SN 778: BootHole - Twitter Hackers Arrested, Garmin Hackers Get Ransom
It's time for Security Now. Steve Gibson is here. Firefox 79 is also here; Steve has some new features. We'll talk about the Twitter hack: they got him, three kids, one 17 years old. We'll also talk about a real problem with security with Tor that they don't really even seem to care much about, and a flaw with GRUB2. It's all coming up next on Security Now. Security Now comes to you from TWiT's LastPass studios. Securing every access point in your company does not have to be a challenge. LastPass unifies access and authentication to make securing your employees simple and secure, even when they're working remotely. Check out lastpass.com/twit to learn more. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 778, recorded Tuesday, August 4th, 2020: BootHole. This episode of Security Now is brought to you by LastPass. Allow your remote workforce the ability to do their best work without jumping through hoops to ensure your business's security with LastPass. Visit lastpass.com/twit to find out how they can help you. And by Worldwide Technology. Worldwide Technology's Advanced Technology Center is like no other testing and research lab, a proving ground that can quickly turn a data sheet into a fact sheet, where you can try before you buy. Better yet, you can access it virtually, so you and your team can have 24/7 access. Visit wwt.com/twit to learn more and get insights into all offers. And by Melissa. Like expired milk, 30 percent of your customers' data goes bad every year. That's money down the drain. Visit Melissa's developer portal for free access to data quality APIs, demos and code samples. Freshen up your soured data today with 1,000 records cleaned free at melissa.com/twit. It's time for Security Now, the show where we cover the latest in the security world with Mr. Steve Gibson. Hi, Steve.
Leo, great to be with you again. We're closing in on the end of year 15. This is episode 778, and I think it'll be 780, about two weeks from now, when we lap ourselves, closing out year 15 and beginning year 16. So forgive me, but I told my team, Steve doesn't want a cake or balloons, confetti or anything like that. Correct. It seems like we don't celebrate. My anniversary, my 65th birthday, occurred toward the end of March in the middle of COVID land. This is the weirdest birthday. So yeah, mine's in a couple... in a year from... Yours is in November. Wow, you are correct. No cakes. Thank you. Very well, no cakes. No more. Okay, nothing's going to... we're going to talk about BootHole, which is a little reminiscent of Spectre and Meltdown, inasmuch as the cure is in some cases worse than the problem, as we'll see. But we're going to start by talking about the recent update to Firefox 79, which is sort of... okay, one new feature, not much else changed. We're going to check back on the Twitter hack with news of the identity of the accused perpetrator, and that's the alleged identity, so we don't know for sure. The so-called mastermind is a juvenile, so we're respecting that. We also have more information about the Garmin ransomware hack. Some additional information has come to light, primarily thanks to BleepingComputer's digging and their access to some insiders who've been feeding them some interesting tidbits. We're also going to take a look at the behavior of another disgruntled vulnerability researcher and consider some aspects of the ethics of vulnerability disclosure that we haven't really talked about before. We're going to examine what has now become Zoom's bug of the week, and the consequences of Microsoft's removal of all SHA-1 signed downloads from their site. Unless you're a bit of a pack rat, that could pose some problems. Also, QNAP NAS...
Network attached storage devices are still suffering from escalating, real trouble and neglect by their owners. We'll touch on that. I'll check back in with a little bit of an update on ongoing work with SpinRite, and sort of deal with some of our listeners' questions quickly, and then we're going to take a look at what is arguably, or I guess inarguably, no one's arguing about it, the week's biggest security event, which is the discovery of this boot security bypass for Linux, which was named BootHole by its discoverers. Oh, and just an interesting picture of the week that I... I don't want to belabor the point, but boy, it's rather... something that I want to just make sure our listeners are aware of. So I think another great podcast for our listeners, as always, Mr. Steve Gibson. We will get to your picture of the week and more in just a second, but first a word from this segment's sponsor, and of course, as you know, we're here in the studio thanks to LastPass. They're keeping the lights on pretty much for our TWiT network, and for Security Now, but it's also, I think, keeping us secure, and I really appreciate that. Thank you, LastPass. When LastPass surveyed global IT decision makers not so long ago, 96 percent of organizations said the fact that their workforce is now remote has seriously impacted their identity and access management strategy. Of course it has. Of course it has. You know, you're zero trust now, everywhere, because who knows who that is logging in to your most precious resources, your bank accounts, your websites, your customer databases. Well, if you're using LastPass, you know, because that's one of the things LastPass really does: it helps you manage identities and promote good security behaviors while your employees are working from home. With LastPass, you get, of course, secure password storage, AES 256-bit encryption. Your employees have their own vault for storing every app and web login they use.
Actually, it's so safe and so secure I treat it as my secure enclave. I use my LastPass to keep my driver's license, my passport. I always have it because LastPass is on every device I carry. So whenever I was traveling, I always had a copy of the passport on here, my driver's license, Social Security numbers, medical information, everything I want to keep that's very private but I want to keep at hand. LastPass never decrypts anywhere but on device, and they never transmit your master password anywhere. It's never sent back to LastPass. LastPass has a lot of features to make remote work a lot easier, for instance, password sharing. When your employees were in the office, they could wander over and whisper a password or write it on a Post-it. You know, come to think of it, that wasn't such a good idea. You definitely don't want them sending it through texts, putting it in their Slack channel. You'd like them to use secure password sharing, and that's what LastPass does. It makes it easy for employees to share logins but keep access to the corporate data safe. Maybe somebody over at Twitter ought to think about that for a change. They were putting the credentials for the Twitter god mode in their Slack channel. That's exactly what LastPass eliminates. Your logins are better protected. Employees love it, because everything's easier. You capture and fill every credential. You don't disrupt the workflow. You add a new password, it captures it, it says, you want me to save this? You say yes. The next time you're there, it says, fill it in? Yes. Centralized control for your IT department, that's very important. You can enforce policies. We do, for instance, requiring... I would suggest you do that too. LastPass makes it easy to get actionable insights into employee password behavior from an admin dashboard: exactly who's using what, when and where. Oh, and by the way, when new employees come or old employees go, it's very easy to manage your users. I've done it
myself. Add and remove users, automate user management with directory integration. You add in one place and it automatically propagates to LastPass. No matter where your employees work, they'll always have their passwords with them, but they'll always be secure. I can go on and on. I often do. I'm such a fan, I'm such a believer, I'm such a supporter. I've been using it for 12 years. We've been using it for five. You gotta get it: lastpass.com/twit. Let your remote workforce focus on their work without compromising your business's security. Secure your remote workforce with LastPass. Go to lastpass.com/twit. Thank you for keeping our lights on. Thank you for helping us by using that address in getting your LastPass set up: lastpass.com/twit. And now back to Steve Gibson. And I like this picture of the week. This is really good. So, our longtime listeners certainly know that I sort of glommed on to the potential of vitamin D years ago. I surprised you one Tuesday, or maybe we were back recording on Wednesdays, and I know I'm... probably... by saying, well, we're not going to talk about security, we're going to talk about something different. And anyway, of course that was the now famous vitamin D podcast, where I went through all the biology and what appears to be the nature of the importance of it. I also talked about it early this year, at the beginning of COVID, because it's known to have an important intersection with immunity, and this is a year where we need all the immunity we can get. The problem, of course, is that it costs almost nothing: a strong, proper dose for a year for a person is like 15 dollars for 360 little drops of sunshine, as I called them. Anyway, the point is that because it costs nothing, it's difficult to get money for research. So no big drug companies getting rich. Exactly. Yeah. Yeah. You're not
going to have the White House funding the production of vitamin D. We already have it. You know, you could argue you get all you need from the sun, but there actually is some correlation between the amount you have in your bloodstream and your proximity to the equator. So that's one factor. Anyway, 20 different groups of patients who, as a consequence of this past year's COVID-19 health crisis, happened to have their serum vitamin D levels tested were pulled together in sort of an ad hoc study. I have the link in the show notes to the source PDF. This is just one of many charts, but this is the most dramatic of them. This shows their correlation, and as we know, correlation is not causation. But this is, if nothing else, eye-opening: that it correlates across these 20 studies whose results were aggregated. It shows, first of all, in this sort of bluish line, that there was no age difference over the span of vitamin D concentration. It's pretty much 60 to 65 years of age regardless, so age wasn't a factor here. But the red line shows a breathtaking correlation. You know, given all the caveats, the studies have varying levels of control; obviously this is not a random sample, these are people that were already in trouble such that they had their blood drawn and so forth. So without understanding more, it's showing a very clear connection between the measured vitamin D concentration and their ultimate consequences, that is, the COVID-19 death rate as a function of vitamin D. So enough said. Vitamin D is good. Do your own independent research if you're interested. Click the link to the PDF; there's lots of information about how this data was gathered there, and at the end is a whole bunch of additional backup material from the NIH and other health organizations to substantiate it.
