Security Now Episode 909 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. We're gonna talk about, in fact at length, about the EU's new legislation to monitor citizens' communications. This, this is a bad one, folks. Steve's got the details. He'll tell you why he doesn't like QNAP, but he does like Synology. If you're looking for a NAS, you want to hear that. And then a look at VMware's ESXi servers, a massive exploit that's already claimed thousands of victims, and it's just a couple of days old. All that and more, coming up next on Security Now.
... (00:00:40):
Podcasts you love from people you trust. This is TWiT.
Leo Laporte / Steve Gibson (00:00:49):
This is Security Now with Steve Gibson. Episode 909, recorded Tuesday, February 7th, 2023. How ESXi Fell.
(00:01:02):
Security Now is brought to you by Drata. Too often security professionals are undergoing the tedious, arduous task of manually collecting evidence. With Drata, say goodbye to the days of manual evidence collection and hello to automation, all done at Drata speed. Visit drata.com/twit to get a demo and 10% off implementation. And by Barracuda. Barracuda has identified 13 types of email threats and how cyber criminals use 'em every day: phishing, conversation hacking, ransomware, plus 10 more tricks cyber criminals use to steal money from your company or personal information from your employees and customers. Get your free ebook at barracuda.com/securitynow. And by Thinkst Canary. Detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter for 10% off and a 60 day money back guarantee. Go to canary.tools/twit and enter the code twit in the "how did you hear about us" response.
(00:02:09):
It's time for Security Now. Yeah, you've been waiting all week for the best show on the network. Mr. Steve Gibson makes it so. Hello, Steve. Yo Leo, good to see you, be with you <laugh> for 909, our, our first show of February. And of course we've got questions. Now, you used to say at the top of our Q&A episodes, you have questions, we have answers. Yes. Whatever happened to those? We stopped those. Yeah. Well, because now we're teasing most of the questions and then providing the answers. You're asking the questions and answering them. That's right. We take care of the whole job here. So this week we wonder what is about to happen with the EU legislation to monitor its citizens' communications. Why would a French psychotherapy clinic be keeping 30,000 old patient records online, and who stole them? What top level domains insist upon and enforce HTTPS?
(00:03:13):
How is Chrome's release pace about to change? And when you say Russia shoots the messenger, is that only an expression? Were a fool and his crypto soon parted? Or should that be "was"? Exactly. Why is QNAP back in the news? And what do I really think about Synology? Would companies actually claim unreasonably low CVSS scores for their own vulnerabilities? No. What questions have our listeners been asking after all this recent talk about passwords? What's the whole unvarnished story behind this week's massive global attack on VMware's ESXi servers, and who's really at fault? These questions and more will probably be answered before you fall asleep. <Laugh>, but no guarantees. No guarantees. <Laugh>, some of them rhetorical, I might add. Great, I'm excited. It's gonna be a good show. We also have a great picture of the week fitting in with the usual topic of our pictures of the week.
(00:04:21):
Indeed. But first a word from one of our fine sponsors. And this week I'd love to talk to you a little bit about Drata. This is an area of security that I was not really fully aware of, but obviously everybody in enterprise is: this whole notion of, of audit, of auditing and, and compliance, right? It's one thing to be secure, it's another thing to prove it. And in many cases, you've got to prove it. You've got <laugh>, you've got to have continuous compliance. But many organizations are still doing this manually. And that can be a big problem as you grow and scale. Manual collection of evidence for compliance can really be a bottleneck. That's why you need to know about Drata. As a leader in cloud compliance software, G2 says they're a leader, they streamline your SOC 2, your ISO 27001, your PCI DSS, your GDPR, your HIPAA, and all those other compliance frameworks that you've got to be responsive about.
(00:05:29):
They give you 24 hour continuous control. So you could focus on scaling and all the other parts of your business and make sure and know that your compliance is handled. And one of the ways Drata works and does this so well is because they have more than 75 integrations into tools you are already using. It's already part of your tech stack, like AWS and Azure or GitHub or Okta or Cloudflare, and on and on and on. 75 different integrations. Countless security professionals from companies including Lemonade and Notion and BambooHR have shared how crucial it has been to have Drata as a trusted partner in the compliance process. Drata is personally backed by SVCI, and why does that matter? Well, it's actually a, a testimony to how great Drata is. SVCI is a syndicate of CISO angel investors.
(00:06:24):
So people who really know how important this is from some of the world's most influential companies, they back Drata because they saw that Drata solves a problem that they have and so many others do. With Drata, your company can see all of its controls. You can easily map to compliance frameworks to gain immediate insight into overlap. So that saves you money, right? You can start building a solid security posture. You can achieve and maintain compliance, and you can expand your security assurance efforts. Drata's automated dynamic policy templates support companies new to compliance and help alleviate hours of manual labor. Their integrated security awareness training program and the automated reminders ensure smooth employee onboarding. They're the only player in the industry that builds on a private database architecture. That ought to be really important to you. It means your data can never be accessed by anyone outside your organization.
(00:07:20):
It's truly private. And Drata is with you every step of the way. Every customer gets a team of compliance experts, including a designated customer support manager. But even more importantly, they have a team of former auditors who have conducted more than 500 audits and are available for you to talk to for support, for counsel. You can say, am I doing this right? With a consistent meeting cadence too, they keep you on track to make sure there are no surprises, no barriers, and when it's time for that audit, their pre-audit calls prepare you for when those audits begin. With Drata's risk management solution, you can manage end-to-end risk assessment and treatment workflows. You can flag risks, you can score them. You can decide whether to accept them, to mitigate 'em, to transfer 'em, or avoid them. Drata maps appropriate controls to risks, which simplifies risk management, automates the process too. And Drata's Trust Center provides real-time transparency into security and compliance postures. That helps for you in sales and security reviews and just better relationships with customers and partners.
(00:08:30):
Say goodbye to manual evidence collection and say hello to automated compliance. Visit drata.com/twit, D-R-A-T-A, drata.com/twit, bringing automation to compliance at Drata speed, drata.com/twit. We thank you so much for supporting our work here, especially what Steve's up to. And we hope you take a look at Drata, and when you do, make sure you use that address so they know you saw it here. drata.com/twit. Picture of the week time, Mr. G. So this one, you could spend some time visually parsing this picture. It, it really begs many questions. So without further ado, what we have is a closeup of a chain which has been wrapped around the, the opening side of a fence, like, you know, to, to keep the fence closed. Now, to call this a chain, it really doesn't do it justice. A chain is what you wear around your neck.
(00:09:36):
This thing looks like it could have been the anchor for the Titanic. You know, just in terms of the, the beefiness of this chain. But, but what's odd is that it's, it's actually, there's actually two pieces of chain. There's a center three links, which are actually a little smaller than the main chain, which goes around in order to, to keep this fence closed. And, and for reasons not at all clear, we've got a, you know, your traditional Master Lock, a standard, you know, hasp style lock that is interlinking the, the chain that goes around the, the, the opening to this little three link sub chain. And then, then there's a white nylon zip tie, which is connecting the small chain to, you know, this monster chain, or the smaller chain. They're all big chains. And so it's like, okay. So now, and, and anyone who's ever, like, tried to manually pull one of those nylon zip ties apart knows they are really strong.
(00:10:52):
In fact, I think, aren't police now using them as, like, these 'em for handcuffs? Yeah, just disposable handcuffs. Yeah. Yeah. So you're not getting out of this. But, but at the same time, if you had, oh, like some, a knife or scissors, some toenail clippers. Yeah. Toenail clippers work. Well, yeah. Like nothing, you know, now you're able to get in here. So, and Leo, it's not like you couldn't use only the big chain with the, with the Master padlock to bridge across. Yeah. The large chain. Yeah, that would work just fine. You don't need this little three chain, three link chain. I don't know what that's there for. Right? And no, no hokey white nylon zip tie to, like, connect the two chains together. Pretty strange, really. I, I, the more, the more pictures of this we see, the less faith I have in humanity.
(00:11:44):
And I really, you know, I would like to get the backstory behind some of these, like, like the, what we had a couple weeks ago has been haunting me, that, that, that piece of fence across the, across the sidewalk that had a sign on it, "sidewalk closed," except there was a sidewalk that was just fine on the other side <laugh>. And, and you could go around it in either direction. It's just like, why, who, what? Anyways, there's a couple of wags in our chat room, say, well, truthfully, it'd be harder. The Master Lock's easier to pick than the zip tie. So maybe, yeah, maybe the zip tie is actually not the weakest link. If you didn't have any sharp cutting tool on your person, then yeah, that's true. Okay, so we are back to protecting the children, and I'm not making light of that at all.
(00:12:38):
CSAM, as we know, child sexual abuse material and online exploitation of children, is so distasteful that it is difficult to talk about, because that requires imagining something that you'd much rather not. But it's that power that gives this a bit of a Trojan horse ability to slip past our defenses, or at least past the politicians. Because there's also a very valid worry surrounding, you know, this whole issue that once we've agreed to compromise our privacy for the very best of reasons, protecting children, our government or a foreign government or law enforcement might use their then available access to our no longer truly private communications against us. Now, nowhere in the EU's pending legislation, this pending surveillance legislation that I'll, that I'll get to in a second, is there any mention of terrorists or terrorism? But it's been voiced before, and you can bet that it will come marching out again.
(00:13:49):
And once everyone's communications are being screened for seductive content that might be considered grooming, you know, photos that might be naughty and other content that some automated bot thinks should be brought to a human's attention, then what's next? So this is, you know, this is, this is the very definition of a slippery slope. Document number 52022PC0209 is titled "Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse." Okay? First of all, it won't prevent it, right? Nothing will. What it will do is drive that material to seek other channels. And that's not a bad thing. And I agree that it would likely combat the problem, though, you know, again, prevention, okay, to some degree, right? The question is, is this the best solution? And what real price are we paying to make that possible?
(00:14:58):
And of course, what could possibly go wrong? So what is essentially happening is that the EU is taking the next step, over and ignoring the loud and recently polled objections of 72% of European citizens. EU legislators are preparing to move their current content screening internet communications surveillance, which until now has been voluntary and, as a consequence, somewhat limited in its application, to mandatory and therefore universal. Okay? So now just to recap a bit about how we got to where we are now. Three years ago in 2020, the European Commission proposed temporary legislation which allowed for the automated internet communications surveillance for the purpose of screening content for CSAM, child sexual abuse material. The following summer, on July 6th, 2021, the European Parliament adopted the legislation to allow for this voluntary screening. And as a result of this adoption, which they refer to as an ePrivacy derogation, in other words, creating a deliberate exception to ePrivacy for this purpose, US-based providers like, you know, Gmail, Outlook.com, and, and Meta, Facebook, began voluntarily screening for this content on some of their platforms.
