SN 781: SpiKey - Ransomware Hits Jack Daniel's, Iranian Script-Kiddies, How Ransomware Happens


It's time for security now, Steve Gibson here coming up what are the University of Utah Jack Daniels, and Carnival cruise lines have in common Steve has the answer. We'll also talk about the number one way ransomware gets on your system. It's not what you think. Steve. Has An explanation, and then we'll take a look at an amazing bit of research showing how you can. Pick a lock. Just by listening. It's all coming up next on security now. Security now comes to you from twits. Last pass studios securing every access point in your company doesn't have to be a challenge. Last pass unifies access and authentication to make securing your employees simple and secure. Even when they're working remotely checkout last past dot com slash twit to learn more. Long. PODCASTS you love from people you trust. This is. This is security now with Steve Gibson episode seven, hundred, Eighty, one recorded Tuesday August twenty fifth twenty twenty spiky. This episode of security now is brought to you by what Sabi hot cloud storage thinking about moving your data storage to the cloud was Saab is enterprise class cloud storage at one fits. The price of Amazon S. three and faster than the competition with no fees for Egress or API requests and no complex storage tiers started free trial was Sabi Dot Com and the code security now. And by security scorecard, security scorecard helps enterprises managed digital threats with a three hundred sixty degree view of cybersecurity health through a single pane of glass to learn more and sign up for your free account visit security scorecard, dot, com slash twit. And by extra hop, extra hop, keep your business secure available with SAS based cloud native network detection and response. Learn more about how extra hops stops reaches seventy percent faster and experience the free trial for yourself at extra hop dot com slash security now. It's time for security. Now show recover your safety, your privacy or security online with our major Domo the man in charge Mr Steve Gibson Steve. Does lay. Oh, good to see you. I, did confirm. Yes. This is the launch of year sixteen wow. It was August nineteenth which was last Wednesday. Of Two thousand five, that was our our. Maiden voyage on this journey that. You proposed fifteen years ago. Thank God, you didn't have a crystal ball. Because this has been should be at Leeann you're one of my longest long latte longest lasting relationships. Same here. Same here that I've never cheated on you Steve Not. Once. They're. Okay there have been others yes I. Know there have been others. I've been able to share those experiences wells. That's true. Relationship coming. We're going to be doing a an event. In jeopardy celebrates diversity months. Tober for Bob, we'll have details and kill then. We have a little bit of a play on words. That's not my play on words. It's there's. Spiky S. P. I capital K. E. Y. we're going to talk about a an incredibly cool bit of technology An opportunity to sort of. Step back a little bit and look at the landscape of. Of the best this whole like. The low tech meets high-tech essentially, but we'll get to that I. WE'RE GONNA talk about. A new chrome, remote, code, Execution Flaw, which happily People will be patching when they moved to chrome eighty five I forgot the look and see whether I want eighty-five today supposed to be happening today. We also have some interesting news of three new ransomware victims. Some two of the three very well known an emergency patch from Microsoft and a little bit of the backstory around that. The emergence of amateur remote desktop protocol exploiters. And weirdly coincident with this podcasts fifteenth birthday which occurred. Was it last week or this week anyway. I get. These BS zero based or one based issues or a constant source of programming bugs and also brain bugs for me. Anyway the fifty, th birthday of the Zero Day initiative? Actually, I guess it would have been last week because there's happened one day after hours. The has the world's first null terminated podcasts so I understand confusion. Yeah. Yes. Very good. We also have I found a finally a good windows ten garbage wear remover that I'm going to talk about I'm going to offer some recommendations of several of my most. Successful Remote Networking Utilities we've got a bit submit a bit of miscellany some spin right news, and then we're finally going to examine a really terrific new high-tech hack against low tech locks and keys, and of course, we've got a really good. Funny very funny picture of the week after week. Yeah. Yeah, and also apropos. Great. I'm excited than other great show in the offing. Before, we delve into those mighty matters. Let me talk a little bit about something. Very hot. was. Not. The Sabi horseradish that you have with your Sushi though was Sabi hot cloud storage that I am such a big fan of you know and I admit. I'm a little prejudiced it was founded. By two of my great friends specifically David. Friend who was the CEO of Carbonite but he's a serial entrepreneur going way back two days designing the ARP synthesizer working with stevie wonder he's really an amazing fellow. One of the things that he and Jeff came up with in the early days of their research was a way to write too hard drives sequentially instead of sector-by-sector patented then and it it's actually was how Carmen I started and now with Sabi it, it turns out. That's a much faster and a much more efficient way of rain into the disk, it saves them money. So that saves you money they pass the savings onto you was Sabi. Cloud storage is a perfect alternative for anybody who says you know we're going to buy more on Prem storage effect we're going to get a certain amount every week every month every year from now on. That's very common because you look at Your Business you're cranking out data at a fairly consistent pace, and in many cases, you need to save that data for a long time that means either buying on prem storage or finding something better. That's was Sabi. Saudis eighty percent cheaper than Amazon s three. It's significantly cheaper that on prem storage even in fact, typically you can store data and with Saba cloud. For less than just the maintenance fees. On that storage if you bought the drives if you had it on premises less than the maintenance fees alone was Sabi is a really great proposition. It's also a lot faster than Amazon s three and it's compatible with s three because it it, it supports the S. three API although unlike Amazon was sobbing never charges for API access, they also don't charge for Egress and that's another big savings. A lot of times you store data in the cloud and you say that was a good deal and then you forget that it's GonNa cost you to get that data back never with Sabi. Sabi really kind of amazing but I know what you're thinking. You're saying, okay finally. Oh but with on prem storage at least I, you know that storage is sitting right there. It's safe and secure I. Would I think you're thinking very strong argument the data stored in the cloud is actually safer. And more secure eleven, nines of durability. That's that's as good as you can get that means you know if you do the math on average, you lose one file, every six, hundred, forty, nine, thousand years but you know what? You're not even going to lose that because it's hosted Premier Tier, four data center facilities that are redundant. Of course, highly secure as well, which means Oh and I should throw in one extra thing was Sabi does regular integrity checking where all objects stored at checked every ninety days? So if one bit goes missing. Don't worry it's redundant. You've got another copy of the data on another tier four data center or maybe two or three so you can always get it back. So you just never gonNA lose data. It's also more secure because it's securities turned on by default even if you don't specify encryption. All data stored in the SABA cloud is encrypted while at rest fully encrypted they follow industry best security models and design practices things like access control mechanisms bucket. Policies, access control lists. And I love the feature I think this is such a great feature. All data can be designated. Any data can be designated as immutable. You can say this is immutable I can't erase it. I can't change it without jumping through hoops. Obviously you can. You can turn it off, but it's not easily accessed, and that means it's it's protected from hackers from ransomware from you know the human error. That it's better than on Prem, less expensive, but better than on Prem, and now if you know, you're going to be getting a certain amount every every month for instance, you can take advantage of a new. Way To pay. You can pay as you go. They have a simple flat fee. Or you can pay with reserved capacity storage. which. Means you know I'm GONNA use this much every year you can reserve that much in one three or five year increments. You will get bigger discounts for longer terms and more capacity. So it is getting a discount because you know you say, yeah going to be using this much for this long. That's fantastic. It's another way we Sabi says if you're an MSP and you resell storage, this is a great choice for you. You'll actually sell more because and make more you'll be charging and you'll be making more. That's how big the price differential is. It's completely compliant with every industry FENRA CJ I, S it's hippo compliant. This was Sabi is highly secure disrupted technology. This really turning the storage industry on its ear, calculate the savings for yourself start a free. Trial Right now, you can try it for a month. GO TO WITH SABI DOT COM click on the free trial link, enter the code security. Now, Bang on it for a month absolutely free thing go the bosses say look boss we're going to save eighty percent we're going to be up to six times faster and maybe you've never heard of it maybe you know you say well, what about Amazon as your Google Cloud? No, you gotta you gotTa try this was Sabi. It's on a mission to tell the world W. A. S. A. B. I. Yes, spelled like the green stuff when you're Sushi but it's not join the Movement Migrate Your data to the cloud and do it with Confidence Sabi Dot Com free trial waiting for you offer code security. Now, take advantage of this is a great way to save was Sabi Dot Com. Thanks so much for supporting. Security. Now, in the whole twit network, we're big fans. Picture of the week. So. Yeah. It's a four frame cartoon. The first one shows the very familiar internet explorer ee. with some weird black shrouded hand skeleton hand. Trying to pull it off. Screen. and. That hand gives up and sort of breaks free. And then we see in the third frame that we have the grim reaper. And Grim reaper is saying Let's see Oh in the first frame. It says it's time to go and. The Internet explorer resists apparently and so then he then. The grim reaper. Has Go. And the fourth frame is Internet explorer is not responding. Very. Familiar. Chest with familiar to us all the grim reaper is puzzled that. Unable to. Remove. It. And this was apropos something that I I meant to talk about last week but didn't. Because it just under a year from now on August seventeenth of twenty twenty. One. The use of e eleven our last I e will no longer be supported for Microsoft's online services like office three, sixty, five, one, drive outlook and more, and of course, this is significant. We often hear Paul and Mary Jo talking about how corporations have built I E in by as A. As a component of their