So I just wanted, again, not to spend more time on this, but this was very powerful information, for what it's worth. I just didn't want it to go unobserved. What do you do? How much vitamin D do you take? 5,000 IU a day. That's what I'm doing too. Yeah. Yep. I think that... if you're uncomfortable with that, maybe 4,000. But you know, the RDA is 400, and that just gets you off the ground. That's not going to do it. I mean, it will prevent you from dying of scurvy and some sort of, you know, acute vitamin D shortage, but it's very different. I mean, that's one of the problems with the RDA: we call it the recommended dietary allowance. It was meant to be the minimum you need of different things to keep you from having disease as a consequence of a shortage. There's a big margin between what's enough to keep you from dying and what you should have for brimming health. We've always known vitamin D was that: rickets, if you don't have vitamin D. That's why they put it in milk as a supplement. So we've always known that. But there seems... you'd go listen to Steve's whole show on vitamin D, because it really is an eye-opener, and this isn't the only place I've seen this kind of indication that having a good vitamin D level, not a deficiency anyway, is important for COVID survival. Right, and in fact, I'm glad you said that, because I'm, you know, not wanting to talk about it all the time, but I keep constantly seeing in the mainstream press this or that study connecting vitamin D levels to COVID outcomes. So when I finally saw this report that pulled it all together, and its rather breathtaking chart, I thought, okay, I just need to take a moment. And, you know, the competition for today's picture of the week was the BootHole logo, which is just wonderful, but we've got a hole... Okay, well, that's a big hole. Yes, indeed. You take vitamin D3?
Yes, you want D3. You know, Doctor's Best, NOW... you know, anybody who... yeah. In fact, NOW is actually what I take. So it's a little bottle, because... Oh, these people. Yes. Even for people who are not pill-takers, this will not be a problem: a little tiny bit of a hormone, because it's not actually a vitamin, that is very diluted in olive oil, you know, because it is fat soluble. You do not want to take more than 5,000 IU a day unless you're having your blood watched by a doctor. Back when we talked about it, vitamin D wasn't even being tested, and now, because the medical community is beginning to catch on, they're actually taking a look at it. And it's four cents a pill, the NOW one. Exactly. Yeah. Okay. So yes. Yeah, I mean, if you wanted to do one thing for the health of yourself and your family, I would say, you know, vitamin D at a useful level. And really young kids ought to probably take less, maybe 2,000. Folks who don't get any sun, and yes, don't convert it very well with their skin... Kids can go out and get some sun and they'll make it. Yeah. Yes. Okay. So, no big news on the Firefox front. The biggest new feature is a credential export, which was added to Firefox's built-in Lockwise password manager. This exports the Firefox database into a CSV-formatted text file, which you could drop into a spreadsheet or import into some other password manager, which is why they say they did this. And of course it goes without saying that while in text form it's readily discoverable by anyone or anything scanning your machine. So if you were to do that, storing it in a password-protected 7-Zip archive, which I think is probably the best of the free zip things (7-Zip is very popular), is good protection. Because, yes, for a while the password-protected zip files were not so strong, but this newer... yeah, 7-Zip did it right.
They derive a 256-bit AES key from a password-based key derivation function, which uses a high iteration count, as a brute-forcing delay (and we're going to be talking about brute forcing here before long, because it's another mistake that Zoom made), to run a SHA-256 hash. So you do need to pick a good password. But if you do that with 7-Zip and its encryption, you should be safe to keep your passwords exported in that encrypted form. And I'll just note that, you know, I'm still using LastPass under Firefox because I also use it under Chrome and under Edge and under Safari and across all platforms. So, you know, it's worth noting that Firefox has a built-in password manager, but, you know, maybe as a backup, you know, it would be useful. So anyway, that's the news on Firefox 79, not much there. So I heard you talking about it on MacBreak, and so I just wanted to touch on this: we have learned more about who is believed to be behind the Twitter hack. And, you know, not some powerful state-sponsored cybercrime gang, just, we believe, a 17-year-old kid. His name is all over the tech press. I heard you not wanting to say it on MacBreak Weekly. So, but I do have it in the show notes. To find it, I mean, yeah. You know, I come from the school of journalism where you don't say the names of minors who are accused of crimes, but apparently nobody else does that. So the local Florida news channel WFLA talked to him right away; they outed him as Graham Clark from Tampa Bay, Florida. So they also had a suitably creepy picture of him. I know. In fact, before I reduced it in size, I actually had it in the show notes. He looks a little bit like Spock, got kind of a pointed ear. It's a little bit creepy. And it's interesting, too, that his nick is Kirk. So, oh, maybe... Two years. Yeah. So anyway, the sad thing is this guy's life is now seriously messed up. Yeah.
He's been charged with felonies relating to computer communications and organized fraud for scamming hundreds of people using compromised accounts, according to a press release from Hillsborough State Attorney Andrew Warren's office. This guy, Graham Clark, now faces 30 felony charges. So we have one count of organized fraud involving more than 50,000 dollars; 17 counts of communications fraud of over 300 dollars; one count of fraudulent use of personal information for an amount over 100,000 dollars or 30 or more victims; 10 counts of fraudulent use of personal information; and one count of access to a computer or electronic device without authority and scheming to defraud. So in total, 30 counts, all of those felonies. So I mean, I do feel like, unfortunately, there's sort of a bit of overreaction. I mean, I get it that this was not good, and certainly that law enforcement wants to send a message like, don't do this, even if you can. Initially, the announcement didn't indicate whether Clark had any partners in crime, but a few hours after the press conference announcement, the world learned that the US DOJ had also filed charges against two other suspects believed to have helped Clark in this hack. The first of those was identified as Mason Sheppard, who's known as Chaewon, 19 years old, living in Bognor Regis in the UK; and the other is identified as Nima Fazeli, also known as Rolex, 22 years old, residing in Orlando, Florida. The US Attorney, Anderson, said: "There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence. Today's charging announcement demonstrates," thus, I think, an example is being made, "that the elation of nefarious hacking into a secure environment for fun or profit will be short lived.
Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there's nothing stealthy about it." In particular, he said, "I want to say to would-be offenders: break the law, and we will find you." Please. So exactly the kind of thing hackers go, "Oh, that's gonna really scare me." I remember when I was a teenager. And in fact, Leo, did this... did I? You know, I was always a good kid. But oh, to be 17 and have that whole network in front of me. Yeah. Yeah. Twitter... it was fairly clever, because... well, go ahead, because the way it was done was kind of interesting. Yeah. So for their part, Twitter disclosed a bit more about the nature of the attacks. They said that the phone-based social engineering attack allowed the attackers to obtain the credentials of a limited set of employees, which then made it possible to gain access to Twitter's internal network and support tools, although not all of those employees who were initially targeted had permissions to use account management tools. The attackers (apparently, actually, just Graham) were able to use their credentials to then access Twitter's internal systems and gain information about Twitter's processes. That expanded knowledge then enabled the attackers to target additional employees who did have access to Twitter's privileged account support tools. Reuters also had reported something that I had not seen elsewhere, which was that, as of earlier this year, more than a thousand Twitter employees and contractors had access to Twitter's internal tools and could change user account settings and hand control over to others. A thousand. And this was according to two former Twitter employees. Well, as we know, such widespread access makes it difficult, if not impossible, to defend against the sort of hacking that occurred. So I did see some discus... conversations. I'm sorry, Discord conversations. I read everything
I could find, and ZDNet provided the most detail about the hack, including, as I said, some Discord chat logs where Graham is seen soliciting the participation of the other two. He claims to work for Twitter and then offers to prove it by modifying their Twitter accounts. He also provided his bitcoin address. At least... I heard you mention on MacBreak Weekly the rather head-slapping fact that he provided his driver's license. You have to, at Coinbase, to set up an account. Yes. Yeah. And so he sold them access to some high-value Twitter accounts such as @execs, @dark, @vampire, @drug. Anyway, the link with all the details is in the show notes for anyone who's interested. So my take on this is that it's another example of what you might call managerial inertia. And it was kind of natural. Let's remember that when Twitter was born, it wasn't initially taken very seriously. You know, it had that ridiculously limited, text-only, patently insecure messaging of 140 characters max. I remember thinking, wait, 140 characters? That's it? Those were the days. But obviously, over time, Twitter's importance has grown dramatically. As we know, heads of industry and state use Twitter to reach their followers, including, of course, our US president, who uses it to directly reach each one of his 84 and a half million followers multiple times per day. And more than likely, Twitter also didn't take itself very seriously at the start, you know, and as we've noted, there never really was any clear plan for how this free service was supposed to make any money. But over time, and very gradually, that changed. And so my point is, Twitter's importance doubtless crept up on it over the course of many years. Twitter slowly grew into a truly important global communications facility. As we know, it didn't start out as one, and it clearly is one today; that didn't happen all at once. So I
