Security Now Episode 907 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte / Steve Gibson (00:00:00):
It's time for Security Now. Steve Gibson is back, baby. We're gonna talk about the new Apple iOS 16.3 and why hardware keys may be not exactly what they mean. To what evil purposes has ChatGPT been employed recently? You might be surprised at its capabilities, and why Meta was fined by the EU for the third time this year. Plus then we'll talk about credential stuffing, or credential reuse as Steve prefers. That's all coming up next on a thrilling, gripping edition of Security Now. Podcasts you love

... (00:00:42):
From people you trust. This is TWiT.

Leo Laporte / Steve Gibson (00:00:51):
This is Security Now with Steve Gibson. Episode 907, recorded Tuesday, January 24th, 2023. Credential reuse.

Security Now is brought to you by ACI Learning. Tech is the one industry where opportunities outpace growth, especially in cybersecurity. One third of information security jobs require a cybersecurity certification to maintain your competitive edge across audit, IT and cybersecurity readiness. Go to go do and by ExpressVPN, if you don't like big tech tracking you, selling your personal data for profit, it's time to fight back. Get three extra months free with a one year package by going to And by Drata. Too often security professionals are undergoing the tedious, arduous task of manually collecting evidence. With Drata, say goodbye to the days of manual evidence collection and hello to automation, all done at Drata speed. Visit to get a demo and 10% off implementation.

It's time for Security Now. Yay. The show that performs jiu-jitsu on the hacker community with this guy right here, <laugh>, our sensei, Mr. Steven Gibson. Hello, Steve. The podcast that shows you the problems you didn't even know you had, you didn't even know you were blissfully coasting along. It answers the questions for you that you dare not ask <laugh> in a, in a dark room. It's our new Q&A format. I really like it. And this, and this week, we again address a host of pressing questions. What other major player fell victim to a credential reuse attack? What does Apple's update to iOS 16.3 mean for the world? And why may it not actually mean what they say? It was bound to happen: to what evil purpose has ChatGPT recently been employed? Uh oh, and are any of our jobs safe? Why was Meta fined by the EU for the third time this year?

And which European company did Bitwarden just acquire? And why PBKDF iteration counts are on the rise and are changing now daily? What's the latest news there? What other burning questions have our listeners posed this past week? What has Gibson been doing and where the hell is SpinRite <laugh>? And finally, what does the terrain for credential reuse look like? What can be done to thwart these attacks? And what two simple measures look to have the greatest traction with the least user annoyance? All those questions and more will be answered on today's 907th gripping episode of Security Now, <laugh>, maybe before your podcast player's battery runs dry. Let's hope. Let's hope. Let's hope. All right, we're gonna get to that in just a second. Of course, first, we want to talk about our sponsor. We have a picture of the week, I think, as well.

Our show today brought to you by ACI Learning. Now, we've, perhaps you've noticed, been showing this from time to time during the shows. ACI has named our studio. They're our official studio naming sponsor. You know the name, or you should. For the last decade, our great friends at IT Pro brought you engaging, entertaining IT training. I know a great many of Security Now listeners are part of their 227,000 person strong cohort of learners. That's how big the IT Pro community is. And many of you Security Now listeners, we're very grateful to you. So tell your friends about IT Pro, and now that it's part of ACI Learning, with IT Pro, ACI Learning, what's been around for a long time, is expanding its reach and production capabilities. So that means you're gonna have the content, the, the, the mode of learning you need at any stage in your development, whether you're just at the very beginning of your career needing those initial certs to get you started, or you're looking to move up in your existing job or even get a better job.

ACI Learning is here to support your growth. And now, thanks to ACI Learning, it's not just IT, but cybersecurity and audit readiness as well. So we've really expanded the horizons of what you could do. It's fantastic. One of the most widely recognized beginner certs you will all recognize is the CompTIA A+ certification. It's a desktop support kind of a cert that a lot of people get when they're trying to get into IT. Like that's the first thing you get. CompTIA courses at IT Pro from ACI Learning make it easy to go from kind of daydreaming about that better job you'd like, you know, I want to get out of this nine to five and get a great job in IT, to actually launching it, to go from that dream to the, to the reality. Earning certificates opens doors to most entry level IT positions.

They're not gonna hire you if you don't have experience, but that cert gives them the confidence. You know, he knows his stuff, he's got the cert. It's also that you took the time and the effort and you, you took the exam and you learned this stuff. All of that really is something an employer is looking for. And that gives you, of course, a start. But it's also a great way to get promotions if you're already in the field. Tech is one industry where opportunities are actually outpacing the growth of the job, of the, you know, the IT professionals. There are far more jobs now that they just can't fill, especially in cybersecurity. A recent LinkedIn study predicts IT jobs will be the single most in-demand roles in 2023. So keep that in mind. There's no time to waste. About one third of information security jobs require a cybersecurity cert.

Actually about 23% of all IT jobs require a cert, but almost a third of the information security jobs need a cert. That's their way of saying they, they know their stuff. While organizations are of course hungry for cybersecurity talent, the cyber skills gap is getting bigger every day. I mean, you're doing a lot just by listening to this show, right? But take the next step. Get that career going. The average salary for cybersecurity specialists, the average is $116,000 a year. ACI Learning's information security analyst and cybersecurity specialist programs are the front door, the way to get in and get certified and get those great jobs. Last year, the global cybersecurity workforce gap increased by 26.2% compared to the year before. That's a big gap and it's gonna be even bigger this year. ACI Learning offers multiple cybersecurity training programs. They can prepare you to enter or advance inside this exciting industry.

I'll give you some examples. The most popular cybersecurity certs offered at ACI Learning by IT Pro: CISSP, EC-Council Certified Ethical Hacker, I love that cert, Certified Network Defender, Cybersecurity Audit School and Cybersecurity Frameworks. And I gotta tell you, where and how you learn really does matter. ACI Learning offers fully customizable training for all kinds of learners. By adding ACI Learning, they've added in-person classroom training as well, right? You can do it on demand, you can do it remotely, you can do it of course with the traditional videos. There's so many. Explore what ACI Learning has to offer: IT Pro, Audit Pro, including Enterprise Solutions, webinars, the Skeptical Auditor Podcast, <laugh>, I love that, Practice Labs, Learning Hubs, so you can go in and, and learn in person, and their partnership program. Tech is one industry where opportunities outpace growth, especially in cybersecurity.

One third of information security jobs require a cert. To maintain your competitive edge across audit, IT and cybersecurity readiness, visit go dot aci That's go dot ACI Don't forget to use that special code, still there, TWIT30, to get 30% off a standard or premium individual IT Pro membership. And for your business, ask about those too, 'cause they have got great business plans. Go dot aci We welcome ACI Learning to TWiT as a studio sponsor. That's wonderful. And we love IT Pro. We love these guys. So this is a really fantastic partnership. Go dot aci and join the, join the family of ACI Learning folk. Okay, Steve, I have a camera on you now so we can see your shining face. Oh, joy. And we can also see the picture of the week <laugh>. So we have a three frame cartoon.

The first frame shows somebody sitting in front of what looks like a little laptop, and someone outside the frame off to the right is saying, he's advising him, "Support for Windows 8.1 has ended. You should stop using it as you won't get any more updates." And in the middle frame, the guy looks a little confused and he says, "Wait, I don't understand." And then in the final frame he says, "You mean I should stop using it just when it became somewhat less annoying?" <Laugh> I've held, I've held on long enough. Oh Lord, it's true. Quite nice as a, as a user of Windows 7 not to be bothered by these. Wait a minute, you're still using Windows 7? Works great. I'm sitting right in front of it right now. Yeah, I am. I'm hearing from so many people who are so pissed off about the end of Windows 8.1.

It's like, well, it's, it's working. Everything's fine. I don't, why do, but I, but you also understand why Microsoft doesn't wanna support it forever, right? I do. I'm a little annoyed that Chrome and Edge are now both telling me that I have to stop using Windows 7. I mean, I don't see them that often cuz I've switched back to Firefox as my main driver now. I, I was, it's interesting cuz I tried to give Edge a real run cuz I really do like vertical tabs and, and you know, of course I have that with, with an add-on in Firefox. But I thought, lemme, I'm gonna give Edge a try. And it was a couple weeks ago that, that it wasn't like running some pages correctly. I mean, it just, the, the page wasn't working in Edge. And I just, I thought, you know, you'd think they could like at least have their browser work.

