Security Now Episode 911 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. We'll answer the musical question: How long were bad guys inside GoDaddy's network? We've got some good news for our sponsor Bitwarden and its customers. And then he is gonna talk about ChatGPT. How useful would ChatGPT be at detecting malware? It's all coming up next on Security Now.

... (00:00:26):
Podcasts you love.

From people you trust. This is TWiT.

Leo Laporte / Steve Gibson (00:00:36):
This is Security Now with Steve Gibson. Episode 911. Recorded Tuesday, February 21st, 2023: A Clever Regurgitator. Security Now is brought to you by Drata. Too often security professionals undergo the tedious, arduous task of manually collecting evidence. With Drata, say goodbye to the days of manual evidence collection and hello to automation, all done at Drata speed. Visit to get a demo and 10% off implementation. And by ACI Learning. Tech is one industry where opportunities outpace growth, especially in cybersecurity. One third of information security jobs require a cybersecurity cert. To maintain your competitive edge across audit, IT and cybersecurity readiness visit go dot

Thanks for listening to this show. As an ad-supported network, we are always looking for new partners with products and services that will benefit our qualified audience. Are you ready to grow your business? Reach out to advertise@twit.tv and launch your campaign. Now it's time for Security Now, the show where we get together and talk about security right now. Steve Gibson is here. Hello, Steve. You think that's how we came up with the name, Leo? I think that's, I don't know. Might have been. I don't know. Well, it was better than Security Yesterday. Oh yeah, that was, that's, you know, that's has-been security. Nobody cares about that. We don't want that. Yeah. Nope. So we're here to answer some questions as we've been doing so far this year. One is how long were bad guys inside GoDaddy's networks? Oh, what important oral arguments is the US Supreme Court hearing today and tomorrow?

What has Elon done now? What's Bitwarden's welcome news? What's Meta gonna begin charging for? Should we abandon all hope for unattended IoT devices? Are all of our repositories infested with malware? How did last Tuesday's monthly Patch Fest go anyway? Why would anybody's an image? What can you learn from TikTok that upsets Hyundai and Kia? Oh, <laugh>. Oh. And are there any limits to what ChatGPT can do, if any? We're gonna find out by the end of today's 911 Emergency Podcast. I'm gonna give you the short version so you don't have to listen to the whole thing. A long time. Gonzalez versus Google. Tweet. Argon2. Verification. Yes. No. Yes. Yes. How about that, <laugh>? Very nice. Very, very nice. Very good. <Laugh>. We will get to the actual answers. We'll see you next week, <laugh>, if only it were that simple. In just a moment, we also have a very good picture of the week that you can decipher on your own.

But first, let's talk about [inaudible]. Our sponsor for this segment of Security Now is Drata. We've got questions for you from Drata. Is your organization finding it difficult to achieve continuous compliance as it quickly grows and scales? Did you know, Steve? I mean, this is kind of a newer area to me. I didn't realize how big a deal compliance was for security professionals, you know, proving, and more so in the future. Yeah. It's getting more and more so. We're heading toward regulation land. Well, yeah, that's the thing. I mean, you gotta comply with various regulatory frameworks. You have to prove to partners and clients and customers that you're secure, probably your investors. It becomes more and more important. What I didn't know is that a lot of companies are doing this manually. If manual evidence collection is slowing your team down, you need to know about Drata, a leader in cloud compliance software.

G2 Crowd says Drata streamlines your SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA and other compliance frameworks, providing 24-hour automated continuous control monitoring. So you and your team get to focus on the important things, scaling securely, and let Drata do the proving. That should be their slogan, but they don't want it with a <laugh>. Let Drata do the proving. With a suite of more than 75 integrations, Drata integrates so seamlessly with your tech stack. I mean, it supports AWS, Azure, GitHub, Okta, Cloudflare, on and on. Countless security professionals for companies like Lemonade, that's a big insurance exchange, they, I mean, you can bet that security is a big part of their job, right? Notion, BambooHR, they've got Social Security numbers. They need to prove to their clients that they're keeping them secure. They've shared how crucial it has been to have Drata as a trusted partner in the compliance process.

And another point that might help, you know, prove to you that Drata is all that, is that they are backed by SVCI. Who's that? Well, that is a venture fund, angel investors that are all CISOs and, you know, from some of the most influential companies in the world. I mean, if <laugh>, nobody knows better than a CISO how important this is. They put their money in and said, yeah, we need Drata. Drata allows companies to see all of their controls, easily map them to compliance frameworks. So you'll have immediate insight. One thing will save you money right away: into where there's overlap, right? Companies can start building a solid security posture. They can achieve and maintain compliance. They can expand their security assurance efforts. The key though, is Drata, it's automated. Its dynamic policy templates support companies new to compliance, help alleviate hours of manual labor.

Their integrated security awareness training program helps keep your team up to date. Your staff, you know, they're the front lines. Aren't they safe and secure? Their automated reminders ensure smooth employee onboarding. They're the only player in the industry that builds on a private database architecture. But seems to me that's gotta be table stakes for this business. It means your data can never be accessed by anyone outside the organization, right? Customers receive a team of compliance experts. You'd be surprised how many people don't do that. Drata does. Customers receive a team of compliance experts, including a designated customer success manager. Your success is so important to them. They actually have a team of former auditors. They've conducted more than 500 audits. They're available. You can call 'em up for support, for counsel, to help prep you for your <laugh>, your upcoming audit. They will make sure that there's a consistent meeting cadence with you and Drata.

So they keep you on track. No surprises, no barriers. They even do, Drata does pre-audit calls. So you're fully prepared for when the audits begin with Drata, D-R-A-T-A. With Drata's Risk Management Solution, you can manage end-to-end risk assessment and treatment workflows. You can flag risks, you can score them. You can decide whether you're gonna accept them, mitigate them, transfer them, avoid them. Drata maps appropriate controls to the risks, simplifying risk management, automating the process. You get an idea. You need this. Right? And Drata's Trust Center provides real-time transparency into security and compliance postures, which improves for you, improves sales security reviews, gives you better relationships with customers and partners. Investors, like you said, Steve. Say goodbye to manual evidence collection. Say hello to automated compliance by visiting, bringing automation to compliance at Drata speed.

Get 10% off when you ask for a demo. But make sure you use that address cuz I want them to know you saw it on Security Now. drata.com/twit. All right. Picture of the week. So today's picture of the week, or this week's picture of the week, was actually taken by one of our listeners who was up in the attic of some sort of charitable organization. Maybe his church. I don't quite remember now what he said. But he was working on fixing their Dish Network installation, Uhhuh Uhhuh. And when he saw the ground wire attached to a nail that was nailed into some wood, okay, he thought, okay, I gotta take a picture of this and share it with the Security Now audience. Because here we have another weak understanding of the goal of grounding.

Where's the other wire go? It's not clear. It goes, wanders off somewhere. And you know, what occurred to me was that maybe whoever it is who installed this thought maybe that the electrons would pay attention to the color of the insulation <laugh> because it's green. You know, if they realize that it was a green wire, traditionally in electronics, electricity, you know, green is ground. So they go, oh, everybody over this way. Of course, the problem is when they get over to the nail, which is stuck into some wood. Wood is, you know, a very good insulator. So it's a little bit like sticking the wire into that pail of dirt, which is, you know, one of our all-time favorite pictures. So anyway, thank you very much to our listener, Mark, for you know, thinking of us when <laugh> when he thought, what's wrong with this?

What's wrong with this Dish Network installation? Don't you love it? When they see stuff like this, they think of you immediately, right? <Laugh> Senator Steve. Okay, so I titled this one Gone Daddy. Last Friday, GoDaddy revealed a rather astonishing bit of news. Its network and organization had suffered a multi-year security compromise that had allowed attackers, attackers who to this day remain unidentified, to exfiltrate the company's source code, customer and employee login credentials, and install their own malware, which redirected customers' websites to malicious sites for years. Years, yes. Years. So you know, they're big, right? They have got nearly 21 million customers. They're the number one registrar in the world. Years. Their last year's revenue was nearly 4 billion. So, you know, many years ago when I was making my move away from Network Solutions, I gave GoDaddy some consideration.

It is the choice of a very techy friend of mine whom we both know, Mark Thompson. Maybe cuz he's in Arizona and I think that's where they're based also <laugh>. But for me it just looked too bubble gum. They're terrible and commercial. I'm not surprised to hear this. Yeah, we buy our certs from them cuz their cert prices are so cheap for the, you know, EV certs, right? But I mean, that's a cert that doesn't, you know, that's our security, not theirs. Yeah. So anyway, you know, what I want from my domain registrar is staid, stodgy and stoic. I don't want a domain registrar that looks like Romper Room. And as I was putting that in the show notes, I thought, I wonder how many of our listeners will relate to Romper Room <laugh>. You know, I think I'm beginning to date myself here a little bit.