think the security breach is mostly a consequence of Twitter doing things the way it always had, and of any change to the status quo that occurred, the management just lagged behind. So my take on this is that this ultra-high-profile security breach was probably the best thing that could have happened to Twitter. It did not actually result in a huge amount of damage. It has ruined a couple of kids' lives, unfortunately. It'll be interesting to see what the sentencing is once this works its way through the courts. But it was obviously, you know, if, as Reuters reported, at the beginning of the year there were a thousand people who could do this, both inside and outside of Twitter, then this is a very much needed wake-up call, which was delivered probably in the nick of time. We've got a very high-profile election coming up here in three months. Don't we need the Internet to, you know, not betray the interests of the US electorate? So I'm glad this happened, frankly, because it's clear that Twitter needs to get their act together, that they haven't been taking themselves as seriously as they need to. And again, you know, too bad for these young people. Garmin hack. Lawrence Abrams of BleepingComputer, as we know, has always had a strong interest in ransomware, so I'm not surprised that his coverage of the Garmin ransomware attack was the most detailed of any I've seen, nor that he's had access to some insiders who have reached out to provide him some extra tasty bits. Among other things, an employee inside Garmin informed him that the initial ransom demand was for 10 million dollars. Oh, yeah. Holy moly. Ten million dollars. Okay. We don't know what ransom was finally paid, but it seems more certain than ever that Garmin did pay up. Lawrence wrote:
"After a four-day outage, Garmin suddenly announced that they were starting to restore services, and it made us suspect that they paid the ransom to receive a decryptor." Then last Saturday Lawrence posted: "Today, BleepingComputer gained access to an executable created by the Garmin IT department to decrypt a workstation and then install a variety of security software on the machine. Since WastedLocker" (that's the ransomware) "is an enterprise-targeting ransomware with no known weaknesses in their encryption algorithm, a decryptor cannot be made for free." And remember that BleepingComputer has been sort of a focal point for the less than well designed ransomware, where mistakes were found in the encryption which allowed for the creation of a no-charge decryptor, and those have been organized and can be found through BleepingComputer. So he said: "To obtain a working decryption key, Garmin must have paid the ransom to the attackers." And he said: "It is not known how much was paid, but as previously stated, an employee told BleepingComputer that the original ransom demand was for 10 million dollars. When extracted, this restoration package" (this is the one that they received a copy of, that had been prepared by Garmin's IT department), "this restoration package includes various security software installers, a decryption key, a WastedLocker decryptor, and a script to run them all. When executed, the restoration package decrypts the computer and then preps the machine with security software. Garmin's script contains a timestamp of July 25, 2020, which indicates that the ransom was paid either on the 24th or 25th. Using the sample of WastedLocker from the Garmin attack," that is, the actual ransomware from the Garmin attack, "BleepingComputer encrypted a virtual machine and tested the decryptor to see if it would decrypt their files."
He said: "In our test, the decryptor decrypted files." So, interesting, was that the package received by BleepingComputer included references to both the cybersecurity firm Emsisoft (E-M-S-I-S-O-F-T, Emsisoft, sorry) and the ransomware negotiation service Coveware. When BleepingComputer subsequently reached out to Coveware, they were told that they do not comment on any ransomware incidents reported in the media. And similarly, Emsisoft told BleepingComputer that they could not comment on any cases, that they create decryption tools and are not involved in ransom payments. Brett Callow, a threat analyst at Emsisoft, said: "I cannot comment on specific cases, but generally speaking, Emsisoft has no involvement whatsoever in negotiating or transacting ransom payments. We simply create decryption tools." Okay, now that's interesting news. So it might seem odd for a reputable security firm such as Emsisoft to have anything to do with ransomware, but they have an interesting angle. As we know, the decryption side of the ransomware mess sometimes receives much less attention from the bad guys, who need to create the decryptor, than the encryption side. Consequently, the decryptors have tended historically to be buggy, to crash, or to for some reason fail to fully undo the damage that they had originally done, despite having received a valid key. So that's where Emsisoft comes in. They reverse engineer questionable ransomware decryptors for which the decryption key is known, to create a more robust and reliable decryptor for a victim's systems. Emsisoft's ransomware recovery services page states: "If the ransom has been paid but the attacker-provided decryptor is slow or faulty, we can extract the decryption code and create a custom-built solution that decrypts up to 50 percent faster with less risk of data damage or loss." So
this also explains why the decryption package Garmin finally used also contained legitimate security software. That extra security software, along with the improved decryptor, may have been provided by Emsisoft, or may have been put together by Garmin's IT. And of course, as we mentioned last week, now that Evil Corp has been attributed as the creator of WastedLocker and has been placed on the US sanctions list for using Dridex to cause more than 100 million dollars in financial damages, paying this ransom could lead to hefty fines from the government. So due to these sanctions, sources familiar with Coveware have told BleepingComputer that the negotiation company has placed WastedLocker on their own restricted list starting in early July and will not be handling negotiations for related attacks. So it does look like Garmin paid a ransom. On a 10 million dollar demand. Yeah. That initial demand would... Correct me if I'm wrong, I understand how hard it is to remediate after a ransomware attack, but if you have a backup of your data, there'd be no reason to pay the ransom, right? Right. So this is an implication that Garmin didn't have a copy of its data. Well, I've seen reports... there was another firm, I can't remember, it was also in the news last week; they had 30,000 workstations encrypted. That demand started also at 10 million; they ended up settling, if you can call it that, at 4.5. So the negotiation through an intermediary came out at 4.5. I don't remember now the name of the company. Even if you did this... maybe with 3,000 workstations it'd be cheaper to pay and have them decrypted and then just working again. But would you ever trust that workstation? That's exactly the problem. You're still going to have to wipe it and reinstall everything, no matter what you pay. Yep. I don't get it. I'm missing something. Well, my feeling is
a whole... I mean, certainly anybody now would have protection against, you know, like their main corporate databases would be secure, but it might just be that, you know, to restore, they're not doing nightly backups, like nightly images or incrementals, of every single workstation in the organization. Sure. And you should have cold backups, right? You don't want hot backups, because those get encrypted too. But this is well-known technology. This is not difficult to do. True. No, I just think it's a matter of logistics. It's like a large company, sort of... the IT department is busy running around remediating all manner of individual things, and it's like, okay, that's on our to-do list. Well, I hope the industry is, you know, changing the priorities of these things, because they really do need to get done. Especially now, I mean, it's so obvious this is going to be a big business issue. It is becoming, you know, big business. Let's take our second break, then I'll talk about Tor, the collision between Tor and a doctor who wants... we also might mention that funding for Tor is being blocked by the Trump administration right now, along with funding for Signal. Tor's funding comes from the same people that do Voice of America, and there's 20 million dollars of congressional funding that's been approved but is not being paid out, and that may well impact Tor dramatically as a side effect. I don't think it's the intention, but... and they were already a little short of cash, like most open source projects. Yeah. Our show brought to you by, oh, I love these guys, WWT, Worldwide Technology. Lisa and I went out there in March; it was the last trip we've taken, and will take for now, probably. We're not traveling again. I hope we go back to WWT again; Saint Louis was a lot of fun. But what I really loved seeing was the Advanced Technology Center, the ATC. The whole WWT story is fantastic:
Its founding, its growth, the attention they've paid to management, to running a company well, what a great community member they are. They're beloved in Saint Louis; they brought in a Major League Soccer team. Their founders, one of whom is Black. They're just really great people. And then, more than ten years ago, they had this idea to build this ATC. They're an integrator for enterprise technologies, a big, big business, with big customers. And of course, what you do if you do that is you recommend, configure, install big stuff. You know, big hardware, big hard drives, what is it, BIG-IP, right? And so you need to try that stuff, you need to set it up, you need to do pilot programs, and they realized the best thing we could do is just get everything, everything we can, in this Advanced Technology Center. So we could do the testing, do the pilots, spin up, be ready, be knowledgeable. So they started accumulating, starting in one small building. It's in four or five now, rack after rack of half a billion dollars of state-of-the-art OEM equipment. And customers that have adopted the ATC as a tool in their product life cycle really see the benefit. They can, WWT can, educate, evaluate, innovate at such a rapid pace. There is nothing like it in the world. Half a billion dollars of equipment from hundreds of OEMs and key partners, ranging from the big guys, the high tech heavyweights like F5, Red Hat, and Cisco, but the little ones too. I mean, everybody's there. Tatum, Equinix, they're all in there. And that means for you, as an enterprise technology user, WWT can be your trusted partner. They focus on business outcomes, and they stand beside their customers every step of the way. They've got the knowledge, they've got the skills, they've got the ability, and they're such a well-run company, with a commitment to back you up. This is what you want. That's why customers of WWT never leave.
