature, creature of habit. Yes. Which was quite appropriate. She knew you Well, I think <laugh> creature of habit. Yes, I have. I appear to be extremely sensitive to any change whatsoever in my keyboards. My perfect world would have a limitless supply of cream colored northgate, omni key 1 0 2, super rigid and clunky keyboards with a high actuation force.

The control key must be to the left of the A key with the function keys to the left of them in two vertical columns where they're easily accessible, not arranged along the top where they're virtually unreachable. You like the old IBM layout with the function keys? Yes. On the left. I don't like it, Leo. It is where they're supposed to be. I haven't seen it's a keyboard with that way in a long time. And that's why you saved those Northgate sitting in I'm sitting in front of it right now. Wow. I forgot about that. Then to the right is the inverted T Yeah. Navigation pad. Yeah. And at the far right is the 10 key numeric pad with a numb lock permanently off <laugh> by some grace of God. I am sitting in front of that keyboard right now, and I have another at my other location.

Both are still working after 35 years. Knock on wood. They're probably pretty clicky too, aren't they? The Oh my God, you can you, I mean, I have to be, I was, while you were talking, I was typing something very psych as like as quietly as I could <laugh>. But you, you can't be. So the beauty of this keyboard, which has been in front of me, think about it for more than half of my life. Wow. Because I'm 67 and I've had it for the mo for the most recent 35 years, is that my brain appears to be directly connected to it. If I stop to think about typing, I stumble. But if I don't think I just do, then text and actions flow unbidden now. Yes. I've tried other keyboards. The closest key switch is this it? Nope. Nope. Cause the function keys are along the top.

Well there's also on the left, you get the best of both sports. That's interesting. This is the omni key ultra, which is a newer, It's although, Oops, there's a problem. The escape key is up there in the top. Oh, that's no good. Supposed to be. No, no. It's supposed to be Can't can't have that. It's supposed to be where the back tick is to the right of the, of the numeric one. Yeah. I dunno. So the closest key switch I found is the cherry mx blue. Yes. It has the highest actuation force with the most clicky snap action. No, I need both. There are keyboards I could switch to if I really had to, but I already have some keyboard repair kits standing by waiting for the day that I'll need to bring one of these beasties that I have back to life. There are people who who rejuvenate these and sell them and this sell 'em at great price.

I might add hundreds of dollars. 700. Yeah. Yes. Yeah, yeah. Did you have these ally? Yes. These are your original, the I bought these from art. What was this Art something? Lein. Northgate computer. Oh, in Northgate computer. Yeah. So yeah, this is a function there. That's is function's gate key. Yeah. You gotta go back to the 1 0 2. Is that a 1 0 2? It says 1 0 2. It's not the one. Oh, but it's a phony 1 0 2. Yeah. Close. Close, but no cigar. See, I use the Tilda and back tick in in Lis and m Max. Well, I do too. I've got one. It's just not in the wrong place. <Laugh>, <laugh>. Of course not. Now you make me want these. I want one of these. Oh, it's, they're so nice, Leo. It just, they're clunky and you, it's got a PS two connector. So then you need a PS two to USB converter to, Yeah, I have a Model m an old IBM model M that uses that.

Yeah, Nice. But no, not as nice as yours though. I want the, I now want function keys on the left. That's where they kids were listening. So what, That's where there's talking Perfect. Remember Word. Perfect. It used the crap out of those. You had control F five and Alt F 10 and you could just do anything with that. Oh, those are the days. So as for optimizing my workflow this is why I, I would, I just did wanna mention this is why I spent the time before I started back on the work on spin, right. Nailing down my development environment. And I am so glad I did. I'm now able to make an edit to Spin Rights Source in Visual Studio in Windows. I hit Alt A, which is for assemble, which builds the entire project by the time I've released the A Key.