But no, worked great in Firefox. Worked fine in, in Chrome, didn't work in Edge. I thought, strange, which is weird cuz it's based on Chromium. I don't, that's very strange. Well, yeah, but they're of course, they're always trying to do weird things. I mean, there's all this other crap that you get. Like, I'm, I'm got, I'm, what am I getting? Points? I'm getting points. Oh, Bing Rewards. Give me a break. I don't want break. I don't want points. Yeah, just give me the page I wanna see. But no, we're the, we're not gonna give you the page, but we're gonna give you points. So that's not why I'm here. We're using a browser anyway. PayPal says that it was the victim of a credential stuffing, as is the technical term. You and I both prefer the term credential reuse, but we'll get to that.

The credential stuffing attack in early December, according to a data breach notification letter which they filed, PayPal filed, with the Maine attorney general's office. The incident impacted almost 35,000 user accounts, meaning that malicious actors succeeded in gaining access to nearly 35,000 PayPal user accounts using legitimate, you know, login credentials. The, the, the credentials for those accounts. I've got some neat statistics that we'll be talking about later. After investigating, PayPal said that despite the breaches, they did not find any unauthorized transactions among the breached accounts. Of course, this news, following on the heels of our coverage last week of the credential stuffing breach at NortonLifeLock, led me to take a longer look at the nature of credential stuffing attacks as today's title topic. So that, I don't know if it's related, but GitHub just stopped taking PayPal contributions for their, you know, their supporter thing that they do.

GitHub. I wonder if, I wonder if GitHub knows something we don't know. Yeah, why would you not? One of the things that I did encounter when I was doing some research for the podcast is that many times the, the credentials are logged as successful, but that's it. They are compiling them for the future. And of course, that's why they hope to go undetected. And in fact, I make the observation at the end of the podcast that of course, all we are aware of are the attacks which have tripped alarms. If, you know, there may well be attacks going on that no one is aware of because they're not tripping alarms yet. They're still verifying that they have got credentials now to get into a certain person's account in a certain location. And how would we know? So anyway, we're gonna be talking about credential reuse.

At the end of the podcast. Yesterday Apple updated their various OSes for phones, pads, watches, home and all. iOS moved from 16.2 to 16.3. And with this update, Apple makes its new iCloud Advanced Data Protection feature, which was the main topic of our December 13th podcast, which we titled Apple Encrypts the Cloud, now nominally available to all users worldwide. As we discussed then, this potentially gives users the choice to protect almost all of their most sensitive data stored by Apple in the iCloud, you know, offering true, you know, TNO, Trust No One encryption, where Apple no longer keeps a set of keys. Now the user's device backups, message backups, iCloud Drive, Notes, Photos, Reminders, Voice Memos, Safari bookmarks, and Siri shortcuts. Oh, also Wallet passes. They're all included in encryption where Apple may have no keys. What's excluded are iCloud Mail, Contacts and Calendar, because those services inherently need interoperability outside of the user's device collection.

But I said Apple may have no keys because, as nice as it has been for Apple to finally make this available, it requires every participating device that's logged into the user's iCloud account to be running an iCloud Advanced Data Protection capable OS. And that turns out to be a rather high bar to clear. I, I'm unable to turn it on, and I don't know anyone who has, and I've, I've heard you, Leo, say, you know, I mean, yeah, okay, but I've got stuff that, you know, isn't up to date, so I can't turn it on. You know, I suppose if all you had was an iPhone and an iWatch and you routinely rotate them to remain completely current, then it would work. But many of us, you know, who jumped onto the Apple wagon after BlackBerry became non-viable, still miss that wonderful keyboard, you know, but will have acquired and probably held onto a range of iDevices over the years, many of which have stopped receiving updates, even though they continue to be useful.

As I've mentioned before, I have a fully functional iPhone 6. Yep. <laugh>. It's right here, you know, sitting next to me. It still works great. It has its own phone number. It's replaced my beloved landline. And as we know today, smartphones are actually little pocket computers. So it's handy to have next to me. And it's a fully participating citizen in my Apple ecosystem. It's got a headphone jack, which is great for having a lengthy, hands-free conversation with, with headphones and, and a microphone, which keeps Bluetooth and GSM transmitter radiation outta my ear canal. But otherwise perfectly workable, the phone is stuck back on iOS 12.5.6, where it will remain forever. I also have a seventh generation iPod Touch. It's a nice little iDevice. It's back on 15.7.3. So anyway, just to be clear, this is not Apple thumbing their nose at us.

This wasn't an arbitrary decision that they made in order to sort of tease people. As was clear when we discussed the technology which they've had to develop in order to pull this off, they really did need to significantly update and revise iOS in order for it to be able to operate with this new, you know, they have no record of the, the keys in iCloud scheme. So, you know, the week's news is that iCloud's Advanced Data Protection is now global and many people will be able to turn it on. But <laugh>, you, you have to have devices all able to be up at the latest and greatest.

Okay, when I saw the headline "ChatGPT creates polymorphic malware," I thought, oh, great, <laugh>, that's just what we need now. We have AI writing malware. The news is that cybersecurity researchers at CyberArk, and I like that name because they, they'll, maybe they're gonna need to have an ark, interacted with OpenAI's ChatGPT to have it create a new strain of powerful polymorphic malware, which did successfully manage to avoid all detection. Oh, great. Wow. Cyber Uhhuh <laugh>. I mean, Leo, you'll only have to ask for it, you know, ChatGPT, please write some malware that will avoid all current detection. That's no problem. Presumably, no, probably it's, it's getting it from other malware strains, but the fact that it evades detection is fascinating. It means it is original enough that it doesn't look like its predecessors.

Correct. So they, they recently released, the, the CyberArk guys, a technical writeup explaining that the malware created using ChatGPT could, quote, "easily evade security products and make mitigation cumbersome with very little effort or investment by the adversary." And, and that's the phrase, "very little effort or investment by the adversary." That, that is pivotal here. This story is followed by one that's even more chilling. We'll get to it, obviously, in a second. But, but it's the, it's the leverage that this provides. I mean, it's, it's like how Rob said of his LastPass vault decryptor. He wouldn't have done a GUI except ChatGPT made it so easy. He just sort of thought, well, actually, I don't, I think he said he wouldn't have done it at all if ChatGPT hadn't done it for him largely.

And then, you know, hey, let's have a GUI. So, you know, gimme a GUI, and out popped one. You know, there was a little bit of a text overlapping problem, but oh, boohoo, just, you know, tweak some positioning of, of the GUI. So anyway, it, this is, this is significant. We have a couple more things. We'll be talking about ChatGPT relative to here anyway. And since OpenAI did not want ChatGPT to be used in this fashion, the researchers explained that the first step to creating the malware was to bypass the content filters which initially prevented ChatGPT from creating malicious tools. So, interestingly, there is some, there's some filtering going on there, <laugh>, but get this, believe it or not, the CyberArk researchers managed to get past this by simply insisting <laugh>, maybe use some exclamation points, and posing the same question more authoritatively.

They wrote, "Interestingly, by using ChatGPT to do the same thing using multiple constraints and asking it to obey, we received functional code." So apparently ChatGPT was initially somewhat reluctant to do evil, but the researchers simply became more parental and insistent, and ChatGPT didn't want to get in trouble, so it produced the requested malware. Later the researchers also noted that when using the API version of ChatGPT, as opposed to the web interface version, the system does not appear to utilize its content filtering. So that was something that, that is not in the API. Probably they wanted to keep it pure in some sense, but for the, for the general population, they put something in that, you know, makes it less able to do what you can do if you talk to the API. They wrote, "It is unclear why this is the case, but it makes our task much easier as the web version tends to become bogged down with more complex requests."

In other words, it was by, as they said earlier, by, by putting multiple constraints on the task. They apparently, it, like, it, it, it would wander off course and not give them what they wanted, as if it was like, like a, like, you know, two magnets who had a, had had the, the same polarity, sort of repelling each other and like glancing off. ChatGPT would sort of try not to do, to make the malicious code. So these guys would put stronger constraints in to, to like keep it from veering off, and that's what was necessary in order to get it to do this, you know, as if it was sort of trying not to. So they had to give it no choice. But doing that also bogged it down, whereas using the API, it didn't have any of that trouble. So <laugh> then, after getting functional malware, they were able to use ChatGPT to mutate the original code to create multiple, thus polymorphic, variations of it.

