Security Now Episode 902 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for Security Now. Last show of the year, Steve Gibson is here. We're going to talk about the results of the Pwn2Own competition. Everybody got hacked, everybody. Then it's the latest on last week's Microsoft Patch Tuesday. And finally, what exactly is coordinated inauthentic behavior? You'll find out. Nothing but authentic behavior, next on Security Now. Podcasts you love

... (00:00:27):
From people you trust. This is TWiT.

Leo Laporte / Steve Gibson (00:00:35):
This is Security Now with Steve Gibson, Episode 902, recorded Tuesday, December 20th, 2022: A Generic WAF Bypass. Security Now is brought to you by PlexTrac, the premier cybersecurity reporting and collaboration platform. With PlexTrac, you'll streamline the full workflow from testing to reporting to remediation. Visit to claim your free month of the PlexTrac platform today. Listeners of this program get an ad-free version if they're members of Club TWiT. $7 a month gives you ad-free versions of all of our shows, plus membership in the Club TWiT Discord, a great clubhouse for TWiT listeners, and finally the TWiT+ feed with shows like Stacey's Book Club, the Untitled Linux Show, the Giz Fiz and more. Go to and thanks for your support. Thanks for listening to this show. As an ad-supported network, we are always looking for new partners with products and services that will benefit our qualified audience. Are you ready to grow your business? Reach out to advertise@twit.tv and launch your campaign now.

It's time for Security Now, the show where we cover your security, your privacy, your online agenda, with this guy right here, the King of Security, Mr. Steve Gibson. Hello, Steve. I'm Leo. You'll be glad to know, actually Paul Thurrott will be very glad to know, that I left my Grinch costume <laugh>. You are so good. Lisa and I, so we're talking about the show that's not yet aired. It's gonna be a Christmas Day version of TWiT: Steve, Jeff Jarvis, Doc Searls, Paul Thurrott and I were the old guys talking about the year's news and so forth. But Steve really dressed it up with his Grinch costume <laugh>. And the thing that I was so impressed with is you didn't just do it and then, you know, like a token Grinch; you kept it going the whole two and a half hours <laugh>. He was doing his hands, and you were impressive. <Laugh>

Lisa and I both were really impressed, I have to say <laugh>. Well, now everybody listening is thinking, okay, I didn't know if I was gonna make time to actually watch a podcast on Christmas Day, but maybe. But you can watch it whenever you want. You can watch it next year. I gotta see Gibson being the Grinch <laugh>. No, I thank you. Steve goes all in. He put his heart into that. And it's one of the reasons, you know, I think that this show does well, and you really help the network. I'm very grateful to you and always will be, Steve. We don't have a show next week. We have a best-of; you can take next week off. Oh goodness. Oh, what'd I say? What? No, no, that's okay. I get to work. It's been right. It's gonna be a major spin ride.

If you wanted to take six months off, it wouldn't be me that you'd have to worry about, or Lisa. Oh, I know, it'd be the fans. You can't know how many messages I receive about new ways to number the shows. I know. So that 999 is not a problem. That's gonna be a bad day in BlackRock when that happens, but it's not gonna be good anymore. Think about when, on episode 900, it was only two weeks ago, when I said, yeah, we have a hundred episodes left. So I got immediately scolded: Gibson, where is your, you know, off-by-one math <laugh>? That would be 99 shows left. It's like, oh, that's an overflow. Oh, a math overflow. Buffer overflow. But I have to be very careful when talking to our audience, Leo. But that, I think that's why they appreciate my being absolutely as I can be.

Absolutely. This week we're going to answer another collection of burning questions. First, is there no honor among thieves? What was discovered during this year's Toronto Pwn2Own competition? What did we learn from last Tuesday's patch fest? Whose fault was the most recent Uber data breach? What happened when Elon tried to block all the bots? What's the first web browser to offer native support for Mastodon? What exactly is coordinated inauthentic behavior, and why is it such a problem? Hmm? What will happen to GitHub submitters at the end of next year? What measure could every member of the US Senate possibly agree upon? Oh God. Exactly what applications <laugh>, exactly what applications are there for a zero-width space character? And finally, what larger lesson are we taught by the discovery of a serious failure to block a problem that we should have never had in the first place?

The answers to all those questions and more <laugh> await the listeners of today's Security Now podcast, 902. See, now this is exactly why you gotta do more than 999 shows. You've come up with the perfect way to introduce, to tease, the show. It's perfect. All those questions and more will be answered. I like, you know, and my theory, it matches my theory of life. Just as you're taking your final dying, last gasp of a breath, you figure it out. Oh, you don't, I thought you were gonna say, you say, is that all there is <laugh>? I was like, oh, I finally get it. Oh, I get it. Eureka. That's right. And of course, the kids never wanna listen to Gramps. He has no idea what he's talking about. So yeah, I just keep it to myself. Yeah, <laugh>, we yell at the clouds so you don't have to.

That's right. Let's take a little break, and then we're gonna get into the answers to all those questions and more with Steve Gibson. And of course, I forgot to mention the title of today's podcast. Oh, what is it? A Generic WAF Bypass. Were any of, is that the answer to any of those questions? <Laugh> Happy holidays <laugh>. A Generic WAF Bypass. All right. A generic WAF bypass is, it is involved with the larger lesson that we're taught by the discovery of a serious failure to block a problem that we should have never had in the first place. So that's what I thought. Okay, so that last one. Ah, that's right. Is the last. That's right. Okay. Boy, what a, yes. I don't even, I have a buildup to that one. <Laugh> That's why you listen to this show, right, folks?

That's exactly right. And you know, one of the reasons we have such great sponsors on this show, cuz they know the people listening to this show are focused on tech. Many of them, you know, are responsible for security in the workplace. That's why PlexTrac wants to tell you about their product. PlexTrac is your security team's secret weapon, and a mighty fine tool it is too, for blue teams, for red teams, for the teams in the middle, the purple teams. PlexTrac is the premier cybersecurity reporting and collaboration platform. And it really changes the way you're gonna get your job done. Cybersecurity absolutely needs PlexTrac, right? Because wouldn't it be nice? Here's a question. Wouldn't it be nice to gain control of all your tools, all your data, you know, get it all in one place, build more actionable reports, focus on the right remediation, and, even more important, communicate what needs to be remediated to the blue team effectively?

Are you working to mature your security posture, but struggling to optimize efficiency and facilitate collaboration within your team? Oy, this is the perfect solution for you. PlexTrac, it is a very powerful but easy to use, very simple cybersecurity platform that does a bunch of different things. It centralizes all your security assessments, your pen test reports, all your audit findings, all your vulnerability tracking, and makes it easy for you to generate those reports so you can get these things fixed. It transforms the risk management life cycle. It lets security teams generate better reports faster. You can aggregate and visualize your analytics. You can collaborate on remediation in real time. So bottom line is, it helps you get your job done. Fewer keystrokes, less work making a report, more time to do the testing. PlexTrac is amazing. It addresses all the pain points across the spectrum of security team workflows and roles.

We'll start with: it's second to none for managing offensive testing and reporting security findings. It'll run your pen test, but then you can take the code samples generated, the screenshots, you can add videos to any finding. You can import findings from all the major scanning tools, Nessus, Burp, whatever it is you use. Import it right in. You can create custom templates so that, you know, you do that once, and then from then on, at the click of a button, your report is generated. You get analytics and service level agreement functions to help you visualize your security posture, which means you can quickly assess and prioritize, to ensure you're tracking remediation efforts for your compliance efforts, to show progress over time for the C-suite, the board. You get built-in compatibility with industry tools and frameworks: vulnerability scanners, pen testing as a service platforms, bug bounty tools, adversary emulation plans.

It allows you to improve the effectiveness and efficiency of your current workflow. You get robust integrations with Jira and ServiceNow. So that's nice, cuz you create and you're generating these reports, but now you're also closing the loop on the highest priority findings. Enterprise teams can use PlexTrac to streamline their pen tests, security assessments, incident response reports, and so much more. And you're gonna love it, cuz it takes the burden of reporting off of you, makes it easy to do, so you can focus on the thing you're there for, which is to do all these assessments, right? To find these problems. PlexTrac clients report up to a 60% reduction in time spent reporting. Wouldn't that be nice? Wouldn't that be nice? You get a 30% increase in efficiency and a five x ROI in year one. All in all, PlexTrac provides a single source of truth for all stakeholders, transforming the cybersecurity management life cycle.