Then I turned to the keyboard attached to the utterly quiet Z ZMA board, which is at my right elbow and type G on that keyboard, which is short for go, which executes a dos batch file to load and run spin right under Brett Salters, who unfortunately we lost a couple years ago. Doss Periscope debugger from the directory. It shares over the network with my Windows machine. The whole experience is a joy, and I'm going to keep at it after spin, right? Six one, we're gonna go to seven and 7.1 and 7.2 with an equally, you know, perfect environment. Oh, <laugh>. And speaking of alt keys and so forth, Gordon looks like Hal Veka, he said, surely you must have known, Okay, Gordon, that surely at least wait a minute. Now. You didn't say it right. Surely you must have known that's right.

That at least since Windows three point x control tab will switch between child windows of an app. Surely since, since the invention of browser tabs, this has also worked to switch between tabs in the same vein. Control F four will close a tab or child window. These aren't limited to browsers. Of course, you can switch between Word documents, for instance, and Gordon. Yes. and I use all of those constantly because like, like our wonderful Paul who is a Windows, you know, keyboard shortcut maven you know, I've been, I've been doing that too. My assembly code, as I mentioned, is broken into many files of function. You know, it's by my in many files by function. So in Visual Studio, I'll often be collecting too many open files that I'm no longer working in. So Control F four rep, I used that repeatedly to close them quickly.

But what I was talking about, just to be clear, was alt tab, which in all my previous experience only switches among top level application windows. But here again on Monday here I was working on this. I'm an edge and using alt tab to quickly jump among edges. Most recently viewed tabs. It's great, but it came as a surprise to me. And there's another crucial difference between alt tab and control tab. Alt tab uses an MRU explicitly a a a most recently used list. So that alt tab takes you back to where you most recently were. Whereas controlled tab always moves forward in strict round robin sequence. So MRU is the most useful sequence for me. What's this one? Oh, <laugh>. Ooh, Simon. Tweeting from at talk underscore to Simon, he sent a link to a useful rant by a guy who discovered that PayPal's login dialogue was far too helpful.

It turns out it's true. It's really shocking, Leo. You're not gonna believe this. Okay. that completely separate and completely bypassing any and all other measures that a PayPal user may have set up on their account, including their password and any form of second factor authentication and probably including pass keys. We'll see once it gets there, there's always the option of providing your email address to identify yourself. Then clicking the login with one time code button, which is always there and which will send a six digit code via SMS to the user's phone. We know that SMS is not secure, so there's that. But Maddeningly, there is nothing that any PayPal user can do to prevent this short circuiting of any and all other means of login. I use PayPal. I use PayPal a lot. So I have my account set up with a long and gnarly password that no sane person could possibly enter correctly.

And a T O tp, right? A time-based, one-time password and my Trustee Authenticator app has an entry for PayPal. But all of that is for not if an attacker can arrange to somehow intercept my phone's SMS messaging stream. If so, they can log in with the code they receive and use nothing else. Nothing. The debate with PayPal's customer support has been raging o over this for more than a year. And the only thing PayPal will say over and over is quote, This feature is permanently enabled for the protection of our customers. Well, we know what this is about, right? We've seen this enough on this podcast to understand that PayPal's less sophisticated users must be provided with a backdoor into their accounts. You can't actually have security for something like this, or users will be frustrated when they cannot arrange to access their own money, even when it's entirely of their fault that they cannot.

So as a result, every PayPal user's security is reduced to this lowest common denominator in order to accommodate the few. Wow. So just avoid getting SIM jacked. Yep. Do you think eims this new Apple thing, well, it's not new and Apple doesn't own it, but Apples put it in all their new iPhones will help with that. Or does that make it easier? I don't know. Yeah. cuz you know, certainly there is the problem of physically swapping sims, but the biggest problem is that as we know, our telephone system is still actually not very secure. It's not secure. SS seven is, Yeah, always and always will be cuz they're never gonna fix it a mess. Yeah. Yeah. Okay. a little comment of update on where I am with spin, right? I have an, I had a number of things to fix and finish in spin right since I last spoke of it.