(00:16:33):
Notably, however, only those very few providers did anything. The other providers of, for example, explicitly secure communications, you know, Telegram, Signal, they've not done anything. And so last summer, on May 11th, 2022, the Commission presented a proposal to move this internet surveillance from, this is no longer gonna be temporary and is no longer gonna be voluntary. It will be becoming mandatory for all service providers. As we noted when this was last discussed, in the context of Apple's hastily abandoned proposal to provide client local image analysis by storing the hashes of known illegal images on the user's phone, the content to be examined includes not only images, but also textual content, which might be considered solicitation of minors. You know, that's that grooming term. And most controversially, all of this would impact every EU citizen, regardless of whether there was any preceding suspicion of wrongdoing. Everyone's visual and textual communications would be, and apparently will soon be, surveilled.
(00:17:55):
Interestingly, the legality of this surveillance in the EU has already been challenged. And according to a judgment by the European Court of Justice, the permanent and general automatic analysis of private communications violates fundamental rights. Nevertheless, the EU now intends to adopt such legislation. For the court to subsequently annul it can take years, by which time the mandated systems will be established and in place. Currently, meetings and hearings are underway. They're gonna be going on through the, through the rest of the year. A parliamentary vote is being held next month in March, followed by various actions being taken throughout the rest of the year as required to move the, you know, the sure passage of this legislation through a large bureaucracy. Why sure? After all, how does any politician defend not wishing to protect the children? I've read a great deal of this proposal, and it has been clearly written to be rigorously defensible as a child protection act, period.
(00:19:16):
So how do you stand up and vote against that? It shows every indication of being adopted, with this surveillance set to become mandatory in April of next year, 2024. So some pieces from this legislation: "By introducing an obligation for providers to detect, report, block and remove child sexual abuse material from their services, the proposal enables improved detection, investigation and prosecution of offences under the Child Sexual Abuse Directive." Another piece: "This proposal sets out targeted measures that are proportionate to the risk of misuse of a given service for online sexual abuse and are subject to robust conditions and safeguards. It also seeks to ensure that providers can meet their responsibilities by establishing a European Centre to prevent and counter child sexual abuse," further, you know, hereinafter referred to as the EU Centre, "to facilitate and support implementation of this Regulation and thus help remove obstacles to the internal market, especially in connection with the obligations of providers under this Regulation to detect online child sexual abuse, report it and remove child sexual abuse material."
(00:20:53):
In particular, "the EU Centre will create, maintain and operate databases of indicators of online child sexual abuse that providers will be required to use to comply with the detection obligations." Okay? Why mandatory? They say: "The impact assessment shows that voluntary actions alone against online child sexual abuse have proven insufficient, by virtue of their adoption by a small number of providers only, of the considerable challenges encountered in the context of public-private cooperation in this field, as well as of the difficulties faced by Member States," meaning EU member states, "in preventing the phenomenon and guaranteeing an adequate level of assistance to victims. This situation has led to the adoption of divergent sets of measures to fight online child sexual abuse in different Member States. In the absence of Union action, legal fragmentation can be expected to develop further as Member States introduce additional measures to address the problem at national level, creating barriers to cross-border service provision on the Digital Single Market."
(00:22:20):
And as to why they think this is a good thing: "These measures would significantly reduce the violation of victims' rights inherent in the circulation of material depicting their abuse. These obligations, in particular the requirement to detect new child sexual abuse materials and grooming, would result in the identification of new victims and create a possibility for their rescue from ongoing abuse, leading to a significant positive impact on their rights and society at large. The provision of a clear legal basis for the mandatory detection and reporting of grooming would also positively impact these rights. Increased and more effective prevention efforts will also reduce the prevalence of child sexual abuse, supporting the rights of children by preventing them from being victimised. Measures to support victims in removing their images and videos would safeguard their rights to protection of private and family life, privacy, and of personal data."
(00:23:31):
Okay, so this is clearly something that the EU is focused upon and is committed to seeing put into action, to be in effect in the spring of next year, '24. And apparently the EU has a legal system much like the one which has evolved, or devolved, here in the US, where the court system has been layered with so many checks, balances, and safeguards against misjudgments that years will then pass while challenges make their way through the courts. Meanwhile, this is mandatory starting in April. Conspicuously missing from any of this proposed legislation is any apparent thought to how exactly this will be accomplished from a technological standpoint, which of course is what interests us. You know, if I have an Android phone, whose job is it to watch and analyze what images my camera captures, what images my phone receives, what textual content I exchange?
(00:24:44):
Is it, you know, is it the phone hardware provider's job, or is it the underlying Android OS's job? Or is it the individual messaging application? It's difficult to see how Signal and Telegram are ever gonna capitulate to this. And is it the possession of the content, or, or the transmission, reception and communication of the content? You know, can you record your own movies for local use, never with any intention to do anything else with them? The proposal establishes and funds this so-called EU Centre to serve as a central clearinghouse for suspected illegal content and providing, in some fashion, the, the, the samples against which material that is seen on devices, on consumer devices in the EU, is checked. So when an EU based provider somehow detects something which may be proscribed, the identity and the current location of the suspected perpetrator, along with the content in question, will be forwarded to the EU Centre for their analysis and further action, if any.
(00:26:13):
Wow. So as I've been saying for years, this battle over the collision of cryptography and the state's belief in its need for surveillance is gonna be a mess. Mm-Hmm. <affirmative>. And it's far from over. So Leo, it moves forward. I, it makes me really think about the long-term consequences of that. And if I were Apple or Google or Samsung or, or, I would be fighting this tooth and nail, because in the long run they're gonna be forced to enforce it, essentially. Right? To compromise their, their, they're gonna have to do something. Yeah. And, and once they, if they do, then you're gonna see a migration away from their platforms to non-proprietary open platforms so that people don't have to subjugate themselves to this. So I think it hurts them badly. First, because they're gonna have a battle over how to enforce it.
(00:27:15):
Apple's already turned on Advanced Data Protection in the US, which is, so, and here's another question, and, and, and now globally, it went global a couple weeks ago. Okay? Well, with, with iOS 16.3, it's now universal. They'll be, you know, non-compliant in the EU. And then there's the other question is, they haven't done this yet, but how long before they then make it illegal for me to encrypt everything, right? Because they're gonna stop the vendors. But what if I decide, well, I'm gonna figure out a way that I'm gonna pre-internet, do what you call PIE, pre-internet encryption, of everything. Am I now found guilty because I must be hiding something? I know. I think it pushes people into a position where they do have to now start being responsible for their own encryption. They only choose end-to-end encrypted choices.
(00:28:09):
It's gonna end, end up driving people underground and in the dark. Not just criminals, but everybody who wants privacy. I think the, the, the, the long-term implications to this are, are bad all around. I know. And, and so, you know, from a technology standpoint, we have Signal and Telegram. There's just no way that Moxie is gonna compromise, right, Signal in order to allow the EU, like, and, and be responsible for having a, a connection to the EU Centre to get a database of things it has to check its users' messages against. And that's why I'm saying it will not happen. The burden of this is ending up on Apple and Google, because, and Samsung, because what they'll have to do is take them out of the store. They'll have to say, well, we can't have Signal in the App Store, and then they can, then we've washed our hands of it.
(00:29:01):
But Signal will continue to be distributed underground. And if you are, and this is what I'm saying, is ultimately if you care about privacy, you're gonna run an open platform that you control, that you put your own software on. You're not gonna be relying on an Apple store or an Android store. And well, it, it goes, it goes a little bit further, though, because, because Apple could be compelled to do the filtering before Signal gets it. Remember that Signal is, no, no, no, I understand. You can't use an Apple device, is what I'm saying. The burden will end up being on Apple, and, and Apple will, if they comply, which they probably will have to in the long run, lose customers like you, who will say, well, I'm gonna use Signal, I'm gonna do encryption, and it ain't gonna be on a device where I can't. So you're exactly right. That's why I'm saying this is who should be fighting this tooth and nail right now? It's Apple and Google, because this is, this is gonna be, not only a burden on them, it's gonna require them to reverse things they've been doing, but also it's gonna lose some customers. I don't know. Do most people care enough about this that they would actually, seven, you said 72% of the EU is against it. They're saying, yeah, we do not want this.
(00:30:14):
See, I think you can't stop encryption, right? You can only stop it on commercial platforms. You can, math has already escaped. Yeah. So, so they can't stop it. They can only tell companies, internet service providers, carriers, cell phone manufacturers to do it. So then we just say, well, I think that just creates a brisk market <laugh> for, yeah. Well, remember I was all geared up to do a product called CryptoLink. Yeah. Years ago. You didn't want it. And I, I saw the handwriting on the wall. Yeah, you want that. It's taken, it's a much slower march. But I didn't want to be, you know, in a position where, you know, where governments are saying, you, you know, we have to have a backdoor to your secure communications. Many years ago, about 20 years ago, I, there was a documentary, which has since been suppressed, about hacking, in which I gave an interview and I said, really, it's gonna be the hackers that are the freedom fighters.
(00:31:06):
They're gonna be the ones who are gonna be protecting us from governments and corporations who are gonna want to invade our privacy, take over our lives. And that open source software and hackers, people who know how to use it, are gonna be the heroes. They're gonna be the heroes. We, we're gonna, it's gonna be up to us to protect ourselves. I don't think we should all turn into the Unabomber, but at the <laugh>. But I think we are all gonna have to embrace open software, cuz they can't stop open software. No, that's very, very, so that, so that, that would mean hacking an Android device in order to side load your own, your own. Not necessarily. There are already companies like Pine that make phones that are not Android or iOS, they run Linux. Ah, okay. So I, th, they're not very good <laugh>.
(00:31:55):
I keep buying them in hopes, and they're terrible. But this will stimulate their development, and eventually, just as you can buy a computer that, you know, you don't have to have, you know, TPM on a computer, you can buy a computer that is not, you know, locked down. Locked down, yeah. And put open stuff on it and control it. And that's what's gonna happen, I think, at least for people who care. Maybe that's a tiny minority, and obviously that is the, like, you know, a, a diminishing minority. I mean, maybe they'll, you know, they'll, you, you, you know, once upon a time, you know, Uncle Willie was asking his, his, his nephew, who was the geek, you know, what was the best computer to buy and, and what should he do? So maybe it'll be like, hey, I heard about, you know, yeah.
