Security Now Episode 896 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for security. Now Steve Gibson is here. We'll talk about how Dropbox properly handled a minor breach and ask the question of whether you should ever trust a managed service provider more on the open SSL flaws. The FTC going at it with Chegg. I'm glad to see this. And is China cheating with zero days? That and a whole lot more. Coming up next on security Now. Stay tuned. Podcasts you love
... (00:00:31):
From people you trust. This is tweet.
Leo Laporte / Steve Gibson (00:00:40):
This is security now with Steve Gibson. Episode 896 Recorded Tuesday, November 8th, 2022. Something for everyone. Security now is brought to you by Thinkst Canary. Detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter for 10% off and a 60 day money back guarantee. Go to canary.tools/twit and enter the code TWiT and the how did you hear about us box. And by Drata, security professionals are undergoing the tedious and arduous task of manually, manually collecting evidence with Drta. Say goodbye to the days of manual evidence collection and hello to automation. All done at Drata speed. Visit drata.com/twit to get a demo and 10% off implementation.
(00:01:35):
It's time for security now to show we cover you. Your privacy, your security, how the internet works, how computers work with this guy, this genius right here, Mr. Steve Gibson. Hello Steve. Yo Leo, great to be with you. This is a patch Tuesday. It hasn't fallen on an election day since 2016. Just a little bit of trivia there for those who are yes, following along and we owe today's show title to my wife. Lori and I were out walking yesterday and I was telling her what progress I had made so far. She said, So do you have a topic? And I said, I don't so far. I said, But that's okay. Sometimes nothing really jumps out or stands out or needs special attention. And so I just call it like a busy Newsweek or something. And she said, How about calling it something for everyone?
(00:02:35):
And I said, I like that. I like it. And so that's title something for everyone because we just have all kinds of stuff. We've got one of our pure Newsweek, we've got Dropboxes handling of a minor breach. We follow up on last week's open SSL flaws. The FCC has had it with a repeat offender and we're gonna find out how much total reported ransom was paid last year to the ransomware denizens. Ooh, Akamai has reported on fishing kits and that's some, it's like frightening. We've got some stats about what initial access brokers charge and we look at the mechanics of cyber bank heist, like how that's actually pulled off in the real world. We've got several more defi platforms. Defying belief Russia is forced to move to Linux. Finally, the Red Cross wants a, Please don't attack us cyber seal. We've got nutty Floridians who have gotten themselves indicted in a bold tax fraud scheme that you just can't imagine they could have possibly thought they could have gotten away with and well, because of indictments they didn't <laugh> also <laugh>.
(00:03:57):
You know how that is. Yeah, that's right. Also the question has been raised by Microsoft, whether China is cheating with zero days and in what I think is a fabulous idea that I hope the US might adopt the ncsc will be scanning the UK's citizenry for vulnerabilities and working with them to remediate them. And that's not all. There's more, we've got a great picture of the week. I've got some feedback from our listeners and a brief update on where write stands. So, oh wow. As I said something for everyone, Everyone that sounds like an excellent show. I'm looking forward to it. I always do and I also am happy to say so do our sponsors, especially the guys at Canary, they are big fans. And I should say that this is a group of people who know what they're talking about. The folks who invented the think to Canary to trained companies and militaries and governments on how to break into networks.
(00:05:06):
And it's with that knowledge that they built this, the thinks canary show they brought to you by the best little Honey pot money can buy. It's a honey pot that requires no extreme honey pot coating skill. Remember when we had Bruce Cheswick out in Boston for our last pass event? Yeah, he wrote the first honey pot and he was talking about that they found somebody in the network. And so he created a little attractive program that they would most likely run into a trip wire, if you will, for intruders on the network. And that's now, here we go. Fast forward many decades later, that's what this is all about. The thinks Canary looks about a portable USB drive, it's not very big. Connects to power and then to your network and then that's it. And then you let it sit. Actually, you will wanna go into your canary console and configure it.
(00:05:59):
This one's configured to look exactly like a S na. It's got the login page, it's got the proper Mac address, all of that. It's completely indistinguishable from a na, but it's not. It's a honey pot. You can make it look like a skated device. You can make it look like a Windows server, a Linux server. You can have all the services turned on a Christmas tree or you can have just some select services, just maybe a little port 1 39 action opened up. But the point is, they don't look like vulnerable or traps on the network. They look like valuable information. But the minute a bad guy touches it, you will know. And that's the key to the thinks to Canary. It's a canary in your coal mine. In effect the thanks to Canary solves this problem that we all should be aware of. We all have perimeter defenses.
(00:06:56):
You know, build a fort, you know, keep everybody out. But unfortunately nothing's perfect. Bad guys get in and then once they're in, they often have free reign, right? They have complete access to everything because we don't just say, Oh well they couldn't possibly get in on average. This is a terrifying statistic. On average it takes 191 days. It's more than six months for a company to realize there's been a data breach. Canary solves that problem. Attackers are sneaky. They don't necessarily wanna signal their presence. In fact, most of the time they want to prowl around. They want find resources. They can ex-filtrate valuable stuff. If they're planning a ransomware attack, they're gonna look at where your backups go, where everything goes before they trigger the ransomware attack. They want maximum damage. And now, as we know the latest is, they also wanna blackmail you afterwards with data from your server.
(00:07:56):
This is the key. The thinks canary. You can also use your canary and you wouldn't have just one. You'd probably have several spread around. Big banks might have hundreds, some big operations have many, many, many canaries cuz you want 'em in every nook and cranny. You don't want it to stand out. You could put it on active directory. So they're easy to find, which is a, it's a nice feature and you can make 'em look like absolutely anything. But you can also use the canaries to create canary tokens. These are files that look like spreadsheets or PDFs or documents that you also can scatter around. You can create as many as you want. And when they're opened or somebody tries to open they phone home and the canary alerts you. So this is a really good way of spreading these trip wires around your network and then hackers fall into 'em and then you are alerted.
(00:08:48):
It's designed to be configured in minutes. It's so easy to do. In fact, the only thing that kept me doing it is cuz I was trying all different things. Know it's so fun, you can make it be anything. You won't have to think about it again. If an alert happens, canary notifies you and they do it in any way you want. You won't be inundated with false alarms. It's dead silent until there's a bad guy snooping around. You can get an email, you can get a, or all of the above, email, text message, you get a canary console. It'll show you there. They support Slack. They also support web hooks, which means you can attach it to all sorts of stuff. There's Syslog. If you use Syslog, that's a nice way to do it. They have a full api, so you can write a little Python script if you want.
(00:09:27):
That'll ping you do anything you want. Data breaches typically happen kind of through a social engineering, a back door. You may not know what's happened. No alarms may go off unless you have the canary. You'll find Canaries deployed all over the world on all seven continents. They're one of the best tools against data breaches. You can read about all the love for Canaries on their site at canary.tools/love. But when the time comes you think, I wanna try these out. Go to canary.tools/twit so that way they know you heard it here and use the offer code TWiT in the, how did you hear about us box for get this 10% off the canary for life every year, right? For life. What's the pricing? Well, I like to be transparent up front and so do the canary folks. That's what they're all about. Let's say you wanted five of 'em, five canaries.
(00:10:26):
You could put one in every corner of your subnets and every VLAN that'd be 7,500 bucks for five of them per year. You'd also get hosted console. You get the upgrades, you get support, you get maintenance. If somebody sits on a canary or steps on it or it breaks for any reason, they just immediately, no questions asked. Send you another one. 10% off for life when you use TWiT and how'd you hear about a box? And they know you're gonna love it. I know you're gonna love it. But if for any reason it doesn't suit you got two months, a two months money back guarantee, full refund. These guys are confident. They know this is something awesome that you're gonna really like. But don't be fooled if you hear nothing from it. That's the good, That's a good thing. That's a good thing. When you hear from it, that's when you want to go, Oh, that happened to us once.
(00:11:15):
It was, I've told the story before, but boy that was like, wow. canary.tools/twitt offer code twi. Thank you Canary. They're great sponsors. They love this show. They say we will. We always want to be on this show cuz Steve's the best. They like to support your mission. canary.tools/twitt, you support our mission when you use that address. Do we have a picture? I didn't even look. We have a wonderful picture. I will lead up while you are getting it ready. Now I'm tempted to call this the dumbest thing I've ever seen except that we've got two previous occupants for that slot. One is the locked gate standing alone out in the middle of a meadow with a path running up to it. And it's like, what is this locked gate doing out in the middle of nowhere Who's not gonna walk around it? And sure enough, there's like a dirt trot and path on either side.