infrastructure with like custom APPs and things that's all glued in and they've got a year until you know it really stops being supported and also Microsoft will be ending support for I e eleven with Microsoft teams web APP later this year and all support ending. On November. Thirtieth. So you know the clock is ticking and corporations really need to be looking at at. edge. Now I don't know whether the I e. eleven compatibility mode built into edge will continue or not. But for what it's worth standalone I e in Oh sooner or later the grim reaper is GonNa is going to succeed, and then back that grim reaper may actually be named. Microsoft. Google chrome users should today. Be Moving to chrome eighty five most users don't need to do anything, which is good. It just updates itself. But this will fix a potentially serious remote Code Execution Vulnerability in Crumbs Web gl rendering engine. It's a use after free read flaw which was discovered by Cisco's Talos Security Group and it was responsibly reported to Google more than three months ago back on May Nineteenth Google quickly put the fix into their early release cycle in the in the Dev and the Beta. Channels of just a couple of weeks later in early June. And the stable channel, which I and most of US use is. Expected to be receiving that fixed today when chrome mouth from eighty four to eighty five I looked last night I was on eighty four I actually could look right now come to think of it because I got chrome right here. Let's see. About And Jackie O updating. Google. Chrome. Yes. I still on eighty four in a few moments I will be on eighty five. So you may need to go to help about to give a little kick that sometimes is necessary and then. It right it will. It will. And if you close, it will ris up but most of us never closer browsers that's right I. You know for me Fire Fox has just opened statically and you need to go to help about and then it goes ooh Yeah. Thanks for asking and then updates itself and and sometimes needs to do a a typically need needs to close and then reopen with all cabs surviving fortunately because as we saw last week I need all of those thousand tabs that I have open, not a thousand but. It has a scroll bar. So yeah. Wouldn't fit on one screen. So what do the University of UTAH? Jack. Daniels. Whiskey. And Carnival cruise lines all have in common. Well Friday last last Friday. The University of Utah revealed that it had paid a ransomware gang four, hundred and fifty seven dollars. And fifty nine cents. Four, hundred, Fifty, seven, thousand. Yes I got that would have been. Four hundred and fifty, seven, thousand dollars and fifty, nine, hundred, and fifty thousand. Fifty nine dollars. which sort of begs the question or they get that number? Now that I finally got it out correctly, it's probably bitcoin. Nine dollars like half a million bucks. It's like the Bitcoin version thing they probably would. Yes somewhere. BITCOIN that turned out to be that. And what's interesting is that was not to obtain the decryption key for their files. They didn't need it because it turns out that very few of their files were encrypted but rather her and Leo I know this goes to you know the thing that were you just kind of like. Grit your teeth to purchase the promise. From the extortionists. That the student information that had been exfiltrated beforehand while. Yeah that's not be publicly released your Seymour. One this is big. Yeah. Yeah. They're they're they're just they're hoping that the there is honor among thieves and that these guys will keep their word in senators. Word is that if if you want others to pay you yes. That's it. Exactly. If, of course, ransomware gangs or not all the same but and didn't we hear no, it wasn't It was cannon that had some information leaked last week that we reported on and so so Lawrence over at bleeping computer has said that you know they assumed since the jetsons cannon got themselves back up relatively quickly that they had paid the ransom. But now since the extortionists in that instance were leaking the information, maybe cannon had restored from backups and said, Nah, we're not paying your stinking ransom and the bad guy said. Here comes your You know your your private corporate next decade plans for the future. How do you? How do you want that? How how do you feel about that being leaked? Anyway. So the in this case University of Utah explained. That it had dodged a major ransomware incident and that the attackers managed to encrypt only zero point zero, two percent. Of the data stored on their servers. And the university staff was easily able to restore that from backups. However, the ransomware group then threatened to release student related data see they had obtained and exfiltrated. So, the university said after careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventative steps to ensure information was not released on the Internet and again to the extent that such. Can Be ensured. The Cyber Insurance policy pay part of the ransom, and the university covered the remainder no tuition grant donation state or tax payer funds were used to pay the ransom thought that was an interesting explicit statement that they made. They said, the university disclosed that the attack took place a little over a month ago on July nineteenth twenty twenty and the network belonging to the Collar College of social and behavioral science was the victim. So Apparently A. A you know as a sub set of the. Entire Larger University. was where the break in occurred and there must have been some isolation there. So anyway, that is one of the three and presumably they were able to negotiate a cheaper payment in order to you know because they hit the bad guys hadn't managed to get. The bulk of the of the university stuff. But you know they did pay for they promised to not share student data, and as you said Leo, the reason that would be honored as well as you know, nearly half a million dollars. And they want to do. Yeah exactly. You got to build your credibility. Exactly And two other large and notable recent ransomware victims were Brown forman famous for their distillation of Jack Daniel's Tennessee whiskey. And Carnival cruises. The Jack Daniels folks said are quick actions upon discovering the attack prevented our systems from being encrypted. Unfortunately again, we believe some information including employee data was impacted. We are working closely with law enforcement as well as world class third party data security experts to mitigate and resolve this situation. As soon as possible, there are no active negotiations so. In that. So that says it sorta sounds like. Oh, in fact, a that statement from Brown forman came after Bloomberg News reported that it had received an anonymous tip of the ransomware attack a site on the dark web claiming to be run by members of the reveal strain. A ransomware says that it had obtained a terabyte of data from the Louisville Kentucky based. Brown. Foreman the site said that stolen data included contracts financial. Statements Credit Histories and internal correspondence of employees also included were screen shots of file structures documents purportedly taken during the heist. So does look like the pattern we're seeing now is because you know major companies that have the deep pockets who also have the pocket depth to now proactively backup their servers well. So it's possible for the for if if the only thing done was encryption. A golden opportunity to extract a ransom could be thwarted if the if the good guys have backups at. So now what's being done is That data pre encryption is being exfiltrated and stored somewhere. Then the data is encrypted and so we have you know we're we're we're increasingly seeing this two part attack exfiltration that the company desperately does not want to be made public. In case they have backups in which case, they would not otherwise need to pay the extortion. So you know it's not really ransomware as much as it is. Okay. We got copies of all your stuff. Shall we share it with the world? PLANO blackmail. Yup. And as Carnival Corporation, the operator of the world's biggest cruise lines, they disclosed that they were hit by ransomware attack provided that provided unauthorized access to personal data of passengers and employees that could be back exactly passport information as well as s address name birthdate I don't know if they collect socials but boy that's. A lot information they have and credit card numbers. Of course I'm do they have passport information because they're dare cross they're taking the cross. country. Unless it it's very rare that a cruises just within one nation If you're going to another country they they collect your passport so they have they have. Screen shots of it. I mean they physically. Ill, they hold it while you're. Yeah Wow. Yeah. So Identify I've been many of their. Cruise lines. The talent America or was one of them out and that was a Holland America. seaborn was a recent cruise of mine and of course, carnivals a big one in an offer. That's right. They own a lot of the cruise lines will, in fact, you said like the whole Cruise Modell, we love cruises we won't be going on ninety times. More the day. Yeah. I look back on that with nostalgia and affection. The good old. Yeah. I was actually talking to my buddy Mark Thompson whom you know he's launched at a little project to provide air quality monitoring in real time to health clubs or he he must. That's great. Yeah ran and in fact I don't know how much of this I I can talk about. So I'll say. I just realized but we were talking about the air quality in cruise lines as opposed to. Airliners and it turns out that it's like the air is fully completely exchanged on an airplane very often right but not. So on a cruise line, which which deliberately maintains a closed cycle system because they because the external air is often not what passengers wannabe be breeze mug no control over humidity it's subtropical or whatever. Although. The lines on the small ships I go one we always have a balcony windows we can open and we always eat outside. So I'm not worried about that. But yeah, I would imagine some of those big ships you're not breathing outside air ever no yeah. No. Yeah, and so it is internally recycled and not of the highest quality. So Anyway Carnival said they had not yet identified, which of their many subsidiary lines was breached but because are publicly traded. They did need to disclose to the US Securities and Exchange Commission. The nature of the attack in their regulatory filing, they said based on its preliminary assessment and on the information currently known in particular that the incident occurred in a portion of a brands information technology systems. The company capital C. does not believe the incident will have a material impact on its business operations or financial results. Nonetheless we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies although we believe that no other information technology systems of the other companies brands have been impacted by this incident based upon our investigation to date there can be no assurance that other information technology systems of the companies brands will not be adversely affected. So a you know a CYA statement floor the for the regulatory requirements. which brings me to an interesting set of reports that were just released. Certainly, we all likely agree that a ransomware attack is the last thing any company wants given what we keep seeing. So. The question is how exactly are these occurring? The traditional answer has been phishing email. which hooks some