I see Stevie <laugh> and I see Lori. I used to know Miss Nancy, our local Romper Room lady, actually. So anyway, from a registrar, I don't want entertainment and upselling. I just want something solid. Anyway, as we know, I chose Hover and I've been very happy. And just to be clear, my choice was made years before Hover became a TWiT sponsor. So it wasn't like, you know, yeah, it wasn't after the fact. So, in a filing last Thursday with the SEC, you know, our US Securities and Exchange Commission, GoDaddy admitted that three serious security events, the first occurring three years ago in 2020, and the way they put it, you know, somehow lasting through 2022, were all carried out by the same intruder. Now, okay, but they're also saying, but we don't know who, but we know it's the same.

So I'm like, what? Anyway, they wrote, quote, based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code relating to some services within GoDaddy. And they said that their investigation was still ongoing. The most recent event occurred last December. So just, you know, three months ago, when the threat actor gained access to the hosting servers GoDaddy's customers used to manage websites hosted by GoDaddy, that they got into their cPanel hosting servers. The threat actor installed malware on the servers that, quote, intermittently redirected random customer websites to malicious sites, because you know, that's what you want from your registrar. GoDaddy was unaware of the presence of this malware and learned of it from their customers <laugh>, who were complaining that visitors to their sites were occasionally being redirected elsewhere.

So, <laugh> GoDaddy said, we have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. They said, according to information we've received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities. Now, okay, saying hosting services like GoDaddy, you know, that sort of begs the question whether other hosting services have been similarly affected. If so, you know, which ones, and by whom? Those questions remain unanswered. It appears that the first of several intrusions took place in March of 2020, so fully, you know, three years ago, when a threat actor obtained login credentials that gave it access to employee accounts and the hosting accounts of roughly 28,000 of GoDaddy's customers. Fortunately, those hosting login credentials that were obtained, those for the 28,000 customers, did not also provide access to the customers' main GoDaddy account.

Otherwise, damage would've been more severe. That first breach was disclosed two months later in May of 2020 in a notification letter sent to the affected 28,000 customers. The company said on Thursday it's responding, get this, responding to subpoenas related to that incident that the Federal Trade Commission issued in July 2020 and October 2021. So there doesn't even seem to be any big hurry over in GoDaddy land to do much of anything. Then GoDaddy discovered another incident in November of 2021, two months after the threat actor obtained a password that gave access to source code for GoDaddy's managed WordPress service. So beginning two months earlier in September of 2021, this unauthorized party used their access to obtain login credentials for WordPress admin accounts, FTP accounts, and email addresses for 2.1 million current and inactive or previous managed WordPress customers at GoDaddy. And these were not the first of GoDaddy's

many problems. Through the years, security lapses and vulnerabilities have led to a series of suspicious events involving large numbers of sites hosted by GoDaddy. For example, back in 2019, a misconfigured domain name server at GoDaddy allowed hackers to hijack dozens of websites owned by Expedia, Yelp, Mozilla, and others, and use them to publish a ransom note threatening to blow up buildings and schools. The DNS vulnerability, which was exploited by the hackers, had come to light three years earlier. Yet GoDaddy never took any action to mitigate the risk. You know, again, this is not the registrar you want. Also, in 2019, a researcher uncovered a campaign that used hundreds of compromised GoDaddy customer accounts to create 15,000 websites that published spam promoting weight loss products and other goods promising miraculous results. So, okay, so, you know, pushing back from this a bit, the one question I had was how it was that GoDaddy could assert through these more recent three attacks, spanning the same number of years, that they had been repeatedly plagued by a single threat actor, yet somehow have no idea who this individual or group is.

So I did a bit more digging and I found that in their 10-K filing with the SEC, they stated that the most recent December 2022 incident is connected to the two other security events they suffered in March 2020 and November 2021. Okay. Connected how? This reminded me of what we recently saw from LastPass, where we were told that the second attack, the one, remember, where all of our backed-up LastPass vaults were stolen, was enabled by the initial intrusion. Mm-Hmm. <affirmative>. That was worrisome since it suggested to us that LastPass had not fully cleaned up after the first intrusion. In the GoDaddy case, they appear to be stating that they know that it's the same threat actor because information presumably obtained during the initial intrusion three years ago, back in 2020, ah, was subsequently used in both 2021 and 2022. Unfortunately, this suggests, as with LastPass, that post-intrusion cleanup may have been minimized.

And boy, given their track record and their apparent negligence based on the actions that we've seen, who would be surprised by that? But in any event, the cleanup was ineffective. A full post-intrusion cleanup means that nothing that an intruder could possibly have obtained remains valuable once the cleanup is concluded. We know that didn't happen in the case of LastPass, and that also appears to have been the case for GoDaddy. You know, as we've had occasion to note on this podcast, Leo, and you and I have talked about it years ago, once malware has had access to a system, you can never fully trust it again. And I should really remove the qualifier fully. You know, you cannot trust any system after it's been compromised cuz you just don't know what could have been done. You know, these days we have malware burrowing into our motherboard firmware to maintain persistence even across wipes and complete reinstallation.

You know, so the only course of action then is to reflash the firmware, wipe the drives, rebuild from scratch, and change everyone's access credentials. You know, yes, this is a huge nightmare in the case of a large sprawling enterprise, but there's really no choice. After GoDaddy's initial 2020 breach, either something lingered in a system that was never found, you know, some latent advanced persistent threat presence, or they failed to rotate all of the keys and login credentials across the entire enterprise. Something remained, either malware tucked away in an unexamined corner or someone's credentials that were never changed. Thus, the same guys came back later for another dip <laugh> and a year later for yet another one. Wow. Okay. Today and tomorrow the US Supreme Court will be hearing initial oral arguments. And Leo, in your quick summary of the podcast, you properly named <laugh> the first of the two cases.

Gonzalez versus Google. Yeah, I listened all morning. It went on and on and on and on and on and on. Yeah, well, those attorneys do. Yeah. Anyway, the US Supreme Court is hearing oral arguments in a pair of cases which will open the door to allow the court to reexamine the now famous and infamous Section 230 of the Communications Decency Act, which was passed into law by Congress 27 years ago back in 1996. There are a crucial 26 words from Section 230 of that law that are what enable our internet's media companies to remain unresponsible and some would say irresponsible for the content that their users post online for consumption by others. Those 26 words are, quote, no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

26 words. And they mean this. Essentially this blanket protection provides that none of today's media companies, you know, the way this has been used to thwart any attempts at civil liability is none of today's media companies can be held responsible for the content that's being served by their technologies. Thus, it serves as powerful and what has now become crucial protection for them. But many wonder whether it might have been taken too far. The specific question that the cases address focuses upon the content promotion algorithms used by Google, for example, for YouTube, and also Facebook, Twitter, and others to provide their users with, you know, more relevant content. So the question may be whether our social media companies have actually crossed the line to become publishers of this content the moment they involve themselves in that content's deliberate selection and promotion, even if that involvement is entirely algorithmic.

The argument then is that they're no longer acting as passive repositories of user-provided content, and that the selections made by their algorithms are ultimately motivated by profit. There's a cybersecurity law professor, Jeff Kosseff, he's with the US Naval Academy, who wrote an entire book on Section 230 titled The Twenty-Six Words That Created the Internet. And in some reporting by the Washington Post early last October, which is when the Supreme Court decided that they would hear the two cases which are now before them, and for which they're now hearing these oral arguments today and tomorrow. Tomorrow is about Twitter. Today is about Google and YouTube. They quoted Professor Kosseff saying the entire scope of Section 230 could be at stake depending on what the Supreme Court wants to do. And you know, although the stakes could not be much higher, the way these things go, we won't have a decision anytime soon.

Probably not till way later in the year, like toward the end of the year at the earliest, but this will certainly be one to watch. And for their part, the plaintiff's attorneys say that applying the sweeping civil immunities created by Section 230 to algorithmic recommendations incentivizes the promotion of harmful content, and that Section 230 denies the victims of such content any opportunity to seek redress when they can show those recommendations caused injuries or even death. So this'll be very interesting, and I forgot, Leo, where you come down on 230. Oh, I'm <laugh> well, let me put it this way. You like the chatroom <laugh>, you like the Discord, you like your forums, you like our forums, you like our Mastodon. If 230 is overthrown, all of those go away, the world as we know it. Yeah. All of 'em go away because right now I can't and you can't be sued for anything anybody posts on those forums, even if it's defamatory or whatever. They're liable for it, not you, which is reasonable, right?