Most none of the new drivers had ever been exercised in the presence of unreadable sectors, which we talked about recently. The my ability to CR deliberately create flaws. Until now, we've all been testing on fully readable drives. Some of the documentation it turned out in the official A H C I controller spec, to which I had blindly written code cuz I had had no choice at that point, was revealed to be more ambiguous than I knew. So that necessitated that I re-engineered the means for determining which sectors failed amid a 32,000 sector read. So I did that. I've tested the crap out of it now. It's now working beautifully. Then with the ability to induce and locate defective sectors, I was able to work through spin right's entire data recovery system. Now that's all done and working as well and tested. Then I turned my attention to the detailed event logging system, which needed re major reworking to bring it into alignment with the various things that can now be reported since spin Right has direct access to the system's mass storage hardware and all that's done too.

Next up is performing the same defective sector relocation or LO location testing for spin right's for other drivers. The new bus mastering DMA driver, it's new IDE hardware driver and then both its basic and extended BIOS drivers and I've already started to work on those. So I reasonably expect to be finished with that by the end of this week. Then the final thing I need to do is revisit spin right's command line options to update them where needed. There are things that, some additional features due to the fact that I have hardware access now, like I can determine drives serial numbers. And so it would be nice to be able to allow the user to specify which drive they want to use through the command nine through the, the command line by specifying the serial number of a drive they know they want to test.

So anyway, that way, even if the drive should move around in the drive listing, as other drives come and go or as the BIOS reorders drives, the user will be always be able to select the drive they intend at that point. Spin right? Six one will be feature complete. So we're close. And it will have been finished with some confidence and I'll consider it to be at alpha stage. So I'll update GRC server to enable our testers to obtain their personally licensed test releases of it and we'll eliminate any problems that I have missed and that have been missed by all of our previous testing. I haven't mentioned it before, but I received news about a month ago that the commercial embedded operating system I've chosen for spin right's future will be leaving the market at the end of the year. <Laugh> <laugh>.

 So you're moving away from Fritos moving away from Fritos and this is something I've been worried about. Yeah. Since I recognized it could happen at any time. I'm not surprised by this actually since this on time. R toss 32 OS is old and mature and there is now so much competition in the embedded processor market. Intel X 86 chips are much more oriented to high end desktop processing and there are a huge number of lower end chips that make much more sense for embedded applications. So I strongly suspect that the licensing revenue for this thing has dried up quite a while ago and the guys finally decided, okay, you know, it's just, it's just not worth keeping this up. Now I'm not put off by the idea of a lack of support since I was planning to purchase the source code for this commercial system anyway.

Oh, oh, okay. So, so that I could fully customize it and extend it in any way that I might need for several more decades that I planned to be working on this. But this end of the year deadline means that I need to make sure that it's what I want and to commit to it before it disappears, which means billing up to the bar and buying a very expensive source code license for this entire commercial os. So while the spin right Testing gang is pounding on the fresh 6.1 alpha release, I'm gonna overlap their testing with my own testing of on Times os to make sure that I like its development environment and that I'm able to dual boot my code both on BIOS and U E F I, which is the whole reason I'm doing this. You know, I'll just create a very simple hello World app to test that.

Since purchasing the source code for this commercial OS will be a significant investment. I need to make sure that before I do it, it's gonna be something that I'm gonna want to use. So at, when that's done, I'll incorporate any suggestions our, our testers have come up with. I'll fix anything that they found that's not working and we'll move, spin right to its pre-release beta stage. And needless to say, it's feeling really great to see this project nearing its long a awaited conclusion. Yes sir. Very exciting. And speaking of a long awaited conclusion. Yes, Leo, there's a long awaited conclusion to this podcast at this point <laugh>. So let's let's hustle it along by doing our last ad as you prepare your story of 20 years inside G C H Q. Yep. But first a word from IT, Pro tv, you've heard us talk about this before.