(00:12:15):
The other dumbest thing was that generator that had to be grounded. So someone stuck a piece of rebar it into a pale of dirt and hooked the ground wire to the rebar. And it's like, okay, I don't think that's quite what they had in mind when they said you need to ground this generator. Okay, here we've got a very tall gate, which looks like it's an electric gate. It's a good looking gate. Very nice looking gate. Yeah. Got an intercom on the side so you can buzz the person. It looks like maybe three different units are back there somewhere. And you are not supposed to get in or out, presumably Uhuh. No. The problem is that the genius, the genius who designed this gate, used a series of horizontal bars now. And so I gave this, the caption can't get in. How about use the built in ladder <laugh> because I mean it's designed for scaling the gate.
(00:13:24):
You just, I can't get in. What should I do? Oh look, it's a ladder. How handy I Convenience. I mean if all they had to do was make them vertical and then you'd just be like stuck. You'd be looking like a prison bars. But no, they built a ladder from the gate. And so it's quite easy though. This goes down. This is maybe the third dumbest thing that we've seen on the podcast. It's in the list. That's definitely, yeah, we are acquiring them over time. Okay, so last Tuesday which was the 1st of November, Dropbox posted of their own experience titled How we Handled a Recent Fishing Incident that targeted Dropbox. And the short version is, I think they handled it pretty well but there are some lessons to be had surrounding the event. Their announcement began with of the required do not worry disclaimer. They said we were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub.
(00:14:40):
No one's content, passwords or payment information was accessed and the issue was quickly resolved. Our core apps and infrastructure were also unaffected as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal because we take our commitment to security, privacy and transparency. Seriously, we've notified those affected and are sharing more here. Then I'm skipped over a bunch of background and the part I wanted to share with our listeners was this. They said at Dropbox we use GitHub to host our public repositories as well as some of our private repositories. We also used Circle CI for select internal deployments. CI is some automation technology CI standing for continuous integration. So they said in early October, multiple Dropboxers received phishing emails, impersonating circle CI with the intent of targeting our GitHub accounts a person could use their GitHub credentials.
(00:15:53):
They explained to log into Circle ci. They said, while our systems automatically quarantined some of these emails, phishing emails, right? Others landed in Dropboxers inboxes. These legitimate looking emails directed employees to visit a fake circle CI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a one time password to the malicious site. And as we know, all of this bypasses, I mean this approach will get around the use of one time password authenticators. So they said this eventually succeeded giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories. Whoops. They said these repositories included our own copies of third party libraries, slightly modified for use by Dropbox internal prototypes and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure access to those repositories is even more limited and strictly controlled.
(00:17:20):
And finally, on the same day they said we were informed of the suspicious activity. They don't indicate how, but this is why, you know, need to do network monitoring. Like Leo you were just talking about with that previous sponsor. They said the threat actor's access to GitHub was disabled. Our security teams took immediate action to coordinate the rotation of all exposed developer credentials and determine what customer customer data, if any, was accessed or stolen. We also reviewed our logs and found no evidence of successful abuse to be sure we hired outside forensics experts to verify our findings and reported this event to the appropriate regulators and law enforcement.
(00:18:09):
So there are three points that I wanted to highlight from this report. The first is that we have yet another instance of a major security savvy, a network savvy organization, Dropbox, right? I mean they know their way around or they wouldn't still be around being successfully attacked and breached even in the face of knowing that this is going on. Their email filters worked to prevent their employees from being subjected to this error prone event mostly. But those filters also failed just enough to allow bogus fishing attacks to reach their employees. And notice that these were code developing employees, not, for example, less sophisticated clerical or office workers who you might have in a huge organization that aren't, wouldn't be expected to be up to speed on computers. These are people who like log to circle CI and GitHub and they were fooled. The point is fishing, and we'll be talking about that several more times before the end of today's podcast.
(00:19:27):
The second point I wanna make is the introduction of a new concept, which I would turn, I would term the phishing email attack surface. We're all familiar with the traditional concept of an attack surface, right? The idea being that the more potential points of entry that exist, the greater the threat that any one of those might be inadvertently left open or somehow breachable. So this new concept that I would call the phishing email attack surface uses this recent Dropbox experience as a perfect example, noticing that the more complex an organization's setup is, which is to say the greater number of ancillary services an organization employs, the greater is their phishing email attack service. They're just more things that have log-ons and authentication requirements and again, more points of entry. The modern trend is products as managed services where companies are increasingly contracting out for an increasing number of services rather than rolling their own.
(00:20:53):
The theory of this is sound. Why reinvent the same wheel over and over, especially when there's little additional value to be added by doing so just contract for this or that service while focusing upon the company's core mission rather than wasting time on developing and running all of those other things that are common to all companies. Sounds great. But recall all of the downstream damage that the breach at Solar Winds created. Solar Winds was a provider of exactly this sort of outsourced services model. And also remember all of those dental offices that were being breached and the hospital services that were hit by crippling ransomware when their ms, their managed service provider was breached. The danger represented by managed service providers is exactly what I'm referring to here. So I wanted to observe that we as an industry still have a serious problem with remote network services authentication.
(00:22:04):
The very fact that phishing emails even exists as a security issue demonstrates that this serious problem has not yet been solved. So the more remote network MSP services an organization maintains, the greater their phishing email attack surface will be. The third and final point I wanted to make was where Dropbox wrote, they said on the same day we were informed of the suspicious activity. The threat actors access to GitHub was disabled. Our security teams took immediate action to coordinate the rotation of all exposed developer credentials and determine what customer data, if any, was as accessed or stolen. We also reviewed our logs and found no evidence of successful abuse. To that. I say Bravo. When we were all growing up, our elementary schools conducted periodic fire drills without warning alarms would sound throughout the school and the entire school class by class would file out in an organized manner to previously designated locations While I was a school.
(00:23:20):
Those alarms never went off except for during drills. But if someday they were to, the entire school was prepared. My point is every organization must now be prepared for the possibility of a network breach. So breach drills should become a thing that all responsible organizations conduct. Just as fire drills were once that when we were in elementary school, just as one A school might be on fire after a network intrusion. We've seen the stats showing that time really can be of the essence. So planning for a breach, including having some drills should be something that responsible organizations do. Drop boxes immediate response showed that they were ready and prepared for that eventuality. And again, I think that is of crucial importance. I think it's also important to point out that that's probably why in many cases it's better to use at MSP than do it on your own. I mean, if we were to count all the flaws that people introduce themselves by trying to do it themselves, that's gonna far outweigh the number of exploits because of MSP was taken advantage of, right?
(00:24:51):
I mean I think that's a useful consideration. The problem with an MSP is the single point of failure. So a breach at Solar Winds gets everybody devastated. Yes, so many clients, but I think about Bit Warden for instance, and some people, again with Bit Warden, one of our sponsors and password manager hosts their own and they often say, Well why do you let bit warden host it? Because I always say, Cuz I think they're gonna, Yeah, I could host it myself. I think they're more likely to keep it locked down than I am and backed up. Yeah, you don't, don't risk losing the cloud presence <affirmative>. I mean it certainly is a consideration. I guess the thing to do would be but you gotta trust him as always. Yeah, find some balance point, for example. Don't give no consideration to the security of the services that you're hiring.
(00:25:51):
At least have them run the gauntlet and demonstrate that it makes sense for you to put some portion of your security in their hands because you are, when you're outsourcing a service, you're outsourcing the security of that service and that services access back into your organization. And that's what bit the hospitals and bit all those dental practices when their common MSP got hacked. So I sort of wanted to put it on people's radar to consider that if Dropbox hadn't been using ci, well, they wouldn't have been prone to the circle CI phishing emails, and so that couldn't have happened. Maybe something else would've happened, they would've gotten in some other way. But that's the way it happened. So it's very much like having exposed ports. Each of those things represent some exposure and that means an expanded attack surface two weeks ago. As we talked about last week, when it was one week ago, now it's two weeks ago, the open SSL project maintainers told the entire world that one week from then a critical vulnerability would be patched and necessarily revealed to the world.
(00:27:26):
So last week, the severity, the good news was it was downgraded from critical to high. Since there's some possibility that one of the two problems could be weaponized, the advice remains that everyone using any version three point X point X of open SSL where those Xs aren't zero and seven which is to say if you're using anything before 3.0 0.7, which contains the two fixes that should be looked at. So, okay, here's what we know now as access as it suspected last week, we would to find out what was going on. Here's what the project maintainers wrote about the most serious of the two problems. It's got a CVE 20 22, 36 0 2 now rated at high severity. They said a buffer overrun, which is of course where most of these problems begin. A buffer overrun can be triggered in the X 5 0 9 certificate verification, specifically in name constraint checking.