well meaning but unsuspecting insider. Well while fishing email is indeed a popular entry-point veteran. These three recent reports from cove wear emphasis soft. Yeah M. I keep tripping over that emphasis M sis. Yeah M emphasis soft and recorded future. Clearly show that fishing actually takes a backseat to our old friend RDP, and I have a chart on page two of the notes. which is really interesting. This is a it's a ransomware attack vectors. Over time and. It would be a pie chart except a pie chart can't show. Percentage change over time. So this is a line chart from fourth quarter of twenty eighteen through the second quarter of twenty twenty. So Up to current. which where it's showing that percent of. Of cases. Of RTP, compromise email, phishing, software, vulnerability, or other. So it's it's like a pie chart varying over time. So consequently, for example, at in in the fourth quarter of two thousand eighteen by far and away the majority of the attacks. Looks like maybe just eyeballing it maybe eighty five percent were RDP. That down as a percentage can as eight. This makes is That big a problem. Yes, it is yes holy. and. These guys provide the raw data to back that up and it's windows RDP right? It's Microsoft Windows is a yes. Windows is one hundred percent RDP. and. So so email phishing did come up as a percentage which pushed the percentage of our DP down but it's holding it's own, and then of course, what happened in the Dow in Twenty Twenty and twenty? Well in the first and second quarters of two thousand twenty is due to that that Cova D- And the the the dramatic increase of hastily brought up RDP services in order to allow remote access s that began you know that essentially began fighting with with email phishing as an entry point. So those are the two but. Email phishing never even reached parody with RTP. It's it's it's gone up and down, but RDP is holding its own which I think is one of the one of the things that I it's GonNa spend some time talking about here in their report emphasis soft explained what's happened this year they said in recent months, organizations across every sector have come to rely heavily on remote desktop protocol to maintain business continuity while respecting social distancing and back up a little bit Leo, just to address your your your your comment remember that. There have been a series of really bad. Authentication problems with RTP. Don't they use VPN's and other solutions WHO's using? E. That's there are eighty, eight, hundred, thousand, eight, zero, thousand exposed RTP services on the Internet. It is absolutely crazy but they're just assuming that you know Oh. Yeah you know it must be secure because Microsoft says we can turn it on well. Microsoft said that once about Windows Printer and file sharing Cemil how that mean Barracuda in their ad says ninety one percent of all. ransomware attacks comes through a phishing email spear phishing emails, and everyone I heard about is a spear phishing email I can't imagine canon or carnival or any of these people's using RDP. That's crazy. In. In terms of number I'm sure it's the smaller guys that are deploying that technology that they need to. Anyway so so MC soft said however the rapid shift to remote. To remote working has also provided a unique opportunity for ransomware groups. Threat Actors predicted that many organizations would not have the time or resources to securely implement RDP during the mass transition to working from home, and as a result may be vulnerable to compromise. They were right according to a McAfee report, the number of Internet exposed. RDP. Ports grew from approximately. Oh, boy I under buy low balled it. From approximately are you sitting down Leo? Three, million in January of two, thousand, twenty, two more than four point, five, million in March so. In. In less than three months. An additional one and a half million additional RTP ports became publicly exposed. Later. In their report, they note that while the threat is not new and of course, as we know all too well on this podcast. The global shift to remote working has revealed many organizations do not adequately secure our DP and that the bad guys are taking advantage according to a report by Kaspersky. At the start of March twenty twenty, there were about. Two hundred thousand daily brute force. Attacks in the US. But by mid April just six weeks later. That number had grown from two hundred thousand to nearly one point three million brute force attacks per day. Now today RDP is added as the single biggest attack vector for ransomware. So. So, all of these four point five million RDP ports are publicly exposed and they are being actively attacked and and what is to me shocking is that Even, now Microsoft has not stepped up and offered better security. and so you know, of course, this obviously underscores the point I've been making, which is that RDP simply cannot be safely exposed to the Public Internet. And there are two reasons It's no longer sane to trust that Microsoft hasn't or won't make a mistake in their prevision of the RDP service they've done so over and over in the past, and as we'll be learning in a few minutes, they just released an emergency patch for two more privilege elevation flaws in windows remote access service, which is what RTP as part of. The second reason we cannot trust RTP is that its native authentication mechanism are pathetic I went looking for something that I that I thought I might not know about RDP authentication thinking Microsoft had must have fixed this and I found a a very recent. It was only a couple months old best practices advisory from Microsoft on securing our DP authentication it amounted to be sure to use a strong password. There is zero multi factor support for RTP, which is unconscionable. There are multiple third parties who have responded to this need created by Microsoft by creating their own much more secure RDP gateways which are laden with authentication features so You know if you don't feel like rolling your own solution and you do have money to burn because none of these third party solutions are inexpensive. You could simply throw some money at the problem and by yourself. This much-needed security. or You could get a bit clever and roll your own. If the clients you have connecting have fixed Ip's. Restricting access to the RTP port from only those Ip's is an immediate proven fast insecure solution. If. The IP's are largely fixed as with the typical residential broadband service the use of A. DNS solution can allow for tracking their infrequent but possible changes. And typical changes may be so infrequent that updating the access firewall from dying. DNS. Doesn't even need to be automated I i. know that the you know the IP's that I maintain in my two locations. They're essentially static they. They haven't changed like in years. But if highly dynamic roaming access is needed, then no form of IP based access restriction will suffice. This lifts the requirement for authentication from the network layer to the application layer again, history teaches. That what we must avoid is public access to an RDP end point just there's no safe way to protect it we can't trust Microsoft and we can't allow for this brute force brute forcing of our authentication. You know one point, three, million attacks per day is ongoing right now. So that requires the use of something in front of the RDP an point I've talked about using a VPN offering some form of. And That we're the VPN offer some form of strong multi factor authentication either a time based one time password or certificate based but I wanted to add another option to the pot. By noting that SSH is widely available. Almost off all almost always offers the very strong authentication options that we're looking for and it can be used to tunnel RDP. In fact, if you Google tunnel RDP over SSh, you'll be rewarded with all the suggestions you might need and for all os platforms. The only. As I was thinking about this, the only theoretical downside is that as a purist both RDP he an ssh used TCP long ago when we were first covering the operation VPN's in this podcasts. Deep. History I noted that there can be some tunnel confusion when t C. P. is tunneled inside. TCP. Since then you have two sets of TCP's error recovery and packet retransmission. The theoretical optimal solution is for the VPN tunnel to use dumb old you DP packets and for the tunneled protocol. for for an to use UD packets for the tunnel protocol and then RDP, over TCP, which is carried by the UDP tunnel. So that way the RDP's TCP. Protocol. Handles any packet losses and re transmission, and those are carried over UDP. I did find some SSH UDP tunnelling systems, but there is so much apparent success with simply tunneling RDP over standard SSh TCP tunnels that it appears my theoretical concerns be nothing more than that just theoretical. So anyway, I wanted to propose another option to the need for somehow hiding RDP end points from the outside world. It's clearly necessary to add some other layer of security in front of RTP. Somebody in our chat whose company uses it say this they use a proxy server in front of it. So it's not publicly available IP address. Yeah which makes you just have to hide it yeah. And I'll I'll. I'll mention one more Microsoft issue and then we'll take our second break last Thursday. Microsoft issued an emergency out of cycle update for Windows eight point one, eight point, one RT, and windows server that the matching server instance of a point one which was Windows Server Twenty twelve are to. The emergency update patches a pair of recently disclosed security vulnerabilities. I have a link in the show notes because. From my reading of this doesn't look like this is going to be an automatic update maybe they'll roll them out next month. What's interesting is they're both high severity privilege escalation vulnerabilities residing in the remote access service, which is obviously a particularly vulnerable area of a server. Interestingly, both of these vulnerabilities were patched as part of the previous weeks August patch Tuesday. But that was for windows ten windows seven for those on extended support and Windows Server two, Thousand Eight, Twenty Twelve Twenty Sixteen Twenty nineteen and windows server versions nineteen o three nineteen o nine and two thousand and four systems in other words everything other than windows eight point one and its corresponding server twenty twelve are too. So as near as I can determine. That these patches for those two operating systems just weren't ready in time to make you know whatever quality control. If any Microsoft is applying to the monthly patch cycle. But at the same time, they were critical for Microsoft to leave them hanging since somebody examining the patches and we now though that, no, that happens somebody examining the patches for the other. Oh S.'s could probably figure out what it was that was fixed and note that they had not been fixed in Windows Server Twenty twelve are two and then perhaps. Go attack it. By reverse engineering what had been fixed in all the other platforms. So as I said, it may be that they need to be manually patched and installed. It wasn't clear. Assuming that they'll be part of next month's patch batch. I would say that end users probably don't need to worry because you know windows eight point one probably doesn't have. Any remote access services publicly exposed in the typical end user environment behind a NAT router. So Unless you're were unless you're actually running windows server two, thousand, twelve or two you probably don't need