I think sometimes it's hard to say, well, I need this tool for reporting. You know, it's probably not so hard to say, well, I need this or that to do some testing. But the reports are how you communicate your results to the people who could fix the problem, to the people upstairs. And it should be easy. It shouldn't be the thing that takes your time. Book a demo right now, see how PlexTrac can save your team. Try it free for one month. See how it can improve the effectiveness and the efficiency of your security team. Blue team, red team, purple team. Simply go to plextrac.com/twit and claim your free month. Now please go to that address, P-L-E-X-T-R-A-C dot com slash T-W-I-T. Okay. So that way they know you heard it here.

plextrac.com/twit. We thank PlexTrac so much for supporting Security Now and the efforts of this cat right here. Don't forget plextrac.com/twit. Now I am ready for the picture of the week. And this one, ooh, really? Ooh, is interesting. Yes. So I titled this Old School Message Routing. And it would be difficult to adequately describe this, but it's a fascinating picture, and if nothing else, Leo, it shows us how far we've come, because what we have is... I'm old enough to remember going to a department store, buying something with my mom, and the clerk would roll up the slip, put it in a tube, pneumatic, like a cylinder. A cylinder, and shove it into one of these holes. Yes. That is a pneumatic delivery system. And my earliest memory of that was when you did, you know, auto ATMs. I remember that.

Oh yeah. We still have one in town. Earliest, yeah. Yeah. Where you'd actually stick your checks and things in this plastic cylinder and then stick it in this tube, and then off we'd go, and it was so satisfying <laugh>. Oh, it's wonderful. So, okay, so what we have, if people could imagine a bunch of tubes that have sort of a catcher at the end, so that this cylinder is gonna come flying out of this tube and stop. This is the switch room, which involves all of the ends of these tubes. And some poor guy who's standing there, I guess, picking cylinders up that have arrived in one tube and then sticking them up in another tube, and off they go, you know, back on to their destination.

This looks like a message routing or switching room for pneumatic tube transfers. But now what's interesting is that I don't see any labels on these things. There's like, I don't know, 30 of them or 20 of them that we can see, and then over on the left a whole bunch, like other rows of them. This is just fascinating. This is the inbound, this is your inbox <laugh>. I don't know what you would do for outbound. Yeah, I guess you have to remember where it came out of. These are called, according to the chatroom, Lamson tubes, and there's a website dedicated to it. Oh, that's so good. That's so good. Amatic dot... And also I love the one there along the ceiling at the top. It looks like it starts to come down and then it changes its mind.

It goes, oh, nope, we're not gonna end here. We're gonna go across and go back up somewhere else. So it's like, okay. And also, when you think about it, these things have some length to them, right? Oh yeah. It's actually a canister that you're able to put documents in. So there's a minimum radius for the bend of these things, or this canister's gonna get stuck trying to go around a curve. So it must be that it had larger ends and a thinner body, or maybe even a concave body that would allow this thing to navigate around a corner, because we can see some corners. They're not sharp, and they couldn't be anyway. Just, you know, completely not about <laugh> packet... Well, it is kind of about packet routing, I guess. Oh yeah, there's this, this is a website all about it. Here's a Scientific American article about the pneumatic tube system of New York City. Now, it was published a couple years ago, but the original article was from 1897. This is why the internet is so... there's nothing you can't find. I mean, there's a website, for crying out loud. Ah, I love it. Amazing. Amazing. I love it. Yeah. And they're all over the world, I guess, these pneumatic... there's a pneumatic railway. I'm not sure I'd wanna ride that <laugh>.

Yeah, just lie flat and tuck your arms in, and we're just gonna close this little lid on this round coffin and send you on your way. Yeah, I think there's a, actually, isn't that Elon Musk's idea for, what does he call that tube system that he wants? Not the Boring Company, but he actually wanted to do a high speed tube. Hyperloop. Hyperloop. Thank you. Yeah, that was last week. Well, no <laugh>, who knows? He's a little busy now. Yeah, yeah. So a malware operation known as URSNIF, you know, "you sniff," which we've noted a few times as they've kind of crossed our radar, is the fourth one this year to suffer from internal squabbles which end up surfacing in the public eye. Disagreements over Russia's invasion of Ukraine, and in some cases strong pro-Russian sentiments, which have divided previous groups, were the nominal triggers in those first three instances.

But for number four, it appears that it's just about greed. You know, that's all the motivation we need. And this is heading toward the answer to the question, is there no honor among thieves? Through a Twitter account, which was @ursniffle, which may still be suspended, it was a while ago at least, an ex-member of this group, this URSNIF group, announced his intention to leak the real-world identities of the top leaders of the group unless he received a significant payout. To prove his willingness to do so, in a succession of tweets he leaked various pieces of internal dialogue, some of the group's source code, and the names of three low-level group members. That was enough to get this person paid. After that, he tweeted, he said, "I just made more money in a single week than I have made in years. Pay workers.

Right? And they won't have a reason to leak stuff." And I couldn't help but note that it's interesting that this person considers this to have been an act of making money. You know? Wow. What a different culture. Apparently the motivation to extort was heightened by something that the head of the group said in an interview with the VX Underground project, though it's not clear what about that was upsetting. The URSNIF leaker tweeted, "The interview angered me. He has been a bad boss for a long time. I've been waiting for the right time to release." And of course, remember that this is a bad boss of a Russian ransomware group. So yeah, bad kind of goes with the territory. It's hysterical <laugh>. Wow. Yeah. I just wanted to collect my paycheck and go home, but no. Yeah.

So I had to extort money in order to get paid, or extort the boss for money. That's right. So anyway, I don't think we can count on all of the major groups to implode, but there's probably a little extra tendency for that to happen within an organization comprised of people who must be aware that what they're doing is not earning an honest day's living. You know, at least I guess we can hope so. Okay. Pwn2Own Toronto 2022 just happened, and it's always interesting to see what hackers wearing white hats are able to do to today's fully patched and up-to-date systems. Right? Because those are the targets. In every case, these things are 100% patched. And we've seen instances in the past where a group will get all ready to demonstrate a vulnerability that they've very cleverly crafted in something, and like the day before their demo, the publisher patches, and not because they told them, right?

I mean, they will end up telling them. All of the things that are done during these Pwn2Own contests end up being communicated to the publisher of the thing that was compromised, but not beforehand. Anyway, so the point is, this is the state of the art, fully patched, as good as we know how to make it, products that these guys are going after. So in the past we've taken people through a blow-by-blow, and sometimes I think that it ends up getting a little long. So I'm gonna summarize this a bit. The recently concluded Toronto 2022 hacking contest focused upon hacking routers, smartphones, printers, and other smart devices. So it was sort of IoT-esque, you know, smartphones, printers, routers and other stuff. It was a four-day contest that ended up getting won by DEVCORE, which is the now well-known Taiwanese penetration testing group.

Okay. So to give everyone some sense for this, I'm just gonna quickly scan down; I abbreviated these to just the bullet points which briefly describe the attacks. And this is just day one. Okay. Day one of the four-day contest: a stack buffer overflow attack against the Canon imageCLASS MF743Cdw printer; a two-bug authentication bypass and command injection attack against the WAN interface of a TP-Link AX1800 router; a command injection attack which caused a Lexmark MC3224i printer to serenade the audience with a well-known Mario Brothers tune; a command injection attack against the WAN interface of the Synology RT6600ax router; a stack-based buffer overflow against an HP LaserJet Pro M479fdw printer; an improper input validation attack against the Samsung Galaxy S22; a command injection root shell attack against the LAN interface of the Synology RT6600ax router.

Again, another improper input validation attack against the Samsung Galaxy S22; a two-bug attack, SQL injection and command injection, against the LAN interface of the Netgear RAX30 AX2400 router. A SQL injection on a router, that's interesting. Anyway, two different stack-based buffer overflow attacks against the MikroTik router and a Canon printer; three bugs, two missing auth for critical function and an auth bypass, in an attack against the Synology DiskStation DS920+ NAS; two bugs, including a command injection, in an attack against the HP Color LaserJet Pro M479fdw printer; five different bugs leveraged in an attack against the LAN interface of the Netgear RAX30, again, AX2400 router; and three different bugs against a Netgear router and an HP printer. Now you know why I'm only doing day one. And remember, these were all 100% up-to-date devices, all cut through, all of that on only the first day.

And it kept going like that throughout the entire event. As we know, LAN-side attacks on routers and NAS devices are much less concerning than attacks that could be launched against the WAN interface. But this contest revealed plenty of both of those, and the number of printer vulnerabilities that still exist... well, I suppose we shouldn't be surprised. But obtaining well-hidden persistence inside a network is an overriding goal of anyone who penetrates an enterprise's perimeter, and printer protocols by their design loudly broadcast and advertise on networks, because their goal is to be found. Unfortunately, this results in highly vulnerable printers shouting their presence and creating a perfect and often unsuspected place for malicious post-intrusion malware to set up shop and wait, thus becoming an advanced persistent threat. So anyway, I just sort of, as a reality check, here's, yes, these guys are at the top of their game, right?