(00:28:41):
They said, note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. That meaning if it hadn't been signed, an attacker can craft a malicious email address to overflow four attacker controlled bites on the stack. This buffer overflow could result in a crash causing a denial of service, meaning it's your service is denied because the thing crashed or potentially remote code execution. Many platforms implement stack overflow protections, which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform. And compiler pre announcements of the CVE described this issue as critical. Further analysis based on some of the mitigating factors described above have led us to have led this to be downgraded to high users are still encouraged to upgrade to a new version as soon as possible.
(00:30:08):
A TLS client, I'm sorry, in a TLS client, this can be triggered by connecting to a malicious server in a TLS server. This can be triggered if the server requests client authentication and a malicious client connects. Okay, so the second of the two problems, there were two that were related. The second one is quite similar, but it only allows the attacker to overflow the stack with an arbitrary number of DOT period characters. I think that's hex 46. So the attacker's inability to overflow the stack with their own provided data, I'm sorry, the attacker's inability to overflow the stack with their own provided data. All they can do is dot characters limits the practical danger to a denial of service due to a crash that would result in a crash in open ssl. But in the reason that the more serious of the two was initially felt to be critical is that the stack overflow can be of attacker provided bites for attacker provided bites, which could be a jump or some just enough code, for example, to elevate this task if it weren't already, or to bypass security checks, whatever.
(00:31:55):
So what remains to be seen is whether anyone ever arranges to weaponize this attack. There's no doubt that many vulnerable instances of open SSL version three pre previous to zero seven will remain out in the world for the foreseeable future. They will have already been built into appliances that will never be updated. It's a relief that the trouble cannot be induced in an open SSL based TLS server without the server first requesting a certificate from a client. That's unusual enough. So as not to be a big issue, but if an open SSL based TLS client were to be induced into visiting a malicious server after this flaw were weaponized, that could result in the execution of code on the visiting client, thus compromising somebody who connects to a malicious server and that could pose sufficient inducement to, cause that is the potential of that could be sufficient inducement to cause major exploit creating players to investigate its weaponization. So we'll see if a year or two from now, we're not talking about, whoops, remember that open SSL vulnerability that was downgraded a high but was, you know, that should have been fixed wherever possible. Well, we'll see if that ends up happening. It could.
(00:33:46):
Okay we're gonna begin hearing of more instances of these sorts of reactions from the US federal government. And over time it will become widely known that companies cannot simply ignore their security responsibilities with impunity. On Halloween. The FTCs business blog post was titled Multiple Data Breaches Suggest Educational Technology Company Chegg, C H E G G Didn't do its homework, alleges the ftc. Now, we'll forgive the FTC for being cute about an educational company not doing its homework. But the points made in their blog posting about this were instructive. The FTC wrote, Chegg Inc sells educational products and services directly to high school and college students. That includes renting textbooks, guiding customers in their search for scholarships and offering online tutoring. But according to the ftc, the ed tech companies lacks security practices resulted in four separate data breaches in a span of just a few years leading to the misappropriation of personal information about approximately 40 million consumers.
(00:35:23):
The FTC complaint and some notable provisions in the proposed settlement suggest that it's time for a data security refresher course. Again with the educational approach at Chegg, are there lessons your company could learn the FTC deposits or wonders from where the FTC says Chegg failed to make the grade. Okay. Okay. In the course of its business. So here's what happened. California based Chegg collected, they said, the FTC said a treasure trove of personal information about many of its customers, including their religious affiliation, heritage, date of birth, sexual orientation, disabilities, and parents income. Why do they even they have my sexual orientation in the first place. Exactly. What the hell is that? Exactly? They're doing textbooks. Yes. <laugh>, I know. Even the Chegg employee in charge of cybersecurity Describe the data gathered as part of its scholarship service scholarship search service as very sensitive. Yeah. So there might be a scholarship for queer scholars or something like that.
(00:36:51):
So you'd have to give them that information, I guess, to find those in order to qualify. Right? It is. It's very sensitive. Yes. Yeah. And four breaches. I mean, it's very sensitive and they're not treating it responsibly, but wait till you hear Leo. It's unbelievable. A key component of Che's information technology infrastructure was simple Storage service s3, Oh boy, the cloud service <affirmative>. Cloud S3 Buckets can be secure, but they're offered they're cloud service offered by Amazon Web Services AWS that Chegg used to store a substantial amount of customer and employee data. The full complaint provides all the details, but the FTC sites a number of examples of what Chegg did and didn't do that were indicative of the company's lack security practices. For example, the FTC alleges that Chegg allowed employees and third party contractors to access the S3 databases with a single access key that provided full administrative privileges over all information.
(00:38:10):
Chegg did not require multifactor authentication for account access to the S3 databases. Rather than encrypting the data, Chegg stored users and employees personal information in plain text until at least April of 2018. Chegg protected. They had that in air quotes, passwords, outdated cryptographic hash functions until at least April, 2020. Chegg failed to provide adequate data security trading for employees and contractors. Chegg didn't have processes in place for inventorying and deleting customers and employees personal information once there was no longer a business need to maintain it. In other words, it just kept accruing the data at infinitum. Chegg failed to monitor its networks adequately for unauthorized attempts to sneak in and illegally transfer sensitive data out of its systems. In other words, across the board, your basic do the minimum possible laziness. The report continues. Should it come as a surprise that the complaint recounts four separate episodes that led to the illegal exposure of personal information incident.
(00:39:34):
One stemmed from a Chegg employee failing, falling for a phishing attack that allowed a data thief access to the employee's direct deposit payroll information. Incident two involved a former contractor who used Che's AWS credential the one credential to grab sensitive material from one of the company's S3 databases. Information that ultimately found its way onto a public website. Then came incident three, a phishing attack that took in a senior CHE executive that allowed the intruder to bypass the company's multifactor email authentication system. Once in the executive's email box, the intruder had access to personal information about consumers including financial and medical information. And incident number four, a senior employee responsible for payroll fell for another phishing attack, thereby giving the intruder access to the company's payroll system. The intruder left with the W2 information of approximately 700 current and former employees, including their birthdates and social security numbers.
(00:40:46):
Oh God, In each of the four incidents cited in the complaint, the FTC alleges that Chegg had failed to take simple precautionary steps that would've likely helped prevent or detect the threat to consumer and employee data. For example, requiring employees to take data security training on the telltale sides of a phishing attempt because they fell for it four times and nobody ever learned any lessons. No actions were taken as a consequence of those to settle the case. Boy, they gotten off easy. Chegg has agreed to a comprehensive restructuring of its data protection practices as part of the proposed order. Chegg must follow a schedule that sets out the personal personal information. It collects why it collects the information and when it will delete the data. In addition, Chegg must give customers access to the information collected about them and honor requests to delete the data.
(00:41:46):
Chegg must also provide customers and employees with two factor authentication or other authentication method to help protect their accounts. So it's gonna get better, but this is just a toothpick and a haystack. <laugh> in this largely still unregulated industry. We're operating in a wild west mode with non-existent oversight until failures are egregious enough to bring governmental scrutiny. And how many of these incidents were caused by employees? Employees falling for fishing schemes? All four of them even in an exec did. Yet there was no trading provided. The reason is none of those breaches directly affected che's. Bottom line. Oh 40 million of their customers had highly sensitive daily data revealed. Well, we're very sorry about that. Okay, right. Well, I'm not one who believes in government overreach and having Uncle Sam rummaging around in our private corporate businesses, but self-regulation isn't gonna work here. One solution would be to only provide tools that provide security, then at least security wouldn't need to be added on as an optional afterthought.
(00:43:10):
But as we all well know, we're not there yet. Where I am, Leo is in need of a water well that I can help you with. I can't help you with any of the other stuff, but we're gonna talk about the amount of ransomware payments made last week when we come back. Oh yeah. And it's a big number. I bet it is. Well, let me talk Before we do that, let me talk about our sponsor, dta Grata Tar. I think many of you who listen to this show, organizations run it where you have compliance requirements, right? We were just talking about the FTC stepping in with Chegg and Forg. You know what? I'm proud of the FTC for getting that enforcement and doing it right. And of course there are a lot of compliance issues that every company has these days because you've got data, right? If your organization's finding it difficult to achieve continuous compliance as it grows in scales is manual evidence collection. <laugh> slowing your team down.