to worry. But if you are I would sir I would certainly think that worth going to get that or making sure that it isn't already updated. Microsoft. This covert I think tells you why it's so big because is one particular kind of ransomware phobos that focuses on RTP and it's ransomware is a service. Oh, any idiot. And and all the credentials are available online for pennies. So any idiot can go either do a show Dan or get some credentials, and then you don't have to know what you're doing whereas any spear phishing attack anything more sophisticated is gonNA take a lot more effort. So is low-hanging fruit. You probably don't make a lot of money with it. You know these are the hundred dollar two, hundred dollars three, hundred dollar ransom. Back half-million. Yes, and in fact it that you what you have just said is exactly where we're headed right after our second break and I even use the phrase low hanging fruit because Yeah Yup now I understand it doesn't counter intuitive. But of course is not because lots of people who don't know what they're doing or putting RTP. Out in the public which xactly. So When there's so many better solutions out there. But it's you know it comes with windows way you know it's available. Why not? And turned on yeah. Wow and then they're using monkey. one-two-three is the Password I. Mean Saturday the same people, right? Johnny Buddy. That's my. of course, you're getting bit it's. On the first. Not Very lucrative. Wow. You're. You know if you really want the money, you're going to go out and. Find a company and target them and take some time, and then that's when you can exfiltration data do all those fun things. you know. Make a lot more money I would imagine. Wow. Wow. I can't believe that in this day and age. That's that's what's going on. That's why you need the security scorecard our sponsor. Not only you want the security scorecard on your company by the way, we gotta be which I'm pretty happy about You're going to want to get a security scorecard for any company you're doing business with because as we know, that's part of the problem. What was it? Was it a target the got attacked because their HVAC partner had access to the network, and so somebody hacked the maybe the HVAC guys using RTP they hacked the Hvac guy and then got into the bigger breach. You you. You're you're giving people access to your network. You're paying people you're using people you want to check their security scorecard. It's the global leader in cybersecurity rankings. The only service that is continuously rating one and a half million companies. So it almost guaranteed if you go to security scorecard. By. The way that security scorecard dot com slash twit. If you go to security scorecard and look up an organization, you'll be able to see their scorecard right there. Because, they're rating everybody. This is their mission is to empower every organization with collaborative security intelligence. Because you're only secure is the companies you work with right? So for us, it was important. We ran our security scorecard and it gives you details on why you scored lower in certain areas. By the way, we are fairly highly ranked among businesses that are in our business, but I still I didn't want to be, and so we went and we fixed the problems associated. With with the lower ranking, squeak an F. in one score, which was APPs, and that wasn't much. We can do about that actually. But but at least we know where the weaknesses are. So security scorecard is a really great idea. Give you a three hundred sixty degree view of your cybersecurity health through a single pane of glass there patented rating technologies used by over a thousand organizations for lots of different reasons self monitoring, of course. Just as we did, you can evaluate your organization cyber security risk using real data driven objective and and continuously updating metrics. The provide visibility into your information security control weaknesses right. It's also good though for third party risk management, you can see how any company you want to do business with partners. Vendors. Suppliers are treating their cybersecurity enhance how they might impact you you wanNA value at all the risks and your ecosystem. It can also allow companies to fix and find security risks and vulnerabilities across their sternly facing digital footprint. It's also great because it's so easy to read. They use those letter grades, ABCD NF just like you learned in school, everybody understands them. So it's great for board or executive level reporting. It's great if you're getting cyber insurance underwriting in the insurance space very useful. Everybody likes this idea that you can get the grade. And by the way companies with the C. D. or F.. Are Five Times more likely to be breached and I don't know I have to check. But I bet you anything they look at RTP I'm sure they would. The data's used to calculate scores across ten key risk factor groups. Things we talk about all the time on security now patching cadence application security DNS health. Network security endpoint security, you may be using individual tools, individual areas DNS health is always one that we talk about, but this does it all. And you get a great in every one of those ten key risk factor groups. So, let's companies easily understand and continuously monitor. Their cyber security posture in the posture of the people they deal with. And then there's the security scorecard atlas. which is the leading cyber security questionnaire invalidation solution cut through the questionnaire noisy could find your score. And make your. Business Cybersecurity it's a centralized platform leveraging machine learning to automate the cybersecurity questionnaire exchange process for senders and receivers. I actually didn't know anything about this but I've learned about this since this is one way companies work with other companies with a cybersecurity questionnaires. They've got a great process for this, which makes it two times faster. It makes it more accurate and most importantly that makes it more secure. Security scorecard is atlas is the only platform in the market that instantly maps out cyber security rating data, individual responses. So you could see immediately they're great all the way across the board you get a real three, hundred, sixty degree view of the risk you're taking on you can also cut the questionnaire cycle in half. Because, they've got twenty plus industry standard questionnaires. They also have accustomed question here wizard. So it's easy to create these questions. You can collaborate easily and securely with your team and with third, parties. Look security scorecard was founded with the notion that every business. Has a right to its own security rating. That's why they give these away. You can get yours right now in fact, you can check the score of your business up to five others at security scorecard dot com slash twit absolutely free best product security ratings twenty by twenty twenty Se magazine, they just got that award. The combined power of security scorecards, ratings, and their atlas gives organizations. A A three hundred sixty degrees of cybersecurity for company in the world there's or the companies they deal with and get the score of Your Business and up to five others right now to learn more sign up for your free account security scorecard, dot com slash twit he at least should check your company right now security scorecard dot com slash twit. If you're doing business with other companies, you can't say you guys secure. Yeah we're secure. Okay. Good. No. No you need security scorecard, security scorecard, dot, com, slash twit This is one letter grade. You're really gonNA WANNA find that. back to the show we go with Mr Steve Gibson. So speaking of low hanging fruit is Iranian script kitties are using RTP to deploy the Dharma ransomware. This was some interesting and disturbing research by a group known as group one be I'm sorry I, Be Group B. they detailed the collision of RDP and ransomware the explained that apparently like from all the forensic evidence, these look like low skilled hackers will explain why in a second likely from Iran have joined the ransomware business targeting companies and Russia India China and Japan. They're going after the new low hanging fruit represented by casually or hastily deployed RDP servers using publicly available tools. The group is deploying the Dharma ransomware and based on the forensic artifacts of the attacks it appears to be. A non sophisticated purely financially as opposed to example, politically or state level motivated group, which is new to cybercrime their extortion demands range. They're pretty modest from one to five bitcoin, which puts it at around eleven thousand, seven, hundred up to maybe sixty thousand dollars and they locate targets. The old fashioned way by scanning Ip address ranges for exposed. Remote desktop protocol RDP and points. Their tool of choice is a freely available open source port scanner called Mass Scan we've talked about before. once they've located a potential target they which is to say they found port three, three, eight, nine, open they launch a brute force authentication attack using another tool NFL brute, which is a utility that simply repeatedly attempts to authenticate against RDP using a list of username and passwords attempting to find a combination that works if they get in they sometimes attempt to elevate their privileges by exploding old vulnerability which exists in windows seven through ten. And researchers at this. Company Group. IB learned about the new group A couple of months ago in June during an incident response engagement at a company in Russia that had been attacked based on that forensic analysis and the artifacts from that, they determined that the attacker to probably be a Persian speaking newbie. The the conclusion is supported by clues from the next stages that they found of the attack. which appear to lack the confidence that you would expect from an actor who knows essentially what to do once they've gotten in. I be. Like Oh. What are you recommend? Group IB wrote interestingly, the threat actors likely don't have a clear plan for what to do with the compromise networks. Once they've established the RDP connection, they decide which tools to deploy to move laterally. For instance, to disable Bilton, a software, the attackers used defender control, and your uninstall her. Who which are you know? Tools available sort of generic in order to to get done what they want nothing sophisticated they're. Further evidence that the operation is the work of a script Kiddie from Iran comes from search queries in Persian. To find other tools necessary for the attack like, okay. Let's see. What should we search for? Now to probably twelve year old. US anyway those those searches were were turned up in Persian language telegram channels which provide those tools or. The number of victims compromise so far by this attacker is not known. Nor is the path that led the threat actor to the Dharma ransomware service operation. You know are a s but. Given that the Dharma operators provide a toolkit that makes it easy for anyone to become a cyber criminal. It should not come as a surprise that inexperienced individuals are deploying this file encrypting malware is like oh? Oh Yeah. Wait. Now, we're supposed to launch the Dharma. Once they get in. So, the senior analyst at group IB. A guy named Oleg Skull skulking said that the Dharma ransomware source code which was leaked in March likely explained the increasing use of this model wear strain Oleg