(00:32:42):
Governments are spying on everybody with their phone, you know, Junior, what, what phone should I get? And then, you know, Junior will know. Yeah. Cause he's in college and he is up on all this stuff. Yeah. There'll be a brisk market in open hardware and software, I think, and then you've com, the sad thing is then you've completely lost control <laugh>, you know, the EU just can, well, you know, there's nothing they can do about it. Yes. And, and it will be, as we've already seen, it'll be the bad guys that are driven to that platform. Yeah. And sadly, the, I mean, there is a level of false positives that occur with this. There are images which, you know, someone who's sitting there clicking buttons, snapping through images, or, you know, the, the, the, the human capture person is sitting there saying, whoa, what's that?
(00:33:29):
And, you know, go, you know, go question this person. I mean, it's gonna be horrible. Yeah. If that's happening. Yeah. I, you know, it's always, I've always felt like there would come a time when this stuff was, this tech, computer technology, was too powerful and that governments would want to try to control it and shut it down. And that there would always be a group of us, they're called hackers, but there would always be a group of us who said, no, no, we're gonna keep it open. We're gonna keep it ours, and we're gonna keep their prying eyes out. Like, like Neo in The Matrix, like The Matrix, who, you know. Yeah. Yep. Wow. And they're, and they're pushing us that way, you know, it's too bad. Yeah. Yeah. Okay. So 30,000 patient records online. This interesting and sobering cyber hacking news caught my eye and raised an interesting question.
(00:34:20):
Okay. First I'll share the story, and then the question that it brought to mind. The news was that French authorities have detained a 25 year old Finnish national who is accused of hacking the Vastaamo psychotherapy center. We'll see, this hack of Vastaamo is considered to be one of the worst in the country's history. Okay? Now, it occurred back in 2018 and 2019, so I guess this kid was what, 20 years old then. When he, he allegedly stole the personal medical records of the clinic's patients and attempted to extort the clinic. To put pressure on the company, the hacker leaked extremely sensitive client files on the dark web. When that failed, he sent emails with ransom demands to more than 30,000 of the clinic's patients, asking them each, asking them each for 200 euros. Oh my God. And threatening to publish their medical records if they did not pay up.
(00:35:30):
Oh boy. Finnish authorities formally identified the hacker in October last year, when they issued a European arrest warrant for his arrest, and they detained him last week. Okay? So this is brazen and bad, right? The hacker obtained extremely sensitive personal medical information and chose to use it to both extort the clinic and its past patients, all 30,000 of them. And it was that number of files and patient histories that raised my eyebrows. 30,000. Okay? No matter how large and busy this clinic might be, they cannot be currently treating 30,000 patients. And, and in fact, you know, there are 260 working days a year, five times 52. So if the clinic averaged 10 new patients per day, which seems like a high side number, 30,000 patient records would be 11 and a half years' worth of patient files at the rate of 10 per day. You know, I'm sure there's some requirement for retaining medical files for some length of time.
(00:36:45):
You know, HIPAA regulations have that here in the US, but even so, they certainly don't need to be kept in hot online storage. If it was burdensome, expensive to store all that aging data online, then it would not be stored online, cuz it doesn't need to be. It would be spooled onto some form of offline cold storage, still indexed and available if needed, but offline and therefore not available to remote online attackers. This is one of the things that we're gonna need to get much better at handling as a society. Excessive data retention is a problem, and it's exacerbated by the reality that storing data costs next to nothing. So why not store it on the off chance that it might be useful for something? You know, it doesn't delete itself unless you actually create some technology so that it does. But no one seems to do that.
(00:37:46):
The problem is, even if all that old data was of no use to the clinic, in this instance it was certainly useful to the hacker, who obtained a far larger pile of extortion victims as a consequence. So, you know, it's unclear how we move past this, where we are stuck now. There needs to be some form of incentive for inducing deletion, or at least for the migration of old records into offline archival storage for varying periods of time. And such records should be destroyed once their retention period has lapsed, you know, but "should" was the strongest word I could find. I, I dug into medical records retention legislation and requirements. You know, I couldn't find any clear requirement under HIPAA for mandatory deletion. It's not there. So if an organization acts irresponsibly, it's not clear whether they would be in any legal jeopardy, at least in the US, you know, <laugh>, God help you if you're in the EU. But still, it just, it's clearly, you know, and we've talked about data retention before, it is a real problem.
(00:39:13):
.dev, it turns out, to my surprise, is always HTTPS. Hmm. I know. Mm-hmm. <Affirmative>. I encountered something the other day that I didn't realize had happened. I was over at Hover registering SpinRite.dev, because I thought it might come in handy, since I'm planning to be spending the rest of my active coding life on what promises to be a very exciting and worthwhile project. So as I was checking out, I was presented with a pop-up confirmation notice, the likes of which I had never seen. It was number three of things I had to check off. It said "TLD info for .dev." And of course, TLD stands for top-level domain, and it says: "Registration of .dev domains is open to anyone. You should be aware that .dev is an encrypted-by-default TLD by virtue of being inscribed in the HSTS preload list found in all modern web browsers.
(00:40:30):
Websites hosted on .dev will not load unless they are served over HTTPS." Wow. "I.e. have a valid SSL certificate installed." And I had to check "I have read and understand the requirements for .dev domains" in order to proceed with the purchase <laugh>. Isn't that cool? Yeah. So *.dev is permanently preloaded into the HTTP Strict Transport Security, that's HSTS, list for all modern web browsers. Okay, now before I go any further, let me quickly review HSTS. As I just said, it stands for HTTP Strict Transport Security. HSTS is an HTTP response header which web servers can send to browsers telling them to treat the site with strict transport security. This means to only use secure HTTPS TLS connections, no matter what. If the browser receives a non-secured HTTP link, the HSTS status instructs the browser to automatically upgrade it, without asking anybody else, to HTTPS. The header specifies a max-age, which tells the browser how long this security upgrade directive is to remain.
(00:42:10):
In effect, it's also possible to add an includeSubDomains parameter, so that everything below that root domain will also be covered. The first time a site is accessed using HTTPS and the site returns the Strict-Transport-Security header, the browser records and caches this information so that all future attempts to load that site using HTTP will automatically be promoted to using HTTPS instead. When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS. Whenever the Strict-Transport-Security header is delivered to the browser, however, it will update the expiration time for that site, essentially, you know, continually pushing it forward. So sites can refresh this information and prevent the timeout from expiring. Should it be necessary for some reason to disable strict transport security,
(00:43:24):
setting the max-age in that header to zero, over an HTTPS connection of course, will immediately expire the Strict-Transport-Security header, allowing access then via HTTP. But all this cleverness still leaves us with one problem. What about the very first time a browser visits a site? If that visit were initiated, for example, by following an HTTP link, maybe from a malicious email, the initial connection will be insecure: in plain text, unauthenticated, and susceptible to interception and on-the-fly modification of the traffic. Even if the web server is sending out HSTS headers, they could be stripped from the insecure connection so that the browser never receives them. The solution to this problem, this first-contact problem, is the HSTS preload list. All modern browsers carry a large list of web domains which have previously proven to be HSTS-capable by offering HTTPS TLS connections, redirecting any HTTP request over to HTTPS, and sending an HSTS response header with an expiration time of at least a year.
(00:44:59):
Those are the requirements in order to qualify for inclusion in the browser's master list. If all of those criteria are met, the domain qualifies for permanent HSTS registration. At that point, the HSTS preload site, you can go to hstspreload.org, can be used to submit a domain for inclusion in the global browser HSTS preload list. GRC.com has been on that list since the list's earliest days, when we first discussed this on the podcast many years ago. And once on that list, any attempt to ever connect to port 80 will be redirected by the browser. The browser will just ignore that and go to port 443 for the establishment of a TLS connection, period. Okay, so with that bit of a refresher, just imagine the number of domains, the dot-coms, of which GRC.com is one. How many more there must be on the list with those common top-level domains, .com, you know, and the others. As I said, GRC.com has always been there, but there must be an incredible number of other domains.
(00:46:29):
What's so super cool about the idea that the .dev top-level domain is, by universal agreement, all HTTPS is that it avoids any need for subdomains of .dev being on the list. Instead of needing to have a list that enumerates all of those domains, like, for example, SpinRite.dev, there's only one entry on the list: *.dev. Down at the bottom of that HSTS preload page it talks about this. It says, under the heading "TLD Preloading," they say: "Owners of gTLDs," you know, global top-level domains, "ccTLDs, or any other public suffix domains are welcome to preload HSTS across all their registerable domains. This ensures robust security for the whole TLD and is much simpler than preloading each individual domain. Please contact us if you're interested or would like to learn more."
(00:47:47):
So not only is this much simpler, but it is vastly more efficient, since pretty much everything, you know, needs to be HTTPS these days anyway. It's such a cool idea, when a new TLD is created, to simply declare the entire thing as HTTPS-only and place that single entry, *.whatever, onto the global browser preload list. So much better than needing to have every subdomain do that individually. And everybody's protected, even if they don't do the whole HSTS header routine. Okay, so I thought, what else might be on the list? I posed that question to the gang who hangs out in GRC's Security Now newsgroup, noting that it would be possible to pull the current list from the open-source Chromium repo and run a regular expression on it to extract only top-level domains.
(00:48:53):
One of our very active contributors, Colby Boomer, who actually, he's the one who got me into GitLab and has been helping incredibly to keep our GitLab instance organized during all this SpinRite work, he stepped up, grabbed, parsed, and filtered the current Chromium HSTS file. And sure enough, the .dev domain has a great deal of company. There are presently 40 top-level domains in the global browser HSTS list, meaning that any subdomain of any of those top-level domains will only be accessible by web browsers using authenticated and encrypted TLS connections. Okay? In alphabetical order, they are: .android, and so in every case, this is, you know, something.android, right? .app, .azure, .bank, .bing, .boo, .channel, .chrome, .dad, .day, .dev, .eat, .esq as in Esquire, E-S-Q, .fly, .foo, .gle, G-L-E. I'm gonna register steve.foo <laugh>. Same people register
(00:50:16):
steve.boo, I guess. I bet it's taken. .gmail, .google, .hangout, .hotmail, .ing, .insurance, .meet, .meme, .microsoft, .mov, M-O-V, .new, .nexus, .office, .page, .phd, .play, .prof, P-R-O-F, .rsvp, .search, .skype, .windows, .xbox, .youtube, and .zip. Huh? Okay, so .zip. So .dev is there, along with 39 others. We see that Google and Microsoft, who each own several of their own TLDs, have placed them on that list. And why not? You know, as desirable as it would be to be able to place .com, .org, .net, .edu, .gov, you know, the original bunch, onto this list, or really just to abandon HTTP for user client web browsing altogether, I don't see how we're ever gonna get there from here. You know, doing so would immediately make any HTTP-only sites inaccessible, and that's not something I can ever see happening in our lifetimes. But what I think must be happening, because, no, come on, .foo and .gle, <laugh>, these are just new, right? And .dad.