They're the world's best hackers. Yet it appears that all they have to do is look at some device, make that the target of their scrutiny, and they can find a way in. So, I guess anyone listening to this podcast long enough will have lost any sense that <laugh> there's anything that's invulnerable to somebody who is serious about finding a way in. And in fact, that is the story behind today's main podcast story at the end. Okay? And speaking of getting into networks, it's not just lower-end IoT devices that are permitting bad guys to get into networks. Both Citrix and Fortinet, who are two of today's largest providers of enterprise networking equipment, recently released security updates to patch zero-day vulnerabilities, one in each of their devices, that were being exploited in the wild against them.

In the case of the Fortinet zero-day, which created an unauthenticated remote code execution in FortiOS, which is what runs the company's SSL VPN devices, it was the way some ransomware was managing to crawl inside enterprise networks, which <laugh> is never what you want. And it was so bad that Fortinet did the right thing by also offering down-version patches for their older out-of-support devices, which were still running their also vulnerable 6.0 firmware. The zero-day was first spotted being used in the wild by a French security firm last week, and to Fortinet's credit, they patched it over the weekend, in just three days. So props for getting it fixed quickly, but boy, you know, what this French security firm watched were ransomware groups gaining entry to an enterprise network through this vulnerability. So, wow. And I said, you know, two zero-days, one each, Fortinet and Citrix. Citrix's is the other, and it's also an unauthenticated remote code execution exploit. Interestingly, this one was spotted by the NSA. Yep, our National Security Agency. In their security advisory, the NSA wrote that they saw the Chinese cyber espionage group designated APT5 leveraging that Citrix zero-day. But the NSA offered nothing further about what was being done with the obtained leverage. So again, you know, high-end gear also vulnerable, not just low-end stuff.

Last Tuesday was the industry's increasingly well-attended final monthly patch event of the year. And those offering up incrementally more secure improvements in their code and products notably included Adobe, Android, Apple, Microsoft, Mozilla, SAP, and VMware. Microsoft fixed 72 security flaws this month across their range of offerings. And that included a zero-day that was being used to circumvent Microsoft's SmartScreen and Mark of the Web detection, which, <laugh> I got myself tangled up. The zero-day was being used to bypass that to allow standalone JavaScript files to execute, because modern Windows will execute JavaScript natively. And of course we covered this trouble recently. So it's very good that it's been fixed. The other issue Microsoft addressed was a problem that we also noted before here, which was that somehow malicious Windows drivers were being used by the Hive and the Cuba ransomware strains, or groups, and those malicious drivers were being trusted by Windows because they were carrying valid Microsoft signatures.

Whoops. Okay. In this month's advisory, Microsoft wrote, "We were notified of this activity by SentinelOne, Mandiant and Sophos" <laugh>, so everybody was watching, "on October 19th, 2022, and subsequently performed an investigation into this activity." And I should just mention that SentinelOne, Mandiant and Sophos, they've all got clients, and their technology is on those clients' networks offering protection over and above what Microsoft is providing. So the reason all three of those companies notified Microsoft on October 19th, 2022, is that's when all three of their technologies' alarms went off. When drivers were acting maliciously, they immediately thought, wait a minute, how is a driver getting into the kernel and acting this way? So they yanked those, looked at them, found that they were all validly signed by Microsoft, and immediately notified Microsoft that that was what was happening. So, you know, that's the good thing about the way this industry is evolving, with third parties who are offering real-time detection services for people's networks: they're able to close the loop and let Microsoft know when something bad has happened.

Microsoft said, "This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature." In other words, there were some bad partners there. They said, "A new attempt at submitting a malicious driver for signing on September 29th, 2022 led to the suspension of the sellers' accounts in early October." So, okay, so early October, yet the drivers appeared on the 19th of October, which suggests that drivers were signed. Microsoft caught this happening at the end of September, yet there were still drivers out there that Microsoft wasn't aware of because they hadn't invalidated them. So then they appeared in use toward the end of October, on the 19th, and that's when they got notified of something that basically they already knew about. Anyway, that was all good. And not to be left out, Apple also updated WebKit to fix a zero-day that was being used in targeted attacks against iOS users.

Uber has been having a rough time recently. Recall that about four months ago, the Lapsus$ gang breached Uber's security and caused them trouble. What's interesting about last week's second breach, which resulted in, unfortunately, the leaking of the personal details of 77, actually more than 77,000 Uber employees, and also some source code and credentials for some of the company's internal IT network. And I should mention that Uber confirmed the authenticity of that leaked data. What's interesting is that this wasn't directly Uber's fault. The breach occurred in the network of an Uber-contracted IT service provider whose name suggests, or suggested to me at least, that all the good names were already taken. This company chose to name itself Teqtivity. It's T-E-Q-T-I-V-I-T-Y. Anyway, the day after Uber outed Teqtivity as being the actual proximate cause of this latest leak,

Teqtivity themselves disclosed the breach last Thursday. Uber may have been Teqtivity's biggest customer. Actually, I did some looking around, and they've got a bunch of them. But I mention this because other notable companies may also have had their data stolen, since a breach of one large service provider can potentially expose the data belonging to all their clients. We saw this, of course, a couple years ago when all of those dental offices were in trouble because they were all outsourcing their dental records management to one single provider, the so-called MSP, right? Managed service provider. As an industry these days, we're really sort of facing a conundrum. Do you run your own in-house shop, where you are solely responsible for your company's security and IT and everything, or do you decide that running networks and servers and points of presence and dealing with a constant need to focus upon security is not your mainline business?

You know, it isn't what you should be spending your cycles on. And also that it's just become too complicated to do it right. You know, that's a valid consideration. So you farm it out to someone who promises you that it will be their mainline business, because that's all they're going to do. It is their business. And I think today that's a tough call. I think it can work out and be extremely cost-effective to do this subcontracting, so long as everything goes well. On the other hand, when something doesn't go well, if it's a big breach at a major service provider, potentially the damage can be huge, because so many individual clients of theirs can be affected by a single attack. So again, a tough call, but increasingly I can see that it makes sense.

And this sort of goes back to the comment I made, I think it was last week, where the guys at the DigiCert customer advisory board meeting looked at me like I was nuts for still doing it myself, saying, you know, Gibson, nobody does their own hardware anymore. Okay? <laugh> I don't know, Leo, if every podcast on TWiT mentions Twitter and Elon, probably, but he keeps doing things that are interesting, certainly for us. So from the outside, that's one way to put it <Laugh>. From the outside looking in, it's difficult to understand the mechanisms at play inside Elon Musk's Twitter reign. From the outside, anyone would get the sense of things lurching back and forth inside Twitter, presumably as Elon's, as he described it himself, his biological neural net fires off whimsical edicts, which Twitter's remaining employees apparently quickly implement without any buffering, in a desperate effort to hold onto their own paychecks in this chaotic and fragile work environment which has been created. You know, one moment we're done with layoffs, then we have more layoffs.

No, now we're really done with layoffs. Then entire departments disappear. Collections of press accounts are suspended for an interval of seven days, until the next day, when they're reinstated. A new policy states that anyone tweeting a link which points to another social network will have their account suspended, until a few hours later, when that policy ends. You know, it really has been quite something to watch. And as I'm assembling the notes and details of this podcast, when I follow links to online events that would once have linked to Twitter, I'm increasingly being taken to Mastodon. Well, last week something else happened. As a result of an apparent misfiring of Elon's biological neural net, he decided that he was going to block all of the bots. This, of course, was something that had endlessly bedeviled all of the pre-Elon Twitter engineers: how to block the bots.

Elon, it turns out, had the answer. So he declared publicly that he had a surprise for all of the bot farms. And last Monday, Twitter blocked entire IP address blocks which were used by, it turns out, approximately 30 mobile carriers across Asia <laugh>. According to Platformer, I know this included the primary telecom providers for all of India and all of Russia, as well as Indonesia's second largest telecom. Of course, there were vastly more legitimate users in every one of those address blocks than there were bots. So three countries' worth of legitimate Twitter users, who all shared the same IP address blocks as a few bots, were completely cut off from Twitter. And you have to, like, wonder, how could anyone not anticipate that happening? It's, I don't know, again, just incredible to me. What I can see is that Elon wants to own Twitter, but Twitter is not technology. It is enabled by technology. Twitter is a community. A community can be enabled and nurtured and encouraged. The one thing it cannot be is owned. Nobody owns Twitter's community. No one can, not even Elon.

You're always welcome over at twit.social <laugh>. You could have your own Mastodon account, I promise not to ban you. Well, we're gonna see, because, you know, he famously held a poll over the weekend. Oh, that's all silly, silly. I know. He said, if this poll says I should no longer be CEO, I will resign. Yeah, of course the poll said, please resign. We're waiting. We're, yeah, go. We're done, <laugh>. We're done. Well then he said, be careful what you wish for, which is probably true. 'Cause God knows who would take over. The problem is, I think he's destroyed it. I mean, you know, one of the things that I'm seeing, in fact we're gonna get to this in a minute, this is the coordinated inauthentic behavior, which is just this wonderful phrase. I love that phrase.