In fact, I would bet that at least half of our audience already has joined ITProTV. My question is why isn't the other half? Because this is the greatest place to get into the world of it. If you're already in it, to upskill, to get new certs, to re-certify, to get a better job. Itprotv. And if you've got an IT team in your business, you need ITProTV to keep them on their toes. Your IT team needs the skills, the knowledge to ensure your business success, right? This is a benefit you can give them that they will love and use. Most importantly, this is something that they will appreciate. I know this for a couple of reasons. One, about 80%, actually a little more than 80% of all ITProTV users who start a video finish it. That means they're engaged, they don't lose interest, they don't wander off.

Maybe partly cuz the videos are only 20 to 30 minutes, but I also think it has something to do with the fact that they're trainers at it. Pro tv they call 'em edu entertainers are experts in the field. I mean, they know there's stuff you don't, you know, the worst thing is to be learning something from a guy who's never done it, doesn't know it. These are men and women who have worked, are working in the industry even more importantly than that, have a passion for what they're doing. So they communicate to you the excitement, the joy they get out of going to work every day. That's kind of important, right? You want your team to get that right. That's something you want your team to get an excitement about coming to work every day and solving problems, fixing things, getting things working. The IT industry is constantly changing too.

And there's another reason why you'll really appreciate it. Pro tv, they have seven studios. They're running all day every day, Monday through Friday to update and create new content because the tests change, the questions change, the software changes, the hardware changes. This is a fast moving field. So you are only really, I mean this is why, you know, getting a book at a bookstore or library is not going. It's gonna be out of date by the time they print it. And often when you go to a technical school there, instructors haven't been actually working in the field in a long time. This stuff gets outta date instantly. This is what's great about it. Pro tv, you will not find fresher content. And by the way, every, every single IT subject, every cert, 5,800 hours of up to date IT training for Microsoft, Cisco, Linux, Apple Security Cloud, technical skills, compliance, even soft skills.

This is the place to get the training your team needs to serve you and your business. And with the business plan, you get a great dashboard that lets you track your team's results. You can manage their seats, assign an unassigned team members, you'll get monthly usage reports that are graphical, that are visual, which makes it very easy to explain the spend to the higher ups. You know, they like seeing the stuff like that. You'll get metrics like logins, viewing time tracks completed. You can completely manage the users. It doesn't have to be a whole team. It could be a subset, it could be one guy, two guys. You can even say you take this individual course because all the courses have full human written transcripts. You can find the thing that your team or team member needs to learn and say learn. Watch that.

Learn that. Come back to me and report back. It is just a great way to learn that your team will really be grateful for, which means they'll use it. And of course ITProTV, everything I just said goes for individuals too. If you wanna get into it, this is a great place to go. Give your team the IT development platform they need to level up their skills while enjoying the journey. Itpro.Tv/Securitynow go there right now. This is, this is the thing you've been looking for to keep your team up to date or yourself IT now. We thank ITProTV. They've been they've been sponsors of this show since they started. We, you know, we grew together and they're just doing great IT now. And I thank you for using that address so they know you saw it with Steve.

Thank you. Itprotv. All right, Steve, I think it is time to enter G C H Q. So as I said, this week's topic began as a Twitter DM from Jonathan Z. Simon. He said, Steve thought you might appreciate this, the thoughts of the departing technical director of the UK National Cyber Security Center. And as we know, I did appreciate what a 20 year veteran and technical director of the UK's ncsc, that's the National Cyber Security Center and G C H Q, whose name is Ian Levy, had to say about the valuable lessons he's learned. And I know that our listeners will benefit from it too. His posting was long, so I've edited it down for size but I've otherwise changed as little as possible. His initial blog entry his final rather his final blog entry, he titled it Humorously so long and thanks for all the bits of course, in reference to Douglas Adams Hitchhiker's Guide sequel.

 So he said, It's with a heavy heart that I'm announcing that I'm leaving ns ncsc, G C H Q and Crown Service. Being technical director of the NCSC has been the best job in the world and truly in honor. I spent more than two decades in Gch q with the last decade in this role and its prior incarnations I've met and worked with some of the most amazing people, including some of the brightest people on the planet and learned an awful lot. I've got to give a special mention to everyone in NCS C and wider GC H Q because they're awesome. I've also had the pleasure of, of working with vendors, regulators, wider industry, academia, international partners, and a whole bunch of others. I like to think I've done some good in this role and I know I couldn't have accomplished as much without them.