(00:51:43):
Exactly. Yeah. And that's the point. Any new registration of a TLD is probably automatically saying, put us on the global HSTS list for the entire TLD. Why not? That way you're just saying to anybody who wants to set up a web server, great, love to have you, happy to take your $14.95 per year to maintain registration for you. Oh, by the way, you're gonna have to get a certificate, but of course, that's free now too, with Let's Encrypt and the ACME protocol, or even, didn't I think DigiCert is now doing the same thing? So, you know, it's no longer the case that that's a problem. So yeah, let's make it mandatory. Anyway, I just never knew that. I thought that was very cool.
(00:52:35):
And Leo, we're next gonna talk about the changes Chrome is making in their release schedule, but I need to take a sip of a drink first. Indeed, you do. And this would be an excellent time for me to talk about the 13 email threat types that are lurking around every corner. Our sponsor for this section of Security Now is Barracuda. In a recent email trends survey, 43% of the respondents said they had been victims of a spear phishing attack. Even more scary, only 23% said they have dedicated spear phishing protection. If you don't have it, that means you're relying on your employees to be smart enough to see it, recognize it, and ignore it. Maybe you wanna think about protecting yourself better than that. How are you keeping your email secure? Barracuda has identified 13 different types of email threats and how cyber criminals use 'em every single day.
(00:53:36):
Phishing, of course, conversation hijacking, yeah, ransomware, 10 more tricks to steal money from your company, personal information from your employees, your customers, your patients. Are you protected against all 13 types? Every day, email cyber crime is becoming more sophisticated, and those attacks are more difficult to prevent because these emails, you know, they use social engineering. They use, you know, strong emotions like urgency and fear to prey on victims, your employees. Social engineering attacks, including spear phishing and business email compromise, cost businesses a lot, on average about $130,000 per incident. And it's always tied, or often tied, to something your employees are kind of already thinking about. At the beginning of last year, when the demand for COVID-19 tests ramped up, Barracuda researchers saw a massive increase, a 521% increase, in COVID-19 test-related phishing attacks, because they know, you know, employees got it in their mind that maybe there's some anxiety about that.
(00:54:46):
It's much more likely they're gonna click without thinking. And that is the end of the line for your business. Cryptocurrency, you know, that's a constant topic. When the price of Bitcoin increased, you know, what was it, 400% between October 2020 and April 2021, impersonation attacks taking advantage of that increased 192% in that period. In 2020, the Internet Crime Complaint Center, IC3, received 19,369 business email compromise or email account compromise complaints, with adjusted losses over $1.8 billion. That's enough stats. Let's talk about what you are gonna do to protect yourself against this. You might say, well, we secure email at the gateway, right? Sure, that's fine for ransomware or spam, maybe, you know, inbound viruses. It's not gonna work against targeted attacks, spear phishing attacks, you know, emails that seem to come from company management to named employees.
(00:55:51):
You know, you need protection at the inbox level. And that's hard. That's really hard to do, and it's gonna need AI and machine learning to adjust as attacks differ. You know, these threats are very sophisticated, and it costs the bad guys nothing to try new approaches. So they evolve very quickly. Here's probably the first step for you. Get a free copy of the Barracuda report. It's called "13 Email Threat Types to Know About Right Now." They update it constantly. As you know, they're always out there looking and finding these new threats. So they're very aware of what's going on right now. In this report, you'll see how the cyber criminals are getting more and more sophisticated every day, and what you can do to build the best protection for your business, your data, your customers, your people. With Barracuda, find out about the 13 email threat types you need to know about and how Barracuda can provide complete email protection at the inbox level for your teams, your customers, and your reputation.
(00:56:55):
Get your free ebook, barracuda.com/securitynow, B-A-R-R-A-C-U-D-A, barracuda.com/securitynow. Barracuda, your journey secured. Remember, secured. And use that address so they know you saw it here: barracuda.com/securitynow. Steve. So we were just talking about the idea of staged releases of software updates to minimize the fallout from previously undetected problems. As a matter of fact, given the number of wacky problems I've been encountering with SpinRite, as our early pre-release testers find ever more bizarre machines to torture it with <laugh>, I've decided that the only sane thing for me to do will be to inform everyone here who's following this podcast when and where it's available in final beta, and then in final release. You know, anxious as I am to inform SpinRite's entire broader user community of what has grown to become a major free upgrade, I am gonna wait a while to see, you know, how a more local, larger release... That's smart.
(00:58:09):
Yeah, goes. Yeah, especially because these are the more sophisticated listeners. Yes, they're gonna be the great people to try it out with and let you know. Yes. And I can say, go to the forum, and they'll be able to get online and communicate. That's smart, and so forth. Yeah. So, yeah. And there, you know, people have waited 18 years. They could wait another month or two. So, yeah. And apparently Google has decided to do the same with Chrome. Back a few days before Christmas, they posted the news "Change in release schedule from Chrome 110," with a subhead "From Chrome 110, an early stable version will be released to a small percentage of users." And of course, <laugh>, as I just said, I can relate to that. Chrome is just about at 110.
(00:59:02):
Yesterday the Chrome beta channel was updated to 110. There are four channels which stage the progressive rollout of each new major release. The most bleeding-edge is the Canary channel, followed by the Dev channel, then the Beta channel, and then finally the main release channel. So 110, where they're gonna start staggering, staging the release, just went into beta yesterday. Its next move then will be to release, and that's where the timing will be changing a bit. What Google is now explaining is that 110 will be appearing more slowly in the release channel than before. They wrote: "We are making a change to the release schedule for Chrome. From Chrome 110, the initial release date to stable will be one week earlier. This early stable version will be released to a small percentage of users, with the majority of people getting the release a week later at the normal scheduled date.
(01:00:08):
This will also be the date the new version is available from the Chrome download page. By releasing stable to a small percentage of early users, we get a chance to monitor the release before it rolls out to all of our users. If any showstopping issue is discovered, it can be addressed while the impact is relatively small." So again, if you think about <laugh> the number of Chrome users there are, it's just an unimaginable number. So, yeah, I think that makes absolute sense, not to have everybody having the same problem all at once in the world. We've been tracking the gradual increase in accountability for cyber intrusions and data breaches, with more recently IT employees even increasingly being held accountable. And in another bit of just-surfaced news, we learned that Russia is moving forward with its own legislation to impose major fines and even prison sentences for IT administrators and their managers following major data breaches.
(01:01:16):
Yes, you know, nothing encourages the quick and full public disclosure of data breaches more than the prospect of some prison time at the other end. Now, the idea first surfaced last May in Russia, and once this legislation is passed, the Russian government will be able to fine individuals anywhere from 300,000 to 2 million rubles. Now, of course, 300,000 rubles won't buy you very much, maybe a Russian car, that's $4,200 equivalent, up to 2 million rubles, which is $28,000. And/or imprison them for up to 10 years if their companies get hacked and user data is stolen. Now, okay, that's <laugh>, that's brutal. I'm all for accountability. But this could well devolve into shooting the messenger rather than the source of the message. You know, sure, there could be misconfiguration that IT should have known better and done more to secure, but there are also plenty of zero-day vulnerabilities that no one should be held to account for, you know, more than the original source of the vulnerability, which is where the zero-day came from in the first place.
(01:02:42):
I'm not gonna dwell upon this further now, because this week's primary topic winds up posing some serious questions about accountability, in this case the VMware ESXi issue. But this additional news demonstrates that we are continuing to see, and not surprisingly, mounting pressure to hold someone accountable for cybersecurity incidents. And this isn't over by a long shot. I had to shake my head at this little piece. There's a new scam that's growing in popularity in the cyber underground, where there are templates for carrying it out. Generically they're known as "crypto drainers." They're custom phishing pages that entice victims into connecting their crypto wallets with an offer to mint NFTs on their behalf. And of course, this is where we all collectively chant in unison, what could possibly go wrong? To no one's surprise, other than the hapless victims,
(01:03:54):
as soon as victims attempt to mint NFTs, the crypto drainer page siphons both the user's cryptocurrency and the desired NFT into an attacker's wallet. The name is kind of a giveaway, the crypto drainer game. Crypto drainer. Yeah. I wanna sign up for the crypto drainer page <laugh>. Yeah. What could possibly go wrong? According to Recorded Future, there are several crypto drainer templates currently being advertised on underground cybercrime forums, and they're growing in popularity, of course. Okay. Now, apparently it's the Bible's Proverbs 21:20 which is the original source of the expression "A fool and his money are soon parted." Now, Steve, I didn't know you were so up on the Bible. Oh, honey, I'll tell you, there's nothing you can't find on Google. Oh, yeah, good. I didn't even ask ChatGPT <laugh>. Now that proverb, however, speaks of wealth being capriciously spent. In this case, of course, the outcome is the same.
(01:05:06):
And you've really gotta wonder that there are people willing to connect their wallets to some random page on the internet which states, you know, "we'll mint NFTs for you and auto-deposit your profits into your wallet, because, sure, you know, you can trust us in our broken English" <laugh>. Oh, God. Okay. Unfortunately. And Leo, remember Proverbs 21:20. Wow. I'll keep that in mind. Yes. The Taiwanese NAS, network-attached storage, vendor QNAP is back in the news. And you know, with them the news is never pretty. This time, QNAP has recently patched a SQL injection vulnerability tracked as CVE-2022-27596. That's the end of the good news <laugh> of this story. A week later, Censys, C-E-N-S-Y-S, that's that newer IoT search engine group, Censys says that roughly 98% of the 30,000 QNAP NAS devices it currently tracks remain unpatched.
(01:06:25):
What? Yes. <Laugh>. Oh, yo, nobody patches their QNAP NASes. It's just sitting in a closet. Yeah, exactly. That's 98%. Oh, 98% of 30,000 are unpatched. And it turns out, because it's trivial to exploit and the exploitation process does not require any authentication, Censys expects the vulnerability to be quickly abused by ransomware gangs, as has happened many times previously, like all the many times we've talked about this before. And the number of vulnerable devices could possibly be much higher, since Censys said that there are another 30,000, sorry, 37,000 QNAP systems online for which it could not obtain a version number, but which are also likely vulnerable as well. So maybe 98% of 67,000 QNAP devices. Okay. And speaking of NASes, I just wanted to give a shout-out to Synology. I own one and I've just preordered another. They're back-ordered right now, and I'm not surprised, because damn, they are amazing.