indicated that quote it's surprising that Dharma landed in the hands of Iranian script kitties who are using it for financial gain as Iran has traditionally been a land of state sponsored attacks engaged in espionage and sabotage. So in other words. You know I maybe it's not that surprising because it's sort of now available for everyone not just a state level actors. And of course, we've talked about how this new ransomware as a service model is allowing many hackers who would never be in the ransomware game to become players. And I I don't given that we have ransomware as a service. Now I don't see how this problem is ever going to go away. So again. No exposed open RDP ports. Okay. Not For our listeners. Arrange to put something anything in front of our DP so that you or your company are not open to exploitation. You know this is not as bad as Microsoft's original wide open windows file and printer sharing, which is what drove me to create GRC's shields up service. So many years ago, but it does definitely need a tension. No exposed RTP ports. Zero Day initiative. Zdi that we've also referred to recently turned fifteen. As I mentioned the top of show, it turns out that there's a bit of a synchronized fifteenth birthday since last Thursday postponed to owns founding parent the Zero Day initiative also turned fifteen. Just, as podcast did our first podcasts as I mentioned was August, Fifteenth Two thousand, five one day before the founding of these E D I program that's interesting on yeah. One day on last week's occasion of their Fifteenth Birthday Zdi. Announced that more than twenty five, million dollars in bounties had been paid to security researchers over the past decade and a half. Those monies went to more than ten thousand security researchers across more than seventy, five hundred since successful bugs submissions. In explaining the genesis of Zdi they said starting in two thousand five. Three com remember them three COM announced a new program called these zero day initiative. The plan was to financially reward researchers researchers who discovered previously unknown software vulnerabilities and disclose them responsibly. The information about the vulnerability would be used to provide early protection to customers through tipping points I s their intrusion prevention system. The filters for that while Best Zero Day initiative then worked with the affected products vendor. To fix the vulnerability. So. That's an interesting angle here that the commercial tipping point I P S would benefit from providing immediate awareness of a vulnerability and could offer their proprietary customers, their commercial customers, unique early protection. Thanks to the IP S.'s being immediately updated before any fix was available from the vendor, which as we know, could take like. Ninety days or more. That would then of course, the the vendor would then fix the problem downstream of the IP S. eventually. But even after the vendors problem was fixed, there's certainly some value in knowing when attacks are being launched against ones Ip s protection even when there's no. Back in vulnerability any longer. So anyway, that's that's sort of that's how this happened is that three com said, let's let's Get in the business of collecting this information from hackers that will allow us to much to mature our intrusion protection system. In advance of any vendors vulnerabilities being fixed, we offer our protected customers, this window of safety. For their own back end systems and we're going to turn this into a commercial venture. So, they ended up saying that first year, the Zdi published a total of one advisory. Pertaining to semantics Veritas Net backup. Fifteen years later they said we've now published as I said at the top fifteen hundred advisories as we evolved into the world's largest vendor asking. Bug Bounty Program. To say, it's been a journey is an understatement. It certainly had some ups and downs, but the program is stronger than ever and on track for our largest year ever as we begin our sixteenth year as they did last week as we did last week let's take a look at some of the more notable happenings in the life of the ZDI program. So I read through the entire posting and it provided such a useful and synchronized perspective and walk through the fifteen years of this podcast I. decided I wanted to share it with our listeners. So here's what they said. Fraught through the years of two, thousand, five through twenty, ten, their first five years they wrote looking back at our activities through these years induces nostalgia as it reminds us of the bugs we bought in products and companies that are no longer with us. We can also see the rise of research into different products and technologies. For example, we bought only to apple bugs in two thousand six, that number rose to fifty, two by two, thousand ten. Java bugs particularly sandbox escapes or also popular during this time, and of course, we were talking about them on this podcast all the time. They wrote it's a bit odd to look back at the progression from buying bugs in what was simply known as. To buying bugs in Sun Microsystems Java to buying bugs in Oracle's Java. This time period also saw the first pony to own contest, which was in two, thousand, seven, the contests, the contest launched at the time when I'm a Mac I'm a PC commercials dominated the airwaves. Devices. Remember that. Yeah. Yeah Yeah and apple devices had an aura of invincibility about them. Astute security researchers new better and DINO DIS OH v proved it winning himself a Mac book and ten thousand dollars. The contest has grown exponentially since then there are now three different competitions pawn to own Vancouver though the main one that we often come up yet we always cover which focuses on enterprise software phone to own Tokyo which focuses on consumer devices and Pony own Miami introduced this year with a focus on scatter products prone to own also served as a coming out for many high profile researchers who after winning the contest went on to work on various prestigious teams and projects. So from twenty, ten to twenty fifteen, their second five-year block they said, this was a transitional period for the program as three COM together with ZDI was purchased by Hewlett Packard. Then later split off as part of HP enterprise. However, the core principles upon which the program was founded remained the core principles we operate by today four of them encourage the responsible disclosure of zero day vulnerabilities to the affected vendors. Fairly Credit and compensate the participating researchers including yearly bonuses for researchers who are especially productive within the program. Hold product vendors accountable by setting a reasonable deadline for remediating reported vulnerabilities and remember we talked about a six month Zdi the patients that I had for six months and then finally disclosed publicly. Microsoft's one of those two zero days that Microsoft didn't fix until Zdi disclosed it, and then they thought, oh, because they just drag their heels and finally protect our customers and the larger ecosystem. So they said by this time, the Zdi was large enough to have an impact on the overall ecosystem it was during this period that we grew to become the world's largest vendor? Agnostic Bug Bounty Program title we still hold in twenty eleven. We had our first public zero day disclosure when a vendor failed to meet the patch deadline over the years holding vendors accountable has helped lowered their response time from more than one hundred and eighty days to less than one, hundred twenty even though we reduce start disclosure window, the rate of zero day disclosure stayed relatively consistent. Another big change during this period was the increase in research work done by the vulnerability researchers employed by the zd program. There have always been great people working on the program doing root cause analysis on submissions, but an increase in the size of the team allowed for members of Zdi to begin reporting their own bugs as well. ZDI researchers increasingly published their findings and expanded their speaking at high profile conferences including black hat and DEFCON. The increased size also helped spot some trends in exploitation. It was during this time that we saw a surge in submissions of Java bugs during or rather however once browsers implemented click to play practical exploitation became much more difficult bud bugs exploiting use after free conditions in i. e were also quite common until the isolated heap and meme G. C. Mitigation were silently introduced by Microsoft. ZDI researchers found a way to exploit the mitigations and were awarded one hundred, twenty, five, thousand dollars from Microsoft for their submission. Interestingly, Microsoft chose not to fix all the submitted bugs. So a portion of the report ended up as a public release zero day in they said in case you're wondering all of the money was donated to various stem charities. During this timeframe, the bug bounty landscape became normalized and broadened vendors such as Microsoft and Google started their own bounty programs and bug bounty programs were created that allowed companies like starbucks and Uber to offer bowties. And as we know by the bounty programs were created what they mean with. Them. Of course, is hacker one which we have spoken of often and just recently. They wrote the idea of crowdsourcing research entered the mainstream not every program was successful as some vendor suddenly realized that if you offer money for bug reports, you get bug reports. This left some companies scrambling to react after starting their program with mixed results. It was definitely a time of growth and learning throughout the industry pawn to own continued to grow as well. Twenty ten saw pawn to owns first successful mobile device exploit demonstrated by Ralf Philipp Weinmann and Vincenzo I-. Ozo-. Against the iphone the apple iphone three gs we also started seeing vendors release large patches just. Before the contest since the rules require the latest version for all exploits, contestants pawn to own contestants often found themselves patched out just before the contest. It also meant the Zdi had to scramble to get the targets up to date with all the latest patches often staying up all night installing updates in twenty twelve a second contest mobile phone to own was added to focus on phones and tablets. And finally, the Final v The final five years fifteen twenty to present. In two thousand, fifteen trend micro acquired the HP tipping point APS, and the program along with it. This opened a new world of opportunity for Zdi as the vulnerability intelligence produced by the ZDI program could now be used to improve not only the tipping point, I- ps, but other products within trend Micros line of security solutions as well. ZDI's association with trend micro also resulted in a massive increase in interest in vulnerabilities in trend micro products themselves to their credit trend micro produced Sorry Trend Micro product teams have not shied away from the work of fixing the bugs submitted by independent Zdi researchers, and we have established a targeted initiative program just for select trend products. The threat landscape shifted as well. Before two thousand twelve, we rarely saw an adobe reader submission outside of Po to own. Once we reached twenty twelve, there were more than one hundred submissions. Many of those reports were submitted by ZDI researchers overall in internal fines represent about twenty percent of all the cases we process every year bugs