Yeah, it is difficult to do this, Leo. It is difficult to be in an ownership or, you know, catbird position with any large social media network. You are gonna be constantly fighting abuse. On the one hand, you wanna open your gate and allow everybody in the world to come in and participate. Unfortunately, we know that the world has a whole bunch of bad people in it and, you know, bots are a thing. And so it's just, this is really hard to do. And I would argue Twitter was doing the best job they could. And of course then they ran afoul of all of these issues of, well, you know, should we allow people to scream fire in a burning building or not, and ad infinitum. Anyway, Elon appears to have badly broken it, and it's not at all clear to me that him disappearing is going to suddenly, you know, fix it.

I don't know how you do that. Yeah, it's sad. Anyway, the good news is, speaking of Mastodon, Vivaldi recently became the first browser to have its own Mastodon instance, Vivaldi Social. Now, the new version on the desktop is also the first to integrate Mastodon natively into the browser itself, along with the ability to pin tab groups and other UI improvements. They said, we believe in providing alternatives to big tech while putting your privacy first, and launched Vivaldi Social, our Mastodon instance. And today we are integrating Vivaldi Social into the sidebar of our desktop browser, becoming the first browser to offer this functionality. So anyway, I just wanted to give a tip to Vivaldi and note that it's interesting that this has happened. Hey everybody, Leo Laporte here. I'm the founder and one of the hosts at the TWiT Podcast Network. I wanna talk to you a little bit about what we do here at TWiT, because I think it's unique, and I think for anybody who is bringing a product or a service to a tech audience, you need to know about what we do. Here at TWiT, we've built an amazing audience of engaged, intelligent, affluent listeners who listen to us and trust us when we recommend a product.

Our mission statement at TWiT is to build a highly engaged community of tech enthusiasts. Boy, already your ears should be perking up at that, because highly engaged is good for you. Tech enthusiasts, if that's who you're looking for, this is the place. We do it by offering 'em the knowledge they need to understand and use technology in today's world. And I hear from our audience all the time, part of that knowledge comes from our advertisers. We are very careful. We pick advertisers with great products, great services with integrity, and introduce them to our audience with authenticity and genuine enthusiasm. And that makes our host-read ads different from anything else you can buy. We are literally bringing you to the attention of our audience and giving you a big fat endorsement. We like to create partnerships with trusted brands, brands who are in it for the long run, long-term partners that want to grow with us.

And we have so many great success stories. Tim Broom, who founded ITProTV in 2013, started advertising with us on day one and has been with us ever since. He said, quote, we would not be where we are today without the TWiT network. I think the proof is in the pudding. Advertisers like ITProTV and Audible that have been with us for more than 10 years, they stick around because their ads work. And honestly, isn't that why you're buying advertising? You get a lot with TWiT. We have a very full-service attitude. We almost think of it as kind of artisanal advertising, boutique advertising. You'll get a full-service continuity team, people who are on the phone with you, who are in touch with you, who support you with everything from copywriting to graphic design. So you are not alone in this.

We embed our ads into the shows. They're not added later. They're part of the shows. In fact, often they're such a part of our shows that our other hosts will chime in on the ad saying, yeah, I love that. Or just the other day, <laugh>, one of our hosts said, man, I really gotta buy that <laugh>. That's an additional benefit to you, because you're hearing people our audience trusts saying, yeah, that sounds great. We deliver, always overdeliver, on impressions. So you know you're gonna get the impressions you expect. The ads are unique every time. We don't pre-record them and roll them in. We are genuinely doing those ads in the middle of the show. We'll give you great onboarding services, ad tech with Podsights that's free for direct clients. Gives you a lot of reporting, gives you a great idea of how well your ads are working.

You'll get courtesy commercials. You actually can take our ads and share them across social media and landing pages. That really extends the reach. There are other free goodies too, including mentions in our weekly newsletter that's sent to thousands of fans, engaged fans who really wanna see this stuff. We give you bonus ads and social media promotion too. So if you want to be a long-term partner, introduce your product to a savvy, engaged tech audience, visit. Check out those testimonials. Mark McCreary is the CEO of Authentic. You probably know him, one of the biggest original podcast advertising companies. We've been with him for 16 years. Mark said the feedback from many advertisers over 16 years, across a range of product categories, everything from razors to computers, is that if ads in podcasts are gonna work for a brand, they're gonna work on TWiT shows.

I'm very proud of what we do, because it's honest, it's got integrity, it's authentic, and it really is a great introduction of your brand to our audience. Our listeners are smart, they're engaged, they're tech savvy, they're dedicated to our network. And that's one of the reasons we only work with high-integrity partners that we've personally and thoroughly vetted. I have absolute approval on everybody. If you've got a great product, I want to hear from you. Elevate your brand by reaching out, break out of the advertising norm. Grow your brand with host-read ads on TWiT.tv. Visit twit.tv/advertise for more details, or you can email us if you're ready to launch your campaign now. I can't wait to see your product, so give us a ring. On the topic of governments recognizing the growing dangers of known vulnerabilities in the networks of the enterprises within their own borders.

Remember, we've talked about a couple governments. I don't think it was the Dutch government, and I meant to go find out which one we'd referred to before, but there was another note of some government that was going to, you know, like, announced they were gonna start scanning their own citizens. It might have been the UK. Anyway, in this case the Dutch government has been doing it. And they just said that since the beginning of this work, which was the summer of 2021, so about a year and a half ago, and about a year and a half's worth of this, they have sent more than 5,200 warnings to Dutch companies concerning security vulnerabilities within their networks. Officials said that around 76%, so three out of four, of these warnings were for sensitive systems being accessible via the internet: RDP, SMB, LDAP and so forth.

The other 24% of the warnings regarded malware infections, leaked credentials or unpatched systems. So presumably they're, you know, scanning the internet and seeing a version number in the greeting of something and saying, whoops, that's not the latest version. And they send the company a note saying, hey, you know, maybe you ought to update your email because you're running an old one which has some known vulnerabilities. So anyway, this is not the first time we've encountered this, and it seems to me like an entirely sane thing for governments to do in the interest of helping to protect their own national interests and those of all of their citizens and the enterprises operating within their borders. So I expect that we're gonna be seeing more announcements of this sort in coming years.

Okay, CIB, that's the abbreviation for coordinated inauthentic behavior, a term that I love. A recent report from Facebook's parent company, Meta, introduced me to this term, coordinated inauthentic behavior. And I love it 'cause it's such a wonderfully neutral and politically correct term to describe the behavior of organizations and countries that have figured out that they could use fraudulent postings and replies on Facebook to influence beliefs and behavior through massive coordinated campaigns. Facebook's report, which they published last Thursday, was titled Recapping Our 2022 Coordinated Inauthentic Behavior Enforcements. They noted that since they began focusing upon the explicit abuse of Facebook services for what they term covert influence operations, they've disrupted 200 identifiably separate global networks that were the source of these campaigns. Those networks were based in 68 countries, but far from evenly, as we'll see, and operated in at least 42 different languages.

Two thirds of the campaigns, I thought this was really interesting, two thirds of the campaigns were targeting their own local audiences in their home countries, and only one third were aimed at audiences outside the country, so, you know, abroad. In terms of targets, more than 100 different countries, from A through Z, Afghanistan through Zimbabwe, have been targeted by at least one CIB network, foreign or domestic, with the US being the most targeted with 34 of those operations, followed by Ukraine, and I'm sure that's only in the most recent year, targeted by 20 CIB networks, and then the UK, targeted by 16. So 34 for the US, 20 for Ukraine, 16 for the UK. And a single covert network might often be simultaneously targeting multiple countries at once. In one case, for example, a network running from Iran was simultaneously targeting 18 countries on four different continents.

Okay, as for the originators of the campaign networks, perhaps not surprisingly, Russia leads the list of the originating sources of these networks, having 34 networks identified, closely followed by Iran with 29. And then the next highest, with fewer than half of Iran's 29, interestingly, was Mexico, which surprised me, as the third largest source of these influence networks at 13. Interestingly, those are the top three, right? Russia, Iran, Mexico. China is not among them. Russia and Iran are the biggest perps in this game. And as I said, I was surprised about Mexico. So I went looking for some more information about them. As I suspected, most of the CIB networks originating in Mexico have focused primarily on regional or local audiences in Mexico, often in the context of regional elections. Those networks tended to be less tactically sophisticated, and many were linked to PR or marketing firms, including instances where, I love this, one network simultaneously supported rivals in the same electoral post.