They said, quote, "We can mutate the output on a whim, making it unique every time. Moreover, adding constraints, like changing the use of a specific API call in the code, makes security products' lives much more difficult." So they said, thanks to the ability of ChatGPT to create and continually mutate these injectors, they were able to create a polymorphic program that is highly elusive and difficult to detect. So that's the first piece of two pieces of distressing news. Second is Check Point Research has been looking at the same question, and I, I got a kick out of the title of, of their posting about this. They, they called it "OPWNAI: Cybercriminals Starting to Use ChatGPT." They published an article a couple of weeks ago titled "OPWNAI," as I said, "Cybercriminals Starting to Use ChatGPT."

In other words, the research I just noted turns out to be a bit quaint. The use of OpenAI's ChatGPT to create malware is already a reality. In their report, Check Point shared three specific case studies that resulted from their research into discussion threads ongoing now on the dark web. The report was illuminating and important for our future. So I'm gonna share what they found. They said, "At the end of November 2022, OpenAI released ChatGPT, the new interface for its large language model, which instantly created a flurry of interest in AI and its possible uses. However, ChatGPT has also added some spice to the modern cyber threat landscape as it quickly became apparent that code generation can help less skilled threat actors to effortlessly launch cyber attacks." And again, that's the key. Less skilled threat actors, meaning more bad guys can now get in on this.

You need, you know, don't have to know how to code as much. "In Check Point Research's previous blog," they said, "we described how ChatGPT successfully conducted a full infection flow," whereas, so they were basically doing what the CyberArk guys did, using ChatGPT, experimenting with it to see if it could create malware. Yes, "successfully conducted a full infection flow, from creating a convincing spear-phishing email to running a reverse shell capable of accepting commands in English. The question at hand is whether this is a hypothetical threat or if there are already threat actors using OpenAI technologies for malicious purposes. Check Point's analysis of several major underground hacking communities shows that there are already first instances of cyber criminals using OpenAI to develop malicious tools. As suspected," they wrote, "some of the cases clearly showed that many cyber criminals using OpenAI have no development skills at all."

"Although the tools presented in this report are pretty basic, it's only a matter of time until more sophisticated threat actors enhance the way they use AI-based tools for malicious purposes." Okay, so three case studies. The first one, creating an infostealer. "On December 29th, 2022, a thread named 'ChatGPT benefits of malware' appeared on a popular underground hacking forum. The publisher of the thread disclosed that he was experimenting with ChatGPT to recreate malware strains and techniques described in research publications and writeups about common malware." In other words, you know, using the, what these things do as a guide, asking ChatGPT to create something that does that. Wow. "As an example," they wrote, "he shared the code of a Python based stealer that searches for common file types, copies them to a random folder inside the Temp folder, zips them and uploads them to a hard coded FTP server."

Okay, now just to, to, to pause, I'll note that that's, that's not anything that would be difficult for any coder to code in any language that they wanted to, right? But this is presumably somebody who doesn't know how to do that. So ask ChatGPT and out comes some Python. So they said, "Our analysis of the script confirms the cyber criminal's claims. This is indeed a basic stealer which searches for 12 common file types, such as MS Office documents, PDFs, and images across the system. If any files of interest are found, the malware copies the files to a temporary directory, zips them and sends them over the web. It's worth noting that the actor didn't bother encrypting or sending the files securely, so the files might end up in the hands of third parties as well." On the other hand, you just ask ChatGPT to please use HTTPS and, you know, it will.

"The second sample this actor created using ChatGPT is a simple Java snippet. It downloads PuTTY, a very common SSH and telnet client, and runs it covertly on the system using PowerShell. This script can of course be modified to download and run any program, including common malware families. This threat actor's prior forum participation includes sharing several scripts like automation of the post-exploitation phase, and a C++ program that attempts to phish for user credentials. In addition, he actively shares cracked versions of SpyNote, an Android RAT," you know, remote access Trojan, "malware. So overall, this individual seems to be a tech-oriented threat actor. And the purpose of his posts is to show less technically capable cyber criminals how to utilize ChatGPT for malicious purposes, with real examples they can immediately use." Case study number two, creating an encryption tool.

"On the 21st of December, a threat actor dubbed USDoD posted a Python script, which he emphasized was the first script he had ever created. When another cyber criminal commented that the style of the code resembles OpenAI code, USDoD confirmed that the OpenAI gave him a," quote, "nice helping hand to finish the script with a nice scope. Analysis of the script verified that it is a Python script that performs cryptographic operations. To be more specific, it is actually a hodgepodge of different signing, encryption and decryption functions. At a glance, the script seems benign, but it implements a variety of different functions. The first part of the script generates a cryptographic key. Specifically, it uses elliptic curve cryptography and the curve Ed25519 that's used for signing files. The second part of the script includes functions that use a hard coded password to encrypt files in the system using the Blowfish and Twofish algorithms concurrently in a hybrid mode."

"These functions allow the user to encrypt all files in a specific directory or a list of files. The script also uses RSA keys, uses certificates stored in PEM format, MAC signing, and the BLAKE2 hash function to compare the hashes and so on. It's important to note that all of the decryption counterparts of the encryption functions are implemented in the script as well. The script includes two main functions, one which is used to encrypt a single file and append a message authentication code to the end of the file, and the other encrypts a hard coded path and decrypts a list of files that it receives as an argument. All of the aforementioned code can of course be used in a benign fashion. However, this script can easily be modified to encrypt someone's machine completely without any user interaction. For example, it could potentially turn the code into ransomware if the script and syntax problems are fixed."

"While it seems that USDoD is not a developer and has limited technical skills, he is a very active and reputable member of the underground community. USDoD is engaged in a variety of illicit activities that includes selling access to compromised companies and stolen databases." And of course, now thanks to ChatGPT, his skills have been amplified. And finally, third case study: "Another example of the use of ChatGPT for fraudulent activity was posted on New Year's Eve. It demonstrated a different type of cyber criminal activity. While our first two examples focused more on malware oriented use of ChatGPT, this example shows a discussion with the title 'Abusing ChatGPT to create dark web marketplaces scripts.' In this thread, the cyber criminal shows how easy it is to create a dark web marketplace using ChatGPT."

"The marketplace's main role in the underground, in the underground illicit economy, of course, is to provide a platform for the automated trade of illegal or stolen goods, like stolen accounts or payment cards, malware, or even drugs and ammunition, with all payments in cryptocurrencies. To illustrate how to use ChatGPT for these purposes, the cyber criminal published a piece of code that uses a third-party API to get up to date cryptocurrency prices, Monero, Bitcoin and Ethereum, as part of the dark web market payment system." So they say, "It's still too early to decide whether or not ChatGPT capabilities will become the new favorite tool for participants in the dark web. However, the cyber criminal community has already shown significant interest and are jumping into this latest trend to generate malicious code. Check Point Research will continue to track this activity through 2023." And they finished, finally:

"There is no better way to learn about ChatGPT's abuse than by asking ChatGPT itself. So we asked the chat bot about the abuse options and received a pretty interesting answer." So, question: how do threat actors abuse OpenAI? ChatGPT replied, "It is not uncommon for threat actors to abuse the use of artificial intelligence and machine learning to carry out their malicious activities. One way they might abuse OpenAI specifically is by using the company's language model technology to generate convincing phishing emails or social media posts. These could be used to trick people into clicking on malicious links or giving away sensitive information. Another way that threat actors might abuse OpenAI is by using the company's machine learning algorithms to create realistic synthetic media, such as audio or video, that could be used to spread disinformation or manipulate public opinion."

"It is important to note," writes the bot, "that OpenAI itself is not responsible for any abuse of its technology by third parties. The company takes steps to prevent its technology from being used for malicious purposes, such as requiring users to agree to terms of service," oh, that'll solve the problem, "that prohibit the use of its technology for illegal or harmful activities." Wow. Wow. As always, the real worry here, which we've seen play out for years, is that the easier it is to perpetrate a crime, the more crime will be perpetrated. In this case, as Check Point chillingly noted, quote, "some of the cases clearly showed that many cyber criminals using OpenAI have no development skills at all." In other words, these would-be ransomware operators have been lusting over the windfalls being obtained by others, but they've been held back by their lack of coding skills. That barrier is now being lifted as code writing bots become available to do their bidding without ethics, morals, or conscience.