Furthermore, thanks to Section 230, if you take something down on your forums because it's, you know, racist hate speech, that person can't sue you either. And that's really important. It's the right both to publish and to moderate and not be liable. And because it's codified into law that way, you don't even have to go to court, you know, the judge would immediately say, no, I'm sorry, he's protected by 230. So if they strike it down or even weaken it in any way, you know, it's not Google and Facebook and Twitter who are gonna suffer. They can defend themselves. They have lawyers by the fistful. It's, well, so in this case, you and me. In this case, we're glad that the Supreme Court has a conservative bias at this point in time.

Well, right. They don't have a conservative bias. That's a misnomer. They're not originalist, they just make up whatever they want <laugh> and then find something to justify it. I would be much happier if they were. Yeah. But remember this is a 1996 law. Ron Wyden wrote it and he was a very, very smart guy. Yeah. And it was while they were passing the Communications Decency Act, he said, you know, this could really screw up the internet. We need to provide, you know, safe harbor. Objection. Yeah. Yeah. And so it's very, very important to the internet. You know, you quoted the exact right book. Jeff Kosseff's book is often referred to on This Week in Google. Jeff Jarvis is a big fan of it. I've read it. It's a very, very good book, and you read it and understand it.

I listened to the arguments this morning and you never can tell with the oral arguments in front of the Supreme Court because justices will sometimes play devil's advocate. Their actual opinions aren't always on display. But I was pretty encouraged by the questions they asked the counsel for the plaintiff. And I think they get how important it is. Even one of the justices said, you know, this could have a real impact on the economy. And then Justice Kagan, who I love and was very funny, said, you know, you don't have the smartest internet brains sitting in front of you right here, so you better explain this to us. <Laugh> <laugh>, it was good. So why did they even choose to take it up last October? They could have let the Ninth Circuit decision stand because it upheld the Section 230 rights.

Right. It was appealed. And you're right. That's the question is why did they take it up? And I think, you know, there probably is some reasonable discussion around this. What they're really battling over is not so much the right to publish or the right to moderate, but whether a recommendation algorithm, right, is in some way now editorializing. And at first, I'll be honest with you, when I first read the facts of the case, I said, well, you know, that's actually a good point. You know, in a way Google's algorithm is choosing what to show. Isn't that Google creating content? But I've since seen the light and been persuaded by a lot of smarter people than I, including Cathy Gellis from Techdirt, who we're trying to get on the show tomorrow. She wrote an amicus brief for this.

They also allowed multiple anonymous Reddit moderators to file an amicus brief, as did the EFF. Unfortunately both the White House and the right, Josh Hawley and Ted Cruz, want this to be struck down for different reasons, you know, but the wiser heads point out that it's all algorithmic. If you have a search engine and you go to the search engine, what's on top of the search, unless it's completely chronological, is algorithmic. The only reason that we all switched to Google, well, away from AltaVista. Yeah, exactly. When Google appeared. And the Reddit moderators say, no, we use algorithms to help us moderate. Algorithms aren't inherently bad. You might have an algorithm that's optimizing for profit that as a result surfaces more controversial videos. But that's not the same thing as writing an article saying, I think ISIS is fantastic.

And so it's very risky, and I certainly hope the judges don't do this, to slowly pare away at 230. It's only, as you say, it's only 26 words. Right. And it is black and white at the moment. It's very clear. It's, I think, one of the best written laws ever. It's kind of like a constitutional amendment. It's precise. It's broad enough to have lasted 20 years, 30 years. But at the same time, you know, it's clear and I think its intent is clear, and I'm hoping that the court does not override what was clearly the intent of Congress when they wrote that law. Yeah. So let's, yeah, let's cross our fingers. I dunno if they're conservative, but let's hope they make the right choice.

So The Verge's headline was, it's official: Twitter will now charge for SMS two-factor authentication. Only Twitter Blue subscribers will get the privilege of using the least secure form of two-factor authentication <laugh>. And they were having fun with this. The Verge continued. Now it's official. You can pay for the privilege of using Twitter's worst form of authentication. In fact, if you don't start paying for Twitter Blue, $8 a month on Android, 11 a month on iOS, or switch your account to use a far more reliable authenticator app or physical security key, Twitter will simply turn off your two-factor authentication after March 20th. The writer adds, he says, I know which one I would choose. Good riddance to SMS is my feeling, given how common SIM swap hacks are these days. He says, heck, Twitter's own Jack Dorsey was successfully targeted by the technique four years ago.

You don't want someone to get access to your accounts by proving they are you simply because they've stolen your phone number. That's how Twitter is trying to justify this change too. But I wouldn't be surprised if there's a simpler reason. It costs money to send SMS messages and Twitter does not have a lot of money right now. The company had been phasing out SMS even before Elon Musk took over. Twitter's own transparency data shows that as of December 2021, only 2.6% of Twitter users had two-factor authentication turned on, and 74% of those users were using SMS as their two-factor authentication method. Okay, so here's what Twitter posted and explained last Wednesday. Their blog was titled An Update on Two-Factor Authentication Using SMS on Twitter, by Twitter Inc. We continue to be committed to keeping people safe and secure on Twitter.

And a primary security tool we offer to keep your account secure is two-factor authentication. Instead of only entering a password to log in, 2FA requires you to also enter a code, woo-hoo, or use a security key. This additional step helps make sure that you, and only you, can access your account. To date, we have offered three methods of 2FA: text message, authentication app, and security key. While historically a popular form of 2FA, unfortunately we have seen phone-number-based 2FA be used and abused by bad actors. So starting today, we will no longer allow accounts to enroll in the text message (SMS) method of two-factor authentication unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier. Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another. After March 20th,

we will no longer permit non-Twitter Blue subscribers to use text messages as a two-factor authentication method. At that time, accounts with text message two-factor authentication still enabled will have it disabled. Disabling text message two-factor authentication does not automatically disassociate your phone number from your Twitter account. If you would like to do so, instructions to update your account phone number are available on our help center. Finally, we encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead. These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure. Okay, so some other reporting I found stated that Twitter took this step because SMS two-factor authentication was being abused by fraudsters who would establish accounts using something called application-to-person, or A2P, premium telephone numbers.

Then when Twitter would send two-factor authentication texts to these numbers, the fraudsters would get paid. So it would cost Twitter much more money than just a regular SMS to regular people. Estimated losses were claimed to be around 60 million a year from this. Okay, so of course everyone's piling on Elon these days and his decisions at Twitter have been a source of controversy. 74% of 2.6% is 1.95%. So as of the end of 2021, when we had those stats, 1.95% of all Twitter account holders were using SMS-based two-factor authentication. Now, on the other hand, that's three out of every four of the Twitter users who use any form of two-factor authentication were using SMS, and the use of any form of two-factor authentication certainly prevents some amount of abuse. And even though SMS is not, we know, the best solution, it's still better than having none.

And using it doesn't create any new vulnerability where none existed before, unless, I guess, you were to become dependent upon it and had a crappy password because you figured, oh well, two-factor authentication will protect me. You know, so it's not something that can be relied upon nearly as much as one-time passcodes or security keys. So I don't think this is great news, because it seems to me that it might end up causing Twitter users to simply disable all use of two-factor authentication without upgrading their existing SMS, you know, the least of the three good authentication methods, to one-time passcodes or a security key. At around 450 million monthly users of Twitter, that 1.95% who have been using SMS-based two-factor authentication is eight and a quarter million SMS users per month. So that likely adds up. And I can see Elon wanting to cut cost, and, you know, if there's no way for Twitter to determine whether the phone numbers being registered are paid-to-send numbers, then I suppose he doesn't have much choice.

On the other hand, a great many other large social media organizations offer SMS-based two-factor authentication and they don't appear to have any similar problems. In any event, I hope that those who need some form of authentication will move to passcodes at least, rather than just putting off, you know, all extra authentication when Twitter kills two-factor authentication a month from now. I think it's actually on March 20th, so a month from yesterday. We have some good news. We knew it was coming, it has actually happened, and I've seen texts, or tweets rather, speaking of Twitter, from our listeners wondering if they should move yet. Maybe is the answer. The Argon2 memory-hard (woo) PBKDF, yep, which promises to be far more resistant to brute forcing, is now available from Bitwarden and is present on some Bitwarden clients, and that's the key word, before switching to it.

Since the switch must be made system-wide per user, you'll need to wait until, and make sure that, all of the Bitwarden platform clients you use have been upgraded to support Argon2, which is, just for the record, 2023.2. That's the version you need. Exactly. That's the one you want. Yeah, 2023.2. I have it on my iPhone. I don't yet have it on Android. But you even have to have it on wherever you use it, on your desktops, on your plug-ins and all that. Yes. It's gotta be in your browser extensions. Apparently it's not quite there yet. You'll be blocked, right? You won't be able to use it. That's correct, you will not be able to authenticate on that new device. Right. Six days ago a Bitwarden employee named Ryan posted to Reddit.