effecting Acrobat Fox it and other PDF readers continued to be prevalent but we've also seen the rise of De serialisation bugs and a sharp increase in Scada vulnerabilities. Home Routers have also become a popular target says they can be compromised on mass to be used in botnets and De dos attacks as a result, the ZDI adapted and began accepting. Related. Submissions especially those related to IOT devices. The production of the. The Wassenaar Arrangement. Posed some challenges especially when purchased bug reports from member countries however, we were able to navigate the paperwork needed to transfer cyber arms and stay on the right side of the law. The virtualization category was introduced to pawn to own in twenty sixteen, and since that time we've had several guest to host escapes demonstrated, and of course, we've talked about those on the podcast. The contest celebrated its tenth anniversary in twenty seventeen by acquiring fifty one zero day vulnerabilities over the Three Day contest and twenty nineteen we partnered with Tesla to award a model three to a pair of researchers who exploited the car's infotainment system Zdi. Researchers also demonstrated their own exploit of the infotainment system. The contestants have changed over the years as well in the beginning individual researchers made up the majority of entries but with. Only a few with only a few teams participating at one point. This shifted to most participants being teams sponsored by their employers there have been instances of teams filling bug reports with vendors before the contest in the hopes of killing their competitors exploits in the past couple of years that has shifted back towards individuals and small independent teams, and we've never stopped growing. We hit our peak of fourteen hundred and fifty published advisories in twenty eighteen and were set to eclipse that this year. In fact, we've been recognized as the world's leading Vulnerability Research Organization for the past fifteen years according to according to. A mighty AH, the ZDI was responsible for over half of all measured vulnerability disclosures and twenty nineteen more than any other vendor. And, finally, moving forward, they said over the past fifteen years, we've seen trends in exploit economy, vulnerability marketplace come and go. But through it, all we've been laser focused on one thing making the digital world more secure one. CVA, at the time through the tireless work Zdi researchers and the wider community, we've determined to continue disrupting the vast cybercrime economy and raising the Bar for enterprise software security for the next fifteen years in the on. So anyway interesting walk through the past fifty years. which corresponds with the PODCAST and we've covered all this stuff along the way completely parallel. Very cool. Yeah. So a couple of bits of miscellany. I mentioned that I had finally found a what I consider to be a useful bloat war where remover for windows ten I actually knew about it before and I had forgotten about it and I was reminded of it from up by a tweet for something else this company does and I thought Oh. Yeah. I. Remember Owen Oh anyway there there. Oh, amber sand. Oh. Oh no and The one I like is Owen. Oh App buster if you just Google oh anchor sand. Oh space APP buster. You'll find it from Owen Oh software it's free they have some various commercial offerings. So I think this is sort of a you know a a bit of a loss leader for them. But of all the things I've tried I like this one, the best it. Is Comprehensive it. Let if if if you enable the display of hidden things which you probably should not. Then you are able to to really you know get yourself in trouble but anyway, I just wanted to point our listeners at owing. Oh, apple buster as a it's a nice utility. You don't need to install it. It just runs standalone so you can if you just. Drop it on your desktop. If you make changes, it will create a little companion file outside of itself where it stores those changes but that allow that also allows you to move them around Anyway. I like it a lot and it's what I been using and I will continue to use what I want to. D-, CRAP AFFI-, a new installation of windows ten with. All this ridiculous animated tiles and and Candy Cane. Crap I just. Again I can't believe what what's been done to windows. On a serious note. I've been using something now for about a year that I can honestly say I have fallen in love with. It is a modest program. Called Remote Utilities. Four windows It is paid. And it's a commercial APP. It is. It's a remote control APP I've looked around at all and. And got through a went through a period about a year ago of trying them all the the in my case, the need was that. Lori but my significant other whom you've all heard me mention from time to time we wanted to set her up with the ability to do remote neuro feet remote neuro feedback. What that meant was that she would send out a laptop, a an eeg amplifier and the required eeg electrodes. In that, laptop would be a bunch of software which would provide real time feedback about her clients, some aspects of her clients brain functioning. and. It works like regular you know any sort of Feedback where? You see the exposes something that your brain is doing, and you learn to push it in the direction you're supposed to and you're able to death thus modify the function of your brain works. She's had a whole bunch of interesting. Heartwarming successes. especially with kids but the point is she needed remote access to these laptops she needed to be able to work with the person remotely. Change settings. Basically remote control. I looked at everything and this is what we've been using for the last year and it is such a win. I just wanted to put it on our listeners radar As I said, it's commercial it is not a subscription. Being an old fart myself. I would not consider it if you ha- if it had to pay by the month and everything is turning into a subscription model which just irks me so they have a number of different licenses. To suit enterprise needs if you're just. if you have modest needs, they have A. Free license that will allow you to put the the connection settings for up to ten remote machines in your viewers. Address Book I purchase a license because an fact. Greg, my my own tech support guy. Has a little business on the side. Hell helping his clients. He completely fell in love with it and switched to using it Laurie is. been using it for a year. So how am I it's it's it's not expensive. You can find if there have like. Pricing plans again, you can use free. For Free, you can put ten remote computers under control. There's A. The host APP. is what goes on the remote machine what they call the viewer is used by you that tack in order to get access to the remote machines. You can use their infrastructure in order to knit the machines together. But if that makes you feel uncomfortable, you can also use a self hoped hosted server, which you put somewhere, which allows these things to. Connect to each other through nat. So this all does Nat you know nat routing and and and rendezvous services. There's also an agent which can be used for spontaneous access to remote system without installation you adjust if you some if you immediately needed to get access to remote system, you just send this agent to that person who would run it on their machine, and then you would have access to it with the proper security. PC world in their review of remote utilities wrote for power users there's plenty to like about remote utilities. Several connection modes are offered beyond the full remote desktop experience. There's also file transfer mode, remote device manager, a registry viewer remote webcam access, and a terminal mode, which is excellent excellent way to perform simple command line tasks remotely. There's an MSI configure to create custom host installers for unintended for unattended access or to customize the remote agent module where you can put your own. Company logo and welcome text for a for attended support. It supports power control mode allowing you to remotely restart a PC either a normal or safe mode shut it down lock it put it to sleep active directory support. You can fat you could fetch an active directory tree, add new domain controllers and access active directory workstations and servers with one click. got. Two factor authentication time based token for access for access to specific or every remote. I mean, it just goes on and on all the connections are are not L. S. one point to it that cannot be turned off encryption always on. You can encrypt your address book. In case, the viewers workstation was ever compromised to keep a bad guy from using that to get into the system that you have access to host identity is certification based to ensure you're not yet that you are connecting to the same host that you intend to. some. Sort of spoof. Deploy it in a totally isolated environment over a land where you have direct connection or over the Public Internet, which is why how, for example, Lori and and I use it blank passwords are not allowed there there. No default passwords either I mean, these guys clearly understand security they did everything right? It's got built in protection against brute. Force cracking. Would an excessive number of incorrect password attempts to seen the system automatically begins decreasing the amount of or increasing the amount of time required and will lock out an that is is failing at multiple requests, and of course, there is no ability to brute force. Because most systems are behind nat. So there's no open ports either anyway, it goes on and on. Just called remote utilities. I am in love with it. I wanted to make sure our listeners knew about it. The other thing I wanted to put make sure that I sort of reminded people of I'm still in love with sink dot com but it's limited to synchronizing a single folder tree among one or or while among two or more windows devices. It's perfect for what it does. I'm using it I'm loving it. For for that it's great but. In another aspect of what we needed for for lorries deployment we wanted. A little directory tree that's underneath each of these neuro feedback APP. that are out in each of these deployed laptops and there's twenty of them out at the moment we wanted a little snippet of a directory tree to get synchronized back to the DRO that we have in our location and sink thing. Again it's I mentioned it before I want to just remind people of it I I was asked by somebody in twitter who had a couple of q nap servers, how he how he and his buddy could synchronize them to back each other stuff up and I was reminded of sync thing which just does that perfectly that you can run sing thing on Q. Nap I'm running it all my dro bows you know runs on Mac and windows and Lennox free bsd Solaris and open bsd it's open everything protocol Source. Open? Committee I mean it's it's It's a great tool and it supports a far more flexible. Like, you can get yourself lost you can create something so complex. So I have all of the machines that are out there synchronizing a snippet of of their directory structure back to a a compound directory structure on the drove. Oh, which Lori is able to see some of the folders are one way synchronizing so that for example, logs that are that are external synchronized back to us. Some of them are are the other one way in the other direction so that Lori drops a media file that she wants to go out to everybody. She just drops it in the media folder on the job Oh and the next time everybody connects they get updated automatically. And