(01:07:45):
Oh, I'm glad to hear you say that. Yeah, I am so impressed. Yeah, I had been running a pair of co-located Drobos, which were running just fine, but the oldest one of the pair, which is now more than 10 years old, started acting a little flaky and it finally went belly up. Since the company's, Drobo's, future is a bit uncertain, I decided to switch to Synology, which I kept hearing about, and oh my God, what a fabulous experience. What I got are the DS418s. It only has four bays, as opposed to the Drobo's five. But my storage needs are not excessive, and the management experience is so good. Since I have two work locations, I plan to use their integrated Synology synchronization system to have the two boxes mirror each other, and then I'll be keeping my local work synchronized locally.
(01:08:44):
Anyway, I just wanted to say, for what it's worth, just one user's experience of Synology. It's been 100% positive, and I am, you know, these guys, they should have the market because they've done it right. And I know you feel the same. Oh yeah. I have three of 'em. I love them. Yeah. To no one's surprise, after the vulnerability intelligence company VulnCheck analyzed more than 25,000 entries from the NIST vulnerability database that contained CVSS ratings from both NIST and the product vendor, VulnCheck discovered that more than half of those analyzed, 14,000 of the 25,000 vulnerabilities, huh, had conflicting scores, where the vendors and NIST had assigned different ratings for the vulnerability's severity. Imagine that. VulnCheck says that despite the large number of entries, most of these came from 39 vendors, whom they did not name, suggesting that some companies are intentionally downgrading the severity of their own vulnerabilities.
(01:10:08):
And the trouble with this is, you know, not just public relations, which of course is why they're trying to, you know, that's what's driving them to falsely claim things are less serious than they are. At the high level, the vulnerability ratings are actually being used to set patching priorities. You know, if you can't patch everything, patch the bad things. So it's natural to patch the most important problems first. And so intentional vulnerability downgrading messes with the ability to do any of that correctly. And now we have some numbers: 58% of the 25,000 where there are private listings and public listings, you know, like official listings. The 39 companies who are doing this are saying, eh, we don't think it's as bad as everybody else. Okay. As a consequence, I think, of the fact that we've been talking about passwords a lot in the last, actually all year,
(01:11:10):
so far all of the interesting questions that I ended up finding in my mailbag were about that. I have four. Simon Locke tweeted, he said, "Dear Steve, what OTP Auth," I'm sorry, "what OTP app," I already gave away the answer <laugh>, "what OTP app can you recommend, or what do you use? Mostly, I think, for iOS, but if it also does Android, that would be nice. Cheers, and thank you for a lot of great hours listening to Security Now." Okay, so the one I've chosen after poking around with them a bit is the iOS app OTP Auth. For those who have settled upon something else, the fact that you have settled upon anything, and are therefore using one-time passcodes, is far better news than which one you've settled on. I'm not saying that it matters much at all.
(01:12:05):
So, you know, I'm in no way suggesting that OTP Auth, my choice, is superior to XYZ Auth. It's just the one I like. Its interface is clean, it synchronizes among all of my iOS devices through iCloud, I can unlock it with my face or touch, it pastes the code to the clipboard, which makes transcribing it simpler, and I like the fact that it has a customizable widget that allows me to have a subset of the passcodes I most use appear in the iPhone's notification center for even easier access. But it's definitely iOS-only, so it won't do the cross-platform deal over to Android. Oh, and it also allows encrypted backup to a documented file format. It's published by some German guy, and he feels German. I'm impressed with the app's author. So that's who you want to document a format, to be honest <laugh>.
(01:13:04):
That's right. It is going to be like this <laugh>. That's right. No, it's like a no-nonsense solution. It's beautiful. OTP Auth. I'll have to check it out. OTP Auth. I really like it. Via DM, I received: "Hi Steve, I've been following your podcast for more than two years, and I love it. Even though I'm not a cybersecurity or even an IT professional, I've learned a lot." I think he's maybe an ophthalmologist. Anyway, based on his Twitter DM, he said, "I have a question regarding your favorite two-factor app, OTP Auth. Would you be able to explain how the syncing via cloud works for it? I'm syncing it via iCloud, but don't necessarily see a file there. If theoretically my iCloud was compromised, would someone be able to get hold of my OTP Auth tokens and get access to all my two-factor authentication codes?
(01:14:02):
Thanks in advance." Okay. So app data stored and synced through iCloud is not like iCloud Drive with, you know, Desktop, Documents, Downloads, et cetera, folders. iCloud Drive is an app that deliberately exposes those shared resources. By comparison, app data is registered by the app and is never seen by the user. You only get to see, like, how much an app is using of your iCloud space, if you go and analyze the way storage is consumed. Essentially, apps are able to use iCloud as their own secure synchronization service, which is private within that app. And Apple does not have the keys to that app data. They only exist in the user's devices. So I'd say that it's as unlikely as possible for iCloud app data to be compromised. But if you were really worried about it, you can flip that switch off. Being, as you said, and I agreed, Leo, this German guy, he said, well, maybe they don't want iCloud sync.
(01:15:14):
Fine, turn it off. And I'll bet you dollars to donuts that he deletes it from the cloud, you know, as part of that. Mark Jones tweeted: "Steve, you continually reinforce time-based authentication and discredit the now exceedingly common SMS message as a second factor." Amen. "You've never touched an option that I'm seeing more and more frequently. I now have services asking me to validate via their app on my mobile device. Google just asked me to check my Google app on my phone before letting me log on a Windows machine. That is after I've set up Google Authenticator as my second factor. Apple does it too. I've never seen an analysis of the security of this new model. What are your thoughts?" Okay, if a giant company like Google or Apple has the luxury of requiring you to run their app on another device and to respond to its authentication prompts, then I think that's nearly as secure as a time-varying passcode.
(01:16:30):
And it certainly beats the crap out of SMS, because everything does. I say that it's nearly as secure because really the only way to improve upon our current six-digit standard would be to increase the number of digits, and that's not necessary, since, you know, the right answer changes every 30 seconds. The seductive beauty of the time-varying code, which only requires that both ends agree on the time of day and date, is that nothing is sent to your authentication device. The system is open loop. The authenticator can be offline and without any radio. Like, remember those original LCD footballs that we had back before smartphones, when OTP, you know, this notion of a six-digit varying code, first appeared? That time-varying code, which is driven by a shared secret cryptographic key, is really the perfect solution.
(01:17:38):
The one downside with a vendor's authentication app, ooh, except I should give myself a caveat there. I didn't think of it last night. And that is interception. We are seeing that second-factor authentication of this kind is being intercepted, because the channel back to the server is through the web browser. So if you're not actually where you think you are, and you know, you could be at a spoof site, the spoof site was just asked for a two-factor code, it forwards that request to you on your browser. You go to your app, give it the six-digit code, the spoof site gets it and logs in and is doing this behind your back. So that, you know, that is a problem with our six-digit time-varying codes which the Apple and Google and whomever standalone authentication app doesn't have.
(01:18:35):
Cuz they are talking to their app on your phone, which they've established a relationship with. And when your phone lights up, then you know it's from them. Except, the one downside with the vendor's authentication app, which can push notification requests, is notification fatigue, which we've talked about before. Attackers are refining this now to a science, timing their spoofed authentication requests for the time of day when its user would be expected to be logging into their remote services. Or sometimes just using more brute-force approaches, fatiguing the user by prompting the user over and over and over until they just give up and accept the authentication request and allow the bad guys in. So yes, specific vendor closed-loop authentication beats SMS, as I said, because everything does. And as long as you are giving your six-digit code to the proper site, the site you think you are, and not some spoofed phishing site, then nothing beats the openness of a one-time passcode.
(01:19:51):
And finally, Dan Stevens, he tweeted: "Hi Steve, in the last Security Now episode, 908, you and Leo discussed extensively the rules for creating secure passwords in a way that can be reconstructed from memory. How complicated. What if you forget what the rules are? Maybe you've said this before, but my advice would be: use a password manager with a completely random master password at good length, and write it on a slip of paper and keep it somewhere accessible and safe. Refer to the slip of paper whenever you log into the password manager. And eventually, for most people, the random password will stick in muscle memory, at which point you can destroy the slip of paper for extra security. Is this not a whole lot simpler?" Not simpler, but definitely better. I agree completely. Yeah. But there are places where a password manager cannot reach. When I'm logging into my servers, or even into my Windows desktop, I don't have access to a password manager.
(01:21:02):
It's true that I could open the manager on my phone and carefully transcribe a long and complex password. But the threat model for local login to my desktop, or remote login to a network service that no one at any other IP than mine can even see, is different from logging into random internet websites. So Leo uses an approach that he likes, and I had the phonetic made up word approach that I like. The important thing to appreciate, I think, is that there is no one right answer nor a best answer. Anyone who's been listening to this podcast will have been exposed by now to the fundamental theory of password cracking and password entropy. And we've tossed around many different systems and schemes for creating passwords. So the right answer is any answer. The key is that you've given this some thought and will arrive at an answer, and you will hopefully have arrived at a system that creates strong passwords that are also workable for you, depending on who you are and what your goals are.
(01:22:16):
And I think we are closing this topic for, you know, I mean his way's definitely better. I mean, a truly random password. The problem is, I, you know, I, I can't be getting a slip of paper out every single time. I, I log into my password manager all the time. I mean, it's just part of the deal. And I'm gonna, like you, keep this in my wallet and, and you do. Cuz I hardly ever log into my password manager. Oh, all the time. Constantly. Okay. For a variety of reasons. I mean, I'm using it in a lot of different systems. Oh, okay. Your password, you're using Bitwarden. Right. It doesn't time out. I've set it to time out. So if I'm not using it after a period of time, it times out as it should. And so, you know. Yeah.
(01:23:01):
And so I know I'm in a, in a locked environment, no one else has access to my machine. Right. And so, and, and the machine itself has a very strong authentication system which is protecting, you know, its access. They can't even, machine crypto, blah, blah, blah. Yeah. I could probably do that with the machines. The mobile devices use biometrics, so Right. I don't often have to enter it, but I still from time to time will have to enter it. Yeah. It's just not, so to me it's not practical to carry a slip of paper around with my master password <laugh>. I don't think it's secure either, by the way. Yeah. And I often have my wallet at the other side of the house. Right. Too. So, you know, so I, you know, I look, I have a long password. Maybe, you know, 30 some characters of completely random stuff would eventually be memorized, but in the meantime it's a pain in the butt.