He said, for those curious as to why not everything is rolled out at once, each browser extension and mobile app needs to go through an approval process with their respective app stores. Please be patient. Usually the approval process takes about a week. So, you know, this is fresh news, but it's coming soon to Bitwarden platform clients near you. That's the good news, is that Bitwarden has approved the pull request, added it, and it is in the new version. Just wait till you get the new version. You will. And right, and if you have it in iOS, then that's, yeah, that's significant. Yeah. I just got it a couple of days ago in iOS. I've been watching with great interest, as you might imagine, and I will switch as soon as I can do that safely.

Yeah. So Mark Zuckerberg posted an announcement about a little change in Meta. He said: Good morning and new product announcement. This week we're starting to roll out Meta Verified, a subscription service that lets you verify your account with a government ID, get a blue badge, get extra impersonation protection against accounts claiming to be you, and get direct access to customer support. This new feature is about increasing authenticity and security across our services. Meta Verified starts at $12 per month on the web, or $15 per month on iOS. Yeah, we'll be roll... I know <laugh>. Yeah, that's exactly my feeling. He says we'll be rolling out in Australia and New Zealand this week and more countries soon. So, okay. Facebook is adding paid identity verification and more. So elsewhere in their announcement they wrote, some of the top requests we get from creators are for broader access to verification and account support, in addition to more features to increase visibility and reach.

Since last year we've been thinking about how to unlock access to these features through a paid offering. With Meta Verified, you get a verified badge confirming you are the real you and that your account has been authenticated with a government ID. By the way, it was also mentioned, I don't think they say it here, that you have to be using your real name on your Facebook page, not some random handle. Also, you get more protection from impersonation, with proactive account monitoring for impersonators who might target people with growing online audiences. Third, help when you need it, with access to a real person for common account issues. Fourth, increased visibility and reach, with prominence in some areas of the platform like search, comments, and recommendations. And finally, exclusive features to express yourself in unique ways, and we don't know what those are.

So first of all, I reacted exactly as you did, Leo. 12 bucks a month on the web and 15 bucks a month on iOS strikes me as really expensive. It's not a one-time verification fee, which would seem reasonable. This is an ongoing cost, you know, $144 a year, or $180 a year on iOS. And so, you know, I suppose this is not for everyone. If someone uses Facebook as a major platform, then I could see how it makes sense to pay something to obtain spoofing prevention and apparently higher visibility in search ranking results. But yeah, we don't get ad-free though, right? I mean, it's not like, yeah, you only pay us seven bucks and you get ad-free. I don't <laugh>, you know, I don't really understand. And it's not for businesses, it's only for individuals. It's very strange, right?

You're correct. That's not available for businesses. Yeah. They said at this time. So, well, we'll see. It's not gonna generate 10 billion a year, and that's what Mark's spending on VR right now, so, no. Yeah. Emsisoft, a company whose name we've spoken of. Yeah. They basically provided us with a reminder of why simply having code signing is not and should not be sufficient to have antivirus and download protection warnings silenced. So the antivirus publisher Emsisoft has put out a public service announcement warning that threat actors are currently using fake Emsisoft code signing certs to sign their malware. This results in attacks appearing to come from Emsisoft's products, as well as to slip past anything that refuses to run unsigned software. So at some point, I think what's gonna happen is, you know, code signing will become necessary but not sufficient. At the moment,

it's entirely optional, but mostly is there for user assurance. And, you know, I'm signing all of my apps now because it just seems like a good thing to do. I know that sometimes when I'm digging around on the internet looking for some obscure thing, because, you know, a part of my life is still tied to DOS, if I see something on some download site, I will check to see if it's signed, because although, as this little warning reminds us, it's not absolute assurance, it's sure better than not having something signed. And it certainly, if nothing else, sends a signal that AV and systems like Microsoft Defender, you know, can add to the conglomeration of other signals to decide what level of warning they wanna provide the user. <Laugh>.

Okay. DDoS attacks are always resource depletion or resource consumption of one kind or another. Today's modern DDoS attacks are typically no longer floods of TCP SYN packets like they were in days past. Those now seem quaint by comparison. Modern attacks are aimed less at consuming or clogging raw bandwidth than at asking web servers to generate more pages per second than they possibly can. Since modern websites are generally the front-facing surfaces of a complex content management system on the backend, which is driven by some form of SQL database, individual HTTPS queries have become much more computationally intensive than yesterday's serving of static webpages. The previous contemporary-style DDoS attack blocking record was set by Google Cloud, which last June reported blocking an attack rate of 46 million HTTPS requests per second. But that was then. Now, last week, Cloudflare has reported that it successfully fended off an attack that was 35% greater than that, mitigating a new record-setting HTTPS DDoS attack of 71 million requests per second. That's a lot of bots spread around the world, all concentrating their fire onto a single target.

There are a growing number of strong website DDoS defenders. They include Akamai DDoS Mitigation, AWS Shield, Cloudflare's DDoS Protection, Google Cloud, F5's DDoS Hybrid Defender, Imperva DDoS Protection, and Microsoft's Azure DDoS Protection. Websites that pay to be located behind them are able to remain online even during an attack of such scale. That alone is somewhat astonishing, and an attack of this scale would utterly obliterate any other site that's simply on the internet. The mitigation of attacks of such scale, while avoiding collateral damage to nearby resources, requires carriers of the attacking traffic which is bound for a site under attack to block all traffic as far away upstream from the target as possible, to prevent that traffic's aggregation as it moves from router to router approaching its destination. If we picture the internet as a highly interconnected global network of individual routers, which is exactly what it is, each one forwarding traffic towards its destination, a useful overlay for this is the image of a great funnel, where incoming traffic is being funneled toward its target. In the model of a funnel,

the closer we approach the funnel's neck, the greater the traffic burden becomes. Since the physical implementation of this traffic movement is individual routers, the best defense against too much traffic is to cause attacking traffic packets to be dropped far out at the funnel's mouth. But doing this effectively inherently requires a large traffic provider. If the provider's network is not sufficiently large to allow the incoming traffic to be blocked before it has the opportunity to concentrate, then the provider's aggregation routers would be swamped themselves before it even gets to the user's web server. And many other of the provider's customers who are also being served behind those aggregation routers would have their site access impacted by the collateral damage caused by a failure of the packet transport fabric. An organization of Cloudflare's size, to name just one, has the advantage of operating at global scale. And when we're talking about handling attacks of this size, the network size is not only an advantage, it's a necessity. Since attacking bots are also globally spread, traffic bound for one customer's website will be entering the network of a global carrier such as Cloudflare at many peering points across the globe. So the moment an attack is detected, all of the provider's edge routing infrastructure can be informed of the attack and switched into an attack mitigation stance.

We talked many years ago about the sheer brilliance of the Internet's design, and, you know, with the original concept of autonomous packet routing being at the heart of this, that the original concept has withstood the test of time. Insane growth in usage and application stands as a testament to those who created this system so long ago. But its great weakness is that it was never designed to withstand deliberate abuse. The idea that someone would flood the network with attack traffic was something that this system's gifted designers could never have anticipated. Even so, the Internet's basic architecture has been adaptable to incorporate such protections over time. So wow, hats off to them.

And Leo drinks up for me. <Laugh> We do have DDoS... I actually shouldn't talk about our DDoS mitigation, should I? But we use it. And it's not Cloudflare, how about that? <Laugh> We might be using Cloudflare, we use somebody else. There are a number of people that do this. People with big fat pipes, basically. Yep. That's the key. It's no mystery though. Anyone can check to see where the traffic... Oh, they could tell, they send to you. Yeah, I guess you're right. Come to think of it. So we use AWS, they have a very good DDoS protection solution as well. Let's check AWS Shield. Yes, you mentioned it and now I can tell the world we use it. <Laugh>

Our show today is brought to you by our great friends at ACI Learning. IT Pro for years supported this show, since they started in 2013, and we've supported IT Pro right back. They've now partnered with ACI Learning to bring you the best way to learn IT. For a decade now, our partners at IT Pro brought you entertaining, engaging content so that you can learn IT, level up your career or organization, or get that first job in IT. Now that IT Pro is part of ACI Learning, you can expect an expanded reach, production capabilities second to none, the content and the style of learning you want at any stage in your development. Now, I say style because while IT Pro of course focuses on remote learning, ACI also has hubs where you can go and learn from an instructor in person. They also have the practice labs.

They have the tests you take before you take the test. All the tools you need to get that first job in IT or to level up in IT, whether you're at the beginning of your career or looking to move up in your sector. ACI Learning is here to support your growth, not only in IT, but also in cybersecurity and audit readiness. Now they have Audit Pro as well. One of the most widely recognized beginner certificates, we've talked about it many, many times, is CompTIA's A+ cert. I think a lot of our listeners have A+ certs. That's probably how they got into IT. CompTIA courses with IT Pro from ACI Learning make it easy to go from daydreaming about a career in IT. Heck, if you're listening to this show, you probably know more already than most IT people. You're ready to get a job in IT, but you gotta get that cert, and that's how you launch that career.