(00:44:13):
I can tell you about Drata G2 S highest rated cloud compliance software. They streamline your compliance if you're doing it by hand. This blew me away that so many companies actually do this by hand. If you need SOC two ISO 27 0 1 P C I dss, gdpr, hipaa, or you have other compliance frameworks, Drata gives you 24 hour continuous control monitoring. So you could focus on scaling securely. ANDRADA can collect that information. You need to prove compliance with a suite of 75 plus integration. Strata easily integrates with your tech stack through applications like aws, Azure, GitHub, Okta Cloud Flare, countless security professionals from companies including Lemonade and Notion love, both those companies, Bamboo hr, they have shared how critical it has been to have Drata as a trusted partner in the compliance process's. Deep native integrations provide instant visibility into a security program and continuous monitoring to ensure the compliance is always met, not it's just not just point to point.
(00:45:24):
It's always met. Drta allows companies to see all their controls to easily map them to compliance framework. So immediately, if you've got, well, for instance, framework overlap or gaps, right? Companies could start building a solid security posture from day one with draw to achieve and maintain compliance as your business scales expand your security assurance efforts using Thera platform. This is more and more important all the time. And if you listen to the show that's automated Dynamic Policy template, support companies new to compliance and help alleviate hours of manual labor. And the problem with manual labor, besides it being time consuming and laborious, is mistakes not with Jada and their integrated security awareness training program. And automated reminders are great for employee onboarding. They're the only player in the industry to build on a private, this is just what you were talking about earlier, A private database architecture from day one.
(00:46:24):
That means your data can never be accessed by anyone outside your organization, right outside your organization. DRA can't even do do it. All customers receive a team of compliance experts. So you're never alone. You get a designated customer success manager. They also really give you some assurance. They have a team of former auditors. People have conducted 500 plus audits available for support and counsel. So you kind of know ahead of time what you need to do and they can check what you're up to, make sure it's compliant. Your success is their success. Drta knows that with a consistent meeting cadence, you're never in mystery. They'll keep you on track and ensure there are no surprises, no barriers, and you're gonna love the pre-audit calls, which ensure you're set up for success when those audits begin. Drta is actually was kind of created by and invented by and supported by, backed by a syndicate of ciso, angel investors who know intimately what needs to be done.
(00:47:24):
S V C I, you might have heard of them. These CISOs were some of the world's most influential companies. Said, Yeah, this is something we need. This is this Isra. Say goodbye to manual evidence collection. Say hello to automated compliance. Please go tora.com/twi D R ata.com and add the slash twi if you would. So they know you saw it here. That's really important to Steve and me. draha.com/twi. Drta bringing automation to compliance at draha speed. It's everything you talk about on the show, Steve, is really a cautionary tale. And I just imagine these CISOs and CIOs and IT folks listening going, Oh boy, <laugh>. Oh boy, did we secure our S3 buckets today? This is well, and we talked a couple weeks ago, there was some survey, it was IBM who did the survey of the stress that, oh, can imagine CISOs are under. I mean, it is just, it's not a it's tough job. It's a horrible, it's a tough yes. Yeah. But a good job. But an important job. Thank you for doing it. It needs to be, And we're glad you listed security now cuz that gives me some confidence that you've paying attention, which is good.
(00:48:39):
Okay Fin Sen, which is the US Financial Crimes Enforcement Network Unit, which is part of the US Treasury Department, published a 10 page report detailing ransomware related events as reported by banks and other financial institutions through the Bank Secrecy Act. Also, BSA Vincen said that in 2021 things related, I'm sorry, things filings related to suspected ransomware payment substantially increased from 2020. Okay, so we're nearly a year behind, right? Cuz that's the way these reports go. Takes a while for them to filter through. So not like this year. We know this year was like a bang up year more so than even than 2021. Anyway, 2021 substantially increased over 2020. 2021 saw a reported 1.2 billion in known ransomware payments paid out. The agency finan estimates that roughly three quarters of these payments were made to ransomware gangs loaded located in Russia. And of course that's all the ones that we're talking about, the big guys.
(00:50:07):
All of this is Russian to a large degree. I've got a graph of the last few years of this but basically it is not quite exponential, but it's more than linear, more. But it looks like a hockey stick. It's a little hockey stick. Yeah, it's not good. It's going up fast. So boy, yeah, we don't want Russia to be receiving our money. And the problem is, well there's this much money behind it. 1.2 billion in cryptocurrency transfers. That's called incentive. And incentive by the way, is not what we want. That's why it's so low. In the left hand side of the chart, you can really trace the success of ransomware to the rise of crypto. Yes, Unless you could get paid without getting caught, there was really no way to make this happen. Remember it was Western Union transfers, that was the way it was being done.
(00:51:12):
Or you'd go down and buy car money cards from the seven 11. Right? Right, right. Sorry. No, absolutely. It's been the perfect storm where the bad guys realize, hey, this is great. We love this cryptocurrency stuff. Let's just ask for some Bitcoin. Akamai published their third quarter, their Q3 threat report for this year 2022, which they released right smack dab on the end on Halloween. Since fishing has grown to become by far, I mean, how many times have we spoken of it already in this 46 minutes? The most frequently detected first step in most successful attack scenarios. What Akamai's report had to say about fishing, I thought was telling. They said, as covered in the q2, that is their previous quarters 2022 report. The overwhelming fishing landscape scale and magnitude is being enabled. And this is news by the existence of fishing toolkits. Fishing toolkits support the deployment and maintenance of fishing websites, driving even non-technical scammers to join the phish adversary landscape and run and execute phish scams.
(00:52:39):
And anyone who's been listening to this podcast for long knows, that's like the worst thing that we could hear is you don't have to know anything. Now increasingly, in order to pull off this, which is why there's so much of it, they wrote, according to Akamai research that tracked 299 different phishing toolkits being used in the wild to launch new attack campaigns during the third quarter of 2020 2.01% of the tracked kits were reused on at least 63 distinct days, 53.2. So a little over half of the kits were reused to launch a new attack campaign on at least five distinct days. And all 100% of the tracked kits were used on no fewer than three distinct days with the average toolkit reused on nine days during the third quarter of 2022. So the bad guys are being fickle about their toolkits, they're jumping around trying different ones, and these are not long lived campaigns.
(00:53:58):
They're setting them up, setting out a bunch of emails waiting for how long they would expect the email to take before somebody opened it and clicked on it and they wait 5, 6, 7, 8, 9 days. And then they go, Okay, well try time to do a different campaign. They wrote further analysis on one of the most reused kits in the third quarter, counting the number of different domains used to deliver each kit shows that kits that abuse Adobe and m and t Bank are top leading toolkits Adobe with more than 500 domains just during q3. I know and m and t Bank with more than 400 domains. They said the reusing behavior of toolkits is more evidence of the trend of the fishing landscape that continues to scale. Moving to a fishing as a service model and utilizing free internet services. Phishing attacks are more relevant than ever.
(00:55:02):
And it's interesting cuz their mention of utilizing free internet services. Remember that was the one thing that the technical director of ncsc, who was the subject of last week's podcast, one of the things he said was, I wish something could be done to limit free hosting services. That is where so much of the problem is. And at the same time he said, But what can you do in an open government can't shut again? Yeah, exactly. But here, utilizing free internet services, the ability to just spin up a free hosting and create free internet service, that's a problem. But think about that 299 distinctly different fishing toolkits. And as I said, what we've learned from observation is that the easier something is to do, the more it will be done. The log for J vulnerability never swept the world as was originally feared because it turned out that the nature of the vulnerability meant that there was no one size fit all exploit for it available.
(00:56:16):
And if the script kiddies can't use something, then it's us significantly curtailed. But if script cuts can use something, then a feeding frenzy is the result. So on the front end, it has never been easier to get into the fishing business. And on the back end, there's a huge market for the services of the so-called initial access brokers. They're the ones who perform this, who develop initial access and then resell it. So any credentials that a phishing campaign can manage to obtain will find a ready market among those who can turn them in the devastating network attacks.
(00:57:05):
I do have one little bit of news before I talk about initial access brokers. And that is Akamai reported seeing, although this was in their admittedly very skewed sample set in, and which I'll explain, they saw a 40% increase from 25% to 65% in the use of DNS over tls. But that's not global. That's their enterprise and their own small and size business customers. But still, although this doesn't represent the world a large currently, more than 70% of all DNS remains over UDP and it's, But what I think will happen is this will be a very gradual change as new systems are engineered from scratch, it's more likely that those new solutions will probably choose one of the encrypted forms of DNS rather than old school udp. So we can hope, and it certainly says something that went that Akamai's own enterprise and small and medium sized business customers really have started to adopt DNS over tls.