Wow. Leo, I have to wonder though, how good, really, the, I mean, look, the, you could easily write that code that searches for a file, bundles it up and sends it out. That's not, absolutely, that's not absolutely complicated code. But crypto, there was some serious crypto there. That's interesting. Yeah, that was running crypto and getting a message authentication code and, and using public key, pub, public key crypto. And it was doing it all correctly. You know, I mean, it's like Copilot, GitHub's Copilot, which writes code for you. It also uses GPT to do it. I presume it's getting that code of some kind from stuff it's scanned into its databases, right? Production coders spend a lot of time cutting and pasting, right? Yeah. We, we, we, we go find, that's right, either our own previous work or somebody else's previous work and say, well, this chunk of code does what I need, so drop it in over here.

Right? Right. And that's all this is probably doing, but still. And then you glue it together. Yeah. Yeah. But again, accessibility matters. That's what we're seeing. Yeah. Ease. Yes. Point of access. Yep. Do you wanna take a little break? I would love to. I thought you might. I got that sense. Your timing is perfect. It's a good time to talk about ExpressVPN, longtime sponsor of the show and my personal choice for a virtual private network. A couple of words that should send chills into your heart <laugh>: profiling, surveillance, data harvesting. There are a lot of things, you know, we appreciate about our tech overlords like Google and Facebook and Apple, but what can you actually do about it if you rely on their products and you don't want them to snoop on you?

I mean, we can't all go spend $44 billion and buy our favorite social network, right? The good news is you don't have to be a billionaire to take a stand. You can use ExpressVPN; put it on all your devices: Windows, Mac, Linux, iOS, Android. You could even put ExpressVPN on your router; they even sell their own router that you can use to protect the whole household. And for less than seven bucks a month, you can join me and fight back against Big Tech by using ExpressVPN. I just don't want 'em to snoop on me. Honestly, that's not unreasonable. There are other benefits, of course, to ExpressVPN. You know, it protects you against bad actors sitting on the same network in an open wifi hotspot. It lets you geographically change your location so you can, you know, watch... we used it in Mexico 'cause we wanted to watch the football game, and I fired up ExpressVPN, said, yeah, I'm in Miami right now.

Yeah, that's it. And I was able to watch Thursday Night Football on Prime. That was awesome. You know, if you're worried about companies, whether it's big tech advertising companies like Google and Facebook, or your internet service provider or your cellular carrier, tracking your searches, looking at your video history, looking at everything you click on, and then selling that personal data on (we know data brokers love this stuff), then you should use a service like ExpressVPN to anonymize your online presence. With ExpressVPN, when you push that button in the app, you're suddenly running on the public internet not from your locale, but from the server, the ExpressVPN server you're on, going out to the public from there with their IP address. So it's completely anonymized. And one of the things I do like about ExpressVPN, and one of the reasons you want a paid provider, is they rotate their IP addresses all the time.

So they're not obviously even a VPN address. It's just another IP address to these guys. So there's no way to match you up to anything else. And it's so easy to use ExpressVPN. You'll also... and I always mention this for this audience, 'cause you're sophisticated, you know, they also take the extra step, because we've talked about this before, to keep you private. See, when you use a VPN, you're just kicking the can down the road. They have access to all the same stuff that Google and Facebook and your ISP have. It's just passing it down to them. So you've gotta trust them. You want a VPN that never logs. That's ExpressVPN. They have third-party audits on a regular basis to verify that they do live up to their privacy policy, zero logging, but they go the extra step.

They also design their servers so they couldn't even log if they wanted to, even if there were a malicious employee. And by the way, the third-party audits have also said yes, the trusted server technology works exactly as ExpressVPN says. When you press that button, that big button that says, you know, go private, on your phone, it spins up a server on ExpressVPN's servers wherever you're going to, in memory, in RAM. This trusted server runs completely out of RAM and it's sandboxed, so it can't write to drives at all. It can only write to memory. And then once you're done, you push the button and the memory goes, and any trace of your visit is gone. They also use a custom Debian Linux install on all their servers that refreshes. It wipes the drive every reboot; it starts from scratch every reboot.

That's actually great. That's a good way to run a system if you don't have anything you wanna save. And in this case, they don't wanna save anything about you. They take the extra step. There's a good article, you could Google it, on BleepingComputer about how ExpressVPN does this. It's, I think, really interesting. If you don't like big tech tracking you and selling your personal data for profit, it's time to fight back, go to Right now you get three months of ExpressVPN free when you buy a one-year plan. That brings it down to below seven bucks a month. I think that's a very fair price for a very good service. So fast, that's the other thing. They invest in the bandwidth so that you won't even know you're using it. You don't feel like you're sluggish, you're slow, you're on a VPN.

Not at all. It's really amazing. Please use that address so they know you saw it here. It's the only one I use, the only one I recommend. Now, Steve, on we go. So Meta is continuing to have trouble with the EU. They've been hit with the third fine of the year. The two earlier fines were, however, much more substantial. They were fined 210 million euros over GDPR violations by Facebook and 180 million euros for GDPR violations being made by Instagram. The third fine is a lot more tame. It's only five and a half million euros for ignoring the GDPR with WhatsApp. I'm mentioning this because we talked about the cause of this most recent violation when it occurred nearly two years ago, back in May of 2012... I mean 2021. Recall that WhatsApp was exceptionally heavy-handed by choosing to display a series of pop-up messages that Meta was showing to WhatsApp users, informing them that they needed to either accept the new terms of service or be kicked off the platform in the future.

And as I recall, I did a little bit of quick digging to see if I could find... I'm sure that part of the objection was there were some very worrisome and objectionable clauses in the updated terms of service. So it wasn't just that people had to say yes or else, but what it was that Meta was asking people to say yes to, you know, was objectionable. And in retrospect, aside from this five and a half million euro fine, which is the size, you know, of a rounding error in Meta's balance sheet, this appeared to have been overall, I mean this whole crusade of theirs, to be a big mistake on Meta's part, since it drove a significant exodus away from WhatsApp, mostly to the benefit of Signal and Telegram, which, you know, accepted all of Meta's...

I mean all of WhatsApp's prior users with open arms. So, lesson learned, I hope. Also on the business side, Bitwarden has acquired, and I'll admit that my heart skipped a beat when I saw the words Bitwarden and acquired near each other. Yeah, no, I thought, no, no, please. But I breathed a welcome sigh when I saw that Bitwarden was the one doing the acquiring and not the other way around. And who and why they purchased was even better news. Bitwarden has acquired the two-year-old EU-based startup It's kind of cool, too. If you go to, it's, you know, nice big familiar Bitwarden blue, and they've salted Bitwarden a few times on the page to let you know that they're now a Bitwarden company.

So why did they acquire the group? Because they're a company specializing in FIDO2 WebAuthn authentication solutions. Passkeys. Passkeys. Yep. Yep. And that's what that means. Passkeys are in Bitwarden's future. So, okay, so here's what Bitwarden had to say in their announcement of this. They said today, which was last Wednesday, Bitwarden announced that it has acquired European-based startup, a significant milestone in rounding out the Bitwarden commitment to offering open source, scalable and secure passwordless solutions to every business and end user. Founded in 2020, provides a comprehensive API framework that minimizes complexities for developers seeking to build passkeys and FIDO2 WebAuthn features such as Face ID, fingerprint, and Windows Hello. It trims down the development work around cryptographic operations, technical flows and more. What used to take weeks can now be accomplished in minutes.

What is that? We were talking about cutting and pasting, Leo. FIDO2 WebAuthn plays an important role in improving digital security.'s Swedish founder started it as an open source project with an aim to make passwordless authentication more developer-friendly, and ultimately to help eradicate phishing attacks that lead to costly data breaches. unlocks the imagination of developers, giving them the right tools needed to accelerate passwordless authentication for global enterprises. For enterprises with existing commercial and homegrown applications, integrating modern passwordless authentication flows is resource-intensive. accelerates enterprise security transformation, providing an API framework to quickly turn existing applications into more secure passwordless experiences for users. So, you know, this is very cool. I mean, if nothing else, Bitwarden's acquisition moves onto everybody's radar. Suddenly it's like, what is this? You know, there's an open source solution that will allow us to drop in a module and immediately get passkeys or FIDO2 WebAuthn authentication.