Many of them have been there for more than a decade. They know that they can go to WWT and get the answers they need to make a better decision, backed by testing experience, not just by, well, what do we have on the shelf? They go the extra mile in so many respects. One of the things, when we toured the facility, they have cameras on big, big screens, and I'm saying, what is that? Well, those are fulfillment centers all over the world, where we integrate the hardware and we ship it off. I said, what's that guy doing? Every one of them has a full-time carpenter on duty, because unlike other companies, when we sell a system, we wire it, we set it up, it's ready to go, which means we have to build custom crates to cushion it, to get it all the way there, to fit it. Every crate is unique and different. The carpenter builds the crate so we can ship it to you. So as a WWT customer, when you get it, it's ready to go. You open the crate, you roll it out, it's working. It's ready to go. And then the ATC, I can go on about this too. Their on-demand F5 plus Red Hat OpenShift lab, for instance, is so cool. Where else can you get hands-on access with step-by-step instruction on emerging IT technologies and architectures, things like Kubernetes, infrastructure automation with Ansible? I know a lot of you already do this, know it. But if you don't, this is where you go to learn about it, so you're up to speed with the latest technologies. Application security with the F5 Advanced Web Application Firewall. When we talk about these breaches, and the Garmins, you need a WAF, you need all this stuff if you're in DevOps. The other thing I love about WWT, they are all over the latest technologies in making you more efficient, more productive. DevOps is a great example, or what they call CI/CD, continuous integration, continuous deployment. They're all over that. They have on-demand labs and the expertise to help you there.
It's a great investment WWT has made in their customers to ensure your success, and you can participate in that directly, because this ATC is also available to you as a service. They have what they call Lab as a Service. It's a dedicated lab space within the ATC where you can perform your own programmatic testing using that half-billion-dollar ecosystem that they've built, and because it's virtual, you don't have to go to Saint Louis, although I highly recommend it. The ravioli alone is great, and the beer is very good in Saint Louis. But you don't have to go to Saint Louis nowadays. This is actually a great benefit: you can use the Lab as a Service anywhere in the world, any time, twenty-four seven. This is the same lab that WWT's own engineers work in every day, beta testing new solutions based on the latest and greatest F5 and Red Hat technologies, building reference architectures, custom integrations, to help their customers make decisions and see results faster. And by the way, that saves you money, because the work is done ahead of time, not when the equipment arrives. WWT just launched this Lab as a Service last summer. It's been a year now; the whole ATC ecosystem is participating. This really creates a multiplier effect of knowledge, speed and agility, anytime, anywhere in the world, for you, the WWT customer. Not just the labs: there are case studies, articles; there's all sorts of information there. Go now. You can do it right now; you can sign up. It takes no time: wwt.com/twit. You can see all the stuff, the offers, wwt.com/twit, and the minute quarantine is over, I'm going back to Saint Louis, and I hope you'll meet me out there. We'll have another fun event. wwt.com/twit. Worldwide Technology. These are the good guys when it comes to enterprise. WWT, delivering digital outcomes and modernizing IT infrastructure all over the world. They call it Silicon Valley in Saint
Louis. It's pretty amazing. WWT. Back we go to Steven. Oh, sir. So, the Tor Project has recently been in a bit of back and forth with a security researcher by the name of Dr. Neal Krawetz. He obtained his doctorate in computer science from Texas, and his bachelor's from UC Santa Cruz. He has a long history of finding and reporting problems with the Tor network, and he operates multiple Tor nodes himself. From looking over the history of this, he appears to have long been a bit of a thorn in the side of the Tor engineers. And frankly, not all of his concerns over Tor's privacy guarantees appear to warrant due concern. For example, he wrote at one point, in fact in ramping up to his decision finally to disclose something without permission, he said, over three years ago I tried to report a vulnerability in the Tor Browser to the Tor Project. The bug is simple enough: using JavaScript, you can identify the scroll bar width. Each operating system has a different default scroll bar size, so an attacker can identify the underlying operating system. This is a distinct fingerprint that can be used to help uniquely track Tor users. He says many users think that Tor makes them anonymous, but Tor users can be tracked online. They're not anonymous. So, anyway, okay. In three years, despite trying, he had not managed to get this fixed. During that time the Tor Project joined HackerOne, the firm that we've talked about often for creating bug bounties, and officially credited him for the discovery of this problem, the fact that JavaScript running in a browser could determine the width of the scroll bar. Okay, they credited him with the discovery of that, and I don't know whether he received any monetary payment, but the resolution of this was deferred from Tor to Mozilla,
since, after all, the Tor Browser is based on Firefox, and that's Mozilla's baby. After some length of time doing nothing with this, it was dropped; the guy to whom it was assigned de-assigned himself from it, and that upset the good doctor. And of course, we've seen instances of this before, where a security researcher finds a problem that he or she believes to be highly critical and that needs everyone's attention right away, if not yesterday, but for whatever reason they don't obtain the satisfaction that they're looking for from the parties. They feel unappreciated for their efforts, stiffed and ignored. So then, what comes next? In the case of this Dr. Neal Krawetz, under the subheading Dropping Zero Days, he now explains on his most recent blog posting. In fact, he uses a definition that I don't agree with. He starts off: a zero day, in quotes, is any exploit that has no known patch or widespread solution. And of course, as we know, I disagree with that; I think that it's just an unknown vulnerability unless and until it has been found to be exploited. Anyway, he continues: a zero day doesn't need to be unique or novel. It just needs to have no solution. He says, I'm currently sitting on dozens of zero days for the Tor Browser and Tor network. He says, since the Tor Project does not respond to security vulnerabilities, and, in fact, they do, he says, but anyway, does not respond to security vulnerabilities, I'm just going to start making them public. While I found each of these on my own, I know that I'm not the first person to find many of them. Well, okay. He infers that, I suppose. So here we have the unfortunate phenomenon of the security researcher whose original white hat begins to dim as his or her work doesn't receive the attention they believe it deserves. So he continues: the scroll bar
profiling vulnerability is an example of a zero day in the Tor Browser. And I'll just say as an aside, we could hope that all of these other dozens of zero days are of similar impact. He says, but there are also zero days for the Tor network. One zero day for the Tor network was reported by me to the Tor Project on December 27, 2017. He says in parens, about two and a half years ago. The Tor Project closed it out as a known issue, won't fix, and informative. He says, let's start with a basic premise. Let's say you're like some of my clients: you're a big corporation with an explicit no Tor on the corporate network rule. This is usually done to mitigate the risks from malware. For example, most corporations have a scanning proxy for Internet traffic that tries to flag and stop malware before it gets downloaded to a computer in the company. Since Tor prevents the proxy from decoding network traffic and detecting malware, Tor is not permitted. Similarly, Tor is often used for illegal activities, and he cites child porn, drugs, etc. Blocking Tor reduces risk from employees using Tor for illegal purposes. Although denying Tor can also mitigate the risk from corporate espionage, that's usually a lesser risk than malware infections and legal concerns. He says, keep in mind these same blocking and filtering requirements apply to nation states like China and Syria that want to control and censor all network traffic, he says, but I'm going to focus on the corporate environment. It's one thing to have a written policy that says don't use Tor. However, it's much better to have a technical solution that enforces the policy. So how do you stop Tor users from connecting to the Tor network? The easy way, he says, is to download the list of Tor relays. A network admin can add a firewall rule blocking access to each Tor node. Then he says, zero day number one, this apparently being the beginning of dozens: blocking Tor connections
the smart way. There are two problems with the block-them-all approach. First, there are thousands of Tor nodes; checking each network connection against every possible Tor node takes time. This is fine if you have a slow network or low traffic volume, but it doesn't scale well for high volume networks. Second, the list of nodes changes often. This creates a race condition where there may be many new Tor nodes that are seen by Tor users but aren't blocked by your network block list yet. He says, however, what if there was a distinct packet signature provided by every Tor node that can be used to detect a Tor network connection? Then you could set the filter to look for the signature and block all Tor connections. As it turns out, this packet signature is not theoretical. And in his blog posting he goes on to describe in great detail Tor's TLS handshake and the unique properties, which he found and told Tor about two and a half years ago, of the TLS certificates which Tor node servers generate on the fly. Then he says, finally, validating the vulnerability: back in 2017 I used a scanner and Shodan to search for TLS certificates. In theory, it's possible for there to be some server with a server-side TLS certificate that matches the signature but that is not a Tor node. In practice, every match found was a Tor node. In fact, I even found servers running the Tor daemon and with open onion routing ports that were not in the list of known nodes. He says, some were non-public bridges or private Tor nodes. Similarly, I scanned every known Tor node; each matched this Tor-specific signature profile. That makes the detection one hundred percent accurate: no false positives, no false negatives. Although now that I've made this public, someone could potentially generate false positive or false negative certificates.