then some things are bidirectional synchronize so that the most current copy is synchronized anyway sink thing dot net is that and it's it. There's an investment you need because it's Kinda funky the way it works it took a while for me I was going for a while but once you understand the way it works, there's just nothing it can't do in terms of of like options and features and and the the complexity that you're able to maintain and again, all nap penetrating you can open a port if you want, you can allow to you to you too UPNP if you want or you can allow it to use external relay servers. And it will do that as well as you see I ferry happy user for the last five or six months. I didn't know that. I love sing thing because you don't need a third party clouds coverage if you have enough to. them all in fact, after you mentioned sink dot com kind of was looking for other things I tried other third party stuff. Then I found sink thing I said Oh, that's exactly what Steve Needs I've been meaning I mean. FOR SOME TIME But it's really great. All My systems are on it, which is nice. If you have multiple systems because then Yup keep stuff in in sync. Hands on Macintosh piece on it this past Saturday ironically. So you, you know I'm in me and ask you because I really like this idea that each device has its unique identifier plus each folder has its unique identifier and even though I just showed both of those secure because if you. Entered into your same thing, I want to join Leo's W six, M Ucla Nine F. Folder I'd still have to give you permission to do it so it's correct. In that what happens is? If somebody were to grab that and drop it into their sink thing and try to create tr try to create a connection. You a a request on your end would would pop up saying, Hey, somebody. Got Your I d. do you want to allow it but that's also the cool thing is that you can sure easily create a directory and share it with a friend they use that and then you link those two things together. It's just I mean they just nailed. It reminds me of our old friend bittorrent sync except it's done right? It's. It's really it's it's I think it's just exactly and it's open. Source so we don't have to guess what the Protocols Open source air everything is certificate based. That's basically a large fingerprint of the certificate that identify that uniquely identifies that machine but and and and and you're able to do things like say if a new fold if a new sub folder appears or if a machine I'm connected to creates a new folder I, want to automatically grab it and start sinking it or I don't and. Again. There's so many features that you can get yourself a little tangled up but for for a power user it, they nailed it and massively cross platform it runs on every. That's why I use it. It's on my Lennox machines. It's a demon that runs in the background on all of my machines Lennox, MAC and windows I love file version, and you have lots of choices of filed version and I often We'll do it send only. So don't have to worry about sinking deletions you send it send only that's basically a backup it. Change here will be synchronized but nobody else's changes will be synchronized. So it does take a little time to kind of figure it all out but I was. I'm supremely impressed with it I'm glad you agree. Mean to ask you about it. Yeah good. Good good. And it's free. Okay. Yes and free. It's yes. Very, much world world. So. Over the weekend using digits entirely Automated Self Service System I re keyed. All of GRC's certificates ahead of the next Tuesday September first deadline after which search can only have a three hundred and ninety seven day life rather than twice that. And among those that I re keyed was GRC's revoked dot GRC DOT COM Sirte. Which I mentioned last week had expired so that it was being dishonored due to expiration rather than revocation so that for those listeners who had been using the that service and I learned that there were. Five hundred eighty, some a day are going to the revoked dot GRC, dot com page that system is up and running again. So I bought it. I bought myself an extra year before I need to do all of that again but I also realized benefit of having the expiration date of all of my search now. Is. If we're going to be needing to do this annually as I will starting two years from now because from now on certificates after are going to be expiring annually. Doing that certificate renewal work in a single. We'll. We'll at least be much more convenient than being interrupted multiple times per year. You have a new holiday on your calendar, cert- Renewal Day and you just do it every year. Yeah. Now, of course, it is the case that it's only necessary because I'm using lovie sorts. Organization. Validation route as as a class above the DVD search the domain validation, which can be and I recognize this. Fully automated and a lot of a lot of people are just GONNA say okay. Gibson you know I, don't care. I'm just going to use the academy protocol with let's Encrypt and let my server keep itself updated and I and I get it maybe someday that'll happen. But for now I did you know digit cert has made this so simple for me that it's something that I enjoy and all my circuits are now synchronized and I just wanted to mention that revoked DOT GSI DOT com is back up and running again. Oh and one last bit. I meant to mention last week Leo and I know you'll appreciate this that as a result of all the benchmarking rnd we've done we have learned a great deal about SSD's operating in the real world. I Samsung Kingston, OCC VERTEX crucial and others. And what has surprised us? All is the non uniformity that many of them show in their operation. It's not what anyone would expect from something with the seeming purity of solid state memory that their operation was kind of all over the map and varied widely at the five different points where we are benchmarking them the thing I meant to note. was that one single brand stood out from all others? Samsung was by far the most rock solid. And every one of those that we saw followed like there were many of them in represented in the population that had been looked at so far they all followed the governing specifications to the letter which many did not but also the the performance was just solid there. There's favorite verse Yeah Yes really. Love That I just wanted to want to say that I'm sure that ev the gang who were working with me in the spin right dot Dev group all will see their future purchases biased all things being equal toward Samsung because we all were going. Wow. Because I mean, we're all sharing all of our results and is like, whoa. Okay. Let's take. Let's take our last break. I. Have Sipa Coffee, and then we're GonNa talk about a very cool high-tech hack on low tech hardware. I don't know what that is, but it sounds good. Let me. Get our final sponsor queued up here, and we will give Stephen chance to hydrate while I tell you a little bit about something I call. Extra hop well, actually they call it to that too. So it's it's Nice I mean it's it's some synchronicity. Their extra hops an interesting company because they started by doing performance monitoring they put extra hop sensors all over. The network everywhere out there your network clients networks, the cloud networks for performance monitoring. It turns out there's a real benefit to doing that. So not only do you see performance, but you also see. Threats and risks. The new it reality. And it's funny that we should have been talking about this today's remote access right on a massive scale. Rapid Cloud and multi cloud adoption a steady increase in internet of things devices. Everything we talk about on the show including huge rising cybercrime. More, important than ever that that organizations can see what's going on in their environment and when I say in their environment I mean everywhere. From your systems to the cloud data center to the customer. And in order to protect your business nor to scale your business in a unified visibility. You need the context for your detections intelligent response workflows. So your teams can collaborate easily and act fast you need extra hop. This is the best way to gain insight everything that's going on on your network from you to your customer and back extra helps businesses stop reaches seventy percent faster. Let me explain. That is because extra hop eliminates blind spots and detects threats that other tools completely miss that they can keep your business secure and available as a sast based cloud native network detection, and Response Solution used by a lot of people. For instance we talked to wizards of the coast's their chief architect and information security officer damage, Dale Wizards of the coast you know they do the. The the magic, the gathering, and all of that they secure and support their cloud their on aws. Using, extra up Dan said, there's no other company that aligns to supporting the devops model that is the speed, the lack of friction the next drop. You've probably seen the name ULTA beauty. There's one in our our local mall over here they use extra help to secure their Google cloud as well as keeping their network and security teams closely aligned. You know when you've got a lot of outlets, you've got ECOMMERCE your engineers have a lot to work on, but you want them to focus on innovation to. A We talked to senior it engineer John Crazy says quote before extra hop, we had limited visibility into what was going on in the cloud but now we quickly identify vulnerabilities and exploits and understand how our applications are performing in the cloud. You WanNa take control of your clad security and you want to do with a tool. It's been around it's a proven track record that really really works. That's extra hop. You. WanNa know more about how extra hops stops breaches seventy percent faster. There's a free trial you could try it yourself extra hop dot com. Slash. Security now, extra hop. Think of a little bunny taking one extra hop hop dot com slash security. Now, this is a solution that has evolved to really provide exactly what its customers need some of the biggest companies in the world it and you will want to two extra hop dot com. Slash security now now back to Steve. So. We already know. That smartphone cameras now have sufficient resolution. Yes, and our software's become sufficiently clever. That a photo of a traditional house key at a distance can be used to reconstruct a working physical key. Yes and we also know that the vibrations of objects in a distant room we've talked about balloons, a bag of potato chips, light bulb, or even the leaves of plant. Can Be observed optically by laser or similar technology at a distance to reconstruct the acoustic waves those objects are being subjected to to eavesdrop on conversations occurring that. And now. With, the publication of some intriguing new research. Another piece of our traditional perception and assumption of security. has just fallen to the wayside. The research paper which. Documents the detailed and painstaking work by three quite enterprising students in the department of Computer Science at the National University of Singapore bears the title. Listen to your key. Towards. Acoustic. Based physical key inference. Oh no no no. No. Oh my guess. Okay. The abstract of the paper reads physical locks are one of the most prevalent mechanisms for securing objects such as doors. While many of these locks are vulnerable to lock picking. They are still widely used as lock picking requires specific training with tailored instruments and easily raises suspicion. In this paper, we