(01:23:50):
I feel like I've come up with a system that generates as close to a random password as you can get. I mean, it's not truly random cuz it's based on a phrase, but that's pretty random. I, you know. Yeah. I'm not too worried about it. Yep. Again, I think to each their own. No, the important thing is, think about this. Well, certainly everybody listening to this podcast is, you know, not only tired of thinking about it, they're tired of hearing about it. So we're done now <laugh>. Enough. Now I'm trying to figure out how I can get my secret keys out of Authy so I can move them over to your choice, which I like, by the way. I, I just downloaded it. I've been playing with it a little bit. It's, it's good. I think you're right. I think it's a nice one.
(01:24:34):
I like, the problem with Authy, the reason I like Authy is cuz it backs up my secret keys to the Authy server so I can put it on multiple phones. I don't want to re, you know, it used to be you'd have to re-set up Google Authenticator from scratch every time. Yeah. But your, your solution is a perfect intermediate. OTP Auth lets you back it up to a file in some secure place. It's encrypted, and then I can download it and unencrypt it and then I import it and I'd be set. So I think this is a, I prefer this then to trusting Twilio with it. So I, you know, I think I'll probably, if I can figure out how to get those OTP seeds out <laugh>. I think there are ways, but we shall see. They don't, listen. Let's, let's take our last break.
(01:25:13):
Yes. And then we're gonna talk about how ESXi fell. Security Now is brought to you by Thinkst Canary. Let us talk first, though, about what to do if your security falls. And you know, unfortunately, often you don't know it. On average companies go about 91 days before they realize they've been breached. We've been breached. That's three months the bad guys have to wander around, exfiltrate what they want, find all your weaknesses, mock your CEO, and then trigger the ransomware. See, if you had this little thing, you wouldn't have to worry about this. This is the Thinkst Canary, like a canary in a coal mine. They even have a little canary logo on it. The Thinkst Canary is a honeypot, not just any honeypot, about the best darn honeypot anywhere in the world. This little device looks like it's about the size of a portable hard drive.
(01:26:11):
You know, a little USB hard drive. Three minutes is setup and you've got on your network, visible to all, could even be in your directory, your Active Directory, a device that doesn't look vulnerable to the bad guys, but looks very valuable. For instance, this is set up as a Synology NAS, and I mean, Thinkst does it right. This canary, the Synology NAS, has a MAC address that would be appropriate for a Synology, it's got a Synology MAC address. When you try to, when you hit it and you log in, you're gonna get an absolutely authentic looking DSM login that's just indistinguishable from the real thing, except it's not. It's a honeypot. And the minute a bad guy touches it, you get an alert, you find out, you know. That is awesome. No ongoing overhead, nearly zero false positives.
(01:27:04):
This canary is not gonna squawk unless somebody actually tries to get into it. You'll be able to detect attackers the minute they start snooping around. It's no wonder why Thinkst Canary hardware, they also have VMs and cloud-based canaries, are deployed and loved on all seven continents. Go to canary.tools/love. You can see some of that love spread around. When, when you get into a network, and by the way, the Canary guys know this because they have for the last couple of decades taught companies, governments, militaries how to attack computers. They're hackers. So they know exactly what they would do if they were to get into your network. They start looking around for juicy content. They browse Active Directory for file servers and look for file shares looking for documents. They try default passwords against network devices and web services. They scan for open services across the network.
(01:28:01):
When they encounter one of these, the services on offer are designed to, shall we say, solicit further investigation. They're juicy, at which point the hackers have betrayed themselves because your canary notifies you of the incident. It's not just the hardware here, as you heard. There's, there's VMs, there's cloud-based, and every canary can make Canarytokens. In fact, you actually can get these from the Canary site as well. But I like it because they come from an internal IP address. So I create these files, these Canarytokens, PDFs, doc files, spreadsheets. I give them provocative names and I scatter them around. They're like little trip wires on our network. If a bad guy says, oh, what's this employee payroll information .xls file and tries to open it, hello? Like an air, he goes, Hey, hey, hey, hey, Leo, Leo, Leo <laugh>, somebody has hit that file.
(01:28:55):
You can be notified via email, by SMS. They support Slack hooks, syslog. If you still use syslog, you know, sometimes the old stuff's the best stuff, right? You can get it any way you like it. It will notify you there, somebody has hit this file at this location or this hardware at this location. They can be a Linux server, it can look like a Windows server. It can have, lit up like a Christmas tree, every server service turned on, or just some judiciously juicy services. It's so fun. You can make one a router, make one a SCADA device. When you go into the interface, you'll see there's all sorts of, you know, ways you can configure this. There are hardware based birds like the one I'm holding in my hand here. There's virtual, there's cloud-based birds. You can configure and deploy canaries throughout your entire network.
(01:29:47):
Again, no overhead, no false positives, just alerts when it really matters, when intruders are actually present. Even customers with hundreds of canaries, and that's not unusual, by the way, big banks, casinos, places like that, receive just a handful of events every year. I, I hear from this canary, I've heard from it once, and it was a good reason I heard it. There was a device somebody put on our network that was scanning all our ports and scanning all our devices. When you get that incident and you go, I know you'll get the information you need. Look at canary.tools/love. For instance, a principal security engineer of a Fortune 50 company says, quote, Canary has helped us detect and mitigate several incidents that could have turned into catastrophes. You don't want to be a headline on this show, folks. He said, an alert fired by their cloned site token allowed us to identify and force a takedown of several doppelganger domains that were purchased by bad actors for the purpose of launching phishing attacks against our employees and customers. Yikes.
(01:30:57):
He said, I cannot recommend this product enough. You don't know what you don't know, but Canary helps you know what you need to know when it matters. That's a catchy slogan <laugh>. You don't know what you don't know, but Canary helps you know what you need to know when it matters. I couldn't have said it better myself. You may have heard about the CircleCI compromise recently. Most users found out about the incident directly from their Thinkst Canary. How about that? Canaries work and they continually prove it. canary.tools/twit, and I got a good deal for you if you use the offer code twit in the, how did they, how'd you hear about us box, to get 10% off the price for life. Now the price of course is gonna vary depending on how many canaries you need. You can scatter them around, a couple, a handful.
(01:31:49):
We've, I won't say how many we have. We have a handful. Some, as I said, some people have many, many more. But just as an example of pricing, cuz I like to be clear and you, you know, you know what you're gonna get. Let's say you want five of these. That's 7,500 bucks a year. You get the canaries, you get your own hosted console where you set the canaries up and you check on how they're doing. You get upgrades, you get support, you get maintenance for that whole year, one price, and 10% off if you use the offer code twit. If you sit on the canary, somebody steps on it cuz it's a little, little guy, you know, if you pour your coffee into it, don't worry. They just send you another one right away. Even better, we know you're gonna love it, but if you didn't, if for any reason you were not happy, you can return your canaries with their two month money back guarantee for a full refund. Two months.
(01:32:42):
There's no risk. There's a lot of risk if you don't have them. There's no risk of trying 'em out. In all the years the Canary has offered a money back refund guarantee, you wanna know how many times people said, yeah, I don't like this, I want my money back? You know how many times in, in all those years? Zero <laugh>. They could make it a six month guarantee. Zero, because nobody gets one of these and says, oh, I don't like it. This is the best thing you'll ever get. It's, it's <laugh>, no, it's hysterical. I couldn't believe it when they told me that. I went, what? No, none. Zero. Nope. Canary.tools. C-A-N-A-R-Y dot tools slash twit. Don't forget the twit in the offer code box, you know, the how'd you hear about us box, for 10% off forever. This is just a must have.
(01:33:33):
Everybody, everybody needs a little help from your canary. Put it in your coal mine. canary.tools/twit. Can you believe that? Nobody's ever said, yeah, I want my money back <laugh>. In fact, most likely what happens is they get five and they go, you know, can we get five more? Can we get 20 more? We think we need 'em all over the place. canary.tools/twit. All right, Steve, let's get to this VMware exploit here. Yeah. Today's sad story involves VMware's ESXi. ESXi is VMware's hypervisor technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server. The solution's grown very popular among cloud hosting infrastructure providers because, you know, it's one of the good ones. If by any chance you are two years behind in patching with a publicly exposed instance of ESXi, please, we've, we've told you about Canaries.
(01:34:49):
Stop listening to this podcast right now. Go patch. If you're using a cloud provider instance, you should immediately perform a proactive version check. In fact, you could use GRC's ShieldsUP service to make sure that, that your port 427 is closed to the public. And if you wanna watch what's sure to become a honeypot feeding frenzy, place an instance of the OpenSLP service on port 427. Stand back and get ready. What's going on is that over this past weekend, just two days ago, a new ransomware strain being tracked as ESXiArgs, and we'll explain the name in a minute, swept through and encrypted several thousand unpatched VMware ESXi servers. And here's the heartbreaking bit. The entry point to all of these systems was an unpatched vulnerability more than two years old, well known, long since having been identified, being tracked as CVE-2021-21974, for which, as we'll see, there's also a publicly available proof of concept, which made it easy for the bad guys to, to hack these VMware ESXi servers.
(01:36:24):
Okay, so we'll get back to this weekend's attack in a minute. Let's first get some perspective on all this by turning back the clock to the fall of 2020. Back on March 2nd, 2021, Lucas Leong, a researcher with Trend Micro's Zero Day Initiative, authored a blog posting titled Pre-auth Remote Code Execution in VMware ESXi. And this was in March, once he was finally able to talk about this publicly, which was about six months after he first informed VMware of what he had found. So in his posting March 2nd, Lucas wrote, last fall I reported two critical rated pre-authentication remote code execution vulnerabilities in the VMware ESXi platform. Both of them reside within the same component, the Service Location Protocol, SLP, service. In October, VMware released a patch to address one of the vulnerabilities, but it was incomplete and could be bypassed.
(01:37:41):
VMware released a second patch in November completely addressing the use after free portion of these bugs. The use after free vulnerability was assigned CVE-2020-3992. After that, VMware released a third patch in February completely addressing the heap overflow portion of these bugs. The heap overflow was assigned CVE-2021-21974. That's the one that is the trouble. This blog, he says, takes a look at both bugs and how the heap overflow could be used for code execution. Here's a quick video demonstrating the exploit in action. Okay, so that was what he posted March 2nd, 2021, nearly two years ago. And then his blog post proceeds to demonstrate and provide descriptions, details and pseudocode of the critical portions of the homegrown OpenSLP server that VMware had running in their ESXi server, while continuing to be responsible.