The false positives are relatively easy to construct; the false negatives will require editing the Tor daemon source code. While a scanner could be used to identify and document every Tor server, he says, corporations don't need to do that. Corporations already use stateful packet inspection on their network perimeters to scan for potential malware. With a single rule, they could also check every new connection for this Tor signature. Without using large lists of network addresses, you can spot every connection to a Tor node and shut it down. That is, shut the connection down before the session layer TLS finishes initializing, and before any data is transferred out of the network. So, he then explains that he reported this discovery of a simple way of detecting, and thus blocking, all Tor traffic. He said, I reported the simple way to detect Tor traffic to the Tor Project on, as we said before, the 27th of December 2019, HackerOne bug number 300826, meaning that HackerOne has acknowledged it, and presumably he's been paid a bounty for it. He says, the response I got back was disappointing. Or, in fact, maybe the response means he didn't get paid. Tor replied: Hello, and thanks for reporting this issue! This is a known issue affecting public bridges, the ones distributed via BridgeDB. See ticket number 7349 for more details. This issue does not affect private bridges, the ones that are distributed in a peer to peer, ad hoc way. As indicated in the ticket, to fix this problem we're aiming to make it possible to shut down the ORPort, the onion routing port, of Tor relays. In our opinion, we should not try to imitate normal SSL certs, because that's a fight we can't win. They will always look different or have distinguishers, as has been the case in the pluggable transport race.
Unfortunately, ticket number 7349 is not straightforward to implement and has various engineering complexities. Please see the ticket for more information. Due to the issue being known and planned to be fixed, I'm marking this issue as informative. So, needless to say, the doctor was displeased. His blog posting itemized disagreements with this decision. Take my word for it; I won't go over them. Then he concludes with some commentary on bug bounties and a promise for more zero days, which I think are simply presently known vulnerabilities. He wrote, more soon. If you have ever worked with bug bounties, then you are certain to recognize the name Katie Moussouris. Of course, we've talked about her in the past. She created, he says, the first bug bounty programs at Microsoft and the Department of Defense. She was the Chief Policy Officer at HackerOne, the bug bounty service, and she spearheaded NTIA's awareness and adoption group's effort to standardize vulnerability disclosure reporting. And he says, parens, full disclosure, I was part of the same NTIA working group for a year. He said, I found Katie to be a positive and upbeat person; she is very sharp, open-minded and realistic. So then he said, earlier this month Katie was interviewed by the Vergecast podcast. He said, I expected her to praise the benefits of vulnerability disclosure and bug bounty programs. However, she surprised me. She has become disenchanted by how corporations are using bug bounties. She noted that corporate bug bounties have mostly been failures. Companies often prefer to outsource liability rather than solve problems, and they view the bug bounties as a way to pay for the bug and keep it quiet rather than fix the issue. Every problem that Katie brought up about the vulnerability disclosure process echoed my experience with the Tor Project. The Tor Project made it hard to report vulnerabilities. They failed to fix vulnerabilities.
They marked issues as resolved when they were never fixed. They outsourced simple issues, like passing a simple scroll bar issue upstream to Firefox, where it was never fixed, and they make excuses for not addressing serious security issues. And we'll just note, what he considers to be serious security issues. During the interview, she mentioned that researchers and people reporting vulnerabilities only have a few options: try to report it, sell it, or go public. He said, I've tried reporting and repeatedly failed. I've sold working exploits, but I also know that they can be used against me and my systems if the core issues are not fixed. And even the people who buy exploits from me would rather have these issues fixed. That leaves public disclosure. He says, in future blog posts I will be disclosing more Tor zero day vulnerabilities. Most, but probably not all, are already known to the Tor Project. I have a list of vulnerabilities ready to drop. And for the Tor fanboys who think using bridges will get around this certificate profiling exploit, don't worry, I'll burn bridges next. So, anyway. I thought this story was interesting and worth covering and sharing with our listeners because it illuminates another facet of this weird security industry that we spend time looking at every week. It's certainly the case that a vulnerability hunter lacks the ability to force their discoveries to be fixed. But I think that forcing discoveries to be fixed is probably the wrong goal. If, after having been informed of it, an organization should choose not to repair a defect in their system for whatever reason, isn't that entirely their business? I mean, I understand the ego involvement and the temptation to force the issue; the security researcher is in possession of knowledge the public is not. But attempting to publicly shame an organization into bending to the attacker's will
feels wrong, especially when that public shaming must, in order to be effective, inherently put other users of the organization's systems at some form of increased risk. I mean, that's the nature of the shame. So it's clear how a formal bug bounty program such as HackerOne could be abused by an organization to purchase and then sit on their bugs. But again, isn't that exactly the right that they have purchased? That's part of the bargain. The bug hunter agrees not to disclose, and in return receives payment both for the documentation of the discovered problem and for their continued silence about it. What happens after that is no longer the hacker's business; that information has been sold. So, anyway, I thought it was interesting. I have not made time to listen to Katie's conversation with The Verge, but if I find time and can find it, I think I will, because I'm kind of curious to hear what someone who is a big proponent of this economic model for monetizing the work of investigators, and, I mean, arguably resulting, as we've talked often about, in much heightened security overall for the industry, and I guess no system works perfectly all the time. And I heard you sort of in some agreement in the background, Leo. So, I think that the core lesson of this next story is that in this day and age, in 2020 and beyond, it's truly necessary to do everything right, which brings us to the latest mistake. This was not a bug; it's a design mistake. Back in April, in response to the flurry of interest in Zoom, both from the overworld who wanted to use it and the underworld who wanted to abuse it, Zoom bombing, as we know, became a thing, which caused us to title an episode Zoom Goes Boom. The trouble was that Zoom meetings were not originally required to have any kind of password protection. Just the meeting code was sufficient to allow otherwise uninvited visitors to break into and disturb Zoom conferences of all kinds.
Zoom quickly responded by adding a six digit PIN to protect entry into all recurring Zoom meetings. And as we know, a six digit PIN can provide some useful security; after all, that's what our authenticators all use. But it must be deployed with some care, because it does not by itself provide much entropy. And sure enough, Tom Anthony, the VP in charge of product at SearchPilot in the UK, discovered that Zoom's implementation of six digit PINs had made a classic rookie mistake, and frankly, in this day and age, it's kind of unforgivable. But I'm sure they were in a hurry to close down the Zoom bombing problem. Okay. What Tom discovered, somewhat to his amazement, was that Zoom had failed to implement any sort of rate limiting to prevent high-speed brute force guessing of these comparatively short six digit numeric PINs. Like I said, a rookie mistake. As Tom wrote in his write-up, this enabled, he said, quote, an attacker to attempt all one million possible PINs in a matter of minutes and gain access to other people's private Zoom meetings. So, as we know, in the absence of any checks for repeated incorrect password attempts, which would lock out an IP, nor any rate limiting for mistakes, and really, when you think about it, correctly entering a six digit PIN is just not difficult to get right if you know what it is, so it would make sense for the entry system to be highly intolerant of what is clearly guessing. None of that was present. So an attacker could leverage Zoom's web client, and remember, it's a simple URL, https://zoom.us/j/ and then the meeting ID, to continuously send these HTTP requests until one million combinations have been tried. He noted that with improved threading, and distributing the guessing clients across maybe four or five cloud servers, the entire six digit, one million possible PIN space could be checked within a few minutes.