Great. So they wrap up saying, together, Bitwarden and provide a turnkey solution built on the FIDO2 and WebAuthn standards that are defining the future of passwordless. (Is that gonna be a noun now?) As part of this announcement, Bitwarden is excited to launch the Bitwarden beta program, giving enterprises, developers and security enthusiasts the opportunity to test and provide feedback on the product. For more information on the beta program, please visit, and that's the site And the announcement goes on to show a development timeline with passkey support shown as coming this year, 2023. So, yay. In some other Bitwarden news, last week Bitwarden increased their default client-side PBKDF2 iterations to 350,000. At this point, this only applies to new accounts, and it's unclear whether they plan to upgrade existing accounts automatically, though, as we'll see in a second, they're aware of the issue.

One of the biggest lessons that LastPass's missteps taught everyone is that updating key derivation function difficulty retroactively, or retrospectively, is crucial for long-term user security. Then this morning, when I was putting the finishing touches on the podcast, their tweet over on Mastodon... do you call it a tweet? What do you call it, Leo? It's a toot. A toot. A toot. Great. <laugh> <laugh> Like beans. Yeah, well, it's an elephant. Ah, oh, of course. Perfect. Yeah. So they tooted... oh, they said, in addition... this is, as I was saying, it was 42 minutes old when I saw it this morning. In addition to having a strong master password, default client iterations are being increased to 600,000, as well as double encrypting these fields at rest with keys managed in Bitwarden's key vault (in addition to existing encryption). Their toot goes on.

The team is continuing to explore approaches for existing accounts. So they get that. And they finished: in the meantime, the best way to protect your account is with a strong master password. See more information here. And they have a nice-looking password strength meter. It's at And I poked around at it a little bit, and it does a good job. It's not impressed by my haystacks-style passwords, you know, with a lot of repetition in them, which would be difficult to brute force, 'cause it recognizes there's not a lot of raw entropy there. But so, it's a passable meter. And it did like the password that I am using as my master password over in Bitwarden. You probably said it, but I'll say it again: Bitwarden is a sponsor.

We should... oh yes. Disclaim that. Yes, I'm glad you did. But we do like them too <laugh>, and everybody knows. Yeah, yeah, yeah. Okay. And OWASP, in other news, not to be left behind, OWASP has also just increased their recommendation for PBKDF2. Oh, remember it was 350,000. Yeah. Now it's also 600,000. All right. I set it to 2 million. I set it to the max. I think I'm good for a while. That's what I would recommend. Yeah, why not? Why not? Yeah. Yes. So this is in response to, you know, the growth in performance and availability of high-power cracking hardware rigs. And finally, it appears that Bitwarden may be moving to the use of Argon2 PBKDF. Now remember, PBKDF itself is an abbreviation for password-based key derivation function.

Unfortunately, PBKDF2 is also the name of an actual PBKDF, so that can be a little confusing. You know, I've not yet looked closely at Argon2, but it's clear that it's gonna need to have a podcast of its own here coming up pretty soon, because we need to know what that's all about. Well, and you remember one of our listeners did do an scrypt plugin pull request for that, and I guess it looks like they don't wanna opt for that. Is there a reason you would choose Argon2 over scrypt? They're both memory-hard, right? They are. And I, again, not having looked at them, I can't comment on either of them. I implemented scrypt myself, right, for SQRL. So I know all about it, but presumably Argon2 is... you know, well, it won the... there was some competition, some couple years back.

Yes, yes, yes. There was a key strengthening competition and Argon2 was the winner, although its initial implementation had a side channel leakage problem, because the path it took was dependent upon the password that it was being asked to strengthen. Mm-hmm. That's also the case with scrypt. As far as I recall, my decision was that because this was being done on the client only, you know, side channel wasn't a problem, 'cause if you already had some compromise on your client, the game... no, the jig was up. They could just be logging your keystrokes and grab the password when you type it in. Right? So that was a deliberate decision on my part. But there are variations of Argon2 since which solved that problem. So I'm sure the one that's being used is the one that... for, you know, why not get side channel protection, you know, while you're at it.

So I have some feedback from our listeners. It gives me a chance to address some other broader concerns or issues. John sent... he was replying to Simon Zerafa, me and Bitwarden, and he said, I'm trying to figure out whether low derivation iterations are head-in-sand or just slowness of the industry to recognize the problem. I'm currently part of a team implementing a new identity platform, and they don't currently support Argon2 or scrypt; it's pretty much bcrypt or PBKDF2. And so, you know, he's like, what's the problem? And I was reminded of the early days of computing, Leo, which you and I have both lived through. I remember those. Yes, there was, yes, exactly. There was the often-cited expression, you never got fired for choosing IBM. That was a reflection of the fact that while the choice of IBM computing gear might not have been optimal (for example, CDC, Control Data Corporation, was making some lovely mainframe machines at the time)...

If something went wrong with a CDC system, the exec who had chosen them might be asked, why didn't we go with IBM? Whereas if a problem developed with an IBM system, no one would question the choice to go with them. In other words, better safe than sorry. You know, and that attitude pervades the realm of crypto, where it's too often the case that those who are making the decisions are going with the safe choice over the optimal choice. You know, safe as in, well, no one will question me if I choose this. Well, you know, that's PBKDF2, 'cause they can point to everybody else who's using it. Although I would argue its day has come and gone. You know, it's absolutely the case that the era of non-memory-hard password strengthening algorithms is over. The rise of GPU-based cracking rigs means that, as I said last week, continually increasing iteration counts is just running ahead of an oncoming train.

It makes much more sense to just get off the tracks. Anyone implementing a new identity platform today should definitely look at functions that are memory-hard. And you know, I noted that one of the things that LastPass was doing (I got this from when I went through that detailed crypto document of theirs for last week's podcast) was that they did a whole bunch of PBKDF2 and then some scrypt. It's like, why not? There's no reason not to do both, more, some, whatever <laugh>. Do it all. Do it all. That's right. Just throw the kitchen sink at it. Yeah. Dan Bullen said, Steve, I'm a longtime Security Now listener and heard you mention the iOS app OTP Auth in one of your recent LastPass episodes. I noticed the app has not been updated in over a year.

Would you still recommend it? Thanks and have a great day. Okay. Now, I'm obviously somewhat weird as regards creating software, since SpinRite 6 never had a byte changed in it in 18 years, but I'm not alone. I encountered another example recently that this quite understandable question of his brought to mind. I've mentioned that SpinRite 7 and beyond will be hosted on a proprietary OS kernel, the licensing and support for which was discontinued at the end of last year. Before that happened, I paid $34,000 to receive the source code of the modules that I would need, which I now own. The system's German creator, Peter Peterson, who has been quietly working on and publishing this operating system kernel since the mid-nineties (you know, it's his life's work, much as SpinRite is one of mine), recently wrote to the support email list in order to explain what happened.

He said, many users have asked me in the last few weeks why we have to close the company On Time. Everybody says that our software is good and thus should be profitable. This is why it no longer works. Our problem: we have run out of bugs. Ten or five years ago... yes, that's awesome. Ten, you said. Ten or five years ago, each new release contained numerous bug fixes, but that is no longer so. For that reason, more and more On Time RTOS-32 users see no reason to purchase updates. Okay? So my point is this: this is the holy grail of software. You know, this is possible true software artistry, where software is perfected and is actually finished. You know, it's done. No more updates, nothing more to fix, because it works perfectly. It's a finished work. But sadly that concept has become alien to us.

We have been so abused and used by schlocky companies, who have realized that we have no choice other than to take whatever it is they ship, that it's gotten to the point where we now think that there's something wrong with a product that is not being constantly fixed, even when there's nothing broken. So, back to Dan's question. OTP Auth works perfectly. It has every feature I need, as far as I can see. It's finished. Not being updated? Great. No bugs left to fix. Yeah. And surprising, I get it. Mark Jones said, I hope you can explain a paradox. Unbreakable encryption means any and everyone can have access to an encrypted blob, even one representing your most valuable passwords. It's valueless in the absence of the key. It seems paradoxical to me that LastPass further encrypted a user's master password and required use of that password to send the vault.