(01:38:56):
Lucas disclosed all of the juicy details a month after the trouble was finally patched. So they finally patched in February 2021, VMware did. Lucas waited a month and then, you know, he did his blog posting. Didn't do a proof of concept publicly, but, you know, did reveal what he had found. When Lucas is describing the heap overflow bug in question, this is the, you know, the one ending in 21974, he notes, he says, like the previous bug, this bug exists only in VMware's implementation of SLP. As I noted, the balance of his posting provides pseudocode of VMware's code and walks the reader step by step through a theoretical exploitation process. Lucas implemented it, as shown in the video, but being responsible, he deliberately stopped short of providing a working proof of concept.
(01:39:57):
At the end of his step-by-step explainer, he notes, quote, if everything goes fine, you can now execute arbitrary code with root permission on the target ESXi system. He says, in ESXi 7, a new feature called daemon sandboxing was prepared for SLP. It uses an AppArmor-like sandbox to isolate the SLP daemon. However, I find that this is disabled by default in my environment. And as this week's news demonstrates all too clearly, Lucas was not alone in finding that sandboxing was not present or enabled. He concludes with, VMware ESXi is a popular infrastructure for cloud service providers and many others. Because of its popularity, these bugs may be exploited in the wild at some point. To defend against this vulnerability, you can either apply the relevant patches or implement the workaround. You should consider applying both to ensure your systems are adequately protected.
(01:41:08):
Additionally, VMware now recommends disabling the OpenSLP service in ESXi if it is not used. So yes, adding insult to injury, we also have the old security bugaboo of a service which turns out to be readily exploitable, which is running by default, unbidden, even if there is no need for it in any given deployment. Yet there it is. Not even a back door, this is a front door. Now, being a responsible researcher, as I said, Lucas's job was now done. He found a problem, privately and responsibly notified its publisher, in this case discovered that it hadn't been fixed once or twice, but finally the third attempted patch worked. So Lucas doubtless moved on to examine and improve the security of other software which would benefit from his scrutiny. But of course, other people have other interests. Nearly three months after Lucas's posting, on May 24th, 2021, a hacker by the name of Johnny Yu extended Lucas's work, essentially pushing it across the finish line.
(01:42:23):
Johnny wrote, during a recent engagement, I discovered a machine that's running VMware ESXi 6.7.0. Upon inspecting any known vulnerabilities associated with this version of the software, I identified it may be vulnerable to ESXi OpenSLP heap overflow, CVE-2021-21974. Through Googling, I found a blog post by Lucas Leong of Trend Micro Zero Day Initiative, the security researcher who found this bug. Lucas wrote a brief overview on how to exploit the vulnerability, but shared no reference to a proof of concept. Since I couldn't find any existing proof of concept on the internet, I thought it would be neat to develop an exploit based on Lucas's approach. Before proceeding, I highly encourage fellow readers to review Lucas's blog to get an overview of the bug and exploitation strategy from the discoverer's perspective. So here we have a textbook example of the way we get from something doesn't look right here to here's how to exploit this.
(01:43:39):
If you ever encounter a server with it unpatched, the two year old vulnerability allows threat actors to execute remote commands on any unpatched ESXi server through VMware's own implementation of the OpenSLP service on port 427. What's OpenSLP? The project has its own website, which describes this as, quote, Service Location Protocol is an Internet Engineering Task Force, you know, IETF, standards track protocol that provides a framework to allow networking applications to discover the existence, location, and configuration of network services in enterprise networks. The OpenSLP project is an effort to develop an open source implementation of the IETF Service Location Protocol suitable for commercial and non-commercial application. While other service advertising and location methods have been invented and even widely consumed, no other system thus far has provided a feature set as complete and as important to mission critical enterprise applications as SLP.
(01:44:48):
So I've never looked at it closely. I don't know about it. It looks like, well, for some reason VMware decided they wanted to add it. They apparently rolled their own and it had some problems. So, you know, and not only is it often unused and unneeded, but it's running by default. So until and unless patched, it offers a way for criminals. You know how many criminals so far? Is everybody sitting down? More than 3,200 VMware, 3,200 individual VMware ESXi servers were hacked over the weekend. What, first report came just over the weekend? Yes <laugh>. Oh God. From, first reports came in on Friday and then they increased to 3,200. Okay, this is this ESXiArgs ransomware campaign. France is the most affected country, followed, because they have a hosting provider who unfortunately seems to really like to have old versions of ESXi for their customers.
(01:46:03):
France, followed by the US, Germany, Canada, and the UK in declining numbers. And we have the ransom note. If you, the homepage of the web server that ESXi publishes will say after the attack, How to Restore Your Files in, looks like a heading, you know, H1 in HTML. Security alert, three exclamation points. We hacked your company successfully. All files have been stolen and encrypted by us. If you want to restore files or avoid file leaks, please send 2.034413 bitcoins to the wallet, and then a Bitcoin address. If money is received, encryption key will be available on Tox ID, and then they provide a public key we'll talk about in a second, and then attention, three exclamation points. Send money within three days. Otherwise, we will expose some data and raise the price. Don't try to decrypt important files.
(01:47:13):
It may damage your files. Don't trust who can decrypt. They are liars. No one can decrypt without key file. If you don't send bitcoins, we will notify your customers of the data breach by email and text message and sell your data to your opponents or criminals. Data may be made release. Note, SSH is turned on. Firewall is disabled. So that's not a note that you want to receive coming from your server. And more than 3,200 VMware servers are now, or were, broadcasting that note. That 2.034413 <laugh> bitcoins is, you know, Bitcoin value fluctuates, right? It looks like at the time this happened, it was about $50,000. So they're asking for about $50,000 per instance. The logic must be that since it was a collection of hosted servers running inside the VMware hypervisor that was taken down, not an entire enterprise, this isn't worthy of hundreds of thousands of dollars in ransom payment.
(01:48:30):
And since the attackers have left more than 3,200 of these ransomware notes, they presumably expect to receive many smaller payments rather than one big score. In the US, cybersecurity officials at CISA have confirmed that they're investigating the ESXiArgs campaign. A CISA spokesperson was reported saying that CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed. Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI. Now, the standing advice, of course, is always do not pay. And in this instance, that seems a little extra warranted because it turns out that the Bitcoin wallet addresses appearing in the ransom demands are not 100% individualized. Wallet reuse has been detected, but still there are a great many of them, since the ransom note is left behind on a public facing web server, and it always follows the same pattern.
(01:49:38):
Researchers have been scanning the net for infected machines. That's how we have a count, and compiling lists of the Bitcoin wallets appearing in the ransom demands. I have a link in the show notes to a GitHub page that's maintaining a growing list of detected addresses. And I think there were like 700 some last time I saw, but it wasn't super current. And somebody did do a sort by the address and was seeing doubling of the use. So it looks like the, the bad guys didn't want to create an individual Bitcoin wallet for every single one of these 3,200. I mean, you know, there's only so much time. They're, they're so busy, you know, infecting and taking over all these VMware ESXi servers. And, and they've shared the wallet. They, how do they know you paid? Ah, precisely.
(01:50:33):
There is a way, although I don't know how unique. Well, there, there is a way. I'll explain in a second. The ransom note refers to a Tox ID, and Leo, this kind of comes back also to our conversation at the beginning about the EU surveillance intentions. The Tox ID is shown in the demand and provides a very long hex string. Tox is an interesting open source end-to-end encrypted peer to peer instant messaging system that uses no centralized servers. So it boasts that it cannot be shut down. I have not examined it closely, so I can't say whether or not it could be blocked, but it's a perfect example of the trouble that the EU or any other bureaucracy is gonna have when they attempt to tighten the screws on the legal and illegal use of encrypted communications. As we've always said, the math has already escaped.
(01:51:36):
There are an infinite number of ways to communicate with unbreakable encryption. It's true that stomping on the mass market solutions will catch those who are unaware, but history also shows that awareness follows very quickly. Anyway, a Tox ID is used to identify peers on the network, and the system is simplicity itself. The Tox ID is simply the 256-bit, thus 32-byte, static public key of the other peer on the network with which you wish to communicate. This means that a packet of communications can be encrypted with a random nonce. That nonce can then be encrypted using the recipient's Tox ID, that is, the recipient's Tox ID public key, and it can then be sent on its way. Only the party with the matching private key will be able to decrypt the nonce and then use that decrypted nonce to decrypt the message payload. So a victim sends, hey creeps, I just paid you your $50,000 in Bitcoin.
(01:52:52):
It went to the following wallet at this time of day. Please send me the decryption instructions and destroy our unencrypted virtual machines that you stole. And then of course, they kneel down to pray because, you know, who knows whether they're ever gonna see, well, we know, the decryption key that they think they bought. You know, bad guys are honorable and can be counted on. That's right. To keep their word. That's right. So by far the most impacted are the customers of hosting provider OVHcloud, based in France. While it's tempting to blame them for the misery that their customers are suffering, it appears that all OVH providers are, I'm sorry, it, it appears that all that the OVH cloud service is providing are bare metal servers onto which the VMware ESXi hypervisor is installed.
(01:53:51):
It's difficult to understand why such an outsized proportion, I think it's like 44% of all of the compromises, is this one provider. So it's hard to understand why such an outsized proportion of impacted ESXi servers are within OVH's cloud. It might be that OVH offers initial setup services and that, you know, over the course of many years, they set up their ESXi servers on behalf of their customers, which were never then patched or upgraded. And who knows how recently, maybe even OVH didn't bother updating beyond the 6.5, 6.7 server that has the problem. I don't have any experience with the ESXi upgrade process, but I did note that VMware's page describing the process of upgrading ESXi was last updated yesterday. Huh. So it appears that there's a sudden demand for information about how to get away from the old and buggy version 6s and the early version 7s. Patches to an existing system appear to be far more easily applied, and that would've solved the problem two years ago.
(01:55:05):
But many thousands of ESXi admins never bothered. In a statement to TechCrunch, a VMware spokesperson said the company was aware of reports, you think, that a ransomware variant dubbed ESXiArgs, quote, appears, this is the spokesperson quote, appears to be leveraging the vulnerability identified as CVE-2021-21974, and said that patches for the vulnerability were made available to customers two years ago in VMware's security advisory of February 23rd, 2021. She goes on to add that, quote, security hygiene is a key component of preventing ransomware attacks and organizations who are running versions of ESXi impacted by CVE-2021-21974 and have not yet applied the patch should take action as directed in the advisory.