He responsibly reported the glaring oversight to Zoom on April 1st, along with a Python-based proof of concept script. The next day, Zoom took their web client offline, since that was the largest and most glaring exploit vector, and then a week later they fixed the flaw, permanently and correctly. So it's obviously good that this was caught early and fixed quickly. But the lesson here is that this should never have happened in the first place. The problem we have today is that truly important security pieces are still being built in an ad hoc fashion. Everyone is rolling their own every time they need a solution. They're still needing to reinvent the same wheel over and over again, and this approach invites mistakes, even if people knew how to do it right. Man, it's unbelievable that someone could, in this day and age, implement a six digit PIN where no measure was taken to prevent brute forcing. But that's what Zoom put online. Today, every developer rolls their own web UI to suit their particular needs, so every one of them is different. Each of them handles login a little differently. There's no uniformity about passwords. Can I use a special character? How long can it be? What if I forget it? Everyone handles recovery slightly differently, so what we have today is a mess. And not only does user convenience suffer, but so does security. So it's going to be interesting to see how this gets resolved downstream. We all know that I designed something that attempted to unify this process, but at some point a solution needs to get adopted, adopted widely, and it's going to have to be a solution that broadly solves the problems and that doesn't require everybody to re-roll their own solution, or we're not going to get ahead of this. But again, the good news is this was April 1st; this was probably before the heavyweights
got involved, and so this was still, hopefully, the original team at Zoom who said, well, let's just create a quick solution. We'll see. Another SHA-1 deprecation. In their posting titled SHA-1 Windows content to be retired August 3, 2020, in other words, as of the fourth, that was yesterday, last week Microsoft made the following announcement. They said, to support evolving industry security standards and continue to keep you protected and productive, pardon me, that's assuming Windows 10 will boot, or that you can print, Microsoft will retire content that is Windows-signed for Secure Hash Algorithm 1, SHA-1, from the Microsoft Download Center on August 3, 2020. They said, this is the next step in our continued efforts to adopt Secure Hash Algorithm 2, SHA-2, which better meets modern security requirements and offers added protections from common attack vectors. SHA-1, they wrote, is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. Microsoft no longer uses SHA-1 to authenticate Windows operating system updates due to security concerns associated with the algorithm, and has provided the appropriate updates to move customers to SHA-2, as previously announced. Accordingly, beginning in August 2019, so a year ago, devices without SHA-2 support have not received Windows updates. If you are still reliant on SHA-1, we recommend that you move to a currently supported version of Windows and to stronger alternatives such as SHA-2. So, the only consequence I could see this having would be for those among us who have some reason to set up and update older versions of Windows. For example, I was just recently testing SpinRite's forthcoming
USB prep technology, which, as we know, I packaged as InitDisk under Windows XP, because it still needs to run there, and Windows 7, which continues to valiantly hold onto a bit more than a quarter of the desktop market share. Last time I looked, it's at 26.72 percent. It originally shipped without support for SHA-256, as did Windows XP. So I wonder whether there will be a bit of a catch-22, because there are Windows updates that are required to add SHA-256 support to Windows XP and Windows 7. So they must still be signed with SHA-1 in order to allow SHA-256 support to be bootstrapped onto those earlier operating systems. Fortunately, I long ago created kits of all the required files, so I'm okay, and I imagine that that's also true for most others who have a similar interest in archaeology. But I did think, whoa, SHA-1's going away. Oh, good thing I've got RAID-based archives in multiple places of those particular files that allow the older OSes to understand signing with SHA-256. And yeah, archaeology. Speaking of which, QNAP and QSnatch. QNAP network attached storage devices have been giving their owners and the security industry some serious problems for nearly a year, though the troubles appear to date as far back as 2014, so six years. We've touched on this before, but it's worthy of a brief refresher because there's been a recent escalation in the breadth and depth of the attacks against still-unpatched QNAP devices. Last week, the cybersecurity agencies in both the US and the UK issued a joint advisory about a massive ongoing malware threat which is infecting the NAS appliances of QNAP, a Taiwanese-based company. The malware goes by the name QSnatch. For some reason, Derek. I don't know. I'm reminded of that... Have you seen that
auto insurance commercial where the gal's talking to Bigfoot, and he's lamenting the fact that no one cares about Derek? Yes. Anyway. So QSnatch, also known as Derek, is a credential and data stealing malware which has compromised more than 62,000 devices since reports began last October. There's a high degree of infection in North America and Western Europe. We love them. They're great. I mean, not so great as they used to be. But yeah. Yeah. So it's probably for the best that, even today, the exact infection vector is not publicly known. It has not been disclosed, but the US Cybersecurity and Infrastructure Security Agency, CISA, and the UK's National Cyber Security Centre, NCSC, wrote in their joint advisory that, quote, all QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes, unquote, and also that, quote, once a device has been infected, attackers can prevent admins from successfully running firmware updates. So, talk about a catch-22. QSnatch has an assortment of features which are implemented as modules. Therefore, the problems include, but are not necessarily limited to: a password logger, which installs a fake device admin login page to spoof people into entering their credentials, which it then grabs; a more generic credential scraper; an SSH backdoor enabling the attackers to run arbitrary code on the infected devices; a web shell to provide malware operators with remote access to compromised NASes; and a data theft module which steals a predefined list of files, including logs and system configuration, and sends them in encrypted form to attacker-controlled servers. So, in other words, you don't want this to be running in your network attached storage. But getting rid of it is tricky. It requires multiple reboots, several firmware downloads, some sort of a malware-scraping utility, and more. I've got a link to the QNAP advisory. At QNAP, they say
QSnatch collects confidential information from infected devices, such as login credentials and system configuration. Due to these data breach concerns, QNAP devices that have been infected may still be vulnerable to reinfection after removing the malware. In other words, don't just flush the malware but then retain the use of your favorite passwords in the device for the sake, for example, of connectivity with other applications or users who may have been using the previous credentials. You should assume that a complete compromise of all the secrets in the device has already taken place, including all accounts on it. And be also wary of any add-on software. You know how lots of these network attached storage devices now let you install all sorts of other goodies. Don't have any there that you're not using, and get rid of any that you're unsure about. Anyway, it's a mess. If you own a QNAP NAS, it's worth some time to make sure that it's clean. My discussion last week of the forthcoming mass storage benchmark, which will be another development spinoff of the ongoing work towards SpinRite 6.1, generated a lot of interest and feedback from our listeners. Many people wanted to know where it was and how they could run it. So I need to quickly note that the benchmark is still in development and not yet ready for general use, and believe me when I say that at this point it would cause far more confusion, frustration and questions than it would answer, because it is just a development tool. But as soon as it's ready for general purpose use, I will make it easy to find, and I will formally invite all of our listeners to experiment with it. I mentioned last week that I was going to add further granularity to the benchmark to look at the timing of the individual
Thirty two megabyte transfers which make makeup the larger one GIGABYTE benchmark. We did that and the results were very interesting. We definitely found spots. Where drives? Excuse me. We're drives both spinning and solid state. But interestingly, primarily, solid state. were a great deal slower to respond, and in general, we're seeing much more evidence that highly used regions of SSD. Typically at the front of the drive underneath the operating system are consistently performing much more slowly sometimes as little as half the speed as compared to the unused areas. We know that SSD's broadly employ to management schemes to compensate for the technologies. Inherent lack of right endurance. They perform wear leveling, which dynamically relocates data from the more highly used silicon to the lesser-used regions. And just as with hard drives, SSD's are also generous generously overprovisioned to allow regions that finally have been worn out to be replaced with fresh storage that had been set aside for that purpose. So, what we think we're seeing and that is being revealed by the benchmark could be the extra time being required for error correction, which would tend to be required to fix low bit count errors as memory is becoming fatigued, and we might also be seeing evidence of some overhead associated with the management of what eventually becomes physically fragmented solid state storage in any event is doesn't appear to be something that there's much awareness of today, but this benchmark reveals it conclusively and I imagine that our listeners at we're gonNA find this fascinating so. Stay tuned and we're, we're I have a few more things to deal with and then I'll be integrating this final a HCI driver part into the earlier I d e and compatibility and legacy mode drivers to produce a single result which should run on everybody's hardware, and then the fun will begin. And Leo the the Booth Whole Fund is going to begin after we. 
break for our final spots, if you can call it fun. And look at that. Look at that picture. Oh my goodness. A good logo is really all you need. I think that's how to be successful malware. Remember Heartbleed? Right. Yeah. This one looks a little clip art, but we'll show you in a second. Our show today is brought to you by Melissa. Melissa keeps your data fresh. Data has a best-by date, just like the food you eat, and you wouldn't want to eat them. You know, I find them in the pantry all the time, a can with an expiration a year or two old. Your customer data goes bad too. Thirty percent of customer data goes bad each year. Melissa makes sure that data is accurate, and they do it in just the best way. I love it. So, you know, you want to make sure you're not annoying customers with duplicate mailings, you're not mailing those important mailings to the wrong address. I'm not going to name names, but we did have a fulfillment company that was doing our merchandising send one hundred and eighty masks to one poor guy in Gainesville, Florida. We should have known something was up because we started to get emails from people saying, yeah, I ordered a TWiT mask, had my address right except it said I was in Gainesville, Florida, but I'm in Iowa. And we got a few of those. Then we got the note from, my sister Joe I think, in Gainesville saying, hey, I just got a hundred eighty masks. That's called bad customer data, and it's embarrassing. It costs you money. It cost that company that was doing that our business, because you bet we moved on to another company that can get that stuff delivered. That's why I love Melissa. They've been keeping business data fresh for over thirty years. They do a lot of stuff. They have secure FTP, you can upload your customer list. They have an API, they do custom... gracious, there are a lot of people who use Melissa in their point of sale software, or their online software. Oh, you got the wrong... The simplest form, that's Melissa.