Earning certs opens doors to most entry-level IT positions and supplies potential promotions for those already in the field. We also know that cybersecurity certs are even more important if you're already in IT but you want to get into cybersecurity. About a third of information security jobs in cybersecurity, one third, require a cert. So that's important to know. You need that cert to get that first job. But if you want to become a cybersecurity pro, you need that cybersecurity cert. And that makes sense. Employers want to see that you've not only got the knowledge, but that you put in the time, the study, the work to become adept in that field. That's kind of what that cert tells them. And let me tell you, organizations are desperate right now for cybersecurity talent. The skills gap in cybersecurity's growing every single day.

The average salary right now for cybersecurity professionals, this is the average, is $116,000. ACI Learning's Information Security Analyst and Cybersecurity Specialist programs can get you even more. Get certified, get a great job. The gap is huge. Last year, the global cybersecurity workforce gap increased by 26.2%. It's more than a million unfilled cybersecurity jobs, great jobs waiting for you. ACI Learning offers multiple cybersecurity training programs that can prepare you to enter or advance within this exciting industry. The most popular cybersecurity certs offered, they have quite a few, but the big ones are the CISSP. How many of you have that? EC-Council's Certified Ethical Hacker. That's the one I've always wanted. Certified Network Defender. Cybersecurity Audit School. We were just talking about auditing, right? There's a huge need for people with the audit capabilities and cybersecurity frameworks.

Gotta know how to use them. You're probably gonna take multiple courses to get any one of these certs. There's a lot to learn, but boy, why not do it the right way with ACI Learning, where and how you learn really does matter. ACI Learning offers fully customizable training for all kinds of learners. You might like it in person. They've got that. Yeah. On demand. They've got that. Remote, live remote, they've got that too. Take your learning beyond the classroom, exploring everything ACI Learning offers: IT Pro, we already know how great they are; the Audit Pro that includes enterprise solutions. They've got webinars, they have a great podcast, if you haven't heard it, the Skeptical Auditor podcast. Practice Labs, I mentioned those. The learning hubs, where you can go in person. They've got a partnership program too. Tech is one industry where opportunities are outpacing growth in a big way, especially in that cybersecurity area.

So if you're already in IT, think about cybersecurity. If you're not in IT, that might be a focus for you. If you listen to this show, it probably already is something you're interested in, right? One third of information security jobs require a cybersecurity certification. Where are you gonna get it? Where are you gonna get it? ACI Learning, yes. To maintain your competitive edge across audit, IT and cybersecurity readiness, visit the website, go dot ACI. That's go dot ACI. We also have that offer code, still have it: TWIT30, TWIT three zero. That's gonna get you 30% off, 30% off a standard or premium individual IT Pro membership. It is a resource for everyone. This is your chance to get a great job, to improve your work prospects. Go. There's no reason in the world not to do this. I'm telling you, if you listen to this show, you're ready, baby.

We thank them so much for supporting Security Now, and supporting all of our Security Now listeners too, I might add. And if you wanna support us, make sure when you go there, you use that slash twit and the offer code TWIT30. Okay, I'll say it one more time. Go dot ACI. That's part one. And the offer code TWIT30, TWIT three zero. All right, Steve, on we go. Speaking of DDoS attacks, I've often worried out loud here, you know, for at least the last couple years, about what would happen when malicious actors finally got around to focusing their evil intent upon, and commandeering for their nefarious needs, the truly countless number of internet-connected, low-end IoT devices. Well, those worries are beginning to manifest. Last year, from the summer, July through December of 2022, Palo Alto Networks' Unit 42 researchers observed a Mirai botnet variant known as V3G4 predominantly leveraging IoT vulnerabilities to spread.

V3G4 targets 13 separate vulnerabilities in Linux-based servers and Linux-based IoT devices. The devices are commandeered for use in DDoS attacks. The malware spreads both by brute forcing weak or default Telnet and SSH credentials, and by exploiting known but unpatched firmware coding flaws to perform remote code execution on the targeted devices. Once the device is breached, the malware infects the device and recruits it into its botnet tribe. And, you know, this is exactly what we've been worried about for years. Though it makes no rational sense at all, we know how difficult it is to even update big iron systems that need to be kept current, where there's a well-established notification and patching infrastructure in place to support that. Just look at the recent VMware ESXi fiasco. Those systems should have been readily updated, but as we know, they weren't. Compare that to some random IP camera which was long ago installed and has since been forgotten.

What about patching it? Good luck with that. We can't even keep our servers patched today, as I have often lamented. We have a literally uncountable number of gizmos and gadgets attached to the internet. Why? Because we can. While most of those in our homes are safely tucked away behind the one-way valve of our NAT routers, and also hopefully on their own isolated network where possible, a great many, due to their role and application, have deliberately been given access to the public internet. In the present case of V3G4, Unit 42 tracked three distinct campaigns. Unit 42 believes all three attack waves originated from the same malicious actor because the hard-coded command-and-control domains contain the same string, the shell script downloads are similar, and the botnet clients used in all attacks feature identical functions. Yeah, that'd be enough to convince me.

Okay, so what does V3G4 attack? It exploits one of the 13 vulnerabilities. There's CVE-2012-4869, which is a FreePBX Elastix remote code execution. There's a Gitorious remote command execution. There's CVE-2014-9727, FRITZ!Box webcam remote command execution. Mitel AWC remote command execution. There's CVE-2017-5173, Geutebruck IP camera remote code execution. Also CVE-2019-15107, Webmin command injection. Spree Commerce arbitrary command execution. FLIR thermal camera remote command execution. CVE-2020-8515, DrayTek Vigor remote command execution. Also, same year, CVE-2020-15415, DrayTek Vigor remote command execution. Also in 2022, last year, CVE-2022-36267, Airspan AirSpot remote command execution. Atlassian Confluence remote command execution. C-Data Web Management System command execution. 13 in total. And notably, some of those CVEs were from 2012, 2014, 2017, and 2019.

There's no reason to imagine that any of these problems will ever be repaired. And why would they be? The device is apparently working just fine, and who even knows whether the company that created it still even exists. A new trend we've observed is that companies are formed on the fly by pulling together, you know, the individual required resources. Devices are designed, they're manufactured, they're sold. Then the entire briefly assembled organization dissolves, returning back to its original component parts. There's no one to call for updates. There's no follow-up, there's no accountability. There's no aftermarket, after-sales support. Yet an internet-connected gadget can now harbor hostile code and be used, probably throughout the rest of its long service life, as one more tiny cog in a massive and untraceable global attack-launching platform. That's where we are today. Again, in the case of VG64, I mean V3G4, after compromising the target device, a Mirai-based payload is dropped onto the system and attempts to connect to the hard-coded command-and-control address.

Once running, the bot terminates a large number of known processes from a hard-coded list, which includes other competing botnet malware families. Hey, I'm here now. You guys get out. You know, now there's a new king of the hill. A characteristic that differentiates V3G4 from most other Mirai variants is that it interlaces the use of four different malware XOR encryption keys rather than just one. This was clearly an attempt to make static analysis, reverse engineering of the malware's code, and decoding its functions more challenging. As I briefly noted earlier, when spreading to other devices, the botnet uses a Telnet/SSH brute forcer that tries to connect using default or weak credentials, and those 13 known vulnerabilities. Once set up and running with a connection to the botnet's command and control, the compromised devices are then given DDoS commands directing their attacks.

This variant offers TCP, UDP, SYN, and HTTP flooding methods. The Unit 42 guys suspect that V3G4 sells DDoS services to clients who want to cause service disruption to specific websites or other online services, although the front-end DDoSing service associated with this botnet had not been identified at the time of Unit 42's report. So, you know, this is what was expected for a number of years, was that eventually people were gonna get around to getting serious about taking over our IoT devices and enlisting them in DDoS attacks. And we're now seeing a classic, perfect example of that happening.

So week after week, I encounter news of malware stashes being found on this or that, or sometimes all, popular code registries and repositories. An example of such a piece of news from last week is that Check Point's research team detected 16 malicious JavaScript packages uploaded on the official npm registry. The researchers said that all packages were created by the same author and were designed to download and run a hidden crypto miner on a developer's system. The packages pretended to be performance monitoring, so you'd expect them to use your computer's resources in order to determine how well a package is running. It, however, stays around afterwards, unbidden, to crypto mine in the background. All 16 packages have since been removed from the npm registry. Anyway, so I just wanted to say that this is a constant flux. It's like that week after week, endlessly.