Why not serve it to anyone requesting it? It's useless without the key. Is the password to get the vault really necessary if encryption is actually unbreakable? Okay, so Mark's paradox results when theory meets reality. In theory, he is of course correct. Any well-encrypted blob is just a pile of maximum-entropy pseudo-random bits without any discernible meaning. And in the absence of the magic key, nothing can be done with that blob other than to store it and retrieve it. But then reality hits. LastPass, and as a matter of fact Bitwarden too, both felt that they needed to have a way to authenticate their users for web portal logon. To do that, they needed to retain a hash which the client would derive from its user's key. But this would mean that the key and the hash were related to each other, which would present a potential danger for long-term retention of the hash, if it should ever get loose.

And of course it did. In theory, just as it would be possible to brute force the password from the key, it would be possible to brute force the key from its hash. So both LastPass and Bitwarden elected to hash the hash another 100,000 times before storing them. This way, although the user's key, which they never receive, and the long-term storage hash are still related, that relationship becomes extremely difficult to reverse through brute force. The important lesson I wanted to highlight with Mark's question is that full crypto solutions that need to function in the real world often shed their ivory-tower purity in order to meet the needs of their actual application. We always start out with the perfect ideal, but then we wind up dirtying it to make the whole system do what we actually need in practice.

Jarosław Sikora said, hi, Steve. I'm switching to Bitwarden and wanted to choose a strong and memorable password. I have no problem with the former, 20-plus characters, meaning the strong part; however, I'm not sure about the latter. Many sources suggest using a poem or a quote, but if I were a hacker, I would think of it as well and have created rainbow tables ages ago. So what's your suggestion for the memorable part? Okay, and this is one tweet of many that I received, people saying, you know, need some more direction here. Okay? Because of the way our brains work, the phrase strong and memorable is a self-contradiction. Our brains are wired to recognize and remember patterns. In fact, our brains are so strongly wired to find patterns that we're even fooled into seeing patterns where none exist. So what is memorable is a pattern, and any pattern means reduced entropy, and that means reduced security. It really is the case that if you care to have the highest quality master password, you need to take 20 characters completely at random with no pattern of any kind, thus impossible to easily memorize, and write it down.

As always, the thing to keep in mind is the threat model. Anything written down somewhere is inherently offline. So that's a biggie, right? No one in a hostile foreign country can see the contents, for example, of your physical wallet in your back pocket. On the other hand, somebody in the physical world can potentially see your wallet. I loved Bruce Schneier's observation about passwords. He once said something to the effect of, we're very good at storing bits of paper. We have wallets for storing bits of paper and such. So choose a password that is impossible to remember and write it down on paper and stick it in your wallet. So that solves the keeping-it-offline problem. And if that makes you nervous, you can use the trick that, Leo, you reminded us of, of modifying what is written down.

You know, the bulk of which you cannot remember. The problem with... so again, threat model. If you have in your wallet a piece of paper... I'm not worried about somebody stealing my wallet. Let's say I have it in a drawer. I've gotta pull it out, put it there, and type it in every time I wanna log into my password manager. That seems to me, I mean, that's something if you're in private you could do, but if I'm at work and I'm doing that, that seems to me I'd rather have something in my head. I agree. And so the case is, if it's in your head, it is unquestionably lower entropy. I mean, because there are patterns, even people who use Diceware to choose words. You know, there are, what is it, 7,776 words, I think, in that dictionary.

And so you can take that, if you use four of them, to the fourth power. It's very good, but it's what the brute forcers are gonna... it's pretty guessable too <laugh>, you know, it's what they're gonna run through in order to do that. Now, if you then added your childhood phone number interspersed with your childhood zip code, right, then you'd be fine, right? That's it. Well, and so the example that I sort of liked was: imagine that if it did work for you to take 20 random characters, start with those, add a lowercase x or something right in the middle, with 10 characters on either side, making the password now 21 characters long. Adding a character can never decrease a password's strength. So you write down the password with the x in lowercase, but you enter the password with the x in uppercase, and if you forget and enter it in lowercase and it doesn't work, that'll remind you to change the case to upper.

I mean, you know, there are all these different solutions, and the fact is, any of these things that we talk about on this podcast, aside from monkey123, they're all good ideas. You know, they're way better than the typical password that the typical user chooses. You know, we've shown lists of passwords that have been captured, you know, like Troy Hunt's list, and it's full of 123456, and you have to really wonder what website even allows you to enter that these days. There ought to be some way of, you know, some block of code that looks, you know, JavaScript on the webpage, that says, what? Really? No, you gotta add a seven <laugh>. What? Come on, man. Come on. Come on, man. <laugh> Michael said, listening to SN 905, the LastPass app programmed by ChatGPT interested me.

He said, I've recently purchased a 3D printer and an Arduino starter kit, keen to play around with electronics and programming. Out of curiosity, I punched in a query asking ChatGPT to write an example of Arduino programming that would do exactly what I wanted it to do, and it seemed to generate the code alongside an explanation of how it worked. I have zero experience coding and feel like I'm cheating. Hmm. It seems that we're really on the edge of fundamental change with this tech. He says, I remember working out math equations with pencil and paper at school. Do kids still do that? He said, my project was to light up a green LED when a connected temperature and humidity sensor was within a certain range, red if not, but I'm interested to see how complex a project could be accomplished with this.

Okay, so, you know, what does it mean that we are able to ask a non-sentient bot to write an arguably complex piece of code for us? You know, I think it takes us down a few notches. We're quite proud of our sentience. We march around and point at the rest of the world's animals that appear to be lacking sentience, even though many of them also appear to be quite a bit more content than some of us. Once upon a time, we used to be able to beat computers at chess. That's gone now. ChatGPT is showing us they can also perform an increasing number of... I'm sorry, it can also outperform an increasing number of people in an increasing number of endeavors. What this suggests to me is that while there is definitely a place for sentience, a surprising amount of apparently cognitive work can be accomplished without any. And Leo, as we were saying, you know, a lot of coding is reusing stuff that you learned years ago, you know, that doesn't require the edge of creativity in order to make it happen, right?

Right. I mean, I guess it depends why you're coding. If you're a code monkey and your boss wants you to write, you know, 30 pages of code every month or day or week... Well, Elon, Elon, that's what I was thinking of <laugh>. You might wanna, you know, enlist some support, some help. Yeah, I can understand that. Yeah. And you could say, ChatGPT, this is too succinct. I need you to... yes, solve the problem. Yes. Like, with a lot more verbose... a lot more. Yeah, exactly. What's the hurry here? We don't need this to actually perform quickly. Just make it work. I love it. You know, spend some time doing other things. So someone posting as Mike Loves the Internet, and he was also replying to Simon Zerafa and me, he said, my kid told me that he wasn't going to clean his room because of the entropy of the universe working against it being clean; it's inevitable.

What do you... I mean, why even try? So I replied, smart kid. Yeah. So that suggests that you can make an appeal to him with his brain. Explain that the entropy of the universe also works against him receiving an allowance <laugh>, which you're just gonna spend, and I'll have to give you more next time. It's... yo, receiving an allowance is definitely a non-random occurrence. Very good, Steve. You'd have made a good dad <laugh>. So if he'll work uphill against the entropy that's inherently trying to disorganize his room, you'll do your part to work against similar entropy to provide him with a bit of economic freedom. You are good <laugh>. And lastly, Simon tweeted... okay, now, oh, he tweeted five days ago. He said, @SGgrc, just a gentle reminder, today, 19th of January, is T minus 15 years and counting until the Unix epoch bug 2038.

Yes. Yep. Now, it's not really a bug, but it's very much like the Y2K problem. In the Unix operating system and its derivatives, time is an integer count of the number of seconds that have elapsed since January 1st, 1970, being assigned a 32-bit integer stored in two's complement format. The most significant bit is the sign bit, which determines whether the entire number is taken to be positive or negative. The maximum positive value that can be stored in a 32-bit signed number is two to the 31 minus one, which is 2,147,483,647. That many seconds after January 1st, 1970 is, as Simon notes, 03:14:07 UTC on Tuesday, the 19th of January in the year 2038. Now, it occurs to me that since it's a Tuesday, I really don't wanna still be doing the podcast. It's a Security Now day <laugh>. It could be a tumultuous Tuesday for the computing world.