(00:58:28):
As for initial access brokers another third quarter report came out from a threat intelligence firm, kela, K E L A. They published a report on the initial access broker side of the network Intrusion marketplace's report stated that during just this third quarter, this past third quarter that just ended this year, they found over 570 unique network access listings for sale with a cumulative requested price of approximately 4 million US dollars. Okay, so just to be clear, someone responding and agreeing to purchase one of these 570 listings would be receiving, and this is something that's done through a tour hidden service on the so-called dark web. They would be receiving the means to log into an unsuspected company's network with useful network privileges within that set of 570 listings. The average price to purchase access was $2,800 and the median price was $1,350. And prices have been rising since the second quarter.
(00:59:57):
The total number of listings remained almost unchanged between the second quarter and the third quarter appearing at the rate of around 190 new access listings per month. So think about that. So there's a marketplace where people could go and in fact, as we'll get to it later, remember the numb skull Floridians, they actually went here and they asked for access to CPA and tax preparer networks. I mean it's that this marketplace is that specific. You can go there and you can say, I want to get into the networks of these types of businesses and you can purchase credentials that do that. And those new credentials are appearing at the rate of 190 listings per month.
(01:00:59):
That's six and a quarter new listings per day, by the way. So anyway, at the average price, $2,800 to purchase access to somebody's network and typically there's 570 of them up at any one time. Wow. Okay. We will get to Florida in a minute. I found an interesting little bit about that, shared some details about how bank heist work although they don't receive a lot of coverage over the past decade, banks have not escaped ever increasingly sophisticated cyber attacks. Many banks have been hacked and have collectively lost billions of US dollars in serious intrusions. The two most notorious and successful threat actors that pulled off successful bank heist were a group called Carbon Act and also North Korea's Lazarus Group A which is an apt, an advanced persistent threat group. Lazarus we've talked about before the attack geography, interestingly enough, has been evolving over time.
(01:02:14):
Initial cyber, hes tended to target organizations in North America and in Europe. Once those regions were fully explored and security began tightening up, there was a move into Asia and Latin America. But as those banks also began to seriously upgrade their network defenses and security movement has been now more recently in the direction of Africa, a region that is until now been left largely unscathed. But a joint report published this week by security firm group, IB and Orange's cert team, a French speaking cyber group tracked as their, okay, we'll, we'll pronounce them operator, although the T is a numeral one. So O P E R A numeral one er, also known as common raven or the desktop group. They've recently been wreaking havoc across the African continent. Well recently from 2018 through 2021. This report covers nothing in this report since then. But actions that have continued, the researchers said they linked this operator group to 35 different intrusions at different organizations across 15 countries in Africa with most of the targets targeting banks group ib.
(01:03:44):
And the orange researcher said that while the group used basic fishing attacks and off the shelf remote access Trojans to gain an initial foothold in their victims' networks once inside a network, this operator group has exhibited both restraint and patience. Some intrusions lasted for months as the group moved laterally across banking systems, observing, mapping the internal network topology and patiently waiting before springing their attack. The group's target was banking systems that handled money transfers. And this is what I found so interesting. The report explained once their network penetration had reached those most sensitive systems where the actual money transfers are managed, the group would set a time for the heist. And working with a large network of some 400 money mules would orchestrate a synchronized, coordinated transfer of funds from the bank's larger legitimate accounts into the 400 mule accounts. With the money mules immediately withdrawing the stolen funds from their accounts via ATMs in a coordinated ATM cash out before the bank's employees had the opportunity to react.
(01:05:20):
The mules would refresh the ATM screens at the appointed time waiting for their account balance to suddenly jump up. Then they would drain the cash, drain the account for cash and quickly leave the area. Thus, of course, bringing new meaning to the term decentralized finance. The group one B researchers said they had linked operator intrusions to bank heist totaling $11 million. But the group is suspected of stealing more than 30 million total, though not all the incidents have been formally confirmed. So anyway, I thought that was interesting. The bad guys get in using fishing or remote access. Trojans set up a presence in the networks, explore the networks, being quite patient, sometimes taking months until they determine what is there and get into a position where they're able to actually perform account funds transfers. They then reach out to their network obviously a PREESTABLISHED network of 400 individual, I mean in individuals who then at a prescribed time go to ATMs where their own mule accounts have suddenly become wealthy and dump all the cash out of the ATM that they can and then take off and head somewhere else just to sort of keep an eye on Defi.
(01:07:09):
Not to anyone's surprise the Defi platform. Skyward Finance confirmed last Wednesday that a clever hacker had exploited a vulnerability in its smart contract system and Madoff with 3 million of cryptocurrency. And I guess at this point for us, the proper expression would be, or the response would be a yawn and the D five platform. So end, S O L E N D said it lost 1.26 million worth of cryptocurrency following an Oracle attack on its platform, which targeted the Hubble S h or S D H currency. So it's hard to keep track of all these things these days.
(01:07:56):
Leo, you're gonna love this one in a big what in the world took them so long bit of news, the Russian Ministry of Digital Development surveyed the country's largest IT firms, Russia's largest IT firms to obtain their recommendations for the best replacement for windows across Russian government and private sector networks. The three contenders are all Linux based operating systems because what else could they be? Yeah, they are. I mean, you're right. There is nothing else, right? What are they? Make it Mac? No, of course not. No, no. So they are the Astra Linux Alt Os and Red os. Red OS is the Chinese one, isn't it? The China has its own Linux distribution. The Chinese Communist Party recommends. Yep, yep. It would certainly make sense that it was red Os red, yeah. <laugh>. And again, how many times have we wondered what has taken them so long?
(01:09:07):
How could Russia be using windows? Yeah, it just astonishing mere, They're often using pirated copies of windows and often using out of end of life pirated copies of windows. So it's hideously insecure chi. The Chinese Linux is Kylin Linux, K Y L I N, and it's specifically for the mainland China market. Well, and get this, it turns out that Russia would not have moved away from Windows, but for their attack on Ukraine. Reportedly the Russian government is seeking a replacement. Only now after Microsoft pulled out of Russia, stopped delivering security updates to Russian systems and started blocking Russians access to Windows installation files. In other words, Microsoft left them with no choice. Yeah. So, okay. Linux again. I know, I wonder, I if, I guess I don't because they're moving to an open source operating system. Our NSA probably knows all about Linux and just as well as it does windows. So it probably doesn't really make a difference one way or the other. Okay. Leo, this one. Wow. We've all seen stories where in the midst of battle prominently marked Red Cross trucks come barreling in carrying non-combatants, wearing wide red cross arm band emblems with the hope and expectation that all combatants in the area, no matter who side they're on, will respect the Red Cross's global neutrality and allow them to care for the wounded in a bizarre and, Okay. I was gonna say interesting, but I think bizarre wins <laugh> move.
(01:11:15):
They're trying to do this in cyberspace. After two years of study. Last Thursday, the International Committee for the Red Cross, the I CRC, has published their resulting report, again, took 'em two years, titled, Digitizing the Red Cross, Red Crescent and Red Crystal Emblems benefits, risks, and Possible Solutions in explaining their intention. <laugh>, they wrote, as society digitize cyber operations are becoming a reality of armed conflict. A growing number of states are developing military cyber capabilities and their use during armed conflicts is likely to increase the I CRC International Red Cross has warned against the potential human cost of cyber operations, and in particular, the vulnerability of the medical sector and humanitarian organizations to cyber operations, both having been targeted in recent years. Against this background, the I CRC decided to investigate the idea of reflecting the internationally recognized distinctive Red Cross, Red Crescent and red crystal emblems in the information and commun communication technology I e a digital emblem. Since 2020, the I CRC is partnered with researched institutions to explore the technological feasibility of developing a digital emblem and convened a global group of experts to assess its potential benefits and risks. The idea and objective of a digital emblem was straightforward for over 150 years. The distinctive emblems have been used to convey a simple message in times of armed conflict. Those who wear them or facilities and objects marked with them must be protected against harm.