I'm mentioning it this week because, you know, I don't mention all of this happening every single week in one form or another. Sometimes it's npm, sometimes it's PyPI, sometimes something else. Basically, wherever security firms are looking, they are now finding malicious packages. So I just wanted everyone to be aware that there is this constant flux of malware dribbling into the open source ecosystem. It's now another one of today's realities. It's used everywhere too, this package management system. And on Macs we have Homebrew. Every Linux distro has a package manager that downloads stuff. And security is really an afterthought. You know, I use a package, it's, man, oh, hey, it's free, it's free. Grab this, download that, grab this, you know, grab that. And the other thing is, sometimes when you install something, it comes with this massive list of dependencies.

Right? Right. Because, you know, so those all download and install, right? Exactly. Right. You know, some of the package managers I use on Linux give you a chance to review the changes ahead of time, but even then, most of us just go, yeah, yeah, yeah, whatever. Leo, it's like a license agreement. It's like, oh, yeah, fine. So it's page after page, but what button do I push? Of code, of makefile code and, you know, weird code, and who, I dunno who, and ain't nobody got time to read that. Nope. So I'm not surprised. I think we've gotta solve this though. They've gotta find a way to fix this somehow. Yeah. And the problem is, when you talk about closing it, well, you can't; closing it is against the spirit of it being open. Yeah. Which is the whole point, right?

I don't know how you do this. Yeah. So Patch Tuesday, that was last Tuesday. Many well-known publishers got in on the action. The industry was made aware of security updates released by Apple, Adobe, Git, Microsoft, and SAP; the Android project, OpenSSL, and VMware also released security updates. Last week, Microsoft patched 80 vulnerabilities including three zero-days. And Apple got a lot of attention releasing security updates that included a patch for an actively exploited Safari WebKit zero-day vulnerability. So everyone was told, you know, don't delay on that one. We know that the sometimes crucial mistake many large and small organizations make is in ignoring these fixes. You know, if everyone kept their software patched, we'd be seeing many fewer widespread problems, such as that VMware ESXi debacle, which is still ongoing, by the way; more than 500 newly compromised systems just last week.

So still happening, but slowing down, as it turns out. However, and this is one reason that at least enterprises need to be a little careful, it wasn't all smooth sailing with this month's security updates. Microsoft has stated that some Windows Server 2022 virtual machines may no longer boot after installing the updates released last week. This issue, they said, only impacts VMs with Secure Boot enabled and running on VMware's vSphere ESXi 6.7 U2 and U3, or vSphere ESXi 7.0.x. The culprit is patch KB5022842, which, if installed on guest virtual machines running Windows Server 2022, may leave them unable to start up. VMware and Microsoft are working to determine the cause. Interestingly, even though Microsoft says that only VMware ESXi VMs are affected, some admin reports point to other hypervisor platforms, including bare metal, also being impacted by this issue.

So again, end users should, you know, upgrade; enterprise users are always gonna have to be on guard. Last Friday, Samsung announced a new feature, for the moment only on its Galaxy S23 series smartphones, called Message Guard. Now, the details are sketchy, and it sounds like it resembles Apple's BlastDoor technology, which Apple introduced back with iOS 14. Both technologies, Message Guard, which is Samsung's, and BlastDoor, Apple's, are image rendering sandboxes. We've often talked about the difficulty of safely and securely rendering images, because image compression encodes images into a description that must later be read and interpreted in order to recover a close approximation of the original image. It's those image decompressing and rendering interpreters that have historically harbored subtle flaws that malicious parties have leveraged to create so-called zero-click exploits, meaning that all the phone needs to do is display an image in order to have it taken over by a remotely located malicious party.

So Samsung now has this technology added to its S23 series, and it has said that it plans to expand it to other Galaxy smartphones and tablets later this year that are running on One UI 5.1 or higher. The addition of these technologies represents a maturation, I think, of our understanding of the problems we face. It is so easy to imagine, and every developer does, that any problem that's found will be the last one that will ever be found. And of course, that's true right up until the next problem is discovered. Experience shows that we're not running out of such problems anytime soon, if ever. Hey everybody, Leo Laporte here. I am the founder and one of the hosts at the TWiT Podcast Network. I wanna talk to you a little bit about what we do here at TWiT, because I think it's unique, and I think for anybody who is bringing a product or a service to a tech audience, you need to know about what we do.

Here at TWiT, we've built an amazing audience of engaged, intelligent, affluent listeners who listen to us and trust us when we recommend a product. Our mission statement at TWiT is to build a highly engaged community of tech enthusiasts. Well, already your ears should be perking up at that, because highly engaged is good for you. Tech enthusiasts, if that's who you're looking for, this is the place. We do it by offering 'em the knowledge they need to understand and use technology in today's world. And I hear from our audience all the time, part of that knowledge comes from our advertisers. We are very careful. We pick advertisers with great products, great services, with integrity, and introduce them to our audience with authenticity and genuine enthusiasm. And that makes our host-read ads different from anything else you can buy. We are literally bringing you to the attention of our audience and giving you a big fat endorsement.

We like to create partnerships with trusted brands, brands who are in it for the long run, long-term partners that want to grow with us. And we have so many great success stories. Tim Broom, who founded it Pro TV in 2013, started advertising with us on day one, has been with us ever since. He said, quote, we would not be where we are today without the TWIT network. I think the proof is in the pudding. Advertisers like it Pro TV and Audible that have been with us for more than 10 years, they stick around because their ads work. And honestly, isn't that why you're buying advertising? You get a lot with twit. We have a very full service attitude. We almost think of it as kind of artisanal advertising, boutique advertising. You'll get a full service continuity team, people who are on the phone with you, who are in touch with you, who support you from, with everything from copywriting to graphic design.

So you are not alone in this. We embed our ads into the shows. They're not, they're not added later. They're part of the shows. In fact, often they're such a part of our shows that our other hosts will chime in on the ads saying, yeah, I love that. Or just the other day one of our hosts said, man, I really gotta buy that <laugh>. That's an additional benefit to you because you're hearing people, our audience trusts saying, yeah, that sounds great. We deliver always overdeliver on impressions. So you know, you're gonna get the impressions you expect. The ads are unique every time. We don't pre-record them and roll them in. We are genuinely doing those ads in the middle of the show. We'll give you great onboarding services, ad tech with pod sites that's free for direct clients, gives you a lot of reporting, gives you a great idea of how well your ads are working.

You'll get courtesy commercials. You actually can take our ads and share them across social media and landing pages that really extends the reach. There are other free goodies too, including mentions in our weekly newsletter that sent to thousands of fans, engaged fans who really wanna see this stuff. We give you bonus ads and social media promotion too. So if you want to be a long-term partner, introduce your product to a savvy engaged tech audience, visit Check out those testimonials. Mark McCreary is the CEO of Authentic. You probably know him one of the biggest original podcast advertising companies. We've been with him for 16 years. Mark said the feedback from many advertisers over 16 years across a range of product categories, everything from razors to computers, is that if ads and podcasts are gonna work for a brand, they're gonna work on Twitch shows.

I'm very proud of what we do because it's honest, it's got integrity, it's authentic, and it really is a great introduction to our audience of your brand. Our listeners are smart, they're engaged, they're tech savvy, they're dedicated to our network, and that's one of the reasons we only work with high integrity partners that we've personally and thoroughly vetted. I have absolute approval on everybody. If you've got a great product, I want to hear from you. Elevate your brand by reaching out Break out of the advertising norm. Grow your brand with host red ads on Visit for more details, or you can email us, if you're ready to launch your campaign. Now, I can't wait to see your product, so give us a ring.

Okay, so it turns out that millions of Hyundai and Kia autos, which is to say approximately 3.8 million Hyundais and 4.5 million Kias, are vulnerable to being stolen using just a bit of technology. And indeed, once the method of doing so became common knowledge in some circles, Los Angeles reported an 85% increase in car thefts of those two brands. And not to be outdone in the car theft category, Chicago saw a ninefold increase, 900%, in the theft of those cars. Okay, so first, how was the news spread? Believe it or not, by something being called a "challenge," which has been heavily promoted on TikTok since last summer, July 2022. TikTok presented instructional videos showing how to remove the steering column cover to reveal a USB-A format connector, which can then be used to hotwire the car. Hyundai's and Kia's first low-tech response, which began last November, was to work with law enforcement agencies across the United States to provide tens of thousands of steering wheel locks.

You know, a big red steering wheel locking bar has the advantage of letting TikTok-watching car thieves know that even if they're able to enter and start the car, aiming it will still present a problem. The fundamental problem surrounds a coding logic flaw that allows the turn-key-to-start system to bypass the engine immobilizer, which is supposed to verify the authenticity of the code in the key's transponder to the car's ECU. In other words, no key is needed. This allows car thieves to activate the ignition cylinder using any USB cable to start and then drive off with the car. Hyundai wrote, quote: "In response to increasing thefts targeting its vehicles without push-button ignitions and immobilizing anti-theft devices in the United States, Hyundai is introducing a free anti-theft software upgrade," well, that's nice of them, "to prevent the vehicles from starting during a method of theft popularized on TikTok and other social media channels."