He says, regardless, there's a lot left to do. So I thought I'd leave by sharing 10 things I've learned and one idea for the future. And again, I've whittled those down. We won't go through all of them cuz some of them are just weren't needed. He said as a community, cybersecurity folk are simultaneously incredibly smart and incredibly dumb. This superposition doesn't seem to be unique to our community, though in World War ii, the Boeing B 17 flying fortress was the work ho workhorse bomber of the us as you'd expect. A lot of them were lost during combat, but a lot were lost when they were landing at base. Pilots were blamed. The training was blamed, poor maintenance was blamed. Even the quality of the runways was blamed. None of this was supported by any evidence. After the war, someone actually did some research to try to understand the real problem.

Imagine you've been on a stressful bombing raid for 12 hours without sleep, you're tired, it's dark, it's raining, and you're on final approach to your base. You reach over to throw the switch that engages the landing gear and suddenly with a lurch, your aircraft stalls and smashes into the ground killing everyone. This picture of a B 17 cockpit instrument panel shows what the pilot would see and at this point, he actually shows a picture of the B 17 cockpit instrument panel. There are two switches next to each other. One switch he is labeled land safely. The switch to its immediate right is labeled die horribly <laugh>. He says there's no amount of training in the world that could compensate for this design flaw. There's nothing to stop the most obvious error turning into a catastrophic outcome. The land safely switch, which operates the landing gear and the die horribly switch, which operates the flaps are very close to each other and identical.

Wow. <laugh>. It turns out it was a UI flaw Yeah. In the layout of the panel that was killing all of these people who were landing their B 17 bombers. So he says, blaming users for not being able to operate a terrible design safely. Sound familiar, but this investigation, he said led to something called shape coating, which persists as a design language. Today, most modern aircraft have a lever to operate the landing gear and a little toggle on the end of the lever is wheel shaped. So when you grab it, you know what you've got hold of. Yeah, that's smart. The, the flaps control is generally a big square knob. And guess what? They're not next to each other anymore. The aircraft world has learned from its mistakes in cyber security. We come up with exquisite solutions to incredibly hard problems, manage risks that would make most people's toes curl and get computers to do things nobody thought was possible or in some cases desirable.

But we also continue to place ridiculous demands on users. He says, take a deep breath, not to mention clicking links in emails or password policies. He says implicitly expect arbitrary complex implementations of technology to be perfect and vulnerability free in the long term. And then berate those who build the stuff we use when they fail to properly defend themselves from everything a hostile state can throw at them. I've always found this cognitive dissonance interesting, but I haven't found a way to reliably and easily work out when we're asking for daft things. The nearest I've got is to try to determine where the security burden lies and whether it's reasonable to ask that party to shoulder it. Is it reasonable to ask a 10 person software company to defend themselves from the Russians? No. Is it reasonable to ask a critical infrastructure company to not have their, their, their management systems connected to the internet with a password of secure password?

Bloody right. It is the trick for making cybersecurity scalable in the long term is to get the various security burdens in the right place and incentivizes the entities that need to manage those burdens properly. Sometimes the obvious person to manage a burden won't be the optimal one. So we may wanna shift things around so they scale better. And let's be honest, we do suffer a lot from groupthink in cyber security. So here's my plea. The cyber security community should talk to people who aren't like us and actually listen to them. Stop blaming people who don't have our elites skills when something goes wrong, build stuff that works for most people most of the time rather than the easy or shiny thing. And put ourselves in the shoes of our users and ask if we're really being sensible in our applications and expectations. We haven't got that right yet.