(01:13:34):
Well, good luck. I wonder whether during these past two years of study those working on this have noticed how many hospital networks have been cyber attacked? Yeah. We're not dealing with declared hostilities in a battle theater where there's any sense of honor and conventions, Geneva or otherwise. I'll be interested to see how this one plays out. I mean, and what would prevent non Red Cross organizations from putting up a Red Cross seal in order to protect themselves from attack? I mean, it's just loony now. Okay. Okay. Last Tuesday, the Department of Justices, US Attorney's Office for the Middle District of Florida posted a press release with the title band of cyber criminals responsible for computer intrusions nationwide indicted for RICO Conspiracy that netted millions. Okay. And now that's 36 millions to be precise. Okay. The alleged tax fraud crimes took place between 2015 through 2019.
(01:14:57):
DOJ officials said the group first purchased credentials from the dark web, allowing them to gain access to the internal networks of several certified public accounting and tax preparation firms located across the us. The group accessed the CPA and tax prep networks, stole the tax returns of thousands of tax payers, created six tax preparation businesses in Florida and then set of bank accounts and everything. I mean, full working businesses and used those companies to those six tax preparation companies to file more than 9,000 fraudulent tax returns in the victims' names and hijacks hijack text refunds, directing them towards their own accounts. And surprise surprise, somehow this was detected and they didn't get away with it. Now they're all facing on the order of 20 years behind bars for RICO charges and fraud and money laundering and interstate felonies and you name it. I think what was most interesting and illuminating about this was the idea that I mentioned before that things are so well organized on the dark web, that it's literally possible to search for network access by entity type is like, Yeah, I'd like to purchase network access credentials for CPA and tax prep firms in the us.
(01:16:44):
How much for how many? Wow this piece from Microsoft, I'm not sure about. This seems a little sp to me.
(01:17:00):
It appears to be the month four reporting and Microsoft is also out with their annual digital defense report. The report contained a great many interesting tidbits and buried among them was Microsoft's observation of an interesting change in China's profile. The observation begins with Microsoft noting that China's advanced persistent threat actors have leveraged significantly more zero day vulnerabilities during the past year than anyone else. Now, although most or if not all a p t groups rely upon zero day vulnerabilities for their exploits, Microsoft said that it had noted Chinese threat actors had an increased number of zero days over the past year. And most interestingly, Microsoft believes the sudden spike in zero day exploits exclusively by Chinese threat actors is the direct result of a new law passed by the Chinese government last year. We talked about this last summer. The new law was passed in July of 2021 and it entered into effect in September of last year, 2021.
(01:18:23):
It requires all Chinese security researchers to report to first report any new vulnerabilities they find to a state security agency. And yes, at the time this did raise some eyebrows. It was roundly criticized within the security industry. While the Chinese government claimed that it only wanted to maintain an accurate catalog of vulnerabilities for the sake of making sure that local companies would not dodge responsibility for failing to patch vulnerabilities in time. Thus leading, obviously Chinese users and government networks are exposed to attacks. Right, and that sort of sounds like a reverse engineered rationale to put a point on it, the new law also contains several generically worded clauses that could be interpreted to suggest that the Chinese government was setting up a secret process through which its offensive. Cyber units would have access to this trove of privately reported at the time unknown vulnerabilities while simultaneously suppressing the work of the InfoSec community for the benefit of the country's espionage operations.
(01:19:45):
Although no solid evidence has come to light to support these theories, mfo, Microsoft appears to be sold on this narrative in its latest report they wrote this new legisla, this new regulation might enna. This is Microsoft writing. This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them. The increased use of zero days over the last year from China based actors likely reflects the first full year of China's vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero day exploits as a state priority. To put a little more meat on the bone, Microsoft listed five specific zero days as possible. Examples of abuse to two in Zoho manage engine and one inch in solar winds serve you. Atlassian Confluence and Microsoft Exchange were exploits of these five zero days developed by Chinese a p t threat actors after they were reported through Chinese in-house vulnerability disclosure rules.
(01:21:09):
We don't know. Maybe on the other hand, would anyone be surprised to learn of zero days in those applications? Has all of that software been repeatedly plagued by major vulnerabilities and zero day exploits discovered by other researchers and exploited by other threat actors? Of course of that, there could be no doubt. So perhaps a more accurate and rounded assessment would be that we cannot blame Chinese a p t actors for looking at what everyone else is looking at and discovering the same zero days that others are finding. Could they be getting a little help from the State's mandatory disclosure law again, maybe, but public evidence seems to be sorely lacking. What I wondered, maybe reading between the lines is whether Microsoft actually knows more than they're able to disclose without reeling, without revealing their own sources and methods which they need to keep secret. Maybe this is a little bit of a shot across the bow saying read between the lines China because here's five zero days that we think are suspicious. Maybe they have grounds and they just can't talk about it.
(01:22:29):
And Leo, I need a sip of water <laugh> absolutely to continue talking about things. Well, I'm gonna just take a little moment then while you're drinking water although maybe later tonight you'll be drinking a little more red wine I think <laugh>. So to talk about Club Twit, a lot of what you hear on the network of course is ads supported, but ads don't cover all the costs and increasingly they're covering less and less, fewer and fewer of the costs. I haven't mentioned this before, but it costs us, Lisa told me this recently and I kind of almost fell over about three and a half million dollars a year to run twi. That's for salaries, rent, technology, all of that stuff that excludes anything I get paid or Lisa gets paid. That's a lot of money and advertisers have been great for us and they've covered that for a long time.
(01:23:30):
That may not continue. It's starting to look like it might be a little bit of a desert next year and that means Club TWiTs gotta fill the gap. Cuz honestly I'm skit. I don't <laugh> do it. So <laugh>, that means you and it means seven bucks a month less than what you'd pay for a couple of venti tall 20 shot lattes. But it also makes such a big difference in our operating budget. What do you get for seven bucks? I'm not gonna ask you for money, it's less than Twitter blue I might add. I'm not gonna ask you for money without telling you what you get. You do get something, you get ad free versions of this show and every show we do, you get shows we don't normally put out in public. We put every once in a while we'll put a hands on Mac or hands on Windows out, but there are many more of those.
(01:24:21):
Paul Throt and Mic Sergeant do those Inside Club Twit for the most part. Partly that's because Club Twit launches these shows just as it did with this week in space. And then as they gain legs, we can put them out as real, as real grown up podcasts. We also do an Untitled Linux show with Jonathan. Ben does a great job every Saturday afternoon right after the GFIs with Vicky Bartolo. He does a great job. Stacy's book club every other month. There's a lot of content, there's a great Discord server which is always very active. You're also supporting, I don't usually mention this, but you're also supporting things that are open to all as a club TWiT member, our IRC for instance which doesn't cost a lot, but it helps out our TWiT forums the twit Do community forums and a place that's become really busy of late.
(01:25:12):
Our twit mastered on instance twit.social. I recently just had a subscribe to a much to the top level tier with our host because it was so much traffic. I think we had 7000% increase in users over the last five days and I think it's gonna continue, which is, I'm thrilled. But all of that comes from Club twi. So you're really supporting a, I think a great effort, an important thing. You get ad free shows, you get the discord, you get new shows and other shows that we don't put out in public. Seven bucks a month. So this is my pitch to you if you like what we do at twit and you know what? It's completely fine if you can't afford it. I understand completely. There's no pressure, no peer pressure to do this, but it sure is nice if you do twit.tv/club. It's a way to show Steve and all of our hosts that you appreciate what they're doing. And by the way, if you just wanted an ad free version of security now we do offer that same page. TWiTT TV slash club, TWiT buy itself. That's just $2 and 99 cents a month. I would say spend the extra four bucks, get it all. But that's up to you and I thank you in advance. And now I return you to your fully hydrated host of security now Steve Gibbs <laugh>.
(01:26:37):
Yes. Okay, so I love this idea. I'll be interested to see what feedback I get from our listeners cuz not everyone might like it. But it's interesting the UK's cyber group, the NCSC will be scanning its public network space looking for known vulnerabilities. I think this is an interesting trend. We were of course just talking about the UK's G HC G C H Q NCSC Cyber Division last week when we covered the retirement of his technical director after his 20 years of service. And he certainly knew this was happening cuz this had to have been in the works for a while. So it was with interest that I noted what I think is the NCS C'S excellent plan to periodically scan its own UK IP space, searching for known vulnerabilities which are accessible on the public internet and reporting them for remediation to the owners of those IP addresses.
(01:27:40):
I think this is a terrific idea. So they have an information page, which they titled NCSC scanning information not too long. I'm just gonna share this cuz it's sort of in a Q and a fashion. They said this page provides information on the NCSC scanning activities. You may have been referred here by information left by one of our scanning probes if a system you own or administer has been scanned. So they ask why is the NCSC carry out scanning activities? They say a part of the NCS C'S mission to make the UK the safest place to live and do business online. We are building a data driven view of the quote, the vulnerability of the uk.