That's how Melissa got started, with zip code completion. Now they do much more. They can add customer demographic information to records: property and mortgage data, marital status, social media handles. So Melissa fills in the gaps by adding the emails and the phone numbers that are missing from that customer record. They also will dedupe, eliminate old data, even update data for a customer that's moved. Identifying current customers easily allows you to find new prospective customers. Melissa has a prospect database too. It's really, it's everything about addresses and more. Verify addresses. I shouldn't even say that, because it includes emails, phone numbers, names. You know, everybody misspells Laporte. They always put a capital P in there. Melissa fixes it. Is it Laporte? If that's Leo Laporte, is this it? It's really great. Melissa can actually help you verify your data in the best place possible, when it's being entered, so it doesn't even get into your system wrong. You can match and consolidate records with their matching and deduplication tools, which let you uncover, merge and purge hard-to-find duplicate records. Who doesn't have duplicate records, right? I used to get five catalogs from Restoration Hardware, same name and address. It's like, dudes, only one of those. They look expensive. Actually, it was also a negative experience for me, and that's, I'm sure, not what Restoration Hardware wants. Save money, eliminate customer annoyance, get the things you need to the right customer at the right time. So flexible: on-prem, web service, secure FTP, software as a service. Choose whatever works best for your business needs. And by the way, I know this is a big issue for everybody: Melissa continually undergoes independent security audits to reinforce their commitment to data security, privacy and compliance requirements. They have the utmost dedication to keeping your data secure by implementing strong controls and safeguards.
So when you upload to their secure FTP, no, that data is trustworthy. They're not cross-pollinating it, they're not doing anything with it. Over ten thousand businesses trust the address experts. Trust Melissa, they get it done. They're your data-driven experts. Another nice feature, by the way: Melissa, right now during the COVID crisis, is supporting communities and qualifying essential workers. So if you're a qualifying organization, you get six months of free service. There's an online application at melissa.com/twit. Don't put up with outdated customer data. You wouldn't drink sour milk. Why would you put up with customer data that's out of date? Try Melissa's APIs in the developer portal. It's easy to log on, sign up and start playing in the sandbox anytime you want, twenty-four seven, and you can get started right now with one thousand records cleaned absolutely free. Get your Christmas card list cleaned up or something. Melissa, M-E-L-I-S-S-A, melissa.com/twit. Nice people, they do a great job. melissa.com/twit. We thank them so much for supporting Security Now. Thank you for supporting Security Now by using that address, melissa.com/twit. Okay, Steve. Shall I show the logo? That all you... Pre-existing? Yeah. Yeah. Does it? I don't know, what do you think? Maybe not the worm, but the boot, definitely. The worm looks like somebody drew it themselves, kinda. It's cute. It's very cute. So early in the history of this podcast, well before modern secure booting was actually invented, we talked about how truly insidious rootkits could be. Remember those episodes, Leo? We had a lot of fun with that. Oh, yeah. It was Sony that was hiding itself. Yeah. Crazy, they put DRM in a rootkit. By hooking and subverting the operating system's own file system, it would basically just hide its own files. In this case, a user could be looking right at a directory containing malicious malware and not see it.
You do a directory listing and the rootkit's API hooks would filter out any and all appearance of any files it didn't want you, or your AV, or anything else to see. You know, scanners wouldn't see it. Nobody would see it. But the files would still be right there, like, you know, in front of you, unseen. So rootkits are a big problem when the goal is to have a truly trustworthy system. And we previously covered the concept of secure booting thoroughly in many previous podcasts, both in the context of securely booting a PC and also iOS, which has a similar secure boot technology. The idea is the establishment of a chain of trust which is anchored by some root component that can be absolutely trusted, and which is then able to examine and verify the trustworthiness of each and every subsequent stage of the booting process. With secure booting enabled, the integrity of the resulting system is supposed to be assured, and something that you can assume. So when two researchers, Mickey Shkatov and Jesse Michael, both at Eclypsium, announced their discovery of a vulnerability which they called BootHole in the GRUB2 boot loader used by most Linux systems, which can be used to gain arbitrary code execution during the boot process even with Secure Boot enabled, this understandably generated quite a stir within the security industry. This meant that attackers could exploit this vulnerability to break boot security and install persistent and stealthy bootkits. And bootkits are another name for rootkits, essentially, to provide near total control over the victim device. GRUB, G-R-U-B, stands for Grand Unified Bootloader. I've got a link to their full description, a PDF link, in the show notes. But in their disclosure of this they've got a nice summary. They wrote: the vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning, and there's one that isn't,
but otherwise they're all known to be vulnerable, meaning, this is them, virtually every Linux distribution is affected. In addition, GRUB2 supports other operating systems, kernels and hypervisors such as Xen. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority. Thus the majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries. This vulnerability makes these devices susceptible to attackers such as the threat actors recently discovered using malicious UEFI bootloaders. In other words, the idea of corrupting a system's boot is not just theoretical. It is actively happening in the wild today. So they continue: Eclypsium has coordinated the responsible disclosure of this vulnerability with a variety of industry entities, including vendors, computer manufacturers and cyber security emergency response teams. Mitigation will require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to prevent adversaries from using older vulnerable versions in an attack. In other words, the vulnerable bootloaders are currently signed and trusted by the root of trust in the UEFI on the motherboard. So this is an instance where revocation of some form is required. They finish: this will be a long process and take considerable time for organizations to complete patching. In other words, this is a big whoopsie. However, nobody should go out and fix this right now. I'll get to why in a second, because it is actually causing way more problems than it is worth. I'm going to cut to the chase here, because part two of this is what has happened since. In their disclosure document they explained the problem. They said, in the course of Eclypsium's analysis, we have identified, guess what?
A buffer overflow vulnerability in the way GRUB2 parses content from the GRUB2 config file named grub.cfg. They said, of note, the GRUB2 config file is a text file and typically is not signed like other files and executables. And I'll note that that one GRUB2 that I mentioned that is not vulnerable to this is not vulnerable because it requires the grub.cfg to be signed. So they said this vulnerability, this buffer overflow in the parsing of grub.cfg, enables arbitrary code execution within GRUB2 and thus control over the booting of the operating system. As a result, an attacker could modify the contents of the GRUB2 configuration file to ensure that attack code is run before the operating system is loaded. In this way, attackers gain persistence on the device. Such an attack would require an attacker to have elevated privileges. However, it would provide the attacker with a powerful additional escalation of privilege and persistence on the device, even with Secure Boot enabled and properly performing signature verification on all loaded executables. One of the explicit design goals of Secure Boot is to prevent unauthorized code, yeah, even running with admin privileges, from gaining additional privileges and pre-OS persistence by disabling Secure Boot or otherwise modifying the boot chain. With the sole exception of one boot tool vendor who added custom code to perform a signature verification of the grub.cfg config file in addition to the signature verification performed on the GRUB2 executable, all versions of GRUB2 that load commands from an external grub.cfg config file are vulnerable. As such, this will require the release of new installers and bootloaders for all versions of Linux. In other words, this is not a quick, easy, small fix. Vendors will need to release new versions of their bootloader shims to be signed by the Microsoft Third Party UEFI Certificate Authority. It is important to note that until all affected versions are added to the DBX revocation list, and I'll explain that in a second, an attacker would be able to use a vulnerable version of shim and GRUB2 to attack the system. This means that every device that trusts the Microsoft Third Party UEFI Certificate Authority will be vulnerable for that period of time. Okay. So, as regards the buffer overflow: UEFI does not employ address space layout randomization, execution prevention, or any of the other common mitigation protections that have fortunately become standard in our operating systems. This means that weaponizing this buffer overflow will be trivial for attackers who already have a foothold on the targeted computer to exploit the flaw. Worse. And the key underlying part there: who already have access to the attacked computer. Yes. Exactly. That's why nobody needs to actually hop up and run around in circles and worry about this. Incidentally, I've never installed Linux without turning off Secure Boot, because most Linuxes aren't signed. So, right, it gets in the way. So this would be for enterprise users who are using signed Linuxes and so forth. So, for example, it is Red Hat Enterprise Linux that has been found to have a problem. We'll get there in a second. But I was going to say that GRUB2 is also open source, and we already have full open documentation of the problem. So bad guys, you know, maybe there will be a bit of a race again. Leo, as you highlighted, this requires modifying a config file that is stored in the UEFI, that no one can get to unless they have physical access to the system or already have elevated privileges. So it makes a serious problem worse and persistent, and if you didn't know it, if something got into your system, it could arrange persistence that, you know, a reformat of your hard drive wouldn't resolve. Yeah. That's good.