(01:56:11):
Okay, so as we know, mistakes happen. This is all complicated stuff which we haven't yet figured out how to create securely. But as much as I have infinite understanding for mistakes, I'm unforgiving about deliberate policy decisions. Someone somewhere made the policy decision at VMware to have this homegrown OpenSLP server, that apparently few people actually need, running by default, opening port 427, then listening for and accepting incoming unsolicited connections from the public internet, and all that, as I said, while the service was typically unneeded, unwanted, and unused. Minimizing a system's attack surface should be taught, and probably is, during Cybersecurity 101. Yet that basic lesson was ignored here with catastrophic results. Okay? However, the good news is it appears this policy was changed for the better several years ago, though only after all of the servers being attacked had been deployed. In a blog posting yesterday.
(01:57:28):
VMware's Edward Hawkins, whose title is High-Profile Product Incident Response Manager, and yes, Edward, this would qualify as a high profile product incident, he wrote: We wanted to address the recently reported ESXiArgs ransomware attacks, as well as provide some guidance on actions concerned customers should take to protect themselves. VMware has not found evidence that suggests an unknown vulnerability, a zero day, is being used to propagate the ransomware used in these recent attacks. Most reports state that End of General Support, which they call EOGS, and/or significantly out of date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware security advisories. Those are VMSAs. You can sign up for email and RSS alerts when an advisory is published or significantly modified on our main VMSA page. With this in mind, he finishes, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. In addition, VMware has recommended disabling the OpenSLP service in ESXi. In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.
(01:59:12):
What is that about horses having left the barn? But still, this was clearly the correct policy change. In OVH's first posting last Friday, the 3rd, they, they observed, they said, the attack is primarily targeting ESXi servers in version before 7.0 U3i, apparently through the OpenSLP port 427. Right? So the moment VMware changed their policy, turned off that unneeded service and closed that port, their services were no longer, their systems were no longer vulnerable. Now there's some confusion about what files are encrypted. The encryption code has been found now and analyzed. So we know that it targets all files with the extensions .vmdk, which is the mother lode, as well as .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram and .vem. We know that the encryption appears to use a variant of the cipher used by the Babuk ransomware, whose source code was leaked and became public, thus allowing, you know, offshoots to be created.
(02:00:37):
And this appears to be one. And we know that the encryption was done right. There is no easy decryption path without obtaining the key. In that regard, the ransomware note was correct. The ransomware obtained its name ESXiArgs because for every file that it encrypts, and it doesn't need to do many because this is a virtual machine, right? It just needs to encrypt the container. For every file that it encrypts with those extensions that I mentioned, it leaves behind that encrypted file's name plus .args, which is the, you know, file containing the specific per-encryption data that is needed to direct the file's eventual restoration. There was some initial news that the big master virtual machine image, the big VMDK file, was not being encrypted, which would've allowed for the reconstitution of the system without paying the ransom. All of the other little pointer files could have been fixed, apparently.
(02:01:37):
But everything we're seeing suggests that maybe that was a one-off or a low probability incident. In another bit of good news, it may be that the claim of exfiltration and subsequent public exposure is an empty threat. One victim posting on BleepingComputer's forum about their own post-attack forensic analysis wrote: Our investigation has determined that data has not been exfiltrated. In our case, the attacked machine had over 500 gigabytes of data, but typical daily usage of only two megabits. We reviewed traffic stats for the last 90 days and found no evidence of outbound data transfer. Of course, that's not definitive for everyone, but, you know, another interesting data point. Okay, with all this said, I was left with one other thought. Why were the bad guys allowed to find and exploit this? This problem has been waiting for discovery for two years.
(02:02:51):
While VMware knew that they had a serious remotely exploitable remote code execution vulnerability. We know they knew that this was a critical remote code execution vulnerability affecting all of their ESXi servers at the time. ZDI's Lucas would certainly have shared his own private proof of concept exploitation demo with them, though he never released it publicly. And as we know, they proactively changed their policy to no longer have their OpenSLP service running and exposed by default. So there's proof of awareness. Big, slow, lumbering, bureaucratic national governments are now proactively scanning their own nation's networks, checking the version of the systems that are publicly exposed. Why isn't a leading high-tech Silicon Valley superstar like VMware, who produces highly sophisticated public facing internet servers, proactively scanning their own customers to protect them from the known potentially catastrophic consequences of using the software they publish and sell?
(02:04:08):
I was unimpressed by VMware's spokesperson blaming their customers for not patching when VMware is entirely able to know who has patched what and when. VMware is certainly capable of scanning the internet looking for and checking the security of their own server technology. One of this podcast's ongoing questions and explorations is about the post-sales responsibility of massively profitable private enterprises whose license agreements state that they're gonna take your money, and plenty of it, to support their growth. But what you get in return is whatever they feel like providing, and they're not gonna be in any way responsible for what might happen to you afterward as a result of your use of their products for which you paid good money, regardless of what happens. Can you imagine the chaos that would ensue if automobile makers were able to sell their multi-ton vehicles under these terms?
(02:05:18):
Or how about Boeing? Sure. Buy one of our big new shiny passenger jets. We had a bunch of very enthusiastic summer interns design the avionics for it, and they mostly seem to work. Now, cyber threats are real and growing, but the software industry's perverse and unique, utter lack of accountability for its own failings removes the only incentive for improvement that's been shown to work. VMware never bothered to protect their own customers because it's been established that it's their customers' fault for not proactively patching the buggy software that VMware sold them in the first place. That famous definition of insanity is continuing to do the same thing and expecting a different outcome. Well, things are gonna keep getting worse unless we make them get better. So far, there's not even a hint of anything like that happening.
(02:06:29):
I'll finish on a happier note. We have the ChatGPT astonishing reply of the week, courtesy of one of our listeners <laugh>, and this is really becoming interesting. Somebody said to ChatGPT, please analyze and provide a description of the function of the code that follows this statement. Okay, so this is a person who, like, I don't want to say they're lazy. Maybe they're gonna turn out to be smart. And we see here in this quoted question, the code. So it starts out with a script source, and it's got a URL to Google APIs, ajax libs jQuery 3.6.1 jquery.min.js, so it's minified JavaScript, so it loads that. Then the actual script in question, which you can, there's a couple of arguments in the clear, but most of it is gibberish.
(02:07:41):
It's all been scrambled and encrypted, you know, minified and obscured so nobody can see what's in there. And you see little bits. There's a return in the statement. There's a parseInt and another one, and a few. So anyway, it's gobbledygook, right? Astonishingly, this guy says, please analyze and provide a description of the function of the code that follows the statement. ChatGPT says, and I kid you not: The code appears to be obfuscated JavaScript code that makes an AJAX request to the internet, I'm sorry, a request to the URL, and then it gives the URL, which it has de-obfuscated. The payload of the request contains an email address that is passed as a parameter. The response of the request is written to the document. The purpose of the code is unclear, but it may contain malicious content such as code that performs unauthorized actions on the client side or collects and exfiltrates sensitive information. I, says ChatGPT, speaking in the first person, I would advise against running this code as it may pose a security risk to your system and data.
(02:09:06):
Leo, I don't know, I think it's smart <laugh>. I am astonished <laugh>. Once again, I am astonished, and I do see something happening. I've seen some tweets which are a little concerning, because people are starting to ask ChatGPT for help. I mean, one of the things that needs to be reinforced about this is it is often wrong. Yeah, it is, it is not. I mean, maybe it's like asking Uncle Benny who's, you know, got a little bit of the, you know, we're not sure about him <laugh>. This thing, you know, always sounds authoritative, and so it's like it's selling its own answers, but sometimes it's just, like, way off. So, you know, we should just remind people, yes, you know, you can use it, as Rob did, to create a template for some code he would've never written.
(02:10:13):
If he had to do it himself. He had to go in and fix it, though, you know, it was broken in a bunch of places, and I'm not letting it get near SpinRite, right? Mm-Hmm. <affirmative>. But for what it's worth, it's worth something. And boy, I do think it's found its home in search engines, Leo. The idea that this thing could, you know, could, I mean, it is a search engine essentially, but stick that on the front end and we might really see search take on a whole new form. Yeah, Microsoft announced today they're gonna use it with Bing and their Edge browser, and Google's got something they're gonna announce, I think, tomorrow. So we shall see. It's exploding right now. It is just astonishing. Yeah, I know. As I said last week, we're on the brink of something.
(02:10:59):
I don't know what, nobody knows what. I think this is, you know, still early days, but we need to be careful not to, you know, think that it actually has right answers to everything, even though every answer sounds amazing, right? Well, we live in interesting times, as they say, and you make it a much more interesting, and we thank you for that. Steve joins us every Tuesday to do this show about 1:30 Pacific, 4:30 Eastern, 2130 UTC. If you want the freshest version of Security Now, you can watch it here live at those times. The stream is at live.twit.tv, audio or video. After the fact, we've got on-demand versions of the show at twit.tv/sn or on YouTube. Steve also has copies of the show. For, he has, you know, the 64 kilobit audio, but also two unique versions we don't offer.
(02:11:51):
But he offers, which is the 16 kilobit audio for the bandwidth impaired. He also has nicely written transcripts by Elaine Farris that you can read along as you listen or use to search, and all of that at GRC.com. While you're there, pick up a copy of SpinRite, the world's best mass storage maintenance and recovery utility, now in its 18th year <laugh>. Soon the new one will come out, brand new spanking fresh SpinRite 6.1, and you'll get a copy of it if you are a SpinRite purchaser. So go out and get 6.0 right now and be ready for 6.1. Lots of other free stuff there. GRC.com. Feedback you can leave at grc.com/feedback or on his Twitter, his DMs are open, @SGgrc. And I think that wraps it up for the day, Mr. G. Have a wonderful day. We'll see you next time on Security Now. Rado. Bye-bye.
Ant Pruitt (02:12:50):
Hey, what's going on, everybody? I am Ant Pruitt and I am the host of Hands-On Photography here on twit.tv. I know you got yourself a fancy smartphone, you got yourself a fancy camera, but your pictures are still lacking. Can't quite figure out what the heck shutter speed means? Watch my show. I got you covered. Want to know more about just the ISO and exposure triangle in general? Yeah, I got you covered. Or if you got all of that down, you want to get into lighting, you know, making things look better by changing the lights around you, I got you covered on that too. So check us out each and every Thursday here on the network. Go to twit.tv/hop and subscribe today.
... (02:13:35):
Security Now.