(01:28:32):
This directly supports the UK government cybersecurity strategy relating to understanding UK cyber risk. This will help us to three things better understand the vulnerability and security of the UK Help system owners understand their security posture on a day to day basis and respond to shocks like a widely exploited zero day vulnerability. That's interesting. So they'll be on top of that when they find out something new like heart bleed for example. They would immediately scan the UK's web servers and be proactive rather than passive. Next question. How does the NCSE determine which systems to scan? They answer these activities cover any internet accessible system that is hosted within the UK and vulnerabilities that are common or particularly important due to their high impact. The NCSC uses the data we have collected to create an overview of the UK's exposure to vulnerabilities following their disclosure and track their remediation over time.
(01:29:42):
Boy, this just sounds wonderful to me. Next question, How is scanning performed To identify whether a vulnerability exists on a system, we first need to identify the existence of specific associated protocols or services. We do this by interacting with the system in much the same way a web browser or other network client typically would. And then analyzing the response that is received. For example, we may be able to determine the existence of a vulnerability known to exist in version X of a type of commonly used web server software by making a web request to the url and then they give an example.dot/login.html and detecting the value version X in the content of the page that is returned. If the vulnerability is then remediated in a subsequent version Y, we can identify this by similarly detecting the value version Y in the response. By repeating these requests on a regular basis, we maintain an UpToDate picture of vulnerabilities across the whole of the uk.
(01:30:56):
Wow. What information does the NCSC collect and store? We collect and store any data that a service returns in response to a request for web servers. This includes the full HTTP response, including headers to a valid HTTP request for other services. This includes data that is sent by the server immediately after a connection has been established or like the SMP headers for example, or a valid protocol handshake has been completed. We also record other useful information for each request and response such as the time and date of the request and the IP addresses of the source and destination endpoints. We design our requests to collect the smallest amount of technical information required to validate the presence slash version and or vulnerability of a piece of software. We also determine, I'm sorry, we also design requests to limit the amount of personal data within the response.
(01:32:02):
In the unlikely event that we do discover information that is personal or otherwise sensitive, we take steps to remove the data and prevent it from being captured again in the future. Question, how can I attribute activity on my systems to NCSC scanning? They answer all activities performed on a schedule using standard and freely available network tools running within a dedicated cloud hosted environment. All connections are made using one of two IP addresses, 18.1 7 1 7 2 4 6 or 35 1 77 1 0 2 31. And they said note that these IP addresses are also both assigned to scanner.scanning.service.ncsc.gov.uk with both forward and reverse DNS records. So that's very cool. That means you could do a DNS lookup on scanner.scanning.service.ncsc.gov.uk and it would return those two ips. Or if you did a reverse lookup on either of those ips, that's the DNS that you would get to know what that was. So they said scan probes will also attempt to identify themselves as having originated from ncsc where possible, for example, including the following header within all HTTP requests.
(01:33:49):
And the header is X hyphen, NCSC hyphen scan, colon, NCS C scanning agent. And then they provide a URL to the page that I've been sharing for so people can find out what's going what that's about. What precautions and safety measures does the ncse take when scanning they answer? The NCSC is committed to conducting scanning activities in a safe and responsible manner. As such, all our probes are verified by a senior technical professional and tested in our own environment before use. We also limit how often we run scans to ensure we don't risk disrupting the normal operation of systems. And finally, can I opt out of having servers that I own or maintain being scanned? Answer yes, please contact scanning@ncsc.gov.uk with a list of IP addresses that you wish to exclude from any future scan activity and we will endeavor to remove them as soon as possible once validated.
(01:34:58):
So si, as I said, sign me up as a fan of this concept, given the sad and sorry state of so many, so much consumer crap. And unfortunately the patch latency of so many enterprises all of which is hung out on the internet to be attacked. I think this makes a huge amount of sense. I mean it's not like we're not all being scanned all over the place all the time anyway. I mean I referred to it, it was one of the first acronyms that I, or abbreviations that I coined and that was IBR because I started getting involved in internet security and I thought, what is all this packet noise? And so it's internet background radiation, it's just random crap out on the internet that hits all of our ips from time to time. So I think it would be great if the US could take up similar responsibility and do something like this or maybe defer to individual ISPs to police the traffic on their own networks and inform their customers.
(01:36:18):
Well this was the big argument some years ago when spam, well it's still a problem, but when it was really a problem, all a ISP would've to do is block port 25 at the SMTP port and they would effectively kill spammers on their network. And for a long time, companies like Comcast, the biggest ISP in the US wouldn't do it because they were afraid of the huge cost of tech support calls from people saying, Well I can't send my email anymore. And they eventually did do it. So ISPs, we've talked about this before, ISPs could without doing the scanning that the British are doing, do a lot to police the outbound traffic from their Yep. And because they don't have to haven't done it, they have not been made to do it. Yeah, and I think that their blocking of Port 25 was also self-interest because they were getting complaints from their network was sending all the spam and it was it a customer in their network.
(01:37:23):
Cox, my cable provider blocks port 25. So I have a way around that in order to contact my SMTP server at grc. But something has to be done. Just a quick note about Twitter, since I'm about to share two listener feedback tweets, as my followers probably know, I have the blue verified check mark seal and so many others who have commented, I'm not going to be paying anything for it. I don't need any advanced features. I'm not paying anything for it now and I'm certainly not gonna be paying a hundred dollars per year to keep it. Well it would also devalue it because anybody pays eight bucks regardless would get it. So it's no longer verifies that you are who you say you are. It only means you paid eight bucks. So it completely devalues. It doesn't mean verified anymore. So if it's taken away, I'll still be me.
(01:38:22):
I'm not paying either. In fact, I got off Twitter, I'm done with that. I did note one thing in passing, which I thought was interesting, the Twitter alternative Mastodon reported that it had recently reached, not surprisingly, an all time high of 655,000 active users after an influx of get this 230,000 new users just last week alone, up to a million now. And our server has 7000% increase in users, a 2000% increase in interactions. Wow. You should join. Can I put a plug in for twi.social? I would love to have you. We even have on twit.social, we have a custom icon that's your head. So I think you need to Well I should know, all I really do with my Twitter account is tweet the link every, and you don't have to give up Twitter to do that, but I suspect if you joined Twitter social, you would probably get in some very interesting conversations.
(01:39:30):
Cuz people who listen to our show are, many of them are there. And the thing to understand about Mastodon is I'm running, it's federated. So I'm running, it's like email, I'm running a server. But you can follow and people can follow you from all over the Fed averse. If you were, and I will give this to you@stevetwi.social, everybody would know to follow you or if you wanna be G sg grc, whatever you wanna be, you can be, Well, I should be, I don't wanna getting very engaged in conversation. That's not what you don't have to, it's it, It doesn't require it. It's up to you. I'm not gonna push you into it, obviously. In fact, one of the great things about Macon, I'm a little reluctant to promote that we do this cuz I don't want a whole influx of Twitter people in here. I want people who are nice people <laugh>.
(01:40:23):
Well good news is Leo, the only people who are hearing this are the people are want Yes. Are nice people. A very good way of putting it. Yes, it's a safe space here. And that's how I feel about GRCs news groups. It's, it's a fabulous place where I'm able to get real work done. I should mention that I will be firing up a mailing list. Finally, I have to do it in order to announce spin. Right? Six one to all of spin, right? Six OHS owners. Exciting. So that has to happen and I'm gonna create a number of different sublists and so forth. And I'm thinking as Twitter becomes sort of an uncertain deal and frankly they're an awful lot of our listeners. Who are they? They're always refused to be on Twitter. So I will probably, one of the things that I'll do once I get a mailing system running is to just send out a short note every week to containing the show notes link because Oh, that's a great idea.
(01:41:26):
Yeah, yeah, that's a great, that way everyone will be able to get it. So okay closing the loop. Two bits of feedback. As I said I wanted to note that it was fun to receive all of the feedback from my discussion of my preferred keyboards last week, Leo. Not surprisingly, lots of people had opinions about keyboards there. There's lots of discussions going on in various places now. So it turns out that I'm far from the only one who cares passionately about basically the way their primary device feels under their fingers. David Stricker said this week you talked about alt tab acting as MRU most recently used. He says, But alt but controlled tab as round robin Firefox has an option to set control tab to act in mru. And it's one of the reasons I use it over chromium based browsers. He said, I opened a bug with Chrome to allow MRU and their response was simply won't fix.