The report noted that this illustrates the danger of using covert influence operations for hire that might be providing inauthentic support to not just the highest bidder, but to multiple bidders at once. So again, we have this wonderful term, coordinated inauthentic behavior, and now we have some sense, thanks to Facebook's work on this, about, you know, the spread and nature of these networks. Okay, SHA-1. We might say that we hardly knew ye, but as it turns out we knew ye quite well. NIST has formally announced what many of us have been assuming for some time: the aging original SHA-1 cryptographic hashing function is officially being retired. In its place is either SHA-2 or SHA-3, both of which have existed for quite a while and have been in use for a long time.

But I did a bit of a double take when I saw that companies now have, as of NIST's announcement, until the end of 2030 <laugh>, in other words, until the beginning of 2031, so another entire eight years from now, to make that replacement. The end of NIST's announcement said, quote: Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there's often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance so that CMVP has time to respond. Okay? Now, a cryptographer might have been a bit more explicit and careful in the wording of that mandate. I'd have written "modules that are still capable of using SHA-1 after 2030."

The reason for the added clarity is that, as we've often talked about, many cryptographic systems obtain robust interoperability by comparing acceptable protocol suites that both ends understand and then negotiating the best, and hopefully the most secure, among those. But through the years of this podcast, we've examined a great many downgrade attacks where a malicious endpoint identifies that the other end is still offering a no-longer-considered-safe, weak cryptographic protocol. So the sneaky end pretends that it cannot use any of the stronger systems, thus tricking the agreeable other endpoint into establishing a potentially vulnerable connection. So what we want is for all systems to immediately eliminate SHA-1 from their collection of acceptable hashing functions. Absolutely, it should no longer be offered. And, you know, it is a fine point, but for the record, there are still some things you could use SHA-1 for safely if you chose. It would make a fine hash for use in a PBKDF, password-based key derivation function, where a hash is iterated a great many times. But, you know, given that its presence might allow its misuse, removing it altogether would be best.

Okay, and one last little tidbit for any of our listeners who are using WordPress. Last Wednesday Wordfence, the very useful third-party WordPress web application firewall, the people who have been identifying troubled WordPress add-ons, launched a free and very useful-looking vulnerability database for WordPress add-ons. I poked around it a bit and I'm impressed. So I wanted to give our WordPress users a heads up about it. It is at threat-intel. Again, T-H-R-E-A-T hyphen I-N-T-E-L. Looks like a very comprehensive listing of dangerous add-ons for WordPress. I would say worth taking a look at, making sure that you're not using any of those and might be unaware of the problems. And Leo, time for me to catch up on my caffeine <laugh>. At the moment. Ketchup on your caffeine.

That doesn't sound very tasty. Ketchup on my ad. Oh yeah, this is actually very tasty. Oh, okay. I'm loving it. Oh, well. I just wanna take a little moment to thank our Club TWiT fans and members, because you've really made this a banner year for us. A lot of what we do here at TWiT is paid for by Club TWiT members, now more than 5,000 strong. Our Mastodon instance that I've been telling Steve about, begging Steve to join, twit.social; our longtime forum, Steve has great forums, we do; of course the IRC, which is always accompanying every show we do; and frankly it keeps the lights on and helps us keep staff employed through the new year. So thank you, Club TWiT members. For people who are not yet a member of Club TWiT, please consider joining. It'd be a great holiday gift for the geek in your life.

It's a mere $7 a month, a buck less than a blue check. You get so much more too. Ad-free versions of this show and all the shows we do, access to other shows that are club-only shows that haven't yet generated enough revenue to put out in public. We launch shows in the club because it's a great way to get shows started, like Hands-On Macintosh with Micah Sargent, Paul Thurrott's Hands-On Windows show, the Untitled Linux Show with Jonathan Bennett, the Giz Fizz, of course all of our events that we hold in there. Eventually we always hope to get shows out into the public. That's what happened with This Week in Space. Launched in the club, grew an audience, we put it out in public. In fact, good news, I think we're gonna start adding video to it very soon.

The Club really is a proving ground for new shows. A great place to hang out in our Club TWiT Discord. A great place to hear material that you don't hear anywhere else. And it's just seven bucks a month. There's a year-long package if you want to give a nice gift to somebody, you know, there's also corporate memberships. If you want to know more about Club TWiT. And again, thank you, all of our Club TWiT members, we really appreciate you. We hope you have a wonderful, well, all of you have a wonderful new year. We will not be here next week. We are gonna be doing reruns, well, we'd like to call them the best-of shows. We carefully edit them, craft them to be the best material from the year 2022. That'll be a week from today, December 27th, and then Steve and I'll be back with a live show in two weeks, January 3rd.

This is our last show of 2022. January 3rd, the first show of the brand new year. Steve, let's continue on. Soldier on as you, as you. And you know, you're right, Leo. Ketchup on my caffeine. You got it now, <laugh>. I did, took me a little while, <laugh>. I got it. It wasn't a very good joke. I also don't put ketchup on my eggs, for what it's worth. Oh, it's just not worth. How about hot sauce? Oh yeah. A little sriracha maybe, or some Tapatío. Yeah, now you're talking. See? There you go. See. Okay, so a bit of closing-the-loop feedback from our listeners. Michael Lolly, he said, please, @SGgrc, it's pronounced Medibank. And okay, I'm glad to know that. You didn't know, saying, how would you know? Medibank, MetaBank, Medibank and Medibank. And you know, that does sound more Australian, doesn't it?

Medibank, yeah. Yeah. In that kind of an accent. So thank you, Michael. Glad to know. Skynet tweeted me a question about ADP, referring to Apple's new encryption. That was the topic of last week's podcast. He asks, once it's turned on and the keys are sent down to your device, is it stored in hardware or software? Because what happens when you get a new iPhone in the future? How do you get the keys over to your new iPhone? You can't set up the new phone and restore an iCloud backup once you log on. So it would have to be by the method where you move your old phone close to your new phone. Correct. Okay. So, I received a number of questions that are sort of related to this. The primary concept that I guess I want to get across is similar to the familiar pattern that LastPass, and presumably all other password managers, use, at least I hope they would.

In all of those cases, they are simply storing an encrypted blob on our behalf. They have no visibility into the blob. But by making that blob available across devices, devices are able to share a common set of passwords, or, as in the case of Apple, a common set of decryption keys. So the process of Apple relinquishing the keys to iCloud is that Apple sends the current keychain blob, which it has never been able to decrypt, and the current iCloud keys, which until now it has held in its data centers' HSMs, to the user's device. The device uses its local private account key, which never leaves the device, to decrypt the keychain blob on the device, and then adds the current iCloud key into the keychain. In this way, the keys that Apple was holding are moved from where Apple could get at them into the user's account keychain, where Apple can never get at them.

The device then instructs Apple to delete the iCloud keys that it just sent from all of its data centers' HSMs. Now only the device has the old iCloud keys in its keychain. Then, wanting to be thorough, the device performs a key rotation, changing the key that encrypts the iCloud data to one that Apple has never had in its possession. But again, since we're all quite familiar with the notion of Trust No One and Pre-Internet Encryption, which is the technology that all password managers holding encrypted blobs that they're unable to decrypt use, you know, I think that's the clearest way to think about this. And the best analogy, basically, Apple is holding the stuff for us, provides the synchronization service among devices, but is only able to hand the devices these blobs, which are then decrypted locally on the device in order to give devices the keys, which they're then able to use to go further.

You know, one of the things that I've been saying for years is that we've got all these very cool crypto components which we can assemble in any manner of different ways. Walt Stoneberg said, Steve, you have warned several times that pixelation is not a safe redaction technique. Someone just wrote a beautiful GitHub project that visually brings home the point, as you see unredaction being performed. And it's funny, I don't know why this started circulating again. I got a whole bunch of tweets about it and I thought, oh, cool, something new. But it was 10 months ago when we first talked about this and showed this. So not something, turns out, that was new. Michael Brok, he said, hi, Steve, love your show. Read this article and thought it might be interesting for you.

Okay, so what Michael sent, and I appreciated it, was the Verge's follow-up on their story about those Eufy cameras that we talked about a few weeks ago. And remember, those are the cameras that promised that all of their storage was local and that nothing ever left the user's home, and that it was all transmitted directly to their phone. And then of course, in some reporting following up on some news that that was not the case, the Verge was able to monitor their own Eufy cameras from the other side of the country. So, and you know, Leo, you and I talked about it at the time, this was the company that was owned by Anker, and it was our conjecture that, you know, the way this could happen, because we like Anker, we thought they were a reputable company, was that after having launched their successful power supply product line, they perhaps purchased the Eufy camera line in order to grow their business.