And he says, We're treating the symptoms not the cause. He says, This month marks the 50th five oh 50th anniversary of memory safety vulnerabilities back in October of 1972. A US Air Force study first described a memory safety vulnerability. He says Page 61, Although the whole two volume report is fascinating in the 1960s, L F one published the seminal work titled Smashing the Stack for Fun and Profit, Explaining how to exploit buffer overflows. In the first three months of 2022, there were about 400 memory safety vulnerabilities reported to the national vulnerability database. As Anderson at all say in their report, this is the result of a fundamental flaw in the design of the hardware and software we use today. The exact same fundamental flaw they identified in 19 72, 50 years ago. Nothing has changed. And what is our response to this issue? Basically we tell people to write better code and try harder.

Sometimes we give them coping mechanisms, which we give cool sounding names like static and dynamic analysis or taint tracking. But in the end, we blame the programmer that's treating the symptoms not the underlying cause. And once again, harks back to the B 17 design problem. I think we do that because fixing the real problem is hard. Doing so breaks a bunch of existing stuff. What was I saying last week about the operating system, which could be perfect, but it wouldn't run anything, right? It would break everything, nothing to run doing so costs people money, doing so seems to be daft if you are in the commercial ecosystem, right? As, as I've also recently said, you don't get paid for doing something secure. This is where he says government can step in under the Digital Secure by Design program. We are creating, we're we're finding, I'm sorry, we're funding the creation of a memory safe microprocessor and associated tool chain.

If this works, it won't fix the stuff we already have, but at least it'll be possible to build systems that can't be exploited through memory safety errors without expecting every programmer to be perfect all the time. All of the active cyber defense services where services are really treating the symptoms rather than the underlying causes. And I'm really proud of what we've achieved with the A c D program and with the ACD program and we've used it to force some systemic changes, but even that program is about mitigating harm caused by the problems we see. Rather than fixing the problems, we really need to get to the root causes and solutions to some of these really thorny issues. For example, one problem in my opinion is that it's too easy to set up free hosting for your cyber crime site. There's no friction and no risk to dissuade would be crims hosting companies that aren't incentivized to make it harder because if one of them does it, they'll just lose customers to a competitor, which is commercial insanity.

Should government regulate the provision of hostings? Almost certainly not at least in democratic countries, but there's got to be some way of squaring this circle and the many other apparent paradoxes that have dogged cybersecurity for years. I've just not had the chance to work out how so someone else needs to hint, hint. And he says, under much to learn you have young padawan. He says, There have been a couple of big incidents in the last year or so that have rocked the cybersecurity world. The attack on solar winds now attributed to the Russian state was hailed by some as a heinous unacceptable attack. The vulnerability in the widely deployed log for J component caused mass panic only, some of which was justified and has kicked off a load of knee jerk reactions around understanding software supply chains that aren't necessarily well thought through both of these attacks.

Remind me of Groundhog Day. The log for J problem is equivalent to the problem we had with the heart bleed attack in 2014. Despite being a different sort of vulnerability, the community had a had lighted on a good solution to a problem and refused the hell out of it. I'm sorry, and reused the hell out of it. But we hadn't put the right support in place to make sure that that component open SSL was developed and maintained like the security of the world dependent upon it because it did. The Solar Winds issue was a supply chain attack going after a supplier to get to your real target. It's not the first time we've seen that either. Back in 2002, someone borked the distribution server for the most popular email server program, send mail, and for months, many, many servers on the internet were running compromised code that same year.

Open SSH distribution was borked to compromise people who built that product to provide secure access to their enterprise. He says, my point here is that we rarely learn from the past or generalize from the point problems we see to the more general case to get ahead of the attackers. Going back to the aircraft analogy, if the, if that industry managed risk and vulnerability the way we do in cyber security, there would be planes literally falling out of the sky. We should learn from that sector and the safety industry more generally. The US have set up the Cyber Safety Review board based on the National National Transportation Safety Board, which is, will hopefully be a first step in systematizing learnings from incidents and the like to drive change in the cybersecurity ecosystem. At the moment it's only looking at major incidents, but it's a start. I hope the community supports this in similar efforts and helps them scale and move from just looking at incidents to tackling some of the underlying issues we all need name fixing without some, some feedback, some sort of feedback loop.