(01:42:35):
So we said FF and then space F t W. So anyway, I just wanted to share with our listeners something I never knew, which is that there was an option in Firefox that would allow you to change the behavior of control tab so that it is not round robin, but mru and I would find that much preferable PC owner. He said, Steve, what is the best commercial cloud storage secure, encrypted question mark. Okay, well I know that there are many choices but I did wanna mention I am still just to renew still a fan of sync.com, who I haven't talked about in a while. I've set up sync to completely manage the file synchronization between my two locations and it has never failed me. It's completely TNO trust, no one end to end encrypted. It has apps for iOS and Android of course runs under Windows and Mac presents a sync directory under Windows and Mac and allows for managed public link sharing despite the fact that it's end to end encrypted.
(01:43:54):
So it has all the features that you would expect from a mature, secure, encrypted commercial cloud storage provider. What I did was to move a bunch of sub directories that already existed on my system under this auto under syncs automatically synchronizing sync directory. So for example, I have C colon back slash asem where all of my assembly code work lives. So I moved that entire directory under the new sync directory. Then I used Windows. There's a command in Windows make link MK, L I N K, which creates what's known as a junction point. Linux refers to them as symbolic links or hard links. This creates a junction point where the relocated directory used to be at CCO and back slash this puts a link there so that all of the existing automation and batch files and everything that I have that expects my assembly language stuff to be at C and Bach Orem, it's still there as far as it's concerned, although it's actually under the sync directory and now automatically synchronized between my multiple locations and available wherever I am.
(01:45:26):
The only feature missing and they are painfully aware of it is Linux client support. But I expect that their evaluation of the market for Linux, I understand it's a skewed demographic here in this podcast audience, but Windows and Mac have such a high percentage of the total desktop share that they don't seem to be making much headway on a Linux client. No, cuz this has been going on for years. Yes, I, and I did wanna mention that without question. For me, the best feature, which I have used many times is that everything that is synchronized has full incremental versioning behind it without the user ever needing to do anything. Boy is that a win. And it has saved my bacon a couple times. I was once doing file versioning myself locally, but now it's just all built into the system that I'm using to synchronize, to synchronize my locations.
(01:46:28):
And it's great. They have multiple plans, including a free five gigabyte plan that you can use to get your feet wet and you can bump that, as I mentioned before when I talked about sync to a free six gigabytes if you go to sync.com, but use my affiliate code. Actually you can just go there in one jump if it's grc.sc/s Y N c, grc.sc/s Y N C and that'll give you an extra one gig. And I get one outta to my account too. So anyway, still bullish about sync. Again, I know that whenever I mention this I get like 15 people all with different cloud sync providers. So I get it that there are alternatives, but this is the one that I can vouch for. And as I said, it's, I've been using it, I use it every day and it's never let me down.
(01:47:25):
And lastly, oh boy, this is getting exciting. A quick update on where I am and what I'm doing, what I'm not doing. This podcast, I finished all of spin rights data recovery driver testing, all of its working. The oldest drivers for BIOS interface drives, ended up needing a bunch of updating that's all finished and tested as the final piece of work. I turned my attention to spin right's command line interface and it's built in command line help. I updated everything in the online help with the new design. The redesign of the way it's gonna work is finished. So the help guide is reflected to updated to reflect that. Now I'm in the midst of rewriting much of spin right's command line processor to make it well to see, to bring it up to speed with all of the other changes that spin right has undergone.
(01:48:26):
In the process of doing that, I needed to update right's list command, which causes spin right to exit immediately after discovering and characterizing all of the system's mass storage devices, which are accessible to it. It dumps that list in tabular Ask e text to the DOS console for this new spin. We also need a way of selecting drives through the command line. I could have just used the old way of indicating which line item in the listed table we wanted, but spin, right Power users use the command line to automate spin, right? And the ordering of drives could change over time if a drive was unplugged or it went offline, or if a new drive was plugged into a lower numbered port, which would then get enumerated sooner and appear earlier in the table. So a much more robust way of selecting drives is to allow a text match on any fields in the table.
(01:49:26):
Since that includes the drives model number and its serial number, it'll be possible to positively lock selections to specific drives. It'll also be possible to select multiple drives by class. For example, since one of the table's columns is type, it'll be possible to give spin, right? That command type A hci, which will cost spin, right? To pre-select all of the systems A H C I drives, but none others. So that's where I stopped working Sunday evening to put the podcast together. Tonight, Ill, well probably not tonight cuz this is election night, so I will be enthrall. But tomorrow morning, first thing in the morning I'll probably still have the election on in the background, but I'll be working on spin, right? Getting that finished and tested and then out into the hands of our group. So anyway, as I said to Lori during our walk yesterday, it's getting exciting and we have I think we're up to 406 registered testers in our GitLab instance. So we'll have a lot of people pounding on it, and we will move it as quickly as possible from alpha into beta, at which point I can be able to make it available widely.
(01:50:46):
Yay. Is that it? That's it. <laugh>. <laugh>. There was literally something for everyone. I was waiting for you to talk about the guy who had a billion dollars in crypto in his coffee can in his backyard. Did you see that story? I missed it. <laugh>. He had stolen it. Let me see if I can find the details. Oh, I did. I didn't know. I didn't realize it was stolen. I didn't hear something about someone who's stolen a bunch of crypto. Yeah, he'd stolen a bunch of crypto and he put it in on a little board cuz it strikes me, you could just write down the number of your wallet. You don't need to actually, yes, you yes could, But for some reason he decided to put it on a board and maybe he wasn't that sophisticated anyway. He had a, yeah, billion dollars worth of Bitcoin and it, was it a coffee can or it was hidden and he got found?
(01:51:50):
Oh yeah. Oh yeah. He got cut and I think he's been arrested. Yeah anyway, I don't, We'll probably talk about it on Twitter on Sunday <laugh>, cuz it's just a great story. Yeah. Mr. G, if you like what you hear here, you gotta check out his website. grc.com. Yes. Spin rights there. The world's finest mass storage, maintenance and recovery utility 6.0 is the current version 6.1, as you heard, just around the corner, you'll get it for free. If you buy six oh, now you get automatic upgrades. So it's worth doing that. You will wanna have this software if you have a hard drive or an ssd, you gotta have spin right? While you're there. Check out the show. Steve has two unique versions of the show. A 16 kilobit audio version and a transcripts written by an actual human, so they're actually legible and you can use those to search or just read along as you're listening.
(01:52:50):
He also has a 64 kilobit audio grc.com. You can leave him comments there. As you heard. He doesn't really want to talk to you, but if you wanna leave a comment, go to grc.com/comments. Sorry, feedback. Yeah, I don't blame you. I never read at replies either. Or You can go to Twitter, sg grc. Sure. I can't just sign you up, Steve at twit social. It'll be so, so much easier. I do reply to dms, I try to, I'm present, but extended conversations, everyone would rather have spin right than me. So <laugh>, yes, Get to work <laugh>. We have 64 Kilobit audio. We have video too at our website, TV slash sn. There's a YouTube channel. You could subscribe in your favorite podcast client as well and get it automatically the minute it's available. Some people like to watch live at the very freshest hot off the podcast griddle version.
(01:53:49):
We do the show Tuesdays. The time varies depending on how long Mac Break weekly goes somewhere. One 30 to 2:00 PM Pacific is what you're shooting for. 5:00 PM Eastern, 2200 UTC live. Twit TV is the stream. There's audio and video streams there. It's a nice thing having the background while you're working or whatever. And if you're doing that, you might as well chat with us@irc.twi.tv. Club members can also chat in the Discord. And I guess you know what, you could also comment on the TWiT social there. Steve won't see it, but I will. Or on our discourse, our forums@twit.community. So there's quite a few ways to interact either synchronously or asynchronously with me and other listeners. Don't expect Steve to get involved. He's got something better to do. More important <laugh>. Steve I hope you have a calm, relaxing night and we will see you next Tuesday on security now. Thanks buddy. Bye
Jason Howell (01:54:49):
Bye. Don't miss all about Android. Every week we talk about the latest news, hardware, apps, and now all the developer goodness happening in the Android ecosystem. I'm Jason Howell, also joined by Ron Richards, Florence Ion and our newest co-host on the panel When to Dow, who brings her developer chops. Really great stuff. We also invite people from all over the Android ecosystem to talk about this mobile platform we love so much. Join us every Tuesday, all about Android on twi.tv
... (01:55:23):
Security Now.