Okay, so the software upgrade will be provided at no charge. <Laugh> You better believe it, for all impacted vehicles, with a rollout which began last Monday, so a week ago yesterday, initially to more than 1,000,000 2017 through 2020 Elantra, 2015 through 2019 Sonata, and 2020 and 2021 Venue cars. All of the rest of the affected autos, and there were too many of them to list here, will be upgraded through the summer of this year. The upgrade will be installed by Hyundai's official dealers and service network throughout the US and is expected to take probably less than an hour. Eligible car owners will be individually notified. Hyundai's announcement explained that the upgrade modifies the turn-key-to-start logic to kill the ignition when the car owner locks the doors using the genuine key fob. After the upgrade, the ignition will only activate after the key fob is first used to unlock the vehicle, meaning that you can't break in first.

That was the missing interlock which facilitated this hack in the first place. So the question remains, though, you know, without a big red steering wheel locking bar, how would thieves without wheels know that your particular Hyundai or Kia is no longer vulnerable? Hyundai is solving this dilemma by supplying its customers, after they get the upgrade, with a convenient window sticker. And I would love to see what the sticker says, you know, like, "Upgraded, so the TikTok hack no longer works. Don't bother." Can you put glue in the USB port? Would that <laugh>, would that help? That's just... Well, and the problem is your car's gonna get broken into before the bad guy... Put a sign in the window that says "Glue in the USB port. Do not attempt." Yeah. So Hyundai's providing a sticker, and I would love to see what the sticker says.

You know, I'll show you this sticker, we just got it. Best Buy. You're gonna like this. "Remember to turn your computer off before 3:14:07 on 1/19/2038." <Laugh> <laugh> I should send that to you. That's brilliant. As a Picture of the Week. I just saw this. That's brilliant. <Laugh> Hyundai's got a sticker that says what? That it's software upgraded? What? You won't, you won't, I bet you won't be able to steal this car, or something. But I mean, I bet it doesn't work. What's it gonna, is it really gonna prevent that? I don't know. Well, they're really gonna put a sticker in the window. You know, and so, but it only works for some. Unfortunately, there are some models that completely lack the engine immobilizer technology. Ah, see, and so those aren't enabled. Yeah. Yes. They cannot receive the software fix. Okay. Which, you know, updates the missing immobilizer logic.

Yeah. So to address that problem, Hyundai will cover the cost of steering wheel locks for their owners. And, you know, this is the definition of clu... You know, so far all of this talk has been about Hyundai, but as noted, Kia has a similar problem. Yes, same. Kia, same company, has, yeah, has promised to start the rollout of its software upgrade soon, but hasn't yet announced any specific dates or details. The US Department of Transportation was the source of those stats about the number of affected vehicles, and also noted that these hacks have resulted in at least 14 confirmed car crashes and eight fatalities. Oh no. So what do you wanna bet that product liability and personal injury law firms are already rubbing their hands together over this quite significant screw-up? Wow. Okay. Who says TikTok isn't useful? That's what I say. <Laugh> <laugh>

So the astonishing success and the equally surprising performance of OpenAI's ChatGPT GPT-3 large language model AI means that a new phenomenon will soon be entering mainstream use. Leo, I'm gonna take a sip of water. Why don't you tell our listeners? Oh, good. I will, I'll tell you about Club TWiT while we get ready. I'm dying to hear Steve's take on all this. This will be fascinating. We've been talking about nothing else on all the shows for the last couple of weeks. It's a hot topic, but what gave our podcast the name today? "A Clever Regurgitator." I figured that as much. Yes. There have been lots of names for ChatGPT <laugh>, including, what is it? Mansplaining Machine. Spicy Autocorrect. But I like "the Regurgitator." That's good. That's good. You like this show.

Would you like to hear this show without any commercial interruptions, including the one you're about to hear? I've got a solution for you. Join the Club, Club TWiT. We thank our Club TWiT members for making this show and all the shows we do possible. I don't know if you've noticed, this show is short on ads. Many of our shows have no ads at all. You probably saw articles in the New York Times and elsewhere saying that podcast advertising is falling off a cliff. I don't know if that's because of a bad economy or because there's a million new podcasts every minute, but it is getting harder and harder for us to support this network, this show, and all the other shows we do through advertising. I wanted to do that. That's what we've been doing for the last 15 years.

But there is another way. And in the long run I kind of like this way better. And that's getting you, the listeners, to support what we do. That's why we created Club TWiT. Lisa created it. We're on our second anniversary in a couple of months, which is pretty great. She did a lot of research. She said, "I don't want this to be too expensive." So we've priced it less than anybody else. It's a buck less than Twitter's blue check. It's five bucks less than a blue check on Facebook: seven bucks a month, 84 bucks a year. You get ad-free versions of all the shows, 'cause you're giving us money, we don't need to advertise to you. But you get a lot more. You also get access to the fantastic Club TWiT Discord, which is a place you can go hang.

I'm more and more thinking Discord <laugh> is a great social network, the best social network. And I tell you, when it's just Club TWiT members in there, it's so much fun. It's more than just the shows. 'Cause we do have chat sections for all the shows, but there's all the topics geeks are interested in, from beer, wine and cocktails to automobiles. We've got Stacey's Book Club, ham radio, movies, TV, music, travel. It's all in there. I hang out in the coding group all the time. We've got some great coders in there with lots of good conversations going on. And I mean real conversations. So the Discord is another benefit. You get that too. You also get the TWiT Plus feed, which includes shows we don't put on the regular TWiT feeds, shows like Micah Sargent's Hands-On Macintosh and Paul Thurrott's Windows Weekly.

We've got Stacey's Book Club, the Untitled Linux Show, the Giz Fiz, lots of other stuff. We do special events. Lisa and I did an Inside TWiT a couple of weeks ago. All of that is on the TWiT Plus feed. So ad-free versions of all the shows, access to the Discord, where many of the hosts are also hanging out. You also get the TWiT Plus feed. Seven bucks a month. But here's the most important thing. You can feel good, because that money really helps us keep the lights on, keep the staff employed. We use it to generate new shows. That's why we have This Week in Space. The club helped foster it. We grew it in the club. Once it got to a certain size, we were able to put it out to the public. That's the plan. Right now I think we have about 6,000 users.

That's less than 1% of the whole audience. If we got to about 5% of the whole audience, you wouldn't hear any more ads. It would simplify life for all of us. That's all it would take. You don't all have to pay. All I'm asking, you know who you are, if you can afford seven bucks a month, help us out a little bit. That's all. I'm not gonna beg you, this isn't public broadcasting, but maybe we could be if we did it right. And this also gives Steve a chance to quaff a fine beverage and continue on <laugh> talking about ChatGPT. Okay, so as I started to say, the astonishing success and the equally surprising performance of OpenAI's ChatGPT GPT-3 large language model AI means that a new phenomenon will soon be entering mainstream use.

I think that's absolutely clear right here on this podcast. Thanks to Rob Woodruff's inspiration to enlist ChatGPT in assisting him with authoring that LastPass vault de-obfuscating PowerShell script, we've all witnessed firsthand just how significant these coming changes will be. And anyone who's been following the news of this may have, you know, continued to be somewhat astounded by what this technology appears to be capable of accomplishing. I think that the most accurate and succinct way of describing what we're witnessing is that it is astonishing to see the degree to which a neural network using large language modeling, as exemplified by ChatGPT, is able to simulate intelligence. And I think that is the key concept to hold onto: ChatGPT is not itself in any way intelligent. It is a clever regurgitator of intelligence. One of the dangers which we can feel present is that this turns out to be a surprisingly subtle yet crucial distinction, which is guaranteed to confuse many if not most people who casually interact with this mindless bot. After absorbing the historical global output of a truly intelligent species,

namely man, we have an automaton that's able to take our entire historical production, all at once as a whole, and quickly select from that massive corpus the right thing to say. It's able to choose it because that right thing has been expressed before by man in thousands of different contexts. So it appears intelligent because it's mimicking an intelligent species. A parrot in a cage who says "Polly wants a cracker" is more intelligent, because it really does want a cracker <laugh>. Although ChatGPT may be induced to express a desire, that's still nothing more than mimicry, since it has previously absorbed all of humanity's past expressions of desire. It doesn't ever actually want anything, because there's not actually any "it" there at all to do any wanting. Again, I come back to, yes, what it does is astonishing, but that's only because it is the first thing we've ever encountered that's able to convincingly sound like us.