Yeah, yeah. So we talked about this before, but it's worth noting that thankfully the Secure Boot system was understood, from the beginning, to require some form of truly effective revocation mechanism, not the mess that we have with our browser certificates. So every UEFI system which supports Secure Boot contains a pair of protected databases. The allow DB, which is just called DB, lists the approved components, and the disallow DB, which is called DBX, contains a list of known vulnerable or malicious components, including firmware drivers and bootloaders. So what this means is that all previously vulnerable boot loading components, all of the various GRUB2s that are out there and are signed and are trusted, and are now known to be exploitable, they all have to be added to the disallow DB so that a bad guy who does get this kind of access can't swap out your good GRUB2 for one of these previous bad GRUB2s. So it's a big problem to remediate. And this has to happen to every single motherboard where trusted Secure Boot wants to be used. But Leo, wait, there's more. And it's like, oh my God, more. In response to Eclypsium's vulnerability report, the GRUB2 code came under additional, and as it turns out very much needed, scrutiny. A distressing number of additional vulnerabilities were then discovered by the Canonical security team. CVE-2020, and I'll skip that preamble from now on, 14308: grub_malloc does not validate size, allowing for arithmetic overflow and subsequent heap overflow. 14309: GRUB2 integer overflow in grub_squash_read_symlink may lead to heap-based overflow. 14310: overflow in read_section_from_string may lead to heap-based overflow. 14311: integer overflow in grub_ext2_read_link leads to heap-based buffer overflow. 15705: avoid loading unsigned kernels when GRUB is booted directly under Secure Boot without shim. 15706: script: avoid a use-after-free when redefining a function during execution. And finally 15707, the, what is it, the seventh? Yes, the seventh additional CVE: integer overflow in initrd size handling. So yes, GRUB2 turns out to have had a lot of problems, and they finally came to the security industry's attention. And given the difficulty of this scale, this kind of ecosystem-wide update and revocation, there is a strong desire to avoid having to do this again in six months. So a large effort spanning multiple security teams at Oracle, Red Hat, Canonical, VMware and Debian, using static analysis tools and manual code review, have identified and fixed dozens of additional vulnerabilities and dangerous operations throughout the GRUB2 code base that do not yet have individual CVEs assigned. So yeah, Leo, you might as well have just turned off Secure Boot, because I don't think it was really... Anyway. So what needs to be done now to fully respond to the revelation of this flaw, broadly five things, and don't do them: updates to GRUB2 to address the vulnerability. Don't do that. Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders and shims, and actually they will need to re-update them. New shims will need to be signed by the Microsoft Third Party UEFI Certificate Authority. Administrators of affected devices will need to update installed versions of operating systems in the field, as well as installer images, including disaster recovery media, and don't do that yet. Eventually, the UEFI revocation list, DBX, needs to be updated in the firmware of each affected system to prevent running any of the previously trusted, now known to be insanely vulnerable, code during boot. We never talked about the need for shims, and I've used that term a couple of times. Open source projects and other third parties create a small app called a shim. It works, it will...
It contains the vendor's certificate and code that verifies and runs the bootloader. The vendor's shim is verified using the Microsoft Third Party UEFI Certificate Authority, and then the shim loads and verifies the GRUB2 bootloader using the vendor certificate embedded inside the shim. In other words, it's a means of installing essentially a third party certificate, which is then used by other projects, like open source projects, which are signed by that, so that they're able to, you know, participate in this whole Secure Boot project as well. While it's certainly true that Secure Boot should be made as secure as we can make it, some knowledgeable security industry insiders feel that way too much ado is being made of this whole thing, setting aside the fact that it was also badly broken initially. We'll get there in a second. But we know of HD Moore. He's the widely acknowledged expert in vulnerability exploitation who was the original developer of the Metasploit framework. He told Ars Technica's Dan Goodin in an interview, he said, quote, I argue that Secure Boot is not the foundation of PC security today, because it is rarely effective, and by Eclypsium's own claim it has been easy to bypass for over a year now with no long-term fixes in sight. I'm not sure what the buffer overflow in GRUB2 is useful for, since there are other problems if the grub.cfg is unsigned. It may be useful as a malware vector, but even then there is no reason to exploit a buffer overflow when a custom grub.cfg file can be simply used to chainload the real operating system. He's saying, in other words, if you're going to change GRUB2, why bother with a buffer overflow? Just have it load something else of your choice. So, still, we want GRUB2 to be as secure as it can be, as you said, Leo, for enterprise environments.
And there's an aspect of this that is reminiscent of Spectre and Meltdown, as I mentioned, where the cure is arguably worse than the problem, because Red Hat's patch to GRUB2 and the kernel, once applied, is now rendering those systems completely unbootable. The issue has been confirmed to affect Red Hat Enterprise Linux 7.8 and 8.2. It may also affect 8.1 and 7.9. The derivative distribution CentOS is also affected. Consequently, Red Hat is now advising users not to apply the GRUB2 security patches until these initial issues have been resolved. They say if someone has installed the fix, do not reboot your system; downgrade the affected patches. And if the patches were applied and the system reboot was attempted and failed, users should boot from a RHEL or CentOS DVD in its troubleshooting mode, set up the network, then back out to restore the system's original boot. Additionally, first reported in Red Hat Enterprise Linux, apparently related bug reports are now rolling in from other distribution families as well. Ubuntu and Debian users are reporting systems which cannot boot after installing the GRUB2 updates, and Canonical has issued an advisory including instructions for recovery on affected and no longer bootable systems. So it's certainly good that the GRUB2 code got a very clearly much-needed close examination, with many fixes. I mean, dozens. But this particular problem requires, as I said, the grub.cfg config file to first be somehow maliciously modified. Doing that would require physical access to the system or elevated privileges, and at the moment, updating to fix this might render one's system completely unusable. The obvious advice, since the sky is not actually falling, would be to wait a while until all the dust from this settles and the various kinks have been worked out of the process.
Then have a leisurely update and know that a bunch of potentially exploitable flaws have been fixed, and that's a good thing. But again, it's nice to hear, Leo, that you're not running with it. No. With Secure Boot turned on, because of course that's also a problem for SpinRite that I will have to be dealing with at some point. If Secure Boot ever actually becomes an issue, you know, I will need to be able to get SpinRite to boot, either that or to have a user briefly disable it if it was enabled. But, you know, I'm also seeing the same thing. Nobody's running with it on, it's just in the... And if you buy a Windows machine and you don't do anything, it's going to have Secure Boot. But no Linux user would, because... no, I mean, I guess in enterprise there are signed versions of Linux. But why should I take my version of Linux to Microsoft to get it signed? So I can... It doesn't make any sense. For a long time we thought Secure Boot was a conspiracy by Microsoft to damage Linux. No, that's not true, but... Yeah. I just turn it off, usually. Most of the time it's easier to install stuff that way, and I'm glad to hear that. Secure... that's pretty funny. Wow, that's interesting that you can't, because you need to boot up clean to run SpinRite, right? So you would need a signed version of FreeDOS. Well, you're not using FreeDOS anymore, right? You're going to boot directly. Yeah, the UEFI version will boot natively. Right. So I would, you'd have to sign... I'll either get it signed, I mean, it's probably very much like the driver signing process we have now. As we know, Windows 10 requires signed drivers, right? And I have a driver that I created as a little side project for Lorrie, that needed to run under Windows 10. So I, you know, got myself certified and got a driver signed so that it would run under an unmodified Windows 10 system. So I imagine it's sort of like that. I'm sure I will be able to do that.
It's like getting an extended certificate or something. It's really just... And I may be able to do the same sort of shim thing, where I get them to sign my CA, which then securely boots SpinRite on the system. Right. So, right. And there are a lot of Linux users that don't use GRUB to boot. There are other boot manager systems. There's a very popular one, right? I think GRUB is kind of probably fading away. Boy, it got, I guess, a dearly needed security update. Wow. Ooh. rEFIt, also popular. All right, my friend, that's it for today. Good job. Your little boot with a hole in it. Steve Gibson does this show every Tuesday. I usually show up about 1:00, 1:30 Pacific, 4:30 Eastern, 20:30. Now that you're grounded, Leo, I ain't going nowhere. That's right. I'm here, man. You can join us live if you want, watch us make the show. That's easy enough. All you have to do is go to twit.tv/live. Live audio and video streams from a variety of sources there. Pick the one you like. No more Mixer, but we still have others. You can also get the show after the fact. You've got sixteen kilobit audio. You're going to stop doing that, you said? No, I think it's... it's not popular. Yeah. He also does the transcripts, too. Great. And of course, sixty-four kilobyte audio. So those versions are all at GRC.com. While you're there, pick up a copy of SpinRite. Hey, it couldn't hurt. Great system recovery tool, hard drive recovery and maintenance utility. Everybody ought to have it. And if you get it now, you'll be ready for 6.1 the minute it comes out, plus all the interim releases Steve's working on. Somebody says your next release will be, what would they call it, something to bypass boot, right? Steve's next program fixes Secure Boot issues. I like it. BootRite. GRC.com. We have the show also, audio and video, at twit.tv/sn, and it's also on YouTube.
You can subscribe in your favorite podcast application. That'd be the best way; that way you'll get it the minute it's available, each and every Tuesday afternoon. Thank you so much, Steve. Have a great week. Stay safe. See you next time on Security Now. Hey, what's going on, everybody? I am a host at TWiT.tv. Got a question for you. Have you gotten tired of how bad your photos are looking every time you post them on Instagram? Have you gotten yourself a new camera and you can't quite figure out why images just don't look that good? Well, the solution for you is my show, Hands-On Photography. Each and every Thursday I sit down and share different tips and tricks that are going to help make you a better photographer and a better post-processor. So subscribe today at twit.tv/hop to learn more.