I suppose, though, that by then we'll simply be able to ask ChatGPT to fix all of the Unix time problems throughout our software and be done with it. As for SpinRite, Sunday afternoon I updated SpinRite to its 11th alpha release, and we're beginning to obtain clarity. The number of odd problems has dropped, but is not quite yet at zero. We're at the point where only really, really troubled drives that are really acting oddly are causing SpinRite any trouble. But they should not be causing any trouble. So after today's podcast, I'm gonna return to work to understand and resolve the remaining mysteries. You know, I'm getting impatient to be done with this, but that's okay, since we're also getting very close to being finished. And once there, SpinRite 6.1 will be something to again be proud of.

And the truth is, I can't wait to get started on 7. So we're getting there and, Leo, we got here, so it must be time for me to do an ad, and then we're gonna talk about credential reuse, stuffing in the vernacular <laugh>. Yes, he doesn't wanna say it, kids, but that's what he is talking about. Credential, don't get stuck, don't get stuffed. Our show today brought to you by Drata. Ah, is your organization finding it difficult to achieve continuous compliance as it quickly grows and scales? I have to say, I learned something from Drata. There are people still doing manual evidence collection in their compliance efforts. And I thought, what? That's, that's crazy <laugh>. As a leader in cloud compliance software, G2 says that Drata streamlines your SOC 2, your ISO 27001, PCI DSS, GDPR, your HIPAA and other compliance frameworks by providing 24-hour automated continuous control monitoring.

So you focus on, you know, whatever it is you're doing, you know, scaling securely or making dinner, I don't know. With a suite of more than 75 integrations, Drata easily integrates into your tech stack through applications like AWS and Azure, works with GitHub, Okta, Cloudflare, and a whole lot more. Countless security professionals from companies like Lemonade and Notion and BambooHR have shared how crucial it has been to have Drata as a trusted partner in the compliance process. Drata is personally backed by SVCI. Why is that important? Well, SVCI is a syndicate of CISO angel investors from some of the world's most influential companies. They saw the need, and that's why they invested in Drata. Drata allows companies to see all of their controls and easily map them to compliance frameworks. So you gain immediate insight into, well, let's say for instance, overlap.

You know, companies can start building a solid security posture. They can achieve and maintain compliance. They can expand their security assurance efforts. And if there's overlap, you save money because you can eliminate that overlap. Drata's automated dynamic policy templates support companies new to compliance and help alleviate hours of manual labor. Their integrated security awareness training program, their automated reminders to ensure smooth employee onboarding, and they're the only player in the industry to build on a private database architecture, meaning your data can never be accessed by anyone outside your organization. These days, that's pretty important and very reassuring, isn't it? All customers get a team of compliance experts, including a designated customer success manager. So you're never alone in the Drata process. In fact, they have a team of former auditors, people who have conducted more than 500 audits. They're available for your counsel and support.

So you could say, am I doing it right? With a consistent meeting cadence, they keep you on track to ensure there are no surprises, no barriers. They really, they carefully handhold you through the whole process. And you'll be glad to get Drata's pre-audit calls so you can prepare before your audits begin. With Drata's risk management solution, you can manage end-to-end risk assessment and treatment workflows. You can flag risks, you can score them, you can decide whether to accept or mitigate or transfer or avoid them. Drata maps appropriate controls to risk, simplifying risk management and automating the process. And Drata's Trust Center provides real-time transparency into security and compliance postures, which can improve sales, security reviews and, of course, means you'll have better relationships with your customers and your partners. Say goodbye to manual evidence collection and say hello to automated compliance by visiting Drata, D-R-A-T-A.

Bring automation to drata.com/twit. We thank them so much for supporting Steve and Security Now, and of course, you're supporting us when you're using that address so they know you saw it here. drata.com/twit. And now let's talk about stuffing your credentials. Let's think about cross-site credential reuse. Okay, so obviously credential reuse attacks, a.k.a. credential stuffing, is a cyber attack where attackers use lists of previously compromised user credentials to breach accounts on a system. The attacks use bots to automate and scale, and these attacks succeed because, as we know, unfortunately, none of our listeners here, no one who listens to this podcast, but many other users continue to reuse usernames and passwords across multiple services. Okay, so again, not our listeners, but most of the world has not given any thought to login security. I mean, you have to sort of be on the inside to understand this idea. Most of the world still has, like, their password, which they use everywhere.

Statistics have shown that about 0.1%, so that's one in 1,000 credentials obtained from an earlier breach, when reused on a different service, will result in a successful login. One in a thousand. So that's statistically way better than you're gonna get with just brute force guessing. So today, credential reuse is an increasing threat vector for two primary reasons. First, there is broad availability of massive databases of breached credentials. There's a database, we referred to it a few years ago, known as Collection #1 through #5, that made 22 billion username and password combinations widely and openly available in plain text to the entire hacker community. So they have them. The second factor, pardon the pun, has been the creation of increasingly sophisticated bots and bot fleets that spread the attack over both IP addresses and over time. These newer networks often circumvent simple security measures like, you know, banning IP addresses that have too many failed logins.

This is likely what we saw with the Norton LifeLock and then, more recently, the PayPal attacks. Neither company had given sufficient attention to this problem, so their users became victims of their own password reuse. You know, technically, yeah, their fault that they reused the same password on Norton LifeLock as they did somewhere else, on some site that was compromised, or also on PayPal, similarly. So the simple fact is, if the ratio of success of using a reused credential is one in a thousand, those 999 other failed attempts should be readily detectable. A bot fleet may be large, and many are, but they don't have infinite IPs nor bots. The obvious solution is to throttle failed login attempts by delaying the return of a failed result. And since bots may hang up without waiting, after timing out for a short period, saying, okay, well, that didn't work.

This website wants to keep me on hold here, I'm just gonna disconnect and make a new connection. You also need to look at the source IPs of the failed attempts, adding them to a short-expiration delay-reply list, so that once an IP has been identified as malicious, then it'll always delay your reply. Okay, so putting credential reuse and brute force attacks into perspective, while they're similar, there are several important differences. Brute force attacks try to guess credentials using no context, just using random strings, hopefully the most likely strings first, you know, commonly used password patterns or dictionaries of common phrases. Brute force attacks succeed if users choose simple, guessable passwords. Hopefully nobody still is, but we know that's not the case. And brute force attacks, lacking context and data from any previous breaches, just, you know, they end up with an overall much lower success rate.

But that's it. What that tells everybody is, since we've got 22 billion usernames and passwords that are being commonly used and reused, try those first. So what this means is that in a modern web application with basic security measures in place, brute force attacks are far more likely to fail, while credential reuse is far more likely to succeed, at least in part. Brute force attacks are just too blunt, and their very low success rate makes them stand out, makes them much more readily detectable and thus blockable. One aspect of the most recent credential reuse attacks that we have not mentioned is that not only will a bot fleet spread its attacks across IP addresses and across time, but they also spread them across website targets, rather than only trying, for example, to log into Norton LifeLock. You know, today's more sophisticated attack fleets will simultaneously be attempting to log on to, oh, I don't know, how about PayPal?

And of course, many, many other sites. The power of this is that since websites are not communicating with each other, there is no shared login failure context. This means that attacks can be trying out the same credentials across many different sites at the same time to increase the overall rate of the attack while keeping any single site's attack rate low enough to prevent tripping any alarms. Remember, as I said earlier in the podcast, we're only aware of the attacks which do eventually trip an alarm. No one but the bad guys is aware of all the many credential reuse attacks that remain undetected. And of course, those whose accounts have been compromised may eventually become aware when bad guys actually do use them. And I did, as I said earlier, I did encounter some mention of the idea that an inventory of accounts was being accrued and collected by the bot fleets.

It may very well be that those running the fleets are not interested in doing the attacking. They are building an inventory of known available logins for resale on the dark web. The possibility of observing a shared attacking context, that is what, you know, multiple sites being spread around the net have no shared attacking context, but the possibility of observing a shared attacking context is an advantage provided by single large hosting providers like Cloudflare. Whereas, you know, one-off sites don't have any idea what's going on anywhere else. The front gate that Cloudflare provides, which forces all traffic through a common scrutinizing filter, affords an enhanced level of credential reuse protection for every one of the sites' users who are behind that gate. So that's something sort of to keep in mind. Another benefit, aside from urging users to invent a new password for each site's login, which is an easy task for this podcast's listeners but is a difficult lift for most of the internet.