propose spiky. A novel attack that significantly lowers the bar for an attacker as opposed to the lock picking attack. By requiring only the use of a smartphone microphone to infer the shape of the victims key namely bitings or cut depths which form the secret of a key. When a victim inserts his or her key into the lock, the emitted sound is captured by the attackers microphone. spiky leverages the time difference between audible clicks to ultimately infer the biting information I e the shape of the physical key. As a proof of concept, we provide a simulation based on real world recordings and demonstrate a significant reduction in search space for May pool of more than three hundred and thirty thousand keys. To three candidate keys for the most frequent case. Okay. So, in other words Yes Leo. These researchers have shown that just capturing the sound of a traditional physical key being slid into its lock is all that's needed to recreate that key. With a high level of confidence, a nearby smartphone or even the houses nearby. SMART. Doorbell microphone. provides. Audio, which is sufficiently accurate to provide the clues. We all know how a traditional physical lock and key work. Inside the lock are a series of six spring loaded pins. which are each split at a different location along their length. When the proper key is inserted into the lock. The ridges on the key. Pushing against those internal springs positions, each of the pins such that the splits in the pins line up with the edge of the locks cylinder. Thus, no pin prevents the cylinder from then freely rotating the lock. And I suppose. Because, I'm a bit odd. Throughout my lifetime, I have often stopped to appreciate the sheer beauty of that simple invention. Iroquois no power. It is durable and largely weatherproof except in the face of extreme freezing. And it's extremely reliable so much so that its failure is vanishingly infrequent and when it does eventually fail. Typically, after decades of reliable use and wear. It does. So in a fail soft fashion only after providing ample clues that it's need for servicing is becoming cute. So such that jiggling the key in the lock is a long standing name. But mostly, it achieves all this in an example of a brilliant tradeoff. We get all of that in return for accepting that it's not perfect protection. Is it cryptographic Lee secure of course not can it be picked and defeated by anyone skilled in the art with a few simple lock picking tools Yup Are there sufficient combinations that no one else is key will open it. No. A famous hack is just to try locks with keys. They don't belong to sometimes you just get lucky specifically because the universe of all possible combinations comparatively small. But likelihood of any random key working in any random lock is low enough that no one bothers to try. But it's exactly that comparatively small universe possibilities that allows this research to succeed. Wants the audio of a key insertion has been obtained spike's inference software gets to work filtering the signal to extract the comparatively strong metallic cliques as the keys ridges hit the locks pins the click occurs when one of the spring loaded pins crosses over the top of any of the keys ridges I have a picture, a photo diagram from their PDF, which shows that in the instance of the Click occurring on the six pins. They explain as I just did how the lock works mechanically then the event of the Click and I actually I made they had they have a a photo Graham of the audio. and which plays from Google which you can hear Lee you should probably put this into the podcast. It's GRC's shot cut of the week. So it's GRC DOT SC slash seven eight one. And there it is. Of course we've all heard this, but you don't pay any attention to it right and it is. Clear But I guess modern. Phone microphones are good enough. They could pick IT S. Yes so so basically they say as well so Don't do don't do the daily. It's correct. It's just the teeth. The right the bidding now. Okay. So the grooves in the side do create classes of keys which will work in the law right and those do differ from a among brands and within brands. So so that does create subsets. But you can easily there probably aren't that many sets I would exactly there are not. Yeah and so for example, many times your key won't even go in and then if it does then go in but it won't turn. Right Soy the, the the clicks drive the inference analysis. It's the time between the clicks which allows the spiky software which they've developed to Compute the keys Inter Ridge distances. And what locksmiths refer to as the biting depth of those ridges, which is how deeply they cut down into the key shaft and where they plateau out. If, a key were to be inserted at a non constant speed. The analysis would be defeated though the software can compensate for small insertion speed variations. So but if you're like if this freak you out and you are at high risk, you felt, then you could simply start inserting your key at a non constant pace and you would defeat this but given all the available acoustic information complete disembark beauity cannot. Be obtained. So they end up with multiple possible KHIING's in the best case, and this is why the papers abstract noted that this spiky software will output the three most likely key designs to fit the lock that was used in the audio provided by that file, which does reduce the potential search space. As I said from three hundred, thirty thousand, which is is is the universe of possible combinations down to just three. They said when victim inserts a key into the door lock. An attacker walking by records, the sound with a smart phone microphone spiky detects the timing of these clicks from the sound. We then utilize the click timestamps to compute the adjacent interreligious distances given a constant insertion speed. We use the computer distances to infer the relative differences of adjacent Biting Depths, which spiky exploits to ultimately obtain a small subset of candidate keys that includes the victims key code. They said, we detect all click events from the audio recording. They do subject it to a high pass filter to reduce the impact of low frequency ambient noise retaining only frequencies above fifteen kilohertz that contains the information, the acoustic information about the clicks. And they said subsequently, we identified the starting point of each click or its onset in the pre-processed signal by applying change point detection algorithm on short time windows around the computed peaks to account for their millisecond granularity. They said, it finds the least some of standard deviations across to regions that transition from low to high amplitude that is in terms of the the amplitude of the click sound. So they got they did some some serious acoustic processing to just absolutely nail down the time event of the Click. For anyone WHO's interested I've got the PDF link to their research in the paper. It goes onto explain exactly how they convert the click onset timings into a few possible candidate. KHIING's. So, anyway, I just thought you know one more longstanding time honored piece of real world technology has just fallen. No longer insert. Into a lock without the I without the possibility of somebody simply eavesdropping and you could imagine Leo if you had a a telephoto microphone at a distance. Aimed at that lock, and you know if somebody were to insert the key, it would be able to pick it up at a distance with the big parabolic. Mike, and. Capture the sound and that would be enough is then amazing. Isn't that cool estimating. He how doable you think that is. I. Mean I know it's theoretically of course but. I mean they they did it they. They recorded it. They were A. They wrote the software it designed three keys at one of those three open the lock. Isn't that great. I, I just you've got to admire the ingenuity and the cleverness involved. Whether the out say. I could see a big three letter agency using this. We should write this into the next Jason Bourne script or something I. think that'd be so. It would be useful in a situation where the you would be observed picking the lock. Certainly, a three letter agency would have people who can you know pick a lot I can pick a lock. You can lock a of techies know how to do that. It's just you know it's not that difficult but during the process. You're observable. So if you had a scenario where someone posing as at. A cable TV service man or maybe the house cleaner you know needed to just be able to walk up quickly insert the key and enter you'd WANNA be prepped ahead of time, and so this would allow you to produce one of three keys where they could look like they were fumbling for the right key among their key ring. But in fact, they were trying the you know the subset of possibilities and then say oh. Yeah there it is. Wall Street in with. All standing around watching them That's wild. Steve Dented again, I always do it's fascinating stuff and that's why we listen each and every Tuesday to security. Now, you can get Steve's famous spin right? The world's best hard drive maintenance and recovery utility at his website G. R. C. Dot Com version six is out six one is on its way by six today you'll get six one for free and you could participate in the in the building of six point one which is moving apace. That's all GRC DOT com. We also find the show there. He's got sixteen kilobits and sixty four kilobytes versions of the show, the Audio and got transcriptions which are very handy. If you like to read along while you listen he also has lots of other free stuff there. So check it out GRC DOT com you can leave feedback there G. dot com slash feedback or leave it for them on twitter Steve is a yes a twitter user and his twitter handle is at s g GR CD respond to people though as much as just. If people leave you a message or get it I do when I can. But frankly there's Overwhelming. Yeah, it is. Yeah I. I figure people would rather I got spin right six one done. Then spend a day responding to private tweet so I try to meet them. Yeah I get a lot of email every day. And it it breaks my heart because it's always for me. It's people who listen to the Tech Guy who have fairly basic questions suffering and they can't find help but. If I answered that email I wouldn't be able to do anything else. So, what's all we do? We do what we do. Yep as best we can. Of course, what you should do is you just come back here every Tuesday route about one thirty Pacific, that's four thirty, eastern twenty, thirty ut see that's when we record the show. You can watch us do it live at twit dot TV slash lives there's audio and video there. If you're doing that chat with US chatrooms IRC, dot twit dot TV, you can also get on demand versions of the show. Not, just Steve Site but at our site in this case, twit dot TV slash S, and of course, on Youtube and you can always subscribe. Get your favorite podcast APP and subscribe to security. Now 'cause you don't. WanNa. Miss an episode. You want a complete set collect all nine, hundred, ninety, nine. Eventually, that's the number. This is episode seven, hundred, Eighty one. And I. Thank you Steve. Have a great week. We'll see next. Bread radio. One More twit well, checkout smart tech today at dot TV slash t t it's the show where Matthew. Cover everything. There is to know about smart tech it's automation it's connected devices it's smart home it's all those goodies and so much more. We get the news, we get the latest devices we do reviews everything you got to check it out twit dot TV slash. S FOR SMART Tech Today.

Coming up next