But that's all it's doing. It's sounding like us. The parrot in its cage is extremely limited in its ability to sound like us. A sufficiently large language model neural network is potentially unlimited in its ability to sound like us. And if we can be certain of anything, it's that this simulation will be improving over time, especially now that this technology has left the lab and the capitalistic forces of commerce will be driving and funding further advancement. But nevertheless, in no way should sounding like us ever be confused with being like us. A high-fidelity recording of Pavarotti may sound exactly like Pavarotti, but it isn't Pavarotti. It's just a recording. Okay, so what got me started on this? It was an interesting experiment by some researchers at the company ANY.RUN who wanted to explore an aspect of ChatGPT's limitations. They wanted to see whether ChatGPT's otherwise impressive capabilities might extend to analyzing real-world malware.

If so, it might make security researchers' lives more productive by allowing them to dump a load of code into ChatGPT and have it figure it out. Their blog posting begins, quote: "If ChatGPT is an excellent assistant in building malware, can it help analyze it too? The team of ANY.RUN malware sandbox decided to put this to the test and see if AI can help us perform malware analysis. Lately there's been a great deal of discussion about malicious actors using ChatGPT, the latest conversational AI, to create malware. Malware analysts, researchers and IT specialists agree that writing code is one of ChatGPT's strongest sides, and it's especially good at mutating it. By leveraging this capability, even wannabe hackers can build polymorphic malware simply by feeding text prompts to the bot, and it will spit back working malicious code. OpenAI released ChatGPT in November of 2022,

and at the time of writing this article, the chatbot already has over 600 million monthly visits. It's scary to think how many people are now armed with the tools to develop advanced malware. So going into this, our hopes were high, but unfortunately the results weren't that great. We fed the chatbot malicious scripts of varying complexity and asked it to explain the purpose behind the code. We used simple prompts such as 'explain what this code does' or 'analyze this code.'" Okay? And then they go on with examples. The short version of what they discovered is that ChatGPT did remarkably well when the researchers gave it toy code to examine, and it really did surprisingly well on that. But as the complexity of the testing code increased, there was a sort of complexity cliff they ended up going over, after which ChatGPT collapsed completely.

And knowing what we know now, isn't that exactly what we would expect? As a large language model neural network, ChatGPT is not in any way, even the tiniest bit, sentient. Our limited-language parrot is more sentient. So ChatGPT is unable to understand anything at all. That means it's not going to be great at the true problem solving that reverse engineering complex malware code, or any code, requires. But reverse engineering code is very different from writing code. Thanks to the explosion of open source software, ChatGPT has previously ingested all of the source code on the Internet. That's a massive amount of real working code. And as we understand it, it is able to select, regurgitate and rearrange the code that it has previously encountered. But when it's asked to produce code that it hasn't previously seen, that's where things start to become fuzzy and where it starts making mistakes,

since, again, it's not really understanding anything about what it's doing. It's simply searching for a matching context amid all of the world's previously written code. Last week, I was corresponding with two of the sharpest minds I've ever had the privilege of knowing. And I was talking about the idea that I previously shared here, which is that I think one of the things ChatGPT's surprising success at mimicry teaches us is that a good portion of the vaunted human intelligence we make such a big deal about having is mostly just repeating what we've previously encountered and anticipating what's gonna come next based upon what came next in the past. Here's what I wrote to these two friends. I said, "If I look back over my creative life, there have been a few moments that I would say were truly inspired invention, where I created something from nothing, something that was actually new. But far and away, 99.99999% of everything I do and have done has been wholly derivative. As it happens, I obtain immense satisfaction and even some joy from endlessly solving combinatorial puzzles. Thus, I love electronics and coding."

Okay, so to wrap it up, I thought it was interesting, and not at all surprising, that whereas ChatGPT can perform quite well at recombining what it's seen in the past to produce new and nearly functional code in the future, it is not going to be able to understand and explain the detailed operation of some piece of purpose-written malware that it has never encountered before. Though ChatGPT was initially a surprise, and though I'm sure that this technology is gonna continue to improve over time, I believe that we now have a good foundation for understanding what it can and cannot do. And at least for the foreseeable future, it is at most a very clever regurgitator. There's a good piece I'd recommend people to by Stephen Wolfram over on Wolfram Alpha. It's called, I think, "How ChatGPT Works," and for the slightly mathematically inclined, I think it'll be very interesting.

He, you know, he talks about the initial kind of first approximation of how it works, which is basically autocomplete using weighted values to predict the next word. It's a little more sophisticated than that, but it's essentially predicting the next chunk based on the statistical model. And it's quite interesting, highly recommended. But yeah, I mean, it's not sentient at all, obviously. And it's too bad, because a lot of the press's focus was, especially with Bing Chat, which is based on the new ChatGPT GPT-4 model, they were just needling it until it went crazy, and they're going, "You see? <laugh> You see?" <laugh> And it did feel like, you know, if it says "I love you" or "I hate you" or "I won't hurt you unless you hurt me,"

it sounds sentient, but honestly, it's really lost its marbles. And Microsoft's response to that was, well, after five questions we're gonna reset. You can start over. You can't needle it to the point of insanity. So Leo, I really do think we should not give it the nuclear launch codes. No, probably not. And I think resetting it after five questions sounds like a good idea. Sensible. And I hope that, you know, this is maybe enough of a little bit of a freaky yet still benign wake-up call, right? That we're not in the future gonna give anything the nuclear launch codes. I think it helps us, after the initial wave of wow, understand a little bit more about what this is. It may pass the Turing test, but this is why the Turing test was a bad idea to begin with.

That is not a measure of success, really, in a general artificial intelligence. We're still a long way off from that. Yeah, but don't give it the nuclear codes. <Laugh> Yeah, there are gonna be a lot of people who are gonna have long conversations into the middle of the night, you know, treating it like a therapist and a... yeah. It's like Eliza. Yeah, it's like a good Eliza. Yeah. Eliza was dopey, but this is surprisingly good, at least for the first hour or so. It really starts to get wacky after a little while. Steve can go two hours and be coherent by the end. It's amazing. He's much better than ChatGPT. Steve's website,, is the host of many fine things, including SpinRite, the world's best mass storage recovery and maintenance utility, currently 6.0, 6.1 is on the way.

You'll get it for free if you buy now. That's Steve's bread and butter. He offers a lot of other free stuff there, including ShieldsUP! and so forth, Password Haystacks, lots of information. We talked the other day, somebody was talking about your DNS Benchmark program, and what's the InControl, the Windows 10 to Windows 11 tyer. We were talking about that on Sunday on Ask the Tech Guys. Lots of great stuff there, including this show. Steve has the audio versions, but a couple of interesting versions. He has a 16 kilobit audio version. Sounds a little scratchy, like it was recorded in the 1890s, but it's the smallest audio version available. He has the 64 kilobit full version. He also has a transcript, which he's commissioned from Elaine Farris, who not only shoes horses, but is a darn fine court reporter.

She puts all the words in the right order, miraculously so, and never complains about, you know, wanting to kill us. So get those transcripts. They're good for searching or reading along as you listen, or get the 64 or 16 kilobit audio at Steve's site. We have 64 kilobit audio and video, oddly enough, at our site, There's also video on the Security Now YouTube channel. That's a fully dedicated YouTube channel. That's probably the best way to send somebody a snippet. I know for this show especially, a lot of people say, "Oh, I gotta send that portion off to my friend Joey. We were talking about this," or whatever. If you do it on YouTube, that makes it very easy for anybody, even if they don't get the podcast, to hear a little bit or see a little bit of the show.

You can watch us do it live as well. All you have to do is tune in every Tuesday around 1:30 to 2:00 PM Pacific. That's 4:30 to 7:30 Eastern, 21:30 UTC. is the livestream. Of course you can chat along with us in our IRC. Yes, we still use IRC after all these years. The IRC channel is now almost 30 years old. I should figure out when it was first started. So, early nineties. So we've been doing it for 30 years. IRC was just a child when we started. Now it's an old man. A little more modern, a little more GIF-y, is the Discord. If you're a Club TWiT member, chat there. We're chatting along as we listen. Get the programs after the fact, that's fine too.

And then you can comment. Steve's got some great, the GRC forums. We have our own. There's also a Mastodon instance at Those are free and open to all, supported by the club members, but still free and open to all. I guess that's pretty much everything you never need to know about Security Now, except that we'll be back next week, and I hope you will too. Bye, Steve. Thanks, Leo. See you next week. It was the last day of the month. Last day of February. That was fast. Yeah, it was. <laugh>

Jason Howell:
If you love all things Android, well, I've got a show for you to check out. It's called All About Android, and I'll give you three guesses what we talk about. We talk about Android: the latest news, hardware, apps. We answer feedback. It's me, Jason Howell, Ron Richards, Huyen Tue Dao, and a whole cast of awesome characters talking about the operating system that we love. You can find All About

... (01:51:28):
Security Now.