We're destined to be a bit dumb forever. And finally he says incentives really matter. He says, Imagine you are a consumer who's about to switch broadband providers and you wanna compare two companies. One offers to send you a 60 page document describing how it secures the PE and P nodes in its M P L S network, how the OLTs in the fiber network are managed and how much effort it puts into making sure the O NT in your house is built and supported. The other one offers you free. Netflix, of course, everyone chooses the ISP with the free Netflix. Of course, in the telecom sector, customers don't pay for security. So there's no incentive to do more for your customers, which is what would drive the sector to get better.

He says that's where regulation can help and is one of the reasons that we with dcms pushed so hard for what became the telecom's security Act, the detailed security requirements in the code of practice make it clear what's expected of telecom's operators and the fines and the fines off com can levy when that's met are material. We're already seeing this drive better outcomes in the sector. If you ask anyone in the intelligence community who is responsible for the Solar Winds attack I referenced earlier, they'll say it was the Russian Foreign Intelligence service, the svr. But Matt Stoler makes an interesting argument in his article that it's actually the ownership model for the company. That's really the underlying issue. The private equity house that owns Solar Winds acted like an entity that wanted to make money rather than one that wanted to promote secure software development and operations.

Who knew? And Leo, if you remember thinking back to Solar Winds, there were some problems in the way they were managing their software that made no sense to us, right? Right at the time. It's because they're owned by private equity that just wants to squeeze it for money. He says, Now I don't agree with everything Matt says in his article, but it's hard not to link the commercial approach of the company with the incentive and capability of the people in it. It's then hard not to link the actions of those people driven by their incentives and capabilities with the set of circumstances that led to the attack being so easy for the Russians. Of course, the blame still sits with the svr, but did we accidentally make it easier for them? In both cases, the companies are doing exactly what they're supposed to do, generate shareholder value, but we implicitly expect these companies to manage our national security risk by proxy often without even telling them.

Even in the best case, their commercial risk model is not the same as the national security risk model. And their commercial incentives are definitely not aligned with managing long term national security. In the likely case it's worse. So I think we need to stop just shouting, do more security at companies and help incentivize them to do what we need long term. Sometimes that will, that will be regulation like the Telecom Security Act, but not always. Sometimes we're wanna gonna have shock horror to pay them to do what we need when it's paranoid lunatic national security stuff. But make, but making the market demand the right sort of security and rewarding those who do it well has got to be a decent place to start trying to manage cybersecurity. Completely devoid of the vendor's commercial contexts Doesn't seem sensible to me. Okay, He says, I know I've been banging on about this forever, but the last few years have shown how important the mantra is.

Details matter deep down. We all know how much details matter, but we also all seem to find it easy to fall back to generalizations and hyperbole. It is critical that we get into the detail of things, whether deeply technical, whether deeply technical things that only three people on the planet care about or discussions of policy that will affect everyone in the country. If we don't, we eventually make a catastrophic error that will have real world consequences. So here it feels to me like, you know, this is the, this is the previous head of the NCSC who's talking about, you know, bureaucracy has a problem because it has a pro, it has a problem dealing with things that are detailed. He says, while it's not pure cyber security, the somewhat polarized discussions about child safety and end to end encryption typify this problem for me. But I see it in many places.

I honestly think that getting into the real detail of hard problems is what helps us see pathways to solutions. As I said at the start, there's a long way to go for cybersecurity and a lot of hard problems still to solve details are your friend. And actually he then goes on at some length about what he calls his grand unified theory of cyber, where everything is known about everything about networks and software and functions and vulnerabilities and interactions and where everything can be interconnected and graph to drive decisions. I didn't include it here because it's very long and because the creation of artificial sentience will likely occur first <laugh>. So anyway, I thought that sharing his recitation of the fundamental problems was useful. And even though I know they will all have sounded familiar to anyone who follows a podcast, you know, if nothing else, we do appear to be moving toward a general consensus of the problems.