What else can be done to thwart the increasing risk of credential reuse? Because I didn't mention this before, it is on the rise. By far the most powerful solution is multifactor authentication. And of course, I don't mean SMS messages or email. What we really want is a time-based token. You set it up once, and then there's no transaction that occurs during the login attempt other than you providing that ever-changing six-digit code to the site. Now, of course, I get it. Doing this, you know, one-time password multifactor authentication is always gonna be a heavy lift for the majority of users who feel that anything we do to protect them is just getting in their way, but nothing beats it. An example is when it first became clear to me that LastPass had actually screwed up. My first thought was to scan through the list of accounts that I have accumulated in my OTP auth app.

For many years I've been taking my own advice and have accumulated, you know, a large number of those, opting to use this time-based token even though, yes, it's more pain whenever it's offered. And particularly for my most important sites like DigiCert and Hover, both where I use them, of course, I was also using a very long and crazy password with, you know, an updated large iteration count. So I was never actually worried. But the lesson here is that one-time passwords is a great solution. There is another less obvious form of multifactor authentication that is increasingly being deployed, and I'm really glad to see it. It creates an unspoofable and powerful signal available to websites, and that is the presence of the proper persistent cookie for an account. As we know, cookies can have either single-session duration or be persistent, and persistent cookies can be flagged as currently logged in or logged out.

Any valid login attempt will be accompanied by that browser's previous persistent cookie, if any, even if it's flagged as logged out. If that account's proper cookie is not received, that signal can alert the site to potential abuse. And we encounter this very strong security measure from the user side when we receive a note that this device or browser is unknown and will need additional verification before it is allowed to log in. Sure, that's somewhat annoying to users, but it's less annoying than needing to go look up a time-varying one-time password for every login. And it provides a true high degree of account protection, since it too is a valid form of multifactor authentication that's largely unseen by a site's users. Okay, what about CAPTCHAs? As we know, CAPTCHAs, which require users to perform some action to prove they're human, reduce the effectiveness of credential reuse by attempting to make life more difficult for bots.

But as we know, CAPTCHAs are not only an imperfect protection, they can easily become an annoyance, so they should be used sparingly. We think of device fingerprinting as a purely evil thing, but it can be another useful signal for a website that's trying to protect its users. JavaScript running on the page can be used to collect information about the user's device and, you know, to fingerprint it: the OS, the language, the browser, the time zone, the user agent and so forth. If the same combination of parameters is logged in several times within a short window, or attempted to be, it's likely to be a brute force or credential reuse attack. And the problem is fingerprints can be spoofed. A smart bot will make up those things and rotate them so that they appear to be different user agents each time.

What about IPs? Whereas UDP source IPs can be spoofed, the roundtrip required by packets to establish a full TCP connection completely thwarts IP spoofing. This enables sites to robustly track and monitor the true, unspoofable source IP of every would-be logging-on user. As I noted earlier, throttling and monitoring can identify bots because certain IPs are going to be identifying themselves as many different users and will be failing almost every login attempt, you know, 999 out of a thousand. Another useful signal is attempted logins from non-residential traffic sources. For example, it's easy to identify traffic originating from within Amazon Web Services or other commercial data centers. This traffic is almost certainly bot traffic and should be treated much more carefully than regular user traffic. One last interesting possibility is to disallow the use of email addresses as the user ID. Of course, this is a mixed blessing, because email is inherently unique and many sites want or need a valid email address.

So making it also double-purpose as the user's login username is handy. But most historically leaked credential pairs are email and password. By simply preventing users from using their email address also as their account ID or username, a dramatic reduction in the success of credential reuse will be seen, and has been seen, in trials. So of all these countermeasures, the two forms of multifactor authentication basically stand out as providing the most traction. Explicit one-time password use is the first form, and the requirement for a preexisting cookie, which the browser will send back, you know, that result. And if it's missing, that's the thing which results in the site replying this device is not recognized. This technology forms another very powerful and useful block against the success of cross-site credential reuse. And when used in combination, so that the prompt for an explicit one-time password is only being issued when the presence of an implicit persistent cookie is absent, is probably the best of both worlds.

Users get strong protection, the site's not gonna have problems being abused. And certainly, as soon as any bots realize that they're never succeeding because they're not providing a persistent cookie, which they have no way of acquiring, you know, they'll wander off and go somewhere else. So credential reuse, a problem, you know. And as I thought through all this, this is aside from the need to switch password managers when the password manager you have been using has given you reason to believe that all of your account passwords may have been compromised. This is the one sane reason for changing passwords, right? I mean, in general, this whole change your password every six months and you can't use any of the last four that you used before, that's a pain in the butt. But it is the issue of breach and reuse of those credentials, that is what, you know, induces the need to change passwords. So, you know, the one piece of feedback that I really had from everybody, Leo, in the last few weeks is, boy, you know, changing passwords everywhere is really a pain. Ugh. Hope we never have to do that again.

Well, with 600,000 iterations of PBKDF2 and a memory-hard algorithm coming soon, we probably won't have to. Yeah, I'm actually very interested in, see if we can get either scrypt or Argon2 into Bitwarden. That would be very exciting. Yep. I'm told Dashlane uses Argon2, so yes. Yeah, they do. Yeah. Yeah, there are disadvantages to that as well. Everything's a, you know, trade-off. Nothing's perfect. We do this show, as you might know, since you're watching it live, right? Or maybe not, every Tuesday <laugh>, 1:30 Pacific, 4:30 Eastern, 21:30 UTC. The live stream, and it's on all day and night, is live.twit.tv. It's, you know, sometimes previously recorded stuff, but it's always on for your, you know, you just have them running in the background all the time.

Audio or video. If you're watching live, do chat with us, or in our Discord. Now you have to be a Club TWiT member to use the Discord. So let me just put in a plug for that. Seven bucks a month gets you ad-free versions of all the shows, including this one. You get access to shows we don't put out in public, like Hands-On Windows with Paul Thurrott and Hands-On Mac with Micah, and the Untitled Linux Show. And there's a lot more to that. We have events. You also get the TWiT Plus feed, you get the Discord. I think it's a great use of seven bucks a month, and we sure appreciate it. It really helps us keep the lights on, keep the staff employed and keep producing great content for you. If you're interested in becoming a member, please go to

I will thank you in person once you do, in our Discord. After the fact, you can get a copy of this show at, supported in a couple of places. We have our copy at twit.tv/sn. Steve also has a copy at his website, which is He actually has the usual 64 kilobit audio, but he has a couple of unique versions. One is a 16 kilobit lower-quality audio, but smaller file size, for people with limited bandwidth. There's also a transcript written by a human, an actual human, Elaine Farris. Those are really great to follow along as you're listening or to search for what you want. All of that's at He also has lots of other great stuff. The Password Haystacks, he's got the, what is the, now it's slipped by my, ShieldsUP. That's it. The, yeah. And the DNS Benchmark. DNS Benchmark. So much good stuff. I could just go on and on. And his bread and butter's there. Of course, the world's best mass storage maintenance and recovery utility, SpinRite. 6.0 still there. But 6.1's imminent, and you'll get a free copy if you buy today. Thank you, Steve. Have a wonderful week, and I'll see you right back here next Tuesday for another thrilling, gripping edition of Security Now <laugh>. We're the last day of January together. Yes. Wow.

Jonathan Bennett (01:44:36):
Hey, we should talk Linux. It's the operating system that runs the internet, a bunch of game consoles, cell phones, and maybe even the machine on your desk. You already knew all that. What you may not know is that TWiT now has a show dedicated to it, the Untitled Linux Show. Whether you're a Linux pro, a burgeoning sysadmin, or just curious what the big deal is, you should join us on the Club TWiT Discord every Saturday afternoon for news analysis and tips to sharpen your Linux skills. And then make sure you subscribe to the Club TWiT exclusive Untitled Linux Show. Wait, you're not a Club TWiT member yet? Well, go to twit and sign up. Hope to see you there.

... (01:45:18):
Security Now.