Anyway, we don't know, but, you know, I guess I'd want to forgive them a little bit for, you know, making such a mess. Anyway, the Verge checked back, and what did they find? Their follow-up story is headlined Anker's Eufy Deleted These 10 Privacy Promises Instead of Answering Our Questions. And the subhead reads, two weeks after getting caught lying to the Verge, Anker still hasn't sent us any answers about its security cameras. Instead, it's nerfed the Eufy privacy commitment. So one of the things on the Verge's page is, they have this wonderful mouse-based sliding divider where you can slide the divider with your mouse back and forth, and it reveals, it's like a shutter revealing either the old or the new privacy claims <laugh>. And if you pull it to the, I think you pull it to the right, you see the original claims where, you know, nothing leaves your facility, you know, it's all kept locally, blah, blah, blah.

You pull it to the other side and you get the updated claims, which are dramatically toned down. So anyway, the Verge makes a very good point, and it's sad, but on the other hand, all of these systems are out there. They can't change the way they operate, and I'm sure they never operated the way they said they did. Someone just got a little, maybe, over-enthusiastic or carried away when they were writing the marketing material for this. Anyway. Or, you know, maybe they did add features later, where, like, they began to offer cloud things and never updated the page in order to make it correct. So, you know, they've done that now. Elaine, he tweeted, at Elaine underscore Geiger, he said, thanks for another excellent episode. I do have one question about TikTok. Do you see a difference between the bans on ZTE and Huawei versus TikTok?

He said the FCC has labeled all three as unacceptable risk. He said, also, I just saw that there is a bipartisan bill that would, quote, end all commercial operations of TikTok in the US and other social media platforms that are sufficiently controlled or influenced by America's foreign adversaries, including China, Russia, and Iran. He said, it'll be interesting to see where this goes. So, okay, I wanted to include Elaine's tweet to give me the opportunity to note that last Wednesday, the entire US Senate voted unanimously, passing a bill which would bar the installation of TikTok on any government-owned devices. So yes, whereas initially a handful of Republican governors and an attorney general may have been first during the previous week or two, now we have unanimous and obviously completely bipartisan agreement on this, which is astonishing to me. Wow. But it happened. But to Elaine's question, I do regard these selective bans, such as on ZTE and Huawei, and even on TikTok, as mostly ridiculous theater, because we are so intimately, deeply and inexorably enmeshed with Chinese technology products.

You know, I look around and everything in my home, all of the electronics that I own and the electronics in what I drive, was fabricated in China, every bit of it. And I'm sure that's the case for all the people listening to this podcast. And speaking of listening to this podcast, this podcast is literally brought to your ears thanks to networking chips and processors and transistors all made in China by Chinese citizens, you know, and much of it was designed there. So to me, none of this posturing and saber rattling makes any sense. It, you know, it must be that some sort of geopolitical kabuki is transpiring at a level that's far above my pay grade. I'm just a simple technologist who does understand networking and processors and transistors. So I know that if China did actually want to be evil, the West would be in deep trouble, because in the interest of economy, we've allowed ourselves to become utterly dependent upon products which we need from China.

You know, I don't want that to be a bad thing. I hope it's never gonna be a bad thing, but if it is gonna be a bad thing, then the problem is way bigger than a couple of wayward Chinese companies. So, you know, maybe I don't get it, but, you know, it is sort of similar to me being amazed that Russia was still using Windows, like, for the last many years, and still is. You know, they've finally said that they're thinking about moving to something Linux-based, presumably. And there have been some rumblings of the same thing from China. Just to me it seems crazy that that would be the case. But, you know, here we are, utterly dependent upon another country and now saying we don't trust them. Well, we're unable not to trust them, frankly. So that's what I think.

<Laugh> And finally, David Ruggles, he said, reaching out regarding the zero-width space mentioned in Security Now last week. He said, I use it to fix stupid programs. For example, if you want to reference an account on Twitter without tagging them, enter the at sign, then a zero-width space, and then the account name, and it won't get tagged. And then he gave some examples of things that were and weren't tagged in his tweet to me. And so he said at sign the real ruggles versus at sign the real ruggles, they looked identical. Only one was lit up. He said, similarly in Excel, it defaults to adding a hyperlink when you enter anything that looks like a URL or email address. You can use the zero-width space to prevent that behavior without changing the look of the text.

So that was cool. I think that's very clever. The problem is, you know, I mean, well, and I should say I can see many applications for that as well, but it leaves the question, how do you enter a zero-width space through the keyboard? I asked the Google, and I was told the zero-width space is a Unicode character, U+200B, which is also HTML &#8203;, right? And Google said it's remarkably hard to type on Windows. You can type Alt and then 8203. Well, I tried that and I got, what is that, the symbol for maleness? I think. Anyway, <laugh>, that didn't work. Alt 8203. So if anyone can figure out how to type these, how to enter the zero-width character through our keyboard, I think that seems like a useful thing to be able to do.

Yep. People were also using it to post their Mastodon link on Twitter because, ah, it didn't look the same. I mean, it looked the same without triggering, yeah, the thou-shalt-not-post filters. Yeah, <laugh>. Cool. Okay. Briefly, I'll note that SpinRite is looking quite good. By the end of this past weekend, we were at the eighth alpha release. Every known weird data recovery behavior that we were seeing appears to have been resolved, and SpinRite is now cruising through even the most damaged and troubled drives. While my focus was on getting SpinRite to properly perform those primary functions, I had also been accumulating a list of less critical but still necessary to-do items, and our testers, who have been getting a little restless, have been suggesting new features that they'd like to have.

And, you know, nothing big, but, you know, there are some convenient things that make sense. So, you know, by the end of today, Sunday, two days ago, I told the group that I would be retrenching now and disappearing for a while while I worked my way through everything that was on the wishlist and the things to be fixed. After today's podcast, that's what I'll be doing. When I return with alpha release nine, it should be very close to finished. I'm sure there'll be a few loose odds and ends. That's the nature of such a complex project. But, you know, I have to say, with some pride and relief, that everybody who's been testing 6.1 has been very impressed by this new SpinRite's speed and capabilities. So we're getting there.

It's not gonna be a Christmas present. It's not gonna be a New Year's present, but it's gonna be early in 2023 that we finally have this 6.1 for everybody. Okay? A generic WAF, that's W-A-F, bypass. As an industry, we've matured to the point where vulnerabilities are being discovered only in specific implementations of some specific solution, and typically only in specific versions of those implementations. In other words, whereas once upon a time the entire industry would realize that an established standard could be abused in an unexpected way, and everyone's implementation would need to be changed, that's where we were. A perfect example was everyone's DNS servers, which were emitting queries from ports sequentially assigned by their underlying operating system, and often emitting those queries with sequential identifiers. When that came to light, those who were focused on DNS realized this would allow for successful DNS spoofing at scale, and the entire industry repaired DNS overnight.

These events stand out because, thankfully, they've become so rare these days. As we know, problems have generally become much more obscure and specific. For example, it might be that if you're still using the out-of-support version 2.029.472 of Jimmy Crack's Query Reflector <laugh>, you need to update it to at least version 2.426.327 in order to avoid problems with query reflection backflush, and you should do so immediately. You know, those are the kinds of things we're often seeing now <laugh>. You know that it's not real, folks. Don't go looking for Jimmy's back crack. Don't worry, unless you actually do have Jimmy Crack's Query Reflector, in which case you've got other problems. Today's rarity of big generic protection bypasses has made their existence extremely interesting, and a group known as Team82 recently discovered just such an industry-wide mistake.

They discovered an attack technique that acts as the first generic bypass of, excuse me, multiple web application firewalls being sold by industry-leading vendors, including at least Palo Alto Networks, F5, Amazon Web Services, Cloudflare and Imperva. Okay, so before we proceed, we need to briefly revisit another one of those holy crap events which hit the entire industry many years ago, and which, due to its difficulty, the industry continues to grapple with, and that's SQL, or "sequel", injection. Stated succinctly, SQL injection can occur when there is some way for user-provided input to be passed to a SQL database for its interpretation. A SQL database is driven by strings of characters which express commands and queries. Simply by typing commands, new database tables can be created. They can be populated with data, queried for their data, and deleted when they're no longer needed. New users can be instantiated, passwords can be changed, privileges can be granted, all through simple text commands. And further increasing the system's power, the simplicity of this interface allows SQL databases to be queried over networks.

The simplicity and the power of this interface explains SQL's success. But the simplicity and power of this interface has also been at the heart of one of SQL's longest running vulnerabilities. Wikipedia tells us that the first known public discussion of SQL injection appeared around 1998 and cites an article in Phrack (P-H-R-A-C-K) magazine, you know, long since discontinued. SQL injection has been the bugaboo of web applications from the start. The first web apps gleefully presented a form asking their user to please enter their full name to look up their record in the site's database. The designer of this form assumed that that's what anyone would do. So whatever string they provided as their name would be added into a SQL query string to access the site's database. And all was well until it occurred to some clever individual that the website had inadvertently given them direct access to that site's SQL database backend.