Although, yes, we can look back over the past 50 years since the identification of the first memory based vulnerability and bemoan the fact that we also suffered from another one just yesterday, 50 years ago, we didn't have any grasp of the problems we were gonna be facing today. At least we have that. So it's a start. Yeah. Even if, you know, even if all we could talk about is blue sky new operating systems that don't actually do anything. I d I do feel like we're making some progress. I mean I, it, I mean I know that the landscape is litter with security problems, but I feel like we, at least we're understanding what the issues are a little bit better. Yeah, Yeah. And it, it has to be that bringing pressure to companies that need it Yeah. Is where the solution lies. Yeah, well you do that very well.

As well as ex explain and elucidate what's going on in this world around us. Steve Gibson, his website,, the Gibson Research Corporation, that's where you'll find spin, right? The world's best mass storage, recovery and maintenance utility, six point ohs. The current version six one is in processes you hear very close. If you buy six, oh now fear not. You will get a free upgrade to 6.1. So you're not gonna miss out. Plus you get to participate in the development as we get closer. He also has copies of the show there,, including two unique copies. He's got a 16 kilobit version for the bandwidth impaired and transcripts written by a human Elaine Ferris. So those are great. You can search those to find what you want or, or read along as you listen or you know, use them however you like.

Grc.Com, lots of other free stuff there. Well worth checking out. We have 64 kilobit audio at our site, We have a unique format video if you wanna watch, see all the blinking lights blink, that's also a twit TV slash sn or on YouTube's a Dig YouTube channel. And of course you can subscribe to either version of the show at the website, I'm sorry, at well yeah, at the website we have links to your pod, the main big name podcast clients, but really any podcast client, if you search your security now or twi you should find it and be able to just press a button and subscribe to it at no charge. We do have ad free versions of the shows all the shows including this one for 2 99 a month. Or you can spay spend seven bucks a month and get all the benefits of Club Twi, which means all the shows add free the special TWI plus feed with lots of stuff we don't put out in public, like hands on Windows, hands on Macintosh, on titled Linux show, Stacy's book Club, the GI Fizz.

We also use the club to launch new shows and we have a great Discord server, which is incredible, a wonderful place to hang out. I think that's a great deal for seven bucks a month for the holidays. You can buy a year long package for the the geek you really like. And we also have corporate packages and get along of corporate memberships all of a sudden, which is wonderful. It really helps us you know, stabilize in very uncertain economic times. Now I know it's times are tough for you too, so don't worry. We will always offer free versions for those of you who can't afford it, but if you can seven bucks, that's all every month and it sure helps us an awful lot after the fact. Oh, I did mention all that. Oh, I know what I didn't mention.

When we do the show, which is Tuesdays round one 30 Pacific four 30 Eastern, we are going off daylight saving time on Sunday. So our new UTC time will be 2130 utc. You figure out what time that is in your local jurisdiction. I don't know. It's up to you on that 1 21 30 and I mentioned that, not because you could always download it at your leisure, but if you wanna watch us do it live, get the very first version of this show as we're recording it. You go to at that time. You'll be able to watch that. You can chat if you're watching live. That's one of the advantages of live is interactivity. The IRC is open to all of and of course the discord for you. Club TWI members join us next Tuesday. Election day, Steve, oh my God. Came up on us fast. Yep. Boy, it's gonna be interesting. Yeah, it sure is. Super, super interesting. Could be the last election we ever, ever have. <Laugh> or that'd be nice. You could vote <laugh>. Thanks Dave. We'll see you next time on Security now. Thanks buddy. Bye.

Jason Howell (02:01:49):
Don't miss all about Android. Every week we talk about the latest news, hardware, apps, and now all the developer goodness happening in the Android ecosystem. I'm Jason Howell, also joined by Ron Richards, Florence Ion and our newest co-host on the panel When to Dow, who brings her developer chops. Really great stuff. We also invite people from all over the Android ecosystem to talk about this mobile platform we love so much. Join us every Tuesday, all about Android on

... (02:02:22):
Security now.

All Transcripts posts