Rather than simply inputting their name, they could, for example, input a string which closed the open query and started another, entirely separate SQL command of their choosing. This allowed a remote visitor to directly issue SQL commands to the site's database. If the web designer had assumed that no one else could ever access the database, which of course is what they assumed, the SQL account behind the website's form might even have admin rights. This would allow remote visitors to do anything they might wish. This has been such a common and persistent problem because the fundamental architecture of this system is fragile. It is not inherently secure and resilient. It is inherently insecure. We need to take user-supplied input, like some personal details, and embed them into a database query so that we can look up their record. You know, we have to do that, right?

The trouble with SQL is its power. That same query channel is also SQL's command and control channel. This has been such a longstanding and well understood problem that it found its way into one of XKCD's brilliant comics, and we've talked about it in the past. The first frame shows somebody holding a cup of coffee, or I guess listening over the phone. This is Mom, who's received a phone call, and over the phone she hears, hi, this is your son's school. We're having some computer trouble. Mom replies, oh dear, did he break something? And we hear the voice of, you know, the distraught principal saying, in a way. Did you really name your son Robert close-paren semicolon drop table students semicolon? And Mom says, oh yes, little Bobby Tables, we call him. And then the principal says, well, we've lost this year's student records.

I hope you're happy. To which Mom replies, and I hope you've learned to sanitize your database inputs. Such a classic, such a great comic. Perfect. Yeah. And so what XKCD is telling us is exactly this. So here's, I mean, stepping back from this a bit, the biggest problem is that through all these years since it was first understood, near the birth of the web, no one has fixed this. Instead, we just keep patching it. We focus upon each mistake in isolation rather than recognizing that the entire architecture is wrong for this application. SQL was not created for the web. No one would've done that. It was first designed in the early 1970s. Leo, we were just talking about when we graduated from high school. <Laugh>. Yeah, back then is when, yeah. Yeah. That's when this, you know, at IBM, IBM came up with this before there was an internet or websites or web apps.

Unfortunately, the web found it, and it's been a troubled marriage ever since. The problem is every newly created web app creates another new opportunity to make a mistake in the parsing of user-supplied input that would give a remote attacker access to the site's backend database. That's why I say that the systems we've built around this architecture are inherently brittle and fragile. That's why still today, SQL injection attack scans are constantly sweeping the internet, looking for that newly created, newly vulnerable web app. And SQL injection remains at the top of the OWASP Top 10 list of web application vulnerabilities. So what do we do if there's no sign that we're gonna fix the underlying problem? Well, the universal solution to protecting our networks from external hostility is to place a firewall in front of those networks and force all external traffic to be inspected and to pass through that gauntlet before it's permitted to reach our interior, presumably vulnerable, networks.

And thus was born the idea of the web application firewall, or WAF for short. The fundamental concept of a web application firewall is detailed traffic inspection. Whereas packet-level firewalls generally look no deeper than packet headers, which specify the source and destination IPs and ports, for the purpose of monitoring packet flows, a web application firewall examines in detail the content of all web application traffic transiting its boundary in order to detect and block malicious attacks. So in XKCD's example above, a WAF would spot and block a form's input field data that contains suspicious characters for a user's name, such as close parentheses and semicolons, so that they would go no further. With a web application firewall positioned upstream of an organization's web application servers, that malicious data and intent would never reach any web applications that might not be adequately providing for their own protection.

Again, you wouldn't need this if mistakes still weren't being made freshly, but they are, because this is all being done wrong. But it's, you know, it's what we got. So, okay, with this background, here's what Team82 had to say about their recent discovery. They wrote: Web application firewalls (WAFs) are designed to safeguard web-based applications and APIs from malicious external HTTPS traffic, most notably cross-site scripting and SQL injection attacks that just don't seem to drop off the security radar. Gee, imagine that. I wonder why. They said: While recognized and relatively simple to remedy, SQL injection in particular is a constant among the output of automated code scans and a regular feature on industry lists of top vulnerabilities, including the OWASP Top 10. The introduction of WAFs in the early 2000s, okay, note that time.

Note that date, early 2000s, was largely a counter to these coding errors. WAFs are now a key line of defense in securing organizational information stored in a database that can be reached through a web application. WAFs are also increasingly used to protect cloud-based management platforms that oversee connected embedded devices such as routers and access points. An attacker able to bypass the traffic scanning and blocking capabilities of WAFs often has a direct line to sensitive business and consumer customer information. Such bypasses, thankfully, have been infrequent and one-offs targeting a particular vendor's implementation. Today, Team82 introduces an attack technique that acts as the first generic bypass of multiple web application firewalls sold by industry-leading vendors. Our bypass works on web application firewalls sold by five leading vendors: Palo Alto Networks, F5, Amazon Web Services, Cloudflare and Imperva. All of the affected vendors acknowledged Team82's disclosure and implemented fixes to their products' SQL inspection processes.

Our technique relies first on understanding how WAFs identify and flag SQL syntax as malicious, and then finding SQL syntax the WAF is blind to. This turned out to be JSON, JavaScript Object Notation. JSON, they write, is a standard file and data exchange format, and is commonly used when data is sent from a server to a web app. JSON support was introduced in SQL databases going back almost 10 years. Modern database engines today support JSON syntax by default, including basic searches and modifications, as well as a range of JSON functions and structures. While JSON support is the norm among database engines, the same cannot be said for WAFs. Vendors have been slow to add JSON support, which allowed us to craft new SQL injection payloads that include JSON and that completely bypassed the security WAFs provide. Attackers using this novel technique could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud.

This is especially important for OT and IoT platforms that have moved to cloud-based management and monitoring systems. WAFs offer a promise of additional security from the cloud. An attacker able to bypass these protections has expansive access to systems. Okay, so what happened? History has shown that no one is able to always get SQL injection protection correct, because it's so much easier for it not to be correct. So the notion of a web application firewall is created to move the burden from individual input form fields and web apps to the perimeter, where a single comprehensive web application firewall will be able to protect all of an organization's applications at once. That happened about 20 years ago, in the early 2000s. Now remember, though, only for those organizations that deploy them. A web application firewall is like your big iron box. It's expensive, it needs to be constantly maintained, needs to be licensed.

Smaller organizations aren't gonna have them, but the big guys do, and have for the last 20 years. The problem, of course, is that now it's become less imperative for those individual web applications, which are now safely ensconced behind their protective application barrier, to be quite so worried about their own input form field content. After all, there's a big mean web application firewall at the front gate that's gonna keep little Bobby Drop Tables safely out of reach. So all is well. But then a decade passes and a particular syntax for describing the features and details of objects becomes popular. It outgrows its own modest origins and is adopted by other languages and applications because it does the one thing it was designed to do cleanly, minimally, and efficiently. And so the JavaScript Object Notation, JSON, grows increasingly prevalent. Perhaps it was inevitable that SQL databases would eventually choose to add their own support for JSON, and they did.

Here's what Team82 had to say about that. They said: In modern times, JSON has become one of the predominant forms of data storage and transfer. In order to support JSON syntax and allow developers to interact with data in similar ways to how they interact with it in other applications, JSON support was needed in SQL. Currently, all major relational database engines support native JSON syntax by default. This includes Microsoft SQL, PostgreSQL, SQLite, and MySQL. Furthermore, in the latest versions, all database engines enable JSON syntax by default, meaning it is prevalent in most database setups today. Developers have chosen to use JSON's features within SQL databases since it became available for a number of reasons, starting with better performance and efficiency. Since many backends already work with JSON data, performing all data manipulation and transition on the SQL engine itself reduces the number of database calls needed.

Furthermore, if the database can work with the JSON data format, which the backend API most likely uses as well, less pre- and post-processing of data is required, allowing the application to use it immediately without the need to convert it first. By using JSON and SQL, an application can fetch data, combine multiple sources from within the database, perform data modification, and transform it to JSON format, all within the SQL API. Then the application can receive the JSON-formatted data and work with it immediately without processing the data again. While each database chose a different implementation and JSON parser, each supports a different range of JSON functions and operators. Also, they all support the JSON data type and basic JSON searches and modifications. And here's the key underlying what Team82 discovered. Even though, they wrote, all database engines added support for JSON, not all security tools added support for this comparatively new, though decade-old, feature, which was added as early as 2012.

This lack of support in the security tools, meaning the WAFs, introduced a mismatch in parsing primitives between the security tool, the WAF, and the actual database engine, which is implementing SQL, and caused SQL syntax misidentification. They said: From our understanding of how a WAF could flag requests as malicious, we concluded that we needed to find SQL syntax the WAF would not understand. If we could supply a SQL payload that the WAF would not recognize as SQL, but the database engine would parse, we could actually achieve the bypass. As it turns out, JSON was exactly this mismatch between the WAF's parser and the database engine. When we passed valid SQL statements that used the less prevalent JSON syntax, the WAFs did not flag requests as malicious. The JSON operator @> (at sign, greater than), which checks whether the right JSON is contained in the left one, threw the WAFs into loops and allowed us to supply malicious SQL payloads and bypass the WAFs. By simply prepending simple JSON syntax to the start of the request, we were able to exfiltrate sensitive information over the cloud.

So this forms a very interesting story. We start with a fundamentally insecure design, when a powerful database system from the seventies, which was never designed to allow malicious users to access its command input stream, is used as the backend database for a website, thus inadvertently giving malicious users access to its command input stream. Rather than recognizing that using SQL in this way is fundamentally a horrific mistake, every individual website must patch their input field parsers in an attempt to prevent SQL command and query syntax from being submitted by the visitors to every site. SQL injection becomes a meme, and XKCD captures its essence. In an extension of the firewall concept, web application firewalls are created to centralize and concentrate the SQL syntax filtering challenge, and all seems fine for a time. Then SQL syntax undergoes a fundamental extension as all SQL servers implement support for the increasingly popular JavaScript Object Notation.

But despite this extension, some of the industry's application firewalls failed to update their protection logic to incorporate an awareness that JSON can now be used to encapsulate and issue SQL queries. Fortunately, a team of white hat security researchers stumble upon this tidbit while they're working to discover just such a bypass, and they quietly inform the many vendors of those vulnerable web application firewalls of their discovery, and all is well again. Or is it? Because SQL is still powering virtually all web applications, and the fundamental problem of a now even more powerful SQL syntax still remains. If JSON could be used to slip past web application firewalls to reach the SQL database behind them, how many individual websites that are not being protected by a big iron web application firewall might now be vulnerable today to exactly the same JSON bypass? Happy New Year. <Laugh>.

A lot of the apps that I've used either use MySQL, which isn't the... it's SQL, that's its syntax. So it counts? That's... no, it's exactly the same. It supports JSON. Yeah. As long as it supports JSON. How about SQLite? Same thing. Yep. Okay. SQLite, MySQL, PostgreSQL, as long as it supports the SQL language, which, that's the IBM, IBM is the SQL server, that's the original, but these all support that language. So they're all... and even MariaDB is... Maria also supports, yeah. Yeah, because everybody knows SQL and knows that language, right? So why would you invent a new one? Yeah, exactly. Why would you invent a new one? Yeah. It's horrible to use it as a backend for the web, but it's the one we've got. Well, I mean, you could use it as a backend, you just don't want to expose it.

Right. The problem is you are inherently... if you say, you know, look up the username that the user inputs, you're inherently taking the string they gave, that's gonna be a SQL string, yeah, and inserting it into a query. Yeah. Yeah. I mean, so the problem is that that query is not just a query, it's also command and control, right. Account creation, table deletion. I mean, it was never meant to be exposed to arbitrary input, but, oh, look, we got SQL. Let's use it as our backend <laugh>. And sanitizing your inputs merely, I mean, it requires you to be clever enough to catch all the... be perfect every single time. Yeah. That's why I say this is inherently broken, right. Inherently bad. Right? Right. What would be the alternative? A new language?

Well, any database query language is gonna be prone to this problem, right? Well, no, because a database query language should not let you delete the database that you're querying <laugh>. That's not a query language, that's a command and control language. So separating the queries from the control and command would be the solution. Yes. And it is reminiscent of the printf that we talked about, Apple getting tripped over, right, right, where the problem was printf inherently mixes control with text, right. And right, that's a bad idea. You should see what the format string in Lisp can do. <Laugh>, I mean, it's printf on steroids. It predates printf because it's Lisp. Right. And it is crazy the things you can do with that. It's a programming language in and of itself. And that's probably not a good thing. <Laugh>,

I would never... I could never imagine opening your website to a random format string. So I guess I can see the inherent problem here. Yeah. Yeah. I don't know how we fix it. You could preserve... you could re-engineer it so that the query was fundamentally limited through that channel, so that you could say, I won't accept commands of any kind, only search queries. Right. And I guess that's what sanitizing your inputs means. But it's hard to do that perfectly, especially since they're probably using regular expressions to parse it or something. I don't know. I wonder what the current best practice is. Well, and that's just it. The problem is, you know, how many times, Leo, have we encountered, for example, a TCP/IP stack where security researchers figured out, oh, you know, we can't do things this way.

Right. We have to do them that way. Right. You know, a classic example is packet fragmentation. It turns out it's bizarrely difficult to deal with fragmented packets, yet new people come along and reimplement the TCP/IP stack and make the same errors that we fixed 30 years ago all over again. Yeah. Because there are some things that are just hard to get right. And the problem is, you know, it's like SQL is what everyone uses as their backend, and it's a bad idea. Well, you need a database of some kind. I think the bad idea is to allow commands to... you would think the permission structure would say, look, unless you're logged in as a permissioned user, you shouldn't be able to execute commands, and then just keep the privilege level of the web server and the web queries low.

It seems like that would be solvable. Well, unfortunately, the programmers who put this together never think that they... well, and they also want the power. They're like, well, you know, they wanna be able to do it like this. Code, yeah, it's great. Yeah, yeah. Yeah. I don't think it's insoluble. And you do need a database on the backend. I mean, that's the modern web. You don't want flat files. I bet you're all flat files, though. You don't have a database in your backend, do you? Actually, one of the things that has been really heartening is that when you go to GRC and you put your SpinRite serial number in, in order to get a link for the pre-release, it's shocking how fast it is <laugh>. Yeah. 'Cause you're... did you write the program yourself?

Of course you did. In assembler. Of course. It's a super lean embedded database that's being accessed in assembler. Of course. Yeah. It's a simple indexed database, and it is amazing. And it took me a while to realize, you know, everything else I use, I click the button and it's like, okay, wait a minute. You know, it's still spinning. Oh, and then it comes up. But not GRC. It's just pow. Nice. Very interesting. Of course, this is why you have to listen to the show. Right. The best, most interesting stuff. It's been a great year, Steve. I think you'll enjoy the Best Of. We've found some really fun bits, oh, neat, to put together. That's next Tuesday. Then the following Tuesday, January 3rd, we're back again with episode... what'd that be?

903. Yeah. 903, baby. Wow. We're getting close to the end. <Laugh>. Don't say that. Don't say that. It's like walking off... we got a whole two years. We got a long walk off a short pier ahead. This is my... that's right, FA used to say. Steve... that's the Gibson Research Corporation. Go there to get SpinRite, the world's best mass storage maintenance and recovery utility. Currently 6.0; 6.1 is so close that if you buy 6.0 now, it will only be a matter of time before you get 6.1 for free. And you can participate in the development of 6.1, although it's pretty much in the bag. I think it's pretty much done. It's working. Yeah. You can also get the podcast there. Steve has two unique formats. Of course, we both have 64 kilobit audio. I have video at twit.tv/sn, and he has a very small audio version.

The 16 kilo... or is it a 16 kilobit or eight kilobit? It's tiny. 16. 16 kilobit. We didn't want to go any lower than that. It would sound like Thomas Edison. 16 kilo... it is still pretty scratchy. 16 kilobit audio for the bandwidth impaired. Also transcripts, which are actually incredibly useful, both for search and reading along as you listen. It's also the most compact format of the show. Show notes are also there. GRC.com. You can leave him feedback at... His Twitter is open, @SGgrc, so you can leave a DM there. Forum... get him on Mastodon eventually. Don't worry. You can also go to our site, twit.tv/sn, or the YouTube channel dedicated to Security Now. That's a great way to share little clips of the video of the show with people. Hey, you gotta watch this, boss.

We gotta take that website offline, that kind of thing. And subscribing, probably the easiest thing to do, in your favorite podcast player. That way you'll get it automatically. You can build your collection, collect all 902 Security Nows. Steve, have a wonderful holiday. You going anywhere? You're gonna stay home. You're gonna code, I bet. Nope. We're gonna stay put. We're gonna stay germ free and I'm gonna write a bunch of code, a lot of code for Christmas. I'll be coding for Christmas. Have a happy New Year. Enjoy some fine burgundy and we will see you next time on Security Now. See you next year, my friend. Bye bye. The world is changing rapidly, so rapidly in fact that it's hard to keep up. That's why Mikah Sargent and I, Jason Howell, talk with the people making and breaking the tech news on Tech News Weekly every Thursday. They know these stories better than anyone, so why not get them to talk about it in their own words? Subscribe to Tech News Weekly and you won't miss a beat, every Thursday at twit.tv.

... (01:56:58):
Security Nooooow.
