35 Burst results for "Zero Days"
"zero days" Discussed on Security Now
"The ongoing use of multiple zero-click exploits, which do not rely upon any interaction from the device's user, and those both worked seven years ago and they still work now. In one instance, which was highlighted by Amnesty International, multiple zero-days were leveraged in iMessage to successfully penetrate a fully patched iPhone 12 running iOS 14.6 this month. So maybe they were "today", because it's 14.7, but come on, if 14.6 had multiple zero-days in iMessage, you've gotta know that 14.7 has some, and they'll just ratchet forward their exploit chain. In a series of tweets, Citizen Lab's Bill Marczak said, quote, "All this indicates that NSO Group can break into the latest iPhones. It also indicates that Apple has a MAJOR" (all caps, his emphasis) "blinking red, five-alarm-fire problem with iMessage security, that their so-called BlastDoor framework, which was introduced in iOS 14" (which also apparently introduced the ... remote code execution vulnerability, so BlastDoor blasted the doors off that), anyway, "BlastDoor, which is supposed to make zero-click exploitation more difficult," Bill said, "is not successfully preventing those problems." The Washington Post said in their in-depth report that of the tested smartphones, 23 devices had been successfully infected with Pegasus and 15 exhibited signs of attempted penetration. So, you know, we've seen other similar, smaller, anecdotal examples of this sort of abuse. I really hope that this exposé might help to strongly demonstrate why we as an industry must always be working as hard as we can to create the most absolutely secure devices and protocols possible, and that any deliberate weakening below the best we can possibly do would be foolhardy in the extreme. We just... we can't let the government say, "Oh, trust us," where... the government ... more details.
The Amnesty International report is amazing and even further damning. It contains IP addresses, port numbers, the URLs of servers, the names of background Pegasus processes, and more. The link is in the show notes.
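The report's value to a defender is exactly the list the host mentions: domains, IP addresses and process names you can sweep your own telemetry for. The following is an added example, not code from Security Now or from Amnesty International: a small IOC sweep over log lines. The indicator set and the log records are constructed placeholders (documentation IP ranges, reserved TLDs, made-up process names), not the real Pegasus indicators, and the field names `query=`, `dst=` and `comm=` are assumptions about the log format.

```python
"""Sweep constructed log lines against a constructed IOC list.

Added example, not code from Security Now or from Amnesty International.
The indicators and log lines are invented placeholders (documentation
ranges and reserved TLDs), not the real Pegasus IOCs.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed indicator set, modelled on the categories the report publishes
# (domains, IPs, process names); none of these values are real IOCs.
IOC_DOMAINS = {"update-cdn.example", "fontservice.invalid"}
IOC_IPS = {"203.0.113.45"}             # TEST-NET-3 documentation address
IOC_PROCESSES = {"roleaboutd", "bh"}   # placeholder process names

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
PROC_RE = re.compile(r"\b(?:proc|comm|process)=([A-Za-z0-9_.-]+)")  # assumed log field


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "domain", "ip" or "process"
    indicator: str   # the IOC that matched
    line: str


def domain_matches(host: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of.

    Matching on label boundaries avoids false positives such as
    'notupdate-cdn.example' matching 'update-cdn.example'.
    """
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(lines, domains=IOC_DOMAINS, ips=IOC_IPS, procs=IOC_PROCESSES) -> List[Hit]:
    """Return every Hit found in `lines` (any text log, one record per line)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(ip)   # drop non-addresses such as 999.1.1.1
            except ValueError:
                continue
            if ip in ips:
                hits.append(Hit(n, "ip", ip, line))
        for host in HOST_RE.findall(line):
            ioc = domain_matches(host, domains)
            if ioc:
                hits.append(Hit(n, "domain", ioc, line))
        for proc in PROC_RE.findall(line):
            if proc in procs:
                hits.append(Hit(n, "process", proc, line))
    return hits


# Constructed sample records (DNS, flow and process-list lines), not real data.
SAMPLE_LOG = [
    "2021-07-19T08:01:02Z dns query=cdn.update-cdn.example type=A",
    "2021-07-19T08:01:03Z dns query=www.apple.com type=A",
    "2021-07-19T08:02:10Z flow dst=203.0.113.45:443 proto=tcp",
    "2021-07-19T08:02:11Z flow dst=198.51.100.7:443 proto=tcp",
    "2021-07-19T08:03:00Z ps comm=roleaboutd pid=412",
    "2021-07-19T08:03:01Z dns query=notupdate-cdn.example type=A",
]

if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.indicator} <- {h.line}")
```

Run against the sample, it reports the subdomain of the listed domain, the listed IP and the listed process name, and ignores the look-alike domain on the last line. Swap the three constructed sets for the published indicators and point `sweep` at real DNS, flow or process logs.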
Israeli Spyware Maker Is in Spotlight Amid Reports of Wide Abuses
"Israeli firm uses Windows zero-days to deploy spyware. Microsoft and Citizen Lab have linked Israeli spyware company Candiru, also tracked as Sourgum, to new Windows spyware dubbed DevilsTongue, deployed using now-patched Windows zero-day vulnerabilities. Candiru is a secretive Israel-based company that sells spyware exclusively to governments, explained Citizen Lab, and their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. Citizen Lab also tied over 750 websites to Candiru's spyware infrastructure, finding that many of these domains mimicked domains representing media companies and advocacy organizations, including Amnesty International and Black Lives Matter.

Cyber attacks increased 17% in the first quarter of 2021, with 77% being targeted attacks. This according to a new Positive Technologies "Cybersecurity Threatscape Q1 2021" report. Cybercriminals typically attacked government institutions, industrial companies, and science and education institutions. The main motive for attacks on both organizations and individuals remains acquisition of data. Other findings in the report include that ransomware is still the malware that is most often used by attackers, that the most popular vulnerabilities for attackers this quarter were Microsoft Exchange Server and SonicWall VPN, and that more cybercriminals are developing malware to conduct attacks on virtualization environments.

Another unpatched bug in Windows Print Spooler. Microsoft is warning of another vulnerability in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. This follows their patching of two other remote code execution bugs that collectively became known as PrintNightmare. Microsoft released a new advisory late Thursday for the vulnerability, tracked as CVE-2021-34481. Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue. The vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.
"zero days" Discussed on The Shared Security Show
"If it starts with KS, it's obviously... the earth is flat, and this is our... just everyone knows. Kevin actually does not believe the earth is flat, he's got it somebody thinks, but he is a 5G Wi-Fi access point. Hey, I'm still mad my vaccine did not improve my cell service. It is disappointing, and I'm mad. Vote is supposed to get 6G now. Because... well, with that, I think that's a good point, and the podcast, as we venture into conspiracy theories from cybersecurity. What we should start doing, what the late-night shows do: you can catch us later on in the extended version, the late, late, late, late Shared Security Show. We go to some conference somewhere, just us on stage, and we have the audience members just lob things, say, like, you know, like a "Whose Line Is It Anyway?" Yeah, what does it say? Scenes from a hacker: security researcher's zero-day, go! And we can land about it, Kevin. That was the podcasters' meetup at DEF CON, every year for a long time. Never went to... they threw stuff at us all the time. Like, yeah, it was crazy, 'cause we were there with PaulDotCom and all of the big podcasts of the day. Security Weekly, yeah, now Security Weekly, but I was Security Justice back then, man, old podcast. About all that, you're right, and people would throw... they would actually throw alcohol at us. I do find it funny that you mentioned, during this, that just recently on Twitter somebody shared the picture of me getting hit in the middle, right between the eyes, by that rocket. For the people who build them, listen to that, not me. What? No, that was... he shared your shot, the rocket at everybody. Doesn't know that rocket shot by Thomason. It was a great shot. You obviously, Marine. Well, I was sitting next to Rob Fuller, and he couldn't believe it. He's like, "I can't believe you just hit him square, right between the eyes." That was because Rob kept throwing stuff, missing. Well, that's true, and then I actually hit you.
Earth, like, right between the eyes. So starting to think you can no longer do virtual meetings, throw stuff at me, but you're just... your monitor. All right, guys, well thanks for... thanks for coming on the show again, and we will talk to you all next time. That's all for this week's show. Visit our website.
"zero days" Discussed on The Shared Security Show
"For greater productivity in your organization. So moving on to... I love these names that we come up with for these exploits and vulnerabilities. This one's called PrintNightmare. PrintNightmare came out. Holy PrintNightmare, Batman. Maybe ruined, but aren't all printers nightmares? Like, forget printers, it's a nightmare in and of itself. So this all started... one, yeah, Office Space, if you remember, "PC Load Letter" and smashing it in the field with the baseball bats. We all hate printers, completely. Printers, that is proof you've never worked IT. How many do you have in your closet? None, we actually just donated all of the old equipment that was here, so I can say zero old printers. You shipped all the hard drives with all the... Oh yeah, we actually purposely put sensitive data on the hard drives for the opposite. We don't wipe them, we add more, load them up. Yeah, yeah, and that's just, if you've got a hard drive you deserve a treat. I don't know. So it's not like I've taught a forensics class that had active casework on the CD that was handed out to the forensics class. And that's not... I did it, but I know somebody who did it. I think it's awesome. That is pretty awesome. So just to clarify, though, this was not a vulnerability in a printer per se, but it was a vulnerability in Windows Print Spooler, which is essentially a service that is installed on Windows systems, mainly Windows. This affects domain controllers, servers, yeah, everything, essentially, and they finally released a patch, but the patches... and goodness, yes, yeah. They released a patch. The patch basically only addresses one use case, or one type of attack. There is another attack that was demonstrated by "security researchers", and I put that in air quotes, if you're not on YouTube. I did that for Kevin, by the way. But yeah, so what's fascinating about this is the whole thing was, I guess,
accidentally leaked. Like, the proof-of-concept exploit originally was accidentally released, and then that just became the management nightmare from Microsoft trying to address the issue. Well, if you read their recommendation, like before the patch was out, they pushed out a recommendation that is, okay, if you can do this, do this thing; if you can do that, do this other thing, and I don't know an enterprise in the world that could do either of those things and still print. You could fix the problem if every computer that needed to print had a printer attached to the computer. So yeah, that works at my house, but not right... Yeah, this one was a bad one, and I think, let's be very clear.
"zero days" Discussed on NBC Meet the Press
"...orchestrated, complex attempt at derailing, destroying the connection which is essential for our citizens. We had a breach. We had a ransomware attack on our information technology systems. That is the way we run our school systems. Although the United States has thus far averted a devastating attack on the national grid, state-sponsored attempts to take down the foundation of our infrastructure are on the rise. So I've resisted... It's the new frontier. Federal Reserve Chairman Powell calls it the central bank's top concern, over even another global financial crisis. "We spend a great deal of time and money making sure that we are resilient, making sure that the banks... they spend a lot of time and money. All of these institutions are constantly under cyber attack. It's one of those things that you never feel like you've done enough." Another major worry is the disruption of water access. "What kind of signals, Brad, are you seeing that there are big targets on our water systems across the country?" "Well, I wouldn't point to the water system specifically as being the top target of our adversaries. I just think it's the one that perhaps we should worry about the most. What we are seeing is a small number of countries, Russia, China, Iran, North Korea, steadily increase their investments and become more sophisticated in this space." Microsoft said cybercriminals reap on average $300,000 from smaller-scale attacks, like on hospitals and school districts, who sometimes pay ransoms to undo the damage, making them lucrative and relatively easy targets. "The head of IT got up in the morning, and he sort of checks things around 5:30 in the morning with his coffee, and he knew something was not quite right, right away." Public schools like Haverhill, Massachusetts were rocked by a ransomware attack just last week, forcing school to be cancelled as it shut down the entire network. "Before the scale, corruption, the system... crazy, very crazy.
The kids couldn't get on, of course, do their homework through their own classes." According to an investigation by NBC Boston, at least one in six communities in Massachusetts was infected by ransomware last year, and at least ten paid hackers taxpayer money to unlock their files. "I think that cybercriminal organizations, typically operating from abroad, target institutions where they know that security has not been advanced as much as it needs to be. Yes, they look at schools or hospitals that may have tight budgets, and they figure, well, if they have tight budgets, they're probably not spending as much as they should to employ an IT administrator or somebody like that." This comes after the FBI issued a flash alert in March on an increase in ransomware targeting education institutions, using ransomware called PYSA, or Mespinoza, focused on schools and seminaries in twelve states. Microsoft says vulnerabilities have only accelerated with more kids going to school from home in the pandemic. "Last year we saw basically two years of change take place in only two months, so we are more dependent on this technology than ever before. We're sharing more of ourselves and our data, and so what it means is that the defensive needs that we have are both more important and, to some degree, broader, because we're more reliant on this technology." In an effort to prevent future attacks, Congress allocated $650 million of the latest $1.9 trillion COVID relief bill for cyber risk management programs at the Cybersecurity and Infrastructure Security Agency, known as CISA. "We're in a continuous low-grade cyber conflict every single day." Alex Stamos is a former Facebook chief security officer and director of the Stanford Internet Observatory. "Do you think that the funding is adequate to help prevent future attacks?"
"So I've been very impressed by the team that the Biden administration has put together in cyber. There's an executive order coming out soon that's going to have some new rules. It takes... important." But Stamos also argues that more resources should go towards our defensive capabilities and processing the aftermath of major hacks. "When a plane crashes, there are people whose entire job it is to figure out what went wrong and what other manufacturers can do better in the future, and we have no function like that in cyber, and we need, effectively, a cyber NTSB." Meanwhile, on the international stage, the US has been absent. In 2018, dozens of countries and over one hundred private sector companies...
The M.T.A. Is Breached by Hackers as Cyberattacks Surge
"NYC transportation authority hacked using Pulse Secure zero-day. Back in April, Chinese-backed threat actors breached the network of New York City's Metropolitan Transportation Authority by exploiting a Pulse Secure zero-day vulnerability, according to MTA's chief technology officer Rafail Portnoy. While the attackers successfully hacked into MTA computer systems, they were not able to gain access to employee or customer information, which Portnoy attributed to MTA's layered security controls. MTA mitigated the vulnerability on April 21st, one day after Pulse Secure issued an advisory.

Cybercriminals' contest to find new cryptocurrency exploits. On April 20th, a prevalent Russian-speaking underground forum initiated a contest calling for its community to submit new methods of attacking cryptocurrency, and offering a $115,000 prize to the winner. According to Intel 471's senior vice president of global intelligence, Michael DeBolt, some of the top ideas so far are generating a fake blockchain front-end website to steal info such as private keys and balances, creating a new cryptocurrency blockchain from scratch, increasing the hash rate speed of mining farms and botnets, and building custom tools to parse cryptocurrency logs from victim machines. The contest, which is expected to run through September 1st, is a reminder that criminals continue to collaborate and explore cutting-edge techniques to help further their motives.

FBI confirms REvil as JBS ransomware attacker. The FBI confirmed that the Russian cybercriminal group REvil is responsible for the ongoing ransomware attack targeting JBS, the world's largest meatpacking company. The FBI issued a statement indicating they are, quote, "working diligently to bring the threat actors to justice," end quote. REvil is notorious for pushing
the boundaries of the ransomware-as-a-service industry and targeting high-profile victims, including former President Donald Trump and Lady Gaga, with attempted extortion schemes.
Chinese State Media Indicates China Is NOT Banning Crypto Trading
"What's going on, guys? It is Thursday, June 3rd, and today we are talking about why Chinese state media is indicating that China has not, in fact, banned crypto. First, however, let's start with a quick update on ransomware. Since I dropped that episode yesterday, I've had numerous people send me articles and media accounts blaming the ransomware epidemic on Bitcoin or crypto in general. NPR called it "the oxygen behind the surge." So unfortunately, my very easy prediction of ransomware being "next Bitcoin" seems to be coming to pass. But I also wanted to share an interesting take I saw from a couple of folks that was really well put by Andy Edstrom, author of "Why Buy Bitcoin." He tweeted: "Bill Gates becomes multi-billionaire by shipping insecure software. US government pays hackers for zero-day exploits and keeps them instead of telling software companies to patch them. Equifax loses 100 million-plus identities and stock at all-time high. What will solve this other than ransomware?" Basically, the idea that I think Andy is going for is that ransomware is the natural market byproduct of insecure software. By the same token, however, it creates the financial incentive for that software to be... In a world of ransomware, the cost of buying or building insecure software goes way up, which presumably gives the advantage to less exploitable software. Yesterday we also talked about the impact that insurers play in this, potentially making companies more willing to pay ransoms because they know they'll be covered. However, insurance companies seem to be making moves, so that might not be the case, or at least it won't be that easy.
Ransomware Gang Reportedly Drops Encryption
"The Babuk ransomware gang says it's dropping the encryption of victims' data as a tactic. Instead, it will focus strictly on data theft and blackmail to enrich itself. Until now, the gang did both: stealing data from victim organizations and then encrypting the data on the corporate servers. The threat to the victim was: pay for the decryption keys or the copied data will be released, embarrassing you and your customers. If the company didn't have a good data backup, it faced two threats: embarrassment and loss of business, and the loss of data. This double-extortion tactic started being adopted by ransomware groups about two years ago. But creating and maintaining encryption isn't easy. Some cybersecurity companies have cracked the encryption of a few gangs and are giving away the decryption keys to any victims. Emsisoft is one of the companies that cracked the Babuk code. Now Babuk has apparently decided that it is easier, and perhaps just as lucrative, to only steal data and hold it for ransom. A researcher at Emsisoft doubts that other ransomware groups will follow this strategy. By the way, last week the Babuk gang got into the computer systems of the Washington, DC police department and stole data. It is still threatening to release the names of police informants unless it is paid. In an interview with a news site in Poland, Babuk claimed the police department's virtual private network was hacked with a zero-day vulnerability, that is, a vulnerability that hasn't been disclosed. That claim hasn't been confirmed.
North Korean hackers target security researchers
"North Korean hackers targeting security researchers. Google's Threat Analysis Group warns that North Korean government-sponsored hackers are again targeting security researchers on social media, something previously seen back in January. The attackers use fake Twitter and LinkedIn social media accounts and have set up a fake website for the company "SecuriElite", claiming to offer offensive security services. The site hasn't yet been set up to deliver malicious content, but has been added to Google Safe Browsing as a precaution, with known fake profiles reported by Google and now removed. The similar effort back in January attempted to install backdoors onto security researchers' machines using zero-day vulnerabilities, and TAG says it's likely the group has new zero-days to exploit if they're trying the approach again.

Report details data sent from mobile operating systems. Professor Douglas J. Leith from Trinity College at the University of Dublin published a report looking at the telemetry data sent by iOS and Android devices at the OS level, finding that both OSes sent data even when opted out and not logged in. IMEI, hardware serial numbers, cookies, and IP addresses were among the information sent, with iOS sending some location data, although Android sent more data overall, roughly one megabyte every twelve hours compared to 52 kilobytes. Both platforms transmitted data roughly every 4.5 minutes. In response to the findings, Apple said the report misunderstands how personal location data is protected. Google disputed the paper's methodology and said it will release public documentation on the telemetry data collected.

Does CISA have the resources to succeed? Congress created the Cybersecurity and Infrastructure Security Agency inside the Department of Homeland Security roughly two years ago in the wake of Russian interference in the 2016 election, dedicated to focusing on defensive cybersecurity.
However, recent interviews with current and former staff by Politico found the roughly 2,000-person agency may be too stretched recovering from recent high-profile breaches to prepare for future ones. The agency already had its hands full helping state and local election officials protect their systems ahead of the 2020 election before the SolarWinds supply chain attack and recent Microsoft Exchange Server exploits came to light. Current staffers report being somewhat exhausted, with not enough personnel to fill out threat hunting and incident response teams. Staffers say CISA is able to largely meet the security needs of other federal agencies but is struggling to provide support to private sector infrastructure companies. Still, staff report morale remains generally high, with confidence CISA can fulfill its mission, and energized by recent political appointees to DHS.
Microsoft: 92% of vulnerable Exchange servers are now patched, mitigated
"Fast and furious: Exchange Server hack edition. We've reported previously that Microsoft released critical updates to fix four vulnerabilities in Microsoft Exchange servers on March 2nd. Despite Microsoft urging immediate attention to the zero-day vulnerabilities, F-Secure reports that only about half of the visible Exchange servers on the internet have been patched, and criminals are attacking tens of thousands of them a day. The UK's National Cyber Security Centre recommends those who cannot patch right away should block untrusted connections to port 443 and restrict access through a VPN. Microsoft has an automatic mitigation tool for unpatched servers available in Defender.
U.S. government to respond to SolarWinds hackers
"US government calls for better information sharing in wake of SolarWinds, Exchange attacks. The Biden administration is seeking new methods for better early threat detection of sophisticated intrusions such as SolarWinds and the exploits of the Microsoft Exchange Server vulnerabilities. Both of these were uncovered by private firms, specifically FireEye and Microsoft. Both attacks originated on servers within the US, placing them out of reach of the National Security Agency's powerful detection capabilities, which US law restricts to international activities. The proposed new initiative is destined to meet substantial opposition, especially among private sector firms, which fear damage to reputation and potential data loss in working closely with the government.

Hospitals hide pricing data from search results. Hospitals that have published their previously confidential prices to comply with a new federal rule have also blocked that information from web searches with special coding embedded on their websites, according to a Wall Street Journal examination. The information must be disclosed under a federal rule aimed at making the one-trillion-dollar sector more consumer-friendly, but hospitals have embedded the code in their websites to prevent Google and other search engines from displaying pages with the price lists, according to the Wall Street Journal examination of more than 3,100 sites. When confronted, some hospitals claimed the coding to have been a legacy issue and quickly removed it.

New Android zero-day vulnerability is under active attack. Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. Tracked as CVE-2020-11261, with a CVSS of four,
the flaw concerns an improper input validation in Qualcomm's graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests access to a large chunk of the device's memory. The access vector for the vulnerability is local, meaning that exploitation does require local access to the device to deliver malicious code and set off the attack chain.

Ransomware: bank tells customers it lost their Social Security numbers. Flagstar, the bank based in Michigan that was hacked in January of this year, has now revealed that customers, as well as people who never had an account with the bank, had their Social Security numbers and other personal information stolen. This is a correction and update to their initial statements, in which they said only employees' information had been stolen. One victim of the breach said he has never been a Flagstar customer but had taken a mortgage with a different bank, who then sold it to Flagstar without his consent in 2000...
Microsoft Exchange Hack And advice For Threat Hunting
"Matt, thanks for joining us. Thanks for having me, Chris. You're in Indiana, is that correct? That is correct. Up in the Midwest, very good, close to Chicago. ... So, Microsoft Exchange. It's pretty hot news. It's gonna continue on. In fact, I've got some research today as well; they've been monitoring it, and there's a whole bunch of stuff going on. Those in the industry probably... keep hearing about it, but ... right before that, that's kind of when things escalated to the point of kind of global scale, a global event. We'll talk through where it's at. ... Security Magazine: we've put out a release from the security center, and then we'll say we've got Matt on there with the video talking through it as well, so you can check that out. ... Matt, there's a number of CVEs here and a foreign actor involved, so yeah, maybe just tell the story, what you've observed, and what the situation is right now. You know, in a general sense, this was a pretty complicated attack. It falls into the bucket of a zero-day, where nobody kind of saw this coming in. The third party, in this case, was able to determine that there was a flaw in Microsoft Exchange. They were able to exploit it, and it wasn't only a single vulnerability in there. There are actually four, three or four, unique CVEs in this instance that required to be chained together to get the successful exploit to happen. So one of them would allow the unauthenticated bypass, and then the other might allow you to write the file, in this case a lot of the web shells that we've been seeing.
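The end of that chain, as Matt describes it, is a file write into the Exchange web directories, which is why the web shell itself is the most concrete thing to hunt for after the fact. The following is an added example, not code from the interview or from Microsoft: it walks a web root, scores every ASP.NET file against a handful of traits shared by one-line ASPX shells (server-side script that evaluates request input, or spawns a process), and reports files above a threshold. The sample tree, the file names such as `errorFF.aspx`, the file contents, the rule weights and the threshold are all constructed assumptions for the demonstration.

```python
"""Score ASP.NET files under an Exchange web root for web-shell traits.

Added example, not code from the interview or from Microsoft. The sample
tree, file contents and rule weights are constructed assumptions for the
demonstration; the rules encode traits common to one-line ASPX shells
(server-side script that evals request input or spawns a process).
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

EXTENSIONS = {".aspx", ".asmx", ".ashx", ".asax"}

# (name, pattern, weight); weights are assumed, tune them for your estate.
RULES = [
    ("server_script", re.compile(r'runat\s*=\s*"server"', re.I), 1),
    ("request_param", re.compile(r'Request(?:\.Form|\.QueryString|\.Headers)?\s*\[\s*"', re.I), 1),
    ("eval_request", re.compile(r'eval\s*\(\s*Request\b', re.I), 5),
    ("unsafe_eval", re.compile(r'eval\s*\([^)]*,\s*"unsafe"', re.I), 5),
    ("process_spawn", re.compile(r'System\.Diagnostics\.Process|ProcessStartInfo|\.StartInfo\b|Process\.Start\s*\(', re.I), 4),
    ("shell_binary", re.compile(r'"(?:cmd|powershell)(?:\.exe)?"', re.I), 2),
    ("reflective_load", re.compile(r'Assembly\.Load\s*\(|FromBase64String\s*\(', re.I), 3),
]
THRESHOLD = 5   # assumed: a file scoring at or above this is reported


@dataclass
class Finding:
    relpath: str
    score: int
    rules: List[str]


def score_text(text: str) -> Tuple[int, List[str]]:
    """Return (score, matched rule names) for one file's contents."""
    matched = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(w for name, _, w in RULES if name in matched)
    return score, matched


def scan_tree(root: str, threshold: int = THRESHOLD) -> List[Finding]:
    """Walk `root`, score every ASP.NET file, return those at/above threshold."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                score, matched = score_text(fh.read())
            if score >= threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append(Finding(rel, score, matched))
    return sorted(findings, key=lambda f: -f.score)


def build_sample_tree() -> str:
    """Create a constructed mini web root: two shells and two benign files."""
    root = tempfile.mkdtemp(prefix="exchange-root-")
    samples = {
        # Ordinary page: server-side form plus a request parameter, no execution.
        "owa/auth/logon.aspx": (
            '<%@ Page Language="C#" %><form runat="server">'
            '<input value="<%= Request["ReturnUrl"] %>" /></form>'
        ),
        # One-line JScript shell that evals whatever the request carries.
        "owa/auth/errorFF.aspx": (
            '<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["code"],"unsafe");}</script>'
        ),
        # C# shell that spawns cmd.exe with an attacker-supplied argument.
        "ecp/cmd.aspx": (
            '<%@ Page Language="C#" %><% var p = new System.Diagnostics.Process();'
            ' p.StartInfo.FileName = "cmd.exe"; p.StartInfo.Arguments = "/c " + Request["c"];'
            ' p.Start(); %>'
        ),
        "ecp/readme.txt": "eval(Request) is harmless here: not an ASP.NET file",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.score:>3}  {f.relpath}  {', '.join(f.rules)}")
```

On the constructed tree the JScript shell scores 12 and the process-spawning shell 7, while the ordinary logon page stays at 2 because a server-side form and a request parameter are normal on their own; the rule list is what turns a triage hit into something a responder can read at a glance. Patching closes the bypass, but as the interview points out, it does nothing about a shell that is already on disk, so this kind of sweep belongs in the response, not just the prevention.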
Microsoft races to patch massive server hack
"Kevin Mandia, CEO of the cybersecurity firm FireEye, says cybersecurity experts are scrambling to respond to a massive global hack of Microsoft's email server software. Mandia: "We have about 550 folks on the ground responding to breaches right now, and I'm not sure the climate's ever been worse for the amount of work that we have." Mandia says the explosion of infiltrations of Microsoft email servers in late February appears to have come from China. "The reason that was done is most likely the threat actors recognized the zero-day was coming up to end of life, so they just hit everything they could with it and put a backdoor in place. You know, they put this secret door in every single house in the neighborhood, kind of thing. That's what they did here. The backdoor that they put in place is exceptionally consistent with the Chinese threat actors." And Mandia says the US will have to measure a response to the massive...
Why the hack of Microsoft's email system is getting worse
"Welcome back to Fast Money. We're learning more about a massive hack attack on Microsoft's widely used email software. Some 30,000 US companies could have been hit in this attack. Eamon Javers has got the very latest. Eamon? Yeah, Melissa, the White House says it's leading a whole-of-government response, taking this very seriously. Here's the statement from the National Security Council earlier, in response to this hack, which is allegedly coming from China. They say, "This is an active threat, still developing, and we urge network operators to take it very seriously." They say they're still figuring out exactly how network operators can mitigate this threat. But I talked to the president of one of the cybersecurity companies earlier today, one of the cybersecurity companies that spotted this exploit in the wild and actually alerted Microsoft to the fact that they had a problem with their Microsoft Exchange email server software, and I asked him why this thing was so hard to see. He explained this was tricky. Take a listen. "It was quite under the radar, in the sense that it wouldn't trigger any security alarm bells, wouldn't trigger antivirus software. The actions that were being taken, you know, weren't too alarming or raising the alert, but when our team kind of dug in a bit, you know, we found, hey, these guys are actually exploiting a bug in Microsoft Exchange." So, two big problems here. One is the fact that if you patch this software now, you're not necessarily going to mitigate the damage, because the attacker could already be inside your systems, right? So if the Chinese are in your system reading your email and you close the front door, the burglar is still in the building. That's not necessarily a solution.
The other big problem here is that other hacking entities around the world watched this unfolding last week and decided to pile on, take advantage of some of the same zero-day exploits that these Chinese hackers were allegedly using, and that means that a lot more entities out there, a lot more groups of bad guys, could be exploiting this same information, stealing this email and doing just about anything with it. So you could see ransomware attacks, you could see all kinds of other developments as a result of this hack, and we still haven't seen all of that play out yet. So some real problems now for IT departments and for people in the C-suite trying to figure out what to do with all this. Eamon, it sounds like it's mostly small and medium-sized businesses, but what alarms me was that electric providers were also hit, reportedly, in this attack. And you sort of walk through, for people who are sort of discounting this, thinking it's just small and medium-sized business: if the Chinese get into the personal email of an ice cream parlor, like, that's not going to be a big deal, but the ramifications are actually much bigger than that. Yeah, I mean, what Microsoft said in its initial posting about this is that they were targeting infectious disease experts, law firms, non-governmental organizations, so a range of things that could involve classified technology, or could involve sort of defense-industrial-complex stuff generally, but also very specific medical and disease information, potentially around COVID-19 and other things. So just imagine the damage that could happen to you as a company if your law firm got hit by one of these, right? And that's all your secrets, right? So the problem is pretty exponential, and we just don't know who else has now piled on and is also stealing emails as a result of this same exploit, because a lot of bad guys around the world said, "Hey, you know what, that's a great idea, we can do that too," and they piled in through the week last week.
All right, Eamon, thank you.
"zero days" Discussed on The Shared Security Show
"So let's go to our second story, which is talking about some Mac malware just called Silver Sparrow. Thought Macs were one hundred percent immune? Fight us. No, there's no such thing. I'm always fascinated how they come up with these names, you know, the marketing names for all the latest exploits, and Silver Sparrow sounds like it's because the security firm that discovered it was called Red Canary. Yes, bird theme. I'm gonna go with that. I'm gonna go with that. This reminds me of my daughter, who just rescued a dog a few months ago, and when she rescued the dog they said his name is Orlando, and Brin, she said, how do you know? Rutley told us, you found this dog. The dog actually did. They have a guy, like generally their person whose job it is, when they get in a dog, they say random names to the dog, see if the dog responds, and when the dog responds, that's its name. So that person probably named Malan. That's probably what happened. Now, that was related. It was related. So this, yeah, it was interesting. So apparently around thirty thousand Macs were infected, obviously targeting the newer M1 Macs, so the M1 processor, which is very different for Apple, right, moving away from Intel. That could be a whole other topic in itself, but yeah, I thought this was interesting, just something going after a specific processor in a type of computer, and under is of not seeing in the cup. I've only read a couple of articles. One of the reasons they went to the M1 was to serve, you know, streamlined cross platform, Joe the iPhone. I've had the Mac offer, so we see thirty thousand Macs out infected. How many did it not infect? Lows, or you don't really. I haven't seen where they've talked about the iOS devices. Yeah, that's a good point. No, it didn't affect iOS. But I think it's because iOS is still, it's different than macOS. I agree, I found it interesting. This one was of the Johnston they use to execute. Stop that. This is where we just have, never say, some yesterday with a client.
We can't secure things like we say. We can't say, yup, that's secure, that is solved, we've fixed this problem, because all that happens is the bad people, and you know, Apple for the longest time was thus a choice. I hope you heard the talented and.
"zero days" Discussed on Ground Zero Media
"They were using them against other countries, and in fact there's actually a movie, if you want to watch it, it's on Showtime, I was watching last night, called Zero Days, and it talks about how a number of things have gone down where we wonder if these zero day exploits were being used on other countries, and if these countries are going to retaliate with their zero day attacks, or they already have retaliated, or somehow broken through. A zero day scenario basically is a security flaw that has not yet been patched by the vendors and could be exploited and turned into a powerful weapon. Governments discover, purchase or use zero days for military, intelligence and law enforcement purposes. That gets into an area of controversy because it leaves society defenseless against other attackers who discover the same vulnerability. So we decided to fire a zero day exploit at another country, and they see that it came from the author, they see that it has some sort of way of figuring out where it came from. Then we find ourselves in the same vulnerability, and the scary part is that it's just waiting there, meaning that the cyber pandemic that was talked about with the World Economic Forum is probably already underway. And it's probably been happening since March, back when we were talking about SolarWinds, talking about FireEye, those companies that had some specious connections to a possible election problem. Remember we were talking about that, and we kinda nailed it and said this is where your precedent lies with investigating whether or not you're dealing with election fraud, but the media ignored it because, of course, you know, there was nothing really involved here, only the idea that a zero day security breach or some other security breach could have happened. That we're seeing FireEye
and SolarWinds being basically hacked, or basically seeing the downfall in the shutdown. You can go back to the summer of two thousand sixteen, where the Shadow Brokers, which again triggers my mind to the League of Shadows we talked about last night with the Batman thing, this Shadow Brokers in twenty sixteen released three hundred megabytes of NSA cyber weapon code on the internet, and near as experts can tell, the NSA network itself wasn't hacked. But what probably happened was that there was a staging server for NSA cyber weapons, that is, a server that the NSA was making use of for its surveillance activities, and it was hacked, and some people would say that maybe it was hacked as far back as two thousand thirteen. You know, when you hear about this whole who was spying on who, what president was being, they were all being spied upon, and Obama knew it, Biden knew it, everybody knew it. And so when they say, well, you know, there's a lot of specious stuff going on here about cyber attacks and everything else, they actually kept it pretty much close to the vest. Why? Because of the software that was involved, zero day exploits, that when you start speaking of them, people get a little uncomfortable. So what I'm doing tonight is I'm talking about it, because I think it's important that you learn there are many other ways to disrupt a grid, not just the EMP weapon, even though EMP weapons are right on the agenda of what Russia and China are doing right now, trying to speed up the process of a space war or a grid war. And then of course we look at zero day exploits and what they mean. They are the doomsday exploits of the computer grid, and they may already be involved or seeded in the grid, because we've had so many problems happening since March of last year, into the election, into now, where a number of countries have already complained of blackouts and problems with their computers, anywhere from Pakistan to Iran.
And certainly something worth talking about, especially when you're trying to plan out your life and being prepared, and that's what's important, is preparedness, right? Five zero three, two five zero, eight sixty. Five zero three, two five zero, eight sixty. Counting down to zero day. We're back with more. Don't go away. I'm Clyde Lewis, and you just listened to a segment of Ground Zero. In order to access the complete archive of shows and podcasts, you must sign up on our secured server at aftermath.media. It's only four ninety-nine a month for the archived shows and podcasts. Or if you want access to the Ground Zero online library, which includes videos, audio clips, e-books, documents, a social media platform, plus the archived shows and podcasts, it's nine ninety-nine a month. Again, that's aftermath.media. Thanks for supporting Ground Zero.
"zero days" Discussed on The Shared Security Show
"Of the world that we are currently living in, your digital privacy, cyber security and health is more important than ever. That's why I recommend the use of a Faraday sleeve for your laptop, smartphone and key fob, and if you want the best Faraday products on the market, you need Silent Pocket, and because you listen to this podcast you can take ten percent off your order right now during checkout at silentpocket.com by using discount code "shared security". Is your team starting to show signs of fatigue from traditional security awareness compliance training, or from phishing assessments that target them for those teachable moments? As we've seen in recent news, these kinds of training are having a negative impact on corporate culture, and they're really not all that effective, so there has to be a better way. Click Armor is the first gamified learning platform that helps build a self-defending team through engaging learning challenges and exercises. Its unique lesson templates, built with proven gamification techniques, let people learn and exercise
important defensive concepts in a safe and fun environment. Whether you need to quickly deploy a training solution that gets people to stop clicking on things immediately, or you've got your own boring content that needs to be put into a more interesting user experience, Click Armor can help. So go to clickarmor.ca/sharedsecurity to learn how to build a self-defending team. And in privacy news, Google has been working on a new technique to replace the use of third party cookies in its Chrome browser, called Federated Learning of Cohorts, or FLoC for short. This new technique will target ads based on clustering users into groups with similar interests, which Google claims is much more private than the way traditional third party cookies track everything you do online. Google says that this is a move towards more interest-based tracking across the web. As expected, several advertising groups have said this proposal is anticompetitive, and the Electronic
Frontier Foundation has said that FLoC is, quote, the opposite of privacy preserving technology, stating that the approach is akin to a behavioral credit score and it risks discrimination against vulnerable groups of people. Google intends to start public testing of the FLoC technique in March, followed by testing with advertisers in Google Ads starting in Q2. That's all for this week's show. Visit our website, sharedsecurity.net, for all previous episodes and to sign up for our email newsletter. First time listening to the show? Please subscribe wherever you listen to podcasts, and be sure to subscribe to our YouTube channel. Thanks for listening, and we'll see you next week for another episode of the Shared Security Show.
"zero days" Discussed on The Shared Security Show
"You're listening to the Shared Security Show, exploring the trust you put in people and technology, with your host, Tom Eston.
Breaking Into Secure Buildings
"Hacking large organizations, banks, governments, isn't usually easy, but there are ways to do it. You could phish the right employees, then escalate privileges. You could find a zero day in a particular software program used by the organization. Or you don't even have to start in cyberspace: physical breaches, stolen machines, tampered-with machines, insider access, hacking buildings themselves. They aren't the most widespread security threat out there, but they exist. According to a Verizon report from twenty twenty, physical actions are the sixth most common way that data breaches occur. And they're effective. Think about it like this: would you rather have to remotely hack into a laptop, or just swipe it off a desk? Physical security isn't something we talk about much, but we're going to today. Hi, Levi, welcome to Malicious Life, in collaboration with Cybereason, and in this episode we're going to learn how to break into secure buildings, or prevent others from doing it. My name is FC, aka Freaky Clown. I'm the co-founder and co-CEO of a cybersecurity company called Cygenta, based in the UK. We work globally. Cygenta is not like other cyber security companies, and FC isn't like other hackers. His specialty is cyber physical security, breaking into buildings, red teaming for corporations, banks and governments. But you know, in real life that makes his workflow a bit different. Like, for example, the first step in most major breaches is reconnaissance, exploring an organization's digital infrastructure and their employees to find where they're most exposed. FC's recon involves actually going somewhere, and probably bringing some binoculars. Is it like the movies, where you're just sitting there in your car, sitting with a newspaper? That kind is sometimes more mind-numbingly boring than that. Sometimes it gets pretty cold. I remember once doing reconnaissance in a very calm site, see much about on the building I had to look at, and I climbed over this barbed wire fence, like, in the morning.
And I climbed through this, like, a thorn bush, got really treated by it, I was bleeding, and had a ski mask on, I had night vision goggles, and I had to sit in this ditch, covert, this data is close enough, and the ditch was half full of muddy water, and it just started to snow, and I was really cold and wet, bleeding, and I had to sit there for like three or four hours whilst I watched this, in order to gain some intel, before I went back to my hotel room. After the recon phase, hackers usually send a phishing email or text to the victim containing a malicious link or PDF. After his recon, FC does something much more simple. In fact, he doesn't even need to be a hacker for this part. So I never start with the digital, because the digital is actually harder than the physical, and this sounds absolutely crazy, but it's genuinely true. It is much easier to walk into a bank, or any secure building, than it is to digitally break in. Just walking in the front door? Oh, you'd actually be really, really shocked at how easy it is. I remember years and years ago, I was on site for a physical test and there were a couple of members of our company that were there, and one of them said to me, like, oh, I'd like to learn how to do the stuff you do. It's easy, just walk in. And he said, what do I do? Right, well, you don't really, you're not authorized to do this, but I'll show you how easy it is, right. So I'm like, come with me. We walked to the front of the building. I look through the front windows, right, and you can see how this app is, right. So the app is, there's a couple of these electronic barriers, so someone goes up, they swipe a card, the barrier's swipe, papa, and they walk through. Okay, so all we have to do is follow someone through. The way these barriers work is they work with a small beam that goes across, right, so if a large person with a suitcase is going through, it doesn't shut the doors on the suitcase. So imagine you're as close as physically possible to the person in front of you,
that's legitimately allowed to go in, and if you get close enough it's going to count as one person. Now, what we have to do is make them feel, humans are really bad at being awkward, and they want to get away from that situation as quickly as possible. So the more awkward you make it for that person, then the less likely they are to confront you, the more likely you are to succeed. So it's like, it's drizzling a little bit. All you have to do is run to the front door, run through the front door and basically run into the back of someone who is just going through that gate. That's it? It's easy. Yeah, it's really that easy. So all he did was, he ran up to the front door, ran through the doors and picked a person at random who was just swiping their card, ran into the back of them, and he basically said, oh, really sorry, I'm busy, trying to get through really quickly. And he runs into them, they go through, and they are feeling awkward because they just got run into. Everyone's kinda like, oh my god, this is, sorry. And then they just let him go through.
Securing Apple devices
"Of Apple's known system across multiple types of devices, you know, on one hand it makes things easier to protect, but it also means that zero day attacks can be more pervasively destructive. They cover sort of thousands of times the surface area a targeted attack might otherwise have, given, and I'm not sure if I'm getting that right, but is there sort of like a uniformity of, like, Apple's structure, whatever that may be, that makes zero days especially vulnerable? So Apple doesn't have the same operating system across all the devices. There's macOS, there's iPadOS, iOS, tvOS, watchOS. Each device does have its own separated operating system, but Apple is taking approaches to make that more uniform, allowing you to be able to pick something up from your phone and then be able to pick it back up on your Mac or on your iPad. So they are allowing that kind of cross use across the different operating systems, or making that more, like, uniform. And so, I don't know, I could totally see what the potential risks are there, especially as apps made for iPads, iOS devices, are being added to the App Store and being available on a Mac, because even though Apple is pretty strict on their developers in what they allow in the App Store, we just had a case recently where they actually notarized Mac malware to be able to be downloaded. Notarization was one of their big kennedy security approaches to help only allow things that are authorized and kind of been blessed off. So there's no perfect defense, right, like you have to be aware of everything. There's always things that are gonna possibly slip. And so I do see that there could be potential risks with that for sure. Okay, so speaking to that, you know, it sounds like it's pretty hard. Is it pretty hard to sort of get one over via the App Store in that way that, you know, they were able to authorize this thing? What happened with that? Was it just that it looked very, very realistic,
and just sort of didn't pass the sniff test? Exactly, and then it just turned out to be malware. And that's not a common case? No, and that's the first I've heard of. There may have been more, but that was kind of, like, publicly made big knowledge. Okay, so we want to talk, obviously you're a bit of a Mac guru here at McAfee, we want to talk about Mac specific security risks that people should be aware of. Like, what are some common errors, first of all, that are made by Apple users, you know, just out in the world, that open them up to security risks? Being careful what you click on, that goes across any user, not just Mac specific. But yeah, just be cautious of what you click on. Apple does a really good job of trying to put in some protections for the end user, so not disabling things in the operating system, right. So, like, if you go to Stack Exchange looking for how to, hey, how do I do this really cool thing on my Mac, and then they recommend that you disable internal protections, like, you shouldn't do that, like just cheap do rum. Yeah, exactly, and like, there's always those targeted tools that are, like, let's clean up your Mac, like here's your pop up, right. That happens a lot on the Mac side, because they are very focused on, like, your Mac is contaminated, you need to download this kind of thing. So I think there's always that risk, depending on the type of attack and what the attackers', like, motives are. There's always that sense of urgency, right, like you need to do this right now, because they're short-circuiting your common sense. It's like, right before I can think about it, you just have to kind of take a step back, right, like, is this really, is something bad? But that's hard. I think there's always that pressure, as a user, to just be aware. But people like Macs because it's easy to use.
They don't need all the ins and outs of everything, like people don't know where their launch daemons are, in that there may be a potential tool there. So I think it's just keeping, be patient, be wary of things that they download and click on, keep the native security functionality that Apple gives you enabled, don't turn it off, and just be more investigative into what they want me to do would be my biggest, like, just for any end user.
Two More New 0-Days Revealed in Chrome
"Two more new zero days revealed in Chrome. Last week we had three zero days patched in the previous two weeks. Today we have five zero days patched in the previous three weeks. Jeez, I know. And we were just talking about this last week, saying, you know, once upon a time IE was the favored target. Now it's clear Chrome has become the majority browser, and you know, it's trying to be kind of an everyman's application execution environment. It's trying to be a little mini operating system, with all the crap that the World Wide Web Consortium keeps pouring into our browsers, and it has bugs. So last Wednesday, the eleventh, Chrome announced the stable channel update for Windows, Mac and Linux. We're now at 86.0.4240.198, and I had commented last week that I was already at dot one nine whatever it was, or one six three or something. I was further along than they had made any announcement of, and I didn't know why. Maybe this was part of that. So this one is already rolled out. Under "security fixes and rewards" in their announcement of this stable update, they noted their standard boilerplate that details would be kept restricted until the majority of users would no longer be affected. They indicated that both of those new in-the-wild zero days were discovered and reported by "anonymous", unquote, the first on the seventh and the second on the ninth, and this thing was released on the eleventh, so the update was pushed out to our desktops very quickly after it was reported to Google. And the bounty rewards for both of those were $TBD, so, you know, to be determined. The first flaw was another of those quote "inappropriate implementation in V8", which is exactly the exact language that was used to describe the previous week's zero day vulnerability. The other flaw was a use after free flaw in the site isolation component, which of course we depend upon, because we don't want cross site exploitability. And you know,
this is the model for the way we need to be doing security moving forward. Researchers spot problems, either doing static research or by catching something that they see happening in the wild. They report them privately to the responsible party, whomever that is. That responsible party rewards them for their discovery and for keeping their report private, and then quickly updates the affected software, pushing it out to all affected parties or devices, depending on what it is. I mean, that's what we're seeing here. Problems are being found. I mean, they're going to exist in something as crazy complicated as a modern browser, not to mention an operating system. There's gonna be problems. There seems to be no end of them. You know, we'll be talking about last Tuesday's hundred and twelve things that were fixed, and remember, those didn't just appear in the last month. Those have been lurking in Windows and all related applications for probably a long time. We know that some of them affect Windows 7, and those are not getting fixed anymore. So, you know, what's that, two thousand eight? That's twelve years ago. So we have this problem. One thing we know today with absolute certainty is that cyber war and cybercrime, either ad hoc or organized, are very real things.
A new 0-day in Win7 through Win10
"As I said, we have a new zero day, and it's complicated by the fact that it has existed at least since Windows 10, which as we know, Microsoft has, at least since Windows 7. Oh, I'm sorry, yeah, since Windows 7. Wow. So last week we talked at some length about the bug Google found in the FreeType library, which had been in use since June nineteenth, two thousand fifteen, or more than five years. What we knew then was that this flaw, which was patched by that update to Chrome, was a zero day because it was being actively exploited. They fixed it in Chrome when they were notified. They fixed it within twenty-four hours, which was an impressive response, and they notified the FreeType people, who also fixed it within twenty-four hours, also impressive. What we did not learn until the end of last week was that there was a previously secret second part to this zero day. The FreeType flaw was what was being exploited through Chrome to open the door to the attacker, but as is often the case, thanks to modern operating system design, the damage that can be done by an aberrant application, or exploit of an application, running under the non-root user account is deliberately minimal in modern operating systems. All of today's web browsers are careful to run under the user's deliberately limited account privileges. This is why successful attacks and attackers often need to chain two or more exploits together to accomplish their nefarious ends. If the FreeType library happened to run in the kernel, then a single exploit in it might have been sufficient, but FreeType was also properly designed to run in user space. So exploiting the FreeType flaw opened the door, but the attacker then needed to elevate their privilege on the system to root or kernel level in order to get anything useful, like, from the attacker's standpoint, done. The week before all of this, Google had seen the whole picture, or presumably the person who informed them had. They saw this second phase,
which was leveraging a previously completely unknown and quite potent zero day flaw in Windows to achieve privilege elevation. This was allowing the attackers, then, you know, to do some real damage. The privilege elevation that they discovered by watching it in action existed, or actually I should say exists, because it still does today, within the Windows kernel-based, thus we have a problem there, cryptographic services API. And because that kernel-based module, the cryptographic services module, exports an API that's callable from user land, the bad guys can arrange to run their malicious code with full system permissions. Google's Project Zero folks immediately reached out to Microsoft to inform them of what they had found, and also to explain that since this was an active vulnerability being exploited in the wild, Project Zero's normal patient ninety day disclosure window would be reduced, as they even did for themselves, to just one week. Actually, they only needed a day. And that's why the industry subsequently learned of this only late last week. That was seven days after, actually eight, after Google told Microsoft. So the Google Project Zero disclosure starts off with saying, note: we have evidence that the following bug is being used in the wild, therefore this bug is subject to a seven day disclosure deadline. And we've seen these in the past when we've talked about this, and if you looked at these in the period before the disclosure deadline, all there is is just like a placeholder page, no juicy details available, because, you know, they're holding that embargoed until the problem can get fixed. They begin their write-up by explaining that the Windows kernel cryptography driver, cng.sys, exposes a \Device\CNG device to user mode programs. So in other words, there's a
device, so that the cryptography driver looks like a device which exposes services through a device driver interface to programs running on top of the operating system, and it supports a variety of Windows calls, IOCTLs, I/O control calls. They said, with non-trivial input structures, it constitutes a locally accessible attack surface that can be exploited for privilege escalation, and they said, such as sandbox escape. So of course they're viewing it from the standpoint of a sandbox escape, because the way this would have gotten in was through the browser, and we know that running in the browser is deliberately sandboxed, so that if it does something wrong it doesn't have access to much, but by taking advantage of this, that code is able to escape from Google's own Chrome sandbox. So Microsoft, for their part, doesn't see this as such an emergency. Google has already closed and locked the front door through which attackers were able to reach the crypto API vulnerability, and November's Patch Tuesday, being next Tuesday, a week from this podcast's date of the third, which will be November tenth, expects to have this fixed.
Update Alert: Critical 0-day in Chrome
"Speaking of being challenged. The Hacker News summed this up by writing: "Attention readers, if you are using Google Chrome browser on your Windows, Mac or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today," and this was last week. So you know, even though that was last Tuesday, even my own always-sort-of-sluggish Chrome had already updated. But our listeners may just want to make sure that they're now running 86.0.4240.111. However, there's much more to last week's emergency update than what drove it, but we'll start with that. So last Tuesday's release closed five vulnerabilities. Four were rated high severity, one was medium, and one of those four high-severity vulnerabilities, the one we're talking about, was a zero-day that was seen exploited in the wild by attackers who were using it to hijack targeted computers. So you know, that nasty one was numbered CVE-2020-15999, and what's significant is that it's a heap buffer overflow in FreeType, which is the widely used open source font rendering library, which is part of Chrome but of many other things. Various bounty payouts were or will be made for the other four vulnerabilities, but this biggie was discovered in-house by Google's Project Zero researcher Sergei Glazunov. Even so, even though it was found in-house, it was subjected to an accelerated seven-day public disclosure deadline because the flaw was under active exploitation, and that's the Project Zero guidelines. You know, you get thirty days for things that, like, yeah, you gotta get these things fixed, but if it's being used, if it is a zero-day, you get a week. As it happens, this only took one day for Google to begin pushing the update, which they did on the twentieth; it was discovered on the nineteenth.
They were pushing the fix one day later, which is interesting because it wasn't even really their problem; it was in the FreeType library, not in Chrome. Sergei immediately notified the FreeType developers, who also developed an emergency patch to address the issue and had it available the next day, on October twentieth. And so that's FreeType 2.10.4. This is significant because FreeType is everywhere. Without revealing details of the vulnerability, Ben Hawkes, who is Project Zero's technical lead, warned via Twitter that while the team has only spotted an exploit targeting Chrome users, it's absolutely possible that other projects that use any earlier versions of the FreeType library, and there will be roughly a gazillion, might also be vulnerable and are advised to deploy the fix included with FreeType version 2.10.4. He tweeted, "While we only saw an exploit for Chrome, other users of FreeType should adopt the fix discussed here," and then he provided a link in the tweet. I've got the link here in the show notes. And it is part of the stable release of FreeType, again 2.10.4. So what we do know, thanks to what Sergei has shared, is that the vulnerability exists in FreeType's function Load_SBit_Png, which processes PNG images embedded into fonts. It can be exploited by attackers to execute arbitrary code just by using specially crafted fonts with embedded PNG images, which turns out to be something that FreeType supports. So, no, not just curves, but you could embed images. And since web fonts can be specified by a web page, and since the browser will go download the font and then render glyphs from those fonts, turning a theoretical FreeType flaw into an active exploit would not be difficult.
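As an added illustration (this is the editor's example, not FreeType's or Google's code, and the page does not describe the precise defect inside Load_SBit_Png): a loader that pulls width and height out of a PNG embedded in a font and sizes a glyph bitmap buffer from them has to validate those dimensions before allocating, or a crafted font controls the mismatch between the buffer it gets and what the PNG decoder later writes, which is exactly how a heap buffer overflow of this class arises. The block below parses a constructed PNG header, shows one hazardous pattern (narrowing the 32-bit PNG dimensions into 16-bit bitmap metrics before sizing the buffer) beside the hardened check; the `glyph_w`/`glyph_h` parameters standing in for the font's own bitmap record are an assumption of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Editor's example, not FreeType code. Every PNG starts with an 8-byte
 * signature and a fixed-size IHDR chunk; real files continue with a CRC and
 * more chunks, but this illustrative parser only needs the first 29 bytes. */
static const uint8_t PNG_SIG[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };
#define IHDR_END 29   /* 8 (sig) + 4 (length) + 4 ("IHDR") + 13 (IHDR data) */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed sample input: build a PNG header declaring w x h (no CRC). */
void make_png_header(uint8_t out[IHDR_END], uint32_t w, uint32_t h)
{
    memset(out, 0, IHDR_END);
    memcpy(out, PNG_SIG, 8);
    out[11] = 13;                      /* IHDR data length, big-endian 13 */
    memcpy(out + 12, "IHDR", 4);
    out[16] = (uint8_t)(w >> 24); out[17] = (uint8_t)(w >> 16);
    out[18] = (uint8_t)(w >> 8);  out[19] = (uint8_t)w;
    out[20] = (uint8_t)(h >> 24); out[21] = (uint8_t)(h >> 16);
    out[22] = (uint8_t)(h >> 8);  out[23] = (uint8_t)h;
    out[24] = 8;                       /* bit depth */
    out[25] = 6;                       /* colour type: RGBA */
}

/* Extract width/height from the IHDR of a PNG blob. Returns 0 on success. */
int png_read_ihdr(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h)
{
    if (len < IHDR_END) return -1;
    if (memcmp(buf, PNG_SIG, 8) != 0) return -1;
    if (be32(buf + 8) != 13) return -1;
    if (memcmp(buf + 12, "IHDR", 4) != 0) return -1;
    *w = be32(buf + 16);
    *h = be32(buf + 20);
    return 0;
}

/* The hazardous pattern: a bitmap record stores width/height in 16-bit
 * fields, so the dimensions are narrowed before the buffer is sized. A PNG
 * declaring width 0x10001 becomes width 1, the buffer is sized for 1 pixel
 * per row, and a decoder that later writes 0x10001 pixels per row overruns
 * the heap. Returns the (under-sized) byte count such code would allocate. */
size_t sbit_buffer_size_unsafe(uint32_t png_w, uint32_t png_h)
{
    uint16_t w = (uint16_t)png_w;      /* silent truncation */
    uint16_t h = (uint16_t)png_h;
    return (size_t)w * 4u * (size_t)h; /* 4 bytes per RGBA pixel */
}

/* Hardened: bound the full 32-bit dimensions before any narrowing, require
 * them to match what the font's own glyph record declared (glyph_w/glyph_h
 * are hypothetical parameters), and size the buffer without overflow.
 * Returns 0 and sets *out, or -1 to reject the glyph. */
int sbit_buffer_size_safe(uint32_t png_w, uint32_t png_h,
                          uint16_t glyph_w, uint16_t glyph_h, size_t *out)
{
    const uint32_t MAX_DIM = 0x7FFF;
    if (png_w == 0 || png_h == 0) return -1;
    if (png_w > MAX_DIM || png_h > MAX_DIM) return -1;   /* fits 16 bits with margin */
    if (png_w != glyph_w || png_h != glyph_h) return -1; /* PNG disagrees with font */
    uint64_t bytes = (uint64_t)png_w * 4u * (uint64_t)png_h;
    if (bytes > (uint64_t)SIZE_MAX) return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Demo helpers over the constructed input above. */
size_t demo_benign_safe_size(void)
{
    uint8_t buf[IHDR_END]; uint32_t w, h; size_t sz = 0;
    make_png_header(buf, 32, 32);
    if (png_read_ihdr(buf, sizeof buf, &w, &h) != 0) return 0;
    return sbit_buffer_size_safe(w, h, 32, 32, &sz) == 0 ? sz : 0;
}

size_t demo_malicious_unsafe_size(void)
{
    uint8_t buf[IHDR_END]; uint32_t w, h;
    make_png_header(buf, 0x10001u, 32);    /* width truncates to 1 in 16 bits */
    if (png_read_ihdr(buf, sizeof buf, &w, &h) != 0) return 0;
    return sbit_buffer_size_unsafe(w, h);
}

int demo_malicious_safe_rejects(void)
{
    uint8_t buf[IHDR_END]; uint32_t w, h; size_t sz = 0;
    make_png_header(buf, 0x10001u, 32);
    if (png_read_ihdr(buf, sizeof buf, &w, &h) != 0) return 0;
    return sbit_buffer_size_safe(w, h, 1, 32, &sz); /* record says 1x32, as truncation would */
}

int main(void)
{
    printf("benign 32x32: safe path allocates %zu bytes\n", demo_benign_safe_size());
    printf("0x10001x32: unsafe path would allocate only %zu bytes\n", demo_malicious_unsafe_size());
    printf("0x10001x32: safe path returns %d (rejected)\n", demo_malicious_safe_rejects());
    return 0;
}
```

The point of the two sizing functions is the order of operations: the hardened version compares and bounds the dimensions while they are still the decoder's full 32-bit values, so the decoder and the allocator can never disagree about the row width. The practical check for anyone shipping FreeType outside Chrome is the one Ben Hawkes gave: confirm the linked FreeType is 2.10.4 or later.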
"zero days" Discussed on The Knowledge Project with Shane Parrish
"You need to trust that vendor. You need to be sure that the interests of that vendor are at the very least not opposed to the interests of the country that you're in, and I don't know how anybody could possibly say that about... Well, I remember when the Brits did this whole thing, like, we're going to set up this accredited lab, we're gonna test it, so we're gonna allow British Telecom to... but we'll test everything that's deployed. I remember, just like, that would fall apart in a second, because the minute there's a zero-day you're going to deploy it right away, especially if it's leaked on the Internet, and then you've deployed code that you haven't got reviewed, and then the whole thing just falls apart. And I'm like, okay, well. It doesn't scale to the realistic pace of software development, right? So let's imagine that a government does have a program in place where every iteration of source code, and these aren't small systems, we're talking millions of lines of source... Let's assume you have a team of amazing source reviewers that can say with confidence, yep, this looks great. Or better yet, they have a set of automated tools to be able to derive that answer, which is challenging. Probably possible, extremely challenging. The realistic outcome is the time from, say, Huawei releases a new iteration, the time from that release, because if they are a vendor that actually believes in securing their product and that new release of the firmware has fixes, time matters. You're against the clock before vulnerabilities could be discovered and put out, because all it takes is for them to release firmware once and have somebody rip that firmware apart and identify differences between the old and new. So you're immediately up against the clock, and if this ideal analysis process is being slowed down in any way, you're immediately compromising the vendor and giving them the argument that this system doesn't work, because what they...
I don't necessarily disagree with that. If I was the vendor and my releases were being slowed down by a month, I would get pretty cheesed, because, some, I fall... you're slowing down fixes, and, oh, I'm sorry, your routers just got hacked. That's on you. That's not on the vendor at that point. So I don't think the concept is one that actually works, and the way to avoid that is sort of like just not allow that in your critical infrastructure. Or do you think it should be not allowed in any infrastructure? Your personal take? Oh, my personal take, again, I'm completely fine with the ban. I mean, they're still allowed to sell into Canada. Not aware of what the... I think it's on... I mean, my knowledge is that it's out of date, so we'll have to, like, fact-check this, but I think it's not allowed in the critical components of Canadian telcos, but it's out on the periphery. But I mean, that's, like, silly when you think about it, right? Because you don't want to ever be held hostage to somebody who can turn that off, and somebody who's more patient than you, right? Because you could just go twenty-five years with no incident and then all of a sudden there's an incident, but you built up twenty-five years of trust and credibility, and the story you tell yourself is we haven't had an incident, it's cheaper, because it's likely... And not only are they subsidized by the government. Yeah. So I mean, ultimately, this is... I don't have any problem with Huawei being banned in the US. I would not argue about that. By the way, the name of the vendors, Rhodium Buchen started, sorry, boop started zero zero, the ones by... I lump them together. Same parent company, I would imagine. Yeah, yeah. What do you think of Snowden? I feel like you're asking questions that are slowly taking years off my life. So I've been doing that since I met you. I do not agree with what Snowden did in any way. And that is putting it very, very kindly.
Regardless of, you know, at this point there's been things that he brought to light that have been declared illegal. The unfortunate assumption is that security agencies, intel agencies, are these devious groups that are like, let's do whatever we can, and I don't think the average person actually realizes how difficult the job is, how normal the people are who do that job. They have families, they come in, they want to, you know, solve a mission, solve a problem, make things better. And the way he went out with this giant trove of information, which we're gonna come back to, completely ignores the way that technical implementations get approved. It's not like developers are sitting at their desk and say, I had this great idea, let's go do it, and all of a sudden it's running in operations without any accountability or review. There's a team of lawyers, depending on the size of the country, that will look at that and say, this is okay, this is bad. I remember being a TSE, arguing for something for I don't know how many years, but there was a problem legally, it didn't get through, and that vetting process people take extremely seriously. And if something goes through that process, there is a measure of legality to it. There are a group of lawyers who honestly like to say no to ideas, that, yup, this is okay. So the idea that anything that has been deemed illegal, you know, I'm not in a position to say that's right or wrong. But what I can say is the process that those things would have gone through, people underestimate the sheer size of the bureaucracy to get anything done. Crazy. So that whole side of things
I find unfortunate, because the by-product of that is distrust for agencies that are working extremely hard to keep countries safe, and it is extremely disheartening for those people to, you know, get dragged through the mud publicly when the public doesn't actually have an awareness as to how much they sacrifice on a day-to-day basis. I couldn't count the number of long nights that I've seen people work. You know, it can break families, it can break relationships, and it has, yeah, definitely. So the other side of it is trusting his intentions. So he had gripes about, you know, those types of illegal, you know, mass monitoring or mass surveillance programs in the US. Why did he go public with such a large archive that had nothing to do with that? Why did he, you know, expose completely legitimate, legal intelligence gathering programs that have a ton of people's names associated with them? Why did he go out the door with that? And that, I think, is what I have a much larger problem with, and that there was no thought process. It sounded to me, it seemed like more he's just giving the intelligence community the middle finger. Yeah, I mean, I sort of took away the same thing from that whole thing, which was, even if he felt just in what he was doing, it would have had a different sort of feel to it when it came out. And you don't need to reveal the techniques. You can just reveal the details of the programs, but the actual techniques that he revealed, the software techniques, the exploitation techniques, I mean, that definitely cost people's lives; that had a huge impact on people working there. And how far back did he set programs? How much did, you know, entire agencies need to go into damage control because some yahoo decided that this thing over here was illegal, and then, oh...
"zero days" Discussed on The Knowledge Project with Shane Parrish
"Drives me... so much jargon in this industry in particular, right? And a lot of it is, like, it's created by the sales teams, the sales force. The number of times I have had to worry about these features that are sold to businesses around the world, being on the other side of the coin just years ago? Never. I've never had to worry about machine learning. And by the way, existing machine learning implementations in a lot of solutions out there are the exact same thing that, you know, I've seen in antiviruses back in 2005; they just didn't call it machine learning. It was just training analytics to look for anomalies. And so when you were an attacker, what did you worry about? Oh, that's an intimate question. Getting caught, I mean, ultimately. Yeah, I mean, so as an attacker it is a continuous balance between risk and losing the capability. And what does that mean? And I'm speaking from back when I was at the... it means that, you know, when I said earlier that on the, you know, that first pillar of cybersecurity, so-called pillar, there's an economy behind it. So there's a cost to building capabilities to go after a particular target. If you lose that capability, that immediately is an expectation of finding a new one. And it's difficult. There's cost, there's labor. And that is a very big component that goes into the risk equation as to how you're going to approach an operation, how aggressive you're going to be, and different agencies around the world will do different things. I mean, you look at China and Russia, they're remarkably aggressive, with a lot of disregard for their own intellectual property and what they're using, but they're certainly not quiet about what they're doing. Spray and pray, right? I find it really intriguing. Makes me wonder a little bit, like, they have an army of thousands of people in warehouses cranking this stuff out, which they probably do, which is really scary.
Yeah, one of the things that I always found really fascinating about intelligence problems was there's always a country with more people who are just as smart if not smarter than you, and just as good if not better technology than you, and yet your task was sort of defending or in some cases acquiring information against these people, and the hubris that sort of goes into "we know best", and yeah, that was always an intriguing calculation. Back... it's a good debate to have, I guess. If you've got something that took a lot of time to build, do you throw it down a hill and hope for the best, or do you protect it? Do you put shoulder pads and knee pads on it and try to make it last as long as possible? And so talk me through that. Like, how do you see that? Because allied governments, friendly governments, whatever you wanna call them, have exploits that are zero-days that they don't release, that have huge national security implications. Like, we've seen some of those become public and have massive implications. Wasn't the NHS hack in Great Britain the result of a stolen zero-day from an allied... That one's tough. Should they disclose them? How do you think about that? So, full disclosure, I don't have as much exposure to what the internal debate is on that. I'm aware that it happens. I think a lot of it comes down to what the perceived value is, gained versus lost. If you don't disclose something and you use it operationally, is there more good for the mission, the country, its people, by not disclosing, versus disclosing and losing a capability? Yeah. It's a tough one, because, you know, the adversaries of allied governments aren't going to disclose. They're not going to care. If they have something they can weaponize, they will use it, and I think, unfortunately, that's probably the tone that's set globally that
underpins a lot of these, the decision making. Like, if you're being attacked constantly and having your intellectual, your nation's intellectual property stolen, I mean, you could disclose all the vulnerabilities you have and you know about as a nation; it's not gonna stop them. It's just not going to. Going back to the group example of... there are more out there. There was a backlog, apparently. I'm only gonna probably push buttons here. You might want to take a drink. Talk to me a little bit about... Wow. Huawei. I'm just gonna leave it there, expand on it. So we've had many conversations, just that that situation is... So Huawei always had a bit of an interesting, less-than-smooth ride, I would say. They came out of nowhere with all... Yeah, which basically happened right after a Cisco leak, a giant Cisco source code leak, but it's a coincidence. Yeah. So, you know, there's documented ties to the Chinese federal government with that company existing. There is... I don't know if they were ever convicted. It was back in 2003, 2004, but there was a very clear-cut case that Huawei was using conveniently leaked intellectual property. This is back to: if I was going to steal your intellectual property, it's much more deniable if I leaked it onto the Internet and then used it and came out six months later and said, oh look, I just found this out there and I used it. Really convenient. And, you know, where we are today, Huawei basically price-undercuts other vendors, and, you know, I ask, how do they get to that point? That sounds like they have a lower R&D budget, and how do you have a lower R&D budget? You get intellectual property via creative means. So today, with them being banned from the US, I don't disagree with that. I have different thoughts about the whole TikTok situation. Why don't we dive into the why? Why don't you disagree with that? Why don't I disagree with them being banned? Yeah. I mean, I agree with them being banned. Yeah.
So I don't think there is a framework to build trust. I don't think they have earned that trust, and given, you know, if a nation is going to re-kit their entire country with a new type of wireless gear, especially with the complexities...
"zero days" Discussed on The Knowledge Project with Shane Parrish
"There was one that was EternalBlue, was that a group, was that a leak? I guess the one I'm referring to was from NSA, and it was a whole treasure trove of tools, and this one was particularly interesting because there are events that occur that destabilize, I guess, the defensive posture. Ransomware in general, I don't get how it even exists. It is the easiest thing to detect and stop. How there's an industry around that blows my mind. But the attack vector that people use to wrap ransomware, the payload, weaponize that chain I talked about earlier, basically allowed a point-and-exploit capability on unpatched Windows machines. Walk me through ransomware, like, what happens? Depends on the flavor, but the overall goal is to extort money out of the victim. So there's different ways to do that. If you attack an individual, you would potentially encrypt their personal photos, credit card information, maybe other personal compromising information, and then say, give me X amount of money or I'm going to expose all your photos, or I'm going to delete it all. When it comes to businesses, it's more of going after intellectual property, where if a particular workstation gets compromised, ransomware runs on that workstation, encrypts everything, potentially deletes everything, at the time typically making a copy of it because there's value in that, and then we'll go through all the network shares and do the same thing. So there's different groups of ransomware actors out there, some that, I won't call the bluff, and others where, if you say I'm not going to pay you, they will one hundred percent follow through on what they're going to do. And this weird, I guess, sub-industry has emerged from ransomware actually being a thing and being accepted, where companies will actually use a negotiator. So if you think back to those really cool movies where, you know, there's a really cool ransom, sorry, hostage negotiator
trying to talk somebody down. That exists for ransomware, and it drives me... For me, yeah. Why is that a problem? Like, do our customers have ransomware problems? Like, no, because they... we protect against that vector. But how do you stop that? Like, if it's that easy to stop, why isn't everybody stopping it? I wish I had an answer to that. I don't think, you know, a network monitoring solution will stop ransomware. There's nothing you can do about it unless you're on host. Yeah. You have to be on host, and you have to have a measure of sophistication and tradecraft to identify and block it. We have coexistence scenarios where, I won't identify the companies, but they are very, very large, successful cybersecurity companies, and the ransomware gets by them, but we stop it, and it blows my mind that, based on the news, that's the big thing you're worried about. It is a very, very basic profile to identify and stop. I might be jaded because I've been doing this for twenty years, and in the grand scheme of things that I've been a part of, ransomware is definitely low on the sophistication bar. Do you think it would exist without cryptocurrency and anonymous payment forms? Because it always seems to be, at least in the news, it's always like you need to pay in Bitcoin so I can run away with this money. I would say definitely harder, because that is definitely a very convenient payment structure, to pay with Bitcoin. I'm just thinking of cases where we've seen financial redirections, and those are anonymous accounts that are used and then torn down. So how hard is that to track, like, if you're sort of like the FBI or another three-letter agency, to follow that path? I don't know about that. It's not my background, but I would say the challenge would not necessarily be the difficulty, it would be the average
person or business getting any agency to care to track it down, because intel agencies, law enforcement agencies aren't sitting around waiting for things to do. There's just really big problems they're going after, trying to fix and solve. A small company, a law firm getting ransomware is just low on their list. Well, it's a minute matter, a payment, for them. In some cases it's life or death for the business, because you can effectively turn the business off overnight and just eliminate it, especially if you're small and you don't have these sort of big bank accounts too. Yeah. I'm aware of businesses that have been shut down because of ransomware. The payment is just too high, and it's much easier just to say, we'll throw in the towel, we're gonna fold up shop and maybe start again. And this is ultimately why I don't... like, I get very frustrated that companies will pay ransom or not take the time to hire a company ahead of time. Like, it's much, much easier and cheaper to be preventative and to harden your system and be ready for attacks. I mean, that is the reality of today, and anybody who thinks otherwise, you know, they've got their head in the sand. You're going to get ransomwared, bad things will happen, hopefully it doesn't kill your company or compromise customer data. That's a whole other aspect of this equation that I don't think people take into consideration: their legal obligations to report compromises of customer data. Now there are fines. I remember before COVID-19 dropped there were discussions about six-figure fines going to Canadian companies if they are ransomwared, customer data gets compromised, and it is shown that they weren't taking the problem seriously, so they didn't have the adequate security protections in place. What's adequate, though? So subjective.
Yeah, yeah, I mean, is that back to that Gartner, I check the box, you can't sort of like fire me? So if I was a virtual CISO, I would probably reference the Gartner Quadrant to make sure that the executive board is covered in regards to liability. There's almost like two layers to this, right? There's the apparent layer, which is like, I want to solve cybersecurity, but the real layer is like, I wanna keep my job, and the way to do that is not take any risks and go with the industry standard, and ultimately, when it comes down to accountability, that is a safe way to go. It is, unfortunately, yeah. It's the safe way to go, but it's not the best thing for the company. It is not forward-facing. I think it's being naive in regards to the type of attacks that are coming. So if you're a customer and you don't know a lot about this, one of the questions you should ask to sort of reveal the type of solution you're getting for real, instead of sort of checking the box, you know, right off the bat I would say: how are you protecting my company? Tell me how you're protecting my company, like, full stop. What happens when something goes wrong? And you'll probably get a whole...
"zero days" Discussed on The Knowledge Project with Shane Parrish
"us X amount. This is where I want you to send this money now, and that is remarkably and surprisingly effective and hard to track down, even though there's, like, a trail with bank accounts. We'll come to cryptocurrencies and sort of ransomware later, but with bank accounts it's easy to see where the money goes. It's really hard to get the money back once it's gone. Yeah, and that's conventional sort of attacks, right, versus sort of somebody like Boeing or General Electric or sort of Cisco, who would have a lot more valuable IP and probably worth a zero-day or sort of like developing a custom exploit. Can you walk me through, like, how that would work? Of course. You're more the pointy end of the stick. Yeah. So the way exploitation works is... a specific platform you'd like to walk through? Let's walk through Windows. Windows, okay. So if you're going after a Windows box, it's either a server or a workstation. Typically servers, if they're Internet-facing, give you the ability to hit it directly. So if you have a zero-day and you know a web server, for example, is something you can directly access, then exploit that; that is a very direct way, I guess, of attacking. The other approach is you have a Windows client. You're sitting at your desk, you have a laptop, and you're just typing away, and you get an email. That is probably the most common way. What that looks like is, again, back to the scenario where you're trying to convince somebody to trust an email so they click on a link. What happens, like, walk me through, I click on this link. Yeah. So the first thing that happens is the browser would be exploited. So whatever browser renders that link, the web browser exploit would basically gain code execution, and modern browsers are definitely getting better at protecting against that type of thing. So Chrome does, every browser has a sandbox now; most browser flavors are some measure of Chrome.
So even Microsoft Edge is now based on Chromium, and so is Brave, and so is... Firefox is... and there is no, no, Firefox is not. I think they're still rocking their own setup for now. They just fired their threat team. Jeez. Near that. So yeah, you gain execution inside the browser, and then the goal is to gain privilege in the operating system. So that could constitute a sandbox escape, to get out of that browser sandbox, privilege escalation to ideally execute at a higher privilege level, to basically nullify any security on the host, and ideally get execution in the operating system's kernel, and once you're there it's largely game over. But you get kernel on an individual host; walk me through how does that become network access, too? Superman level, or... So once you have that, there really are no barriers to doing anything on that host. So if you want to open up comms back to the mothership, you can do that. If you want to access a whole bunch of data, you can do that. But how do you open up comms? Isn't everybody monitoring these links now in terms of, like, how you exfil information? No. So let's say, so we're kind of diving into why this is actually a really hard problem and why any specific pillar doesn't work. So if you only buy a network monitoring solution, you won't see really anything I described so far. If you buy an endpoint-only solution, there may be hints of things that have happened, depending on the sophistication of the endpoint solution, but as soon as it gets particularly deep in the kernel, you're not going to see that. So it's a very challenging position. That's why having a holistic approach is so important. You need network, you need endpoint, so if you get by either one of those things, the other will pick it up. And how does that work? Like, on a particular client I can understand how those things communicate.
But then how do you take an attack on one company and then translate that into a defense on another company with something you haven't seen before? So I guess largely that depends on how well the cybersecurity solution is implemented. If it is part of a network where you can dynamically signature an attack quickly and create an artifact, we'll say, that can be applied across the network of other customers, that is a way to combat against that. I mean, the zero-day problem is something that's always going to be there. I think this is something that a lot of vendors don't actually realize: that no matter how much you lock down your operating system, there's always going to be a creative group out there that does things better, that can get around it. I mean, if you look at Apple, the Apple iPhone for the past decade, they've been adding an increasing number of security mechanisms into the operating system that largely limit an operator to only be able to do specific things. But that is largely crippling from a security standpoint, because all you need to do is get around that set of mechanisms, and you now can own any Apple device in the world. And a really scary thing is recently a company called Lupin, that, you know, they buy zero-days. It's... I'm actually going to go after that, but what they do, I'll speculate, but they buy zero-day exploits, and they posted something recently where they said, we're full up on iOS privilege escalation, we have enough. Yeah, and if that isn't a wake-up call to Apple, I don't really know what would be, as basically the industry is saying, yeah, your operating system is not as secure as you think it is. It's kind of like the Great Wall theory, right? Like, this big wall around, but once you're on the inside of that wall, it's like there's no defenses after that. Yeah, and that perfectly describes Apple. That actually describes every mobile operating system out there. Well, Android... talk to me about the specific challenges with Android.
Have they... there're, like, a host of other problems that aren't common occurrences that have to be dealt with, like everyone has a different version of Android that they're running. It's always out of date. It's, yes. So Android's an interesting beast, because it's a lot of... the most common platform. Yeah, yeah. And it gets a lot of positive attention out there because it is an open platform. You can download the source code, and you can see what's running, and that is a component of a secure operating system, I guess, that the average person could go out and audit what's there. The person could, if they want, take that, download it, compile it, put it on their phone, and maybe add some additional bells and whistles. The concept is very noble. The reality of it is not so great, because what we have today is there is the main Android branch that evolves, that Google releases; Android, which got recently released, and vendors will take that and they will adopt it as-is, or they will customize it, or they will take particular parts of what's called a change history. It's basically the changes that have been made to the code base. When that is taken into new contexts with vulnerabilities, the fixes may or may not make it in. So you could have the latest Samsung phone running Android 11 that doesn't actually have all of these security fixes that the main Android branch has, because somebody's accepting or rejecting. Yeah, yeah. And I can tell you that with one hundred percent certainty. I have not looked at Android 11, but what I've experienced over the past two decades, there are problems in the Samsung version that have been missed because humans, again, are part of the equation, and, you know, on the list it'll say CVE, CVE fixed, but those fixes aren't there.
"zero days" Discussed on The Knowledge Project with Shane Parrish
"Of the solutions out there there there are a few. That are decent but. Look at what your options are do I buy antivirus to buy any spyware? Do I buy firewall Shane maybe an IDs intrusion detection system maybe an point detect and respond maybe user behavior analysis maybe a network monitor and the way that vendors will try to push it forward as they say, you actually need all that which is total crack do not need all of those things they do not work well together so that that will thing angers me to no end. The third bit is a category that isn't actually Cybersecurity I. I read an interesting article recently in a kind of clued me in was like actually yeah. No. This third thing or pillar exists that is entirely wrong and it's that bit that happens in on the Internet social media, that type of thing. That isn't actually security related but people like to kind of put a box around that. So an example would be. Election interference. So how to what are the organized influence in influential campaigns on social media to get people to vote in particular directions? I do not think that cybersecurity, but that also gets lumped in. So, that that is the third bit, which is kind of like fo- cyber security. It's a little bit confusing because then you lose track of what's actually happening but I mean intelligence agencies been spying on other countries forever one of the things that have changed now is not only the amount of consumer data and the value of that data, but also that people are spying on companies now as a means fasttrack in D.. Y. Invest Hundreds of millions of dollars when you can sort of like just hack into somebody else's computer and download all their work, and then climate is your own. It highlights why? People companies need to take this problem seriously, and I don't think it necessarily extends just two large companies at this point legal firms. Accountants, huge targets, huge targets. I. 
mean, you think about what they're dealing with in regards to confidential agreements, financials of individuals and companies, and that's one thing I think we've seen over the last couple of years: the attention that state-sponsored groups are going after. It's no longer, you know, the Sonys of the world; it is now your law firms, because there's a lot of intelligence value there. Patent firms, I mean, there's a lot of intelligence value there. So, you know, how seriously smaller companies need to take this threat, I think, has really grown. Found it super interesting talking to KPMG just last week, and they're like, "Oh, send me this." I was like, "How do I send it to you?" And they're like, "Just put it in an email." Like, what are you talking about? Like, putting that in email? Yeah. I sort of compromised, like I used quickforget.com, like uploaded something, just like this is good for like six hours so you'd better download it. But it's amazing to me, the lack of thought that goes into the information you share and how that manifests itself or what's exposed, right? Because if somebody breaks into that computer, that whole email chain's there now, the files are already there, but a lot of the email's stored in the cloud; it's a lot easier to access than people realize. What makes you want to tackle this problem? Like, this is like the greatest intractable problem ever, with tons of competition, like the government's doing host-based, you have the private sector doing all of these things, cobbling together solutions. Like, what makes you think that you can have a better outcome for customers? Probably a joke, but nobody knows the industry better than you do, but like seriously, there's billions of dollars going on here. Yeah. So if you look twenty years ago, it's the same problem.
Well, one of the things I tell people when they join, when I hire from intelligence agencies, is to be prepared to be disappointed, because the problems that you're going to see will shock you, that they're still out there. So the techniques that are ten years old, the problems that should be ten years old, are still happening today, and I think that that's a large referendum on how not good this security industry is at actually trying to solve the problem. And if I look at, you know, the vendors out there, I'm not gonna name any specific competition, but what I see is a sales strategy that is like a warped used-car-salesman strategy, and that's probably an insult to used car salesmen out there, because it's much worse. It's all about the transaction. It's all about, you know, getting that done, taking the customer's money and saying good luck, and that isn't responsible for anything, and that's not making anything better. How should that work, like, how do people buy cyber? I wasn't on sort of like the acquisition-of-cyber side, but like, does this Gartner quadrant sound familiar? Yes. So that is, I guess, a measuring system, a measuring stick to help vendors or customers and prospective customers, companies I guess is a better term, to guide them in buying what they may or may not need. There are a few problems with that. The Gartner quadrant system is often outdated. We were, for example, field marketing a managed detection and response service well before it was defined in Gartner, and ironically at the time we had a hard time gaining traction, because that's always looking at, like, existing sort of technology and threats and looking backwards, saying like, "Oh, these people accomplish this," but not looking forward in terms of where the industry's going. So that is a useful classification system; it is just behind the curve continuously.
The second thing is, I don't think businesses actually know what they're looking for. Yelich, how would you be educated if you're, like, a law firm, an accounting firm..
"zero days" Discussed on The Knowledge Project with Shane Parrish
"Research. I remember a contentious time that you and I actually, you know, stood up at a town hall and got in an argument with a director. Stu, if you're listening, we're sorry. And it was very frustrating, and I remember a colleague saying, "This is just part of business, man, like once you're part of a group that does something really good and people take notice, they want to turn that into a larger part of the organization, and with that comes what you're seeing now: formalized, you can't work more than this, you have different reporting responsibilities." And at that time I just wanted to innovate. I just wanted to come up with new solutions to the problems that operations were running into. You know, not being able to do that in its raw form was extremely frustrating. So he left, and we can't talk about what we did there, but we can talk about what you did right after you left, and so you started Linchpin, and you had an unconventional sort of way of starting that company, which is releasing privilege elevation to get some attention on Microsoft. You wanna talk about that? Yeah. So that was a funny period. So, you know, at the time my business partner and I, we thought, you know, how can we make a splash? Because when we left, our intention was to, you know, augment the world that we left with a privatized twist on things. So we thought about, okay, how can we really stir things up a bit? And at the time Microsoft was releasing mandatory driver signing as part of Windows Vista, which is showing our age right there. And, you know, there was so much hype around it, and the way it was being advertised was that it was going to be the silver bullet to stop, you know, anything bad that could be happening. And anybody who has spent any time, I guess, on the offensive side of the host was looking at that and saying, "No. Yeah, it'll make things better, but it's not going to be the silver bullet that everybody thinks."
So we said, well, why don't we just do something kind of funny and, you know, show them. So what we did was we wrote a tool called Atsiv, that's the name, which is Vista in reverse. Got a signing certificate under this fake company, legitimately registered, fake in reality, and released a tool that would load... it was a signed component that loaded unsigned drivers, and it was not to do anything other than show how easy it is, with the most simple, goofy approach, to get around this problem. And so at the time I was in Australia with my business partner starting things up; we're working out of a closet, really kind of a ragtag setup to start. And at the time there were people being arrested for violations of the DMCA, the Digital Millennium Copyright Act, which, you know, back at that time was a really contentious thing, because changing what people could or could not do with computers is a really big deal. So when we released that, some people are like, "That's kind of neat," and other people, you know, one person in particular was like, "This is a violation of the DMCA. You should be arrested. PS, it's not really that cool. I'm going to go and release a tool that actually exploits ATI drivers and NVIDIA drivers and then basically does the same thing, but I've done it a lot cooler. So take that, Linchpin." And in reality... remember that guy? Yeah. That was so much worse, because I don't know if it actually resulted in the revoking of ATI and NVIDIA's signing certificate, but it was something that, you know, to us it was... well, it was stupid to say that we were violating the DMCA, and the response was just so much unbelievably worse, and it was a very weird first months of the company. Do you ever miss sort of working at the intelligence agency? I miss people. I miss a lot of really good people. Amazing people. It's very underrated; people think that all sort of like government employees are lumped in the same group. They're not.
As we can both attest to. Yeah. So I missed the people; I missed having firsthand exposure to the mission. I think back to some of the things I got to see and be a part of that no one will ever know about, and that is really cool. It was really cool to be a part of that. It creates memories that I'm pretty sure, if I were to run into somebody thirty years from now on the other side of the world in a bar, you know, immediately there's that connection of like, "We did that. That was really cool." So yeah, I mean, I miss aspects, but I don't miss the handcuffs that were ultimately a part of my departure from there. And then when you left, do you ever feel like they didn't want you to succeed because they wanted you to come back? A part of you that felt like it, morning contracts that didn't want to... I don't know if there's any interest in me coming back. I think there was definitely skepticism as to whether I could succeed, which I'm fine with. Clearly, at the time, my business partner and I were the first ones to kind of make that jump and do that together, and there's a lot of skepticism as to whether we should be allowed to do that, whether we are able to do that. I remember having a departure interview with a high-up manager who sat me down and said..
"zero days" Discussed on The Knowledge Project with Shane Parrish
"Nineteen ninety-nine we met, too. You, as crazy... Yeah. We all used to work together at the intelligence agency, yep, and then that was the most insane period of time ever, right, where in this small team, September eleventh happens, the world forever changes, our team works for effectively seven years. Like, I don't remember any of us having vacation from two thousand and one to two thousand eight, other than like a random Monday or something. Yeah. I mean, firstly, I think vacations are probably largely overrated, dissimilar Mahalick, but yeah, no, it was a really neat way to start. I mean, we're, you know, just a year or two apart, but it was definitely a very interesting experience being thrust into an environment where everything you do contributes much more than you would ever think, because coming out of university you want to get a job with a good salary, and all of a sudden, year one in our case, we're doing things that actually matter to the country, that have a very significant outcome, and it's like going from zero to mature very quickly, overnight. Yeah. I remember one of the first meetings I had with you. We're trying to figure out how something works, and I stood up, you know, in my university sort of bravado, and I was like, "Oh, I'll tell you how this works," and then I spent like thirty seconds explaining this thing, and then you looked at me and just deadpanned, like, "You're absolutely wrong. Here's how it works." You stood up for forty-five minutes; you worked through like every instruction that happened in the operating system, and I was just blown away by your level of knowledge. I mean, that's kind of you to say; there's probably a factor of blown away at how much of a jerk I was in the process of that, which I'd like to say has changed, but probably not so much. But yeah, it was really cool. I think the environment that we got to work in was learning from people. For me, that time in my life really defined what a good team was.
You know, when you learn something, you share it with other people in the office. I remember, you know, there's five or six of us at a particular point where it was a very large research-focused group, and any time you learned something, or I learned something, or one of our colleagues learned something, a really neat discovery, we took the time to educate each other, and I think what that fostered was a team of trust that I had never experienced in my life. I remember entering that team being massively humbled. And you know, once the ego got with it and you could really jump into that environment, it catapults one's growth, and I still look back to those times and consider myself extremely lucky, and I always acknowledge that that time in my life largely defined me today. I want to come back to that in a second. I remember... it is weird to hear you say you're humbled. You're literally the best in the world at what you do, and we're gonna come back to that through this interview. Is a jerkin whiskey. Pretty good at that. I remember showing up, like... me all the time, and your Mazda, the Amex, the Amex, that was... that smelled like Tuffy Atlanta? Yeah. No. That was the dream cyber mobile. We spent a lot of time together. What made you leave? So I reflect on that quite a bit, just because I get that question often. I don't think I've ever really had a good answer that wasn't necessarily immature. The ultimate reason I left was because I saw a limit to what I could grow into and what the vision of the group I was in was achieving. Like, there was a ceiling arbitrarily put on top of that, and I'm the type of person that I don't work well when somebody says, "This is as far as you can go," or "This is what we're going to do regardless of the evidence or ideas, good ideas, bad ideas, whatever." That stuck, and it was not an environment that I said I can grow in here anymore.
One of the big indicators of that, which you'll probably laugh at this, but there's a management competition. I screwed up the entire interview, but it was the same problem, where somebody on the interview would ask me a question, and rather than give the answer of, you know, "I would build a team to do this, I would request funding to do this, I would reach out to universities to bring them into the fold," those are the answers they wanted to hear. What I gave them were the technical responses to the questions they were asking. "So how would you solve this problem?" My answer was, "Well, I would do X, Y, Z, and then I would do this." You can play the game. No, it was just that I answered the question. And I think that was the first time it really dawned on me that I probably don't fit into the mold that they were looking for. So I think that's when the ball started rolling on my departure. I remember it changed probably about eight months before you left. Like, it started to get more... I don't even know how to word this. When we started it was very fast moving. We had a lot of authority, a lot of control, a lot of decision-making power, and then slowly, as we became more successful, the irony is, like, that sort of became less and less over time. Yeah, I remember having a conversation with one of our mutual colleagues at the time, and I remember being very irritated about the arbitrary handcuffs that were being put on our ability to innovate..
Microsoft's 0-Day Folly
"But at some level, if you can get a lot of them, that's aggregated value. It's not good. Speaking of not good: last week's Patch Tuesday. When ZDNet summed up last week's Patch Tuesday, saying Microsoft says attackers have used a Windows zero-day to spoof file signatures and another RCE, remote code execution, in the Internet Explorer scripting engine to execute code on users' devices, we need to take a closer look, and actually those two things are the subject of the podcast that we will get to, because it's just hard to believe what a closer look reveals. But we have a hundred and twenty new flaws in Microsoft's software fixed last week, making it the third largest patch bundle of all time, topped only by each of the previous two months, with June and July weighing in with one hundred twenty-nine and one hundred twenty-three fixes respectively. This month's bundle carried a bit more urgency than usual, since one of those seventeen flaws which were classified critical was a zero-day under active attack at the time of the updates, and one of the remaining more than one hundred flaws rated as merely important was also a zero-day being exploited in the wild and publicly disclosed, so not even secret. The first of the two is titled CVE-2020-1380, Scripting Engine Memory Corruption Vulnerability. Being a scripting engine problem, we should not be surprised to learn that the source of the trouble is IE11. It was reported by a researcher at Kaspersky Lab, and since it could be invoked by a malicious Office document, the belief is that it was probably spotted being used in a phishing campaign. Microsoft had this to say about it. They said: "In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through IE and then convince a user to view the website.
An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability." In other words, anything that puts content on a website that is able to invoke IE, which we know they can do. So keep this in mind when we get to the other end of this podcast, because it's unbelievable what the history of this is. So that remains a threat to anybody who hasn't yet applied last Tuesday's updates to their installation of Windows 10. So obviously, it would be good to do that. The second zero-day, despite being actively exploited in the wild and publicly known, is only rated as important, which seems odd, since it is CVE-2020-1464 and labeled somewhat innocuously as a Windows Spoofing Vulnerability. Okay, I suppose the scale of the problem should relate to what's being spoofed. The bug's description will catch your attention, because it allows attackers to spoof the identities of other companies when digitally signing an executable. Now, that's the way the press covered it. We will get to the details a bit later. In Microsoft's words, they said these spoofed signatures could allow an attacker to bypass security features intended to prevent improperly signed files from being loaded. Now, all of this is a bit of misdirection, because the signatures are actually not being spoofed, as we'll explain later. So this too is not good, but we'll cover the details at the end. Beyond those two zero-days,
five of the other critical bug fixes are for Microsoft's Windows Media Foundation, the multimedia framework and infrastructure which has been used to render digital content ever since Windows 7 and since Windows Server 2008. In these cases, successful exploitation would allow an attacker to install malicious software, manipulate data, or create new accounts. And among the rest, because again we had one hundred and twenty to choose from, there's also CVE-2020-1046, another nasty one in the .NET Framework, affecting versions 2.0 through 4.8. It's a remote code execution flaw in the way .NET handles imports. An attacker could exploit this vulnerability to gain admin-level control of the vulnerable system. This vulnerability would be exploited by uploading a specially crafted file to a web app, which is, of course, not a heavy lift these days; there's all kinds of web apps that involve uploading user-submitted stuff. This allows that to be exploited. So as always, don't wait too long before
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
"Everybody, from The Vergecast. This week's interview episode has Andy Greenberg, senior writer at Wired. He just wrote a book called Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. It is all about a hacking group inside of the Russian government called Sandworm. They were responsible for the most damaging cyber warfare attacks over the past years; they're behind NotPetya. The hackers took out the Maersk shipping line, hospitals across the UK. Sandworm has totally escalated what we think of as cyber war, and his book gets all into how they were discovered, how they were flushed out, the intricacies of these various hacks. It's super interesting. The book is a thrill ride. If you're looking for something that isn't the virus, this is like a thriller; highly recommended. It was really fun to talk to him about this stuff. One thing I want to note: we're all at home, so during this interview you might hear some kids in the background. I ask you to just be a little forgiving; we're all dealing with it, and he was a great interview. Check out Andy Greenberg of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Andy Greenberg, you're senior writer at Wired; you're also the author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Welcome. Glad to be here. So you've been writing about cybersecurity forever; I think you just said two thousand six you've been writing about cybersecurity. But this book, Sandworm, as I was reading it, it seems like, it's called "A New Era of Cyberwar," it seems like there's been a huge turn in sort of state-sponsored, particularly Russian-sponsored, cyber attacks. How did you come onto that notion? How did you begin writing this book? I'm very curious how you see that turn happening. Well,
in late twenty sixteen, my former colleague Kim Zetter, she had been the one who really covered state-sponsored hacking and cyber war stuff, but she left Wired, and this was also at the time when, you know, Russian hackers were meddling in the US election. They'd hacked the Democratic National Committee and the Democratic Congressional Campaign Committee and the Clinton campaign, so my editors were really primed on state-sponsored hacking all of a sudden. But what they told me they wanted was actually like a big takeover of the whole magazine, all about cyber war. But cyber war to me is different than those kinds of espionage, election-meddling tactics, so I went looking for a real cyber war story, which means to me, like, actual disruptive cyber attacks. And as I looked around, it seemed like the place where that was really happening was in Ukraine, not really in the US. In fact, maybe what was happening in Ukraine seemed to me like it was, in some ways, the only real, full-blown cyber war that was actually occurring, where Russian hackers were not just attacking the election, which they had done; they tried to spoof the results of a presidential election. But they had also attacked media and destroyed their computers. They had attacked government agencies and tried to, like, destroy entire networks, and then they had turned off the power for the first time in December of two thousand fifteen, the first actual blackout triggered by hackers. And just as I was looking into this, it happened again: the same hacker group caused a blackout, this time in the capital of Kiev. So I went looking in Ukraine for this cyber war story that turned into a cover story for Wired that kind of gave editors what they wanted, but then also kept unfolding. This cyber war kept growing in scope and scale, and
the original story I wrote for Wired was kind of about the fact that you could look to Ukraine to see the future of cyber war, that what was happening there might soon spread to the rest of the world. And that is actually what happened: like, just after we published that cover story, the same hackers released this climactic, terrible cyber attack in Ukraine called NotPetya that spread beyond Ukraine and became the worst cyberattack in history, cost ten billion dollars. So when that happened, that was when I saw that there was potential to do a book about this, that it was not just a kind of case study about Ukraine, or even kind of a predictive story, but an actual full story arc about this one group that had carried out what I would say was not only the first real cyber war, but the worst cyberattack in history, and, you know, I wanted to capture the arc of that story and the effects, the real experience of cyber war. Yeah, so the group is called Sandworm, and this is just one of the sort of opening arcs of the book, how they've come to be named this, because of references in code. Walk people through it, just like, it's so relatable that, like, even these hackers are using this language that leads them to be called Sandworm. Tell people about it. So when I started to look into the origins of this group after that second blackout attack, I found that this company called iSIGHT Partners, which had been acquired by FireEye, iSIGHT Partners was the first to find these hackers in twenty fourteen, basically using phishing and kind of typical espionage tactics to plant malware in the networks of typical Russian hacking targets, like groups across Eastern Europe and NATO. And it looked like what they were doing was just kind of typical espionage. They were planting this malware called BlackEnergy, but, well, first of all, they could see that they were Russian, because they had this server that they were using to administer some of these attacks, and they
left the server so anybody could look at it, and there was a kind of Russian-language file for how to use BlackEnergy on the server. So these guys seemed like they were Russian. But even more interesting, in some ways, was that, to track each victim, each instance of BlackEnergy, this malware, had a little campaign code, and each campaign was a reference to the science fiction novel Dune. And, you know, so like one of them was something about Arrakis, and then one of them is about the Sardaukar, these like imperial soldiers in that sci-fi universe. So iSIGHT Partners named this group Sandworm, because, well, just because it's a cool name associated with Dune. But it turned out to me, it became this very powerful... because a sandworm is this monster that lies beneath the surface and occasionally arises from underground to do terribly destructive things. iSIGHT Partners didn't know that at the time; they soon afterward realized what Sandworm was doing was not just espionage, but they were actually doing reconnaissance for disruptive cyberattacks. They were also hacking power grids. They were planting BlackEnergy not only in the Eastern European targets, but in the US power grid networks as well. Ultimately Sandworm was the first, in twenty fifteen, to cross that line and use BlackEnergy as the first step in a multi-step attack that led to a blackout. So this was not just espionage; it really was kind of like, you know, this monster that rises from under the ground to do terrible acts of mass destruction that came to pass. So one of the things that comes up over and over in the book is this growing sense of dread from security researchers and analysts: "Oh, this is an imminent threat to the United States, not just Ukraine, but like this is happening here." And then there's a sense that the United States actually opened the door to this kind of warfare with Stuxnet, which was an attack on Iran.
How did those connect for you, that it seemed like there's a new set of rules of engagement for cyber warfare that actually the United States implicitly created with Stuxnet by attacking Iran? Yeah, I mean, I tried to highlight, clearly, Sandworm are the real bad guys in the story. They are the actual hacker group that did these terribly reckless, destructive attacks that actually in some cases put people's lives at risk; in some parts of the story they actually shut down medical record systems, and I think may have cost people's lives with cyber attacks. So they are the actual antagonist here, but I also wanted to highlight the ways that the US government is partially responsible for the state of cyber war, and there are a few ways that that's true. First, the US opened the Pandora's box of cyber war with Stuxnet, this piece of malware that was used to destroy Iranian nuclear enrichment centrifuges. That was the first piece of malware that actually caused that physical disruption, destruction, and we now see Sandworm doing the same thing in Ukraine, and in fact, in some ways, around the world. Also, the US hoards these kind of zero-day, secret hacking techniques, some of which were stolen and leaked and used by Sandworm. But then I think, in fact, the biggest way that I tried to highlight that the US is responsible or complicit or negligent here is that we did not call out what Sandworm was doing in Ukraine and say to Russia, "We know what you're doing. This is unacceptable. Nobody should be turning out the lights to civilians with cyber attacks." There wasn't a message like that. I mean, the Obama White House sent a message to Russia over this kind of cyber hotline to say, "Your election hacking is not okay. We see what you're doing, and we want you to stop," but they said nothing about two blackout attacks in Ukraine, and that was kind of an implicit signal to Russia that they could keep
escalating. And even as all the cyber security researchers and Ukrainians were warning that what was happening to Ukraine would soon spread to the rest of the world, the US government ignored this, both Obama and then the Trump administration, until that prediction came to pass and a Sandworm cyberattack did spread to the rest of the world, and it was too late, and we all suffered globally as a result. So let's talk about NotPetya. It was catastrophic in scope, right? It took out the Maersk shipping line, which is a massive business. It took out some hospitals in the UK. Like, it was huge in scope. I don't think people really put it all together. Talk about how it started and how big it grew. Yeah, so NotPetya was kind of like the big apotheosis of Sandworm, where all of these predictions of the terribly destructive things they were doing spreading to the rest of the world came to pass. But it started in Ukraine. They hijacked the software updates of this accounting software called M.E.Doc that is basically used by everybody in Ukraine, the Quicken or TurboTax of Ukraine. If you do business in Ukraine, you have to have this installed. So Sandworm hijacked the updates of that and used it to push out this worm to thousands of victims, mostly in Ukraine. But it was a worm, so it spread immediately and quickly, kind of carpet-bombed the entire Ukrainian Internet. Every computer it spread to, it would encrypt permanently. You could not recover the computer, so it very quickly took down pretty much every Ukrainian government agency, twenty-two banks, multiple airports, four hospitals in Ukraine that I could count, and in each of these cases it took them down. I mean, it destroyed essentially all of their computers, which requires sometimes weeks or months to recover from. But then, as you know, this is a worm that does not respect national borders. So even though it seemed to be an attack intended to disrupt Ukraine, it immediately spread beyond Ukraine's
borders to everybody who had this accounting software installed, that was doing business in Ukraine, and some people who didn't. So that includes Maersk, the world's largest shipping firm, and FedEx and Mondelez, which owns Cadbury, Nabisco, and Reckitt Benckiser, the manufacturing firm that makes Tylenol, and Merck, the pharmaceutical company in New Jersey. Each of these companies lost hundreds of millions of dollars. The scale of this is kind of difficult to capture, but in the book I tried to... I focused in part on Maersk, because it is just a good company to look at, because they had this gigantic global physical machine: they have seventy-six ports around the world that they own, as well as these massive ships that have tens of thousands of shipping containers on them. And I told the story of how on this day seventeen of their terminals were entirely paralyzed by this attack, with ships arriving with just piles of containers on them. Nobody could unload. Nobody knew what was inside. Nobody knew how to load or unload them. Around the world, at seventeen terminals, thousands of trucks, semitrailers carrying containers, were lining up in lines miles long, because the gates that were kind of checkpoints to check in these trucks to drop something off or pick it up, they were paralyzed as well. This was a fiasco on a global scale. Maersk is responsible for a fifth of the world's available shipping capacity. They were truly just rendered brain dead by this attack. But yeah, this played out at all of these different victims. Merck had to borrow their own HPV vaccine from the Center for Disease Control because their manufacturing was disrupted by this, and it ultimately spread to a company called Nuance that makes speech-to-text software.
They have a service that does this for hospitals across the US, so dozens, or possibly hundreds, of American hospitals had this backlog of transcriptions to medical records that were lost because of this, and that resulted in patients being due for surgeries or transfers to other hospitals and nobody knew whether their medical records were updated. I mean, this was at a scale where hundreds of hospitals, each of which has thousands of patients, were missing changes to their medical records. We don't know what the effects of that were, but it very well could have actually harmed people's health or lives. I mean, the scale of NotPetya is very difficult to get your mind around, but we do know that, monetarily, it cost ten billion dollars, which is by far the biggest number we've ever seen, but it also had this kind of harder-to-quantify toll on people's lives.

So you wrote about it at length in Wired. Obviously when these companies go down it ripples into the mainstream, sort of general press, but I don't feel like people really went, oh, this Russian group called Sandworm, sponsored by the Russian government, unleashed this attack, and it caused this cascading effect of failure and disaster and cost, and because we know we can attribute it to the government, our government... I don't feel like that connection got made for people. What is the gap between "oh, there was a hack" and "oh, this is actually a type of warfare engagement"? Because that connection seems very tenuous, I think, for a lot of people, even as sort of the more general mainstream press covers this stuff.

Yeah, you know, I don't think that that's just like the nature of cyber war. I think that was a failing. That lack of connection is a failing on our government's part, and you could say even on the part of some of these victims, like these large companies. I mean, at the time NotPetya happened, I was fully on the trail of Sandworm. Within days I was talking to cyber security researchers who
had pieced together some of the forensics to show that NotPetya was Sandworm, that it was a Russian state-sponsored attack, and yet none of those companies that I mentioned, Merck or Mondelez or Maersk or FedEx, or any of them, wanted to say that Russia had done this to them, and no governments were talking about it either. Like, the Ukrainian government was, they're always willing to point the finger at Russia, but the US government was not, and you know, that to me seemed to be just kind of... I mean, I felt like I was being gaslit at that point. I had watched what Russia did to Ukraine for a long time at that point, and I sort of understood that NATO and the West, we had this kind of cruel logic that Ukraine is not us. Russia can do what it likes to Ukraine because they're not NATO, not EU. They are Russia's sphere of influence or something. I think that's very wrongheaded, but at least it made sense, you know, to have that viewpoint. But now this attack had spread from Ukraine to hit American soil, American companies in many cases, and yet still the US government was saying nothing. I just thought this was bizarre, and so for months I was trying to get any of these companies to tell the story of their experiences with NotPetya. I was trying to figure out why the US government wasn't talking about the fact that this was a Russian cyberattack, and ultimately I think it was kind of, I don't know, partly disorganization, negligence. I think it may have something to do with the fact that the Trump administration doesn't like talking about Russian hackers, for obvious reasons, but it took eight months ultimately for the US government to finally say that it was Russia, that it was the worst cyberattack in history, and then a month later the White House imposed consequences and put new sanctions on Russia in response. But it took nine months, and more importantly, it took
multiple years. This was the first time. This was twenty eighteen, and the Russian cyber war in Ukraine had started around the fall of twenty fifteen, so that's just an incredible span of negligence, when the US government said nothing about these escalating, unfolding acts of cyber war that should have been unacceptable from the very beginning. I mean, these are the kind of quintessential acts of state-sponsored cyber attacks on civilians, turning out the lights. You know, that's the kind of thing that I believe the US government should have called out and drawn a red line across at the very beginning. It took years, so I do think it was a big failing of diplomacy.

It just seemed like part of the problem, and this is kind of an expression of it, is it's so hard to describe. Like, if the Russian government sent fighter jets to America and blew up a port, okay, everyone understood, you can see it, you can understand what happened there, and, you know, there's like however many decades of movies about how to fight that war. This is a bunch of people in a room typing. There's just an element of this where the danger is so ephemeral, where the attack is invisible, and while the effects might be very, very tangible, the causes are still sort of mysterious to people. So my question is, who is Sandworm? What do we know about them? Where do they work? What are they like? Do we have a sense of how this operation actually operates?

In some ways, the biggest challenge of reporting this book, and I spent essentially the third act of the book, the last third of the reporting of the book, trying to answer the question of who is Sandworm, who are these people, where are they located, what motivates them. And I guess to partially spoil the ending here, they are a unit of the GRU. They are a part of Russia's military intelligence agency, which is responsible for, you know, and this is not a coincidence.
They are responsible for election meddling, responsible for the attempted assassination of Sergei Skripal with chemical weapons in the United Kingdom. They're responsible for the downing of MH17, a commercial passenger jet, over Ukraine, where three hundred innocent people died. The GRU is this incredibly reckless, callous military intelligence agency, but they act like kind of almost just cutthroat mercenaries around the world, doing Russia's bidding in ways that are very scary. So through essentially a combination of excellent work by a bunch of security researchers who I was speaking to, combined with some confirmation from US intelligence agencies, and then ultimately some other clues from the investigation of Robert Mueller into election meddling, all these things combined created the trail that led to one group within the GRU. I eventually had some names and faces, even the address of this group, and all that was actually only finally fully confirmed after the book came out, just in recent months, when the White House, actually it was the State Department, as well as the UK and Australian and other governments, together finally said, yes, Sandworm is in fact this unit of the GRU. So this theory that I developed and posited near the end of the book was finally basically confirmed by governments just in recent months.

So one thing that strikes me is, I think of the Russian military, I think of the GRU as being foreboding, being obviously very, very good at this, very buttoned up, and then they have like an incredible social media presence that kind of pops up throughout the book that distracts from what they're doing. They set up Guccifer 2.0 when they were doing the DNC hacks that fed to WikiLeaks, and that account insisted it was just a guy. They set up the Shadow Brokers, which was, as I read it, just like, we're some goofballs. Like, they wanted to seem a lot dumber and a lot smaller than they were,
and they were very effective at it, too, with the people I talk to. Talk about that strategy, and then I guess my question is, like, are we better at seeing that strategy for what it is?

Well, you make a really interesting point. The GRU uses these false flags throughout their recent history. I should say we don't know that they were responsible for the Shadow Brokers. In fact, nobody knows who the Shadow Brokers truly are, and they are in some ways the biggest mystery in this whole story, this one group that hacked the NSA, apparently, and leaked a bunch of their zero-day hacking techniques, or maybe they were even NSA insiders. We still don't know the answer to that question. But the other incidents you mentioned, the GRU is responsible for. This Guccifer 2.0 fake hacktivist leaked a bunch of the Clinton documents. They're responsible for other false flags, like at one point they called themselves the Cyber Caliphate and pretended to be ISIS. They've pretended to be, like, patriotic pro-Russian Ukrainians at some point. They're always wearing different masks, and they're very deceptive. In a later chapter of the book, one of the biggest attacks they did was this attack on the twenty eighteen Olympics, where they not only wore a false mask, but they actually had layers of false flags, where, as cyber security researchers saw, this malware was used to destroy the entire back end of the twenty eighteen Winter Olympics just as the opening ceremony began. This was a catastrophic event. The malware had all of these fake clues that made it look like it was Chinese or North Korean or maybe Russian. Nobody could tell. It was this kind of confusion bomb, almost designed to just make researchers throw up their hands and give up on attributing the malware to
any particular actor. It was only through some amazing detective work by some of the analysts that I spoke to that they were able to cut through those false flags and identify that Sandworm was behind this, essentially. But yeah, it is one very real characteristic of the GRU that they almost seem to take pleasure in, or like to be showing off, their deception capabilities too, and they're evolving those capabilities. They are getting more deceptive over time, as they get more destructive and aggressive.

I love to play the game of, like, imagine the meeting, and imagine that the one set of meetings, which is like the actual hackers finding the vulnerabilities, figuring out how to jump from a Windows 8 computer to some sort of physical hardware controller that actually runs like that. That's a very hard problem in and of itself, and then the other meeting, they're like, what we're gonna do is claim to be a guy called Guccifer 2.0, and like, those are
not connected, right? But the way, throughout the book, the way they execute these campaigns, they're deeply connected, and that seems like not only just a new kind of warfare, a new kind of craft, but something that just consistently seems to work in surprising ways. Like, the tech press is gonna be like, Guccifer says this, and there's never that next step of, also, we think it's the Russian government. And that seems like... first of all, I'm dying, I imagine the meeting, right? I would love to be a fly on the wall of the meeting where they decide what their Twitter name is going to be today. I'm very curious how they evolve those attacks in such a way that it just seems to be more and more effective over time.

Yeah, I mean, I'd also love to have been in those meetings. It's my one kind of regret in this book that I never actually got those interviews. It's almost an impossible thing to do. You'd like to find defectors from the GRU or something who would tell those stories and not get murdered. I mean, it's kind of impossible. But in some cases, to your earlier point, they almost seem kind of bumbling in these things. They do them in a very improvisational way. Guccifer 2.0 seemed almost like it was just a thing they invented on the spot to try to cover up some of the accidental slip-ups, like they had left Russian-language formatting errors in the documents that they had leaked from the DNC, so they invented this guy who appeared the next day and started talking about being a Romanian. My friend at Motherboard, Lorenzo Franceschi-Bicchierai, started this conversation online with Guccifer 2.0 and basically proved that the guy could not actually properly speak Romanian, and must be a Russian speaker, in fact. It was almost comical. At the same time, they're using very sophisticated hacking techniques, doing destructive attacks on a massive scale, but they're also... they seem like they're kind of making it up as they go along.
They do things that don't actually seem very strategically smart. They kind of seem like they're trying to impress their boss for the day. Sometimes it just seems like the GRU wakes up and asks themselves, like, what can we blow up today? Rather than thinking, like, how can we accomplish the greater strategic objectives of the Russian Federation? So they are fascinating in that way, and a very strange and colorful group.

That's, I think, one of the biggest questions I have here. We spend a lot of time trying to imagine what Vladimir Putin wants, you know, when he grows up, but none of this seems targeted. Like, what is the goal for Russia to disrupt the Winter Olympics, right? Is there a purpose to that? Is that just to strike fear? Is it just to expand that sphere of influence? Is it just to say, we have the capability? Has there ever really been a stated goal for this kind of cyber warfare?

That one is particularly mystifying. I mean, you can imagine why Russia would want to attack the Olympics. They were banned from the twenty eighteen Olympics for doping, but then you would think that they might want to attack the Olympics and send a message, maybe like a deniable message, a message that, you know, if you continue to ban us, we're gonna continue to attack you, like any terrorist would do. But instead they attacked the Winter Olympics in this way that really seemed like they were trying not to get caught, and instead make it look like it wasn't Russia, like it was North Korea. And then you have to ask, like, what is the point of that? They could kind of sit there in Moscow and kind of rub their hands together and gleefully watch this chaos unfold. It almost really does seem like it was a petty, vindictive thing, that they just, for their own emotional needs, wanted to make sure that nobody could enjoy the Olympics if they were not going to enjoy them. But that one is, I
think, an outlier in some ways. For the most part you can kind of see that Russia is advancing, that the GRU, that Sandworm, is advancing something that does generally make sense, which is that in Ukraine, for instance, they're trying to make Ukraine look like a failed state. They're trying to make Ukrainians lose faith in their security services, trying to prevent investors globally from funneling money into Ukraine, trying to create a kind of frozen conflict, as we say, in Ukraine, where there's this constant, perpetual state of degradation. They're not trying to conquer the country, but they're trying to create a kind of permanent war in Ukraine, and with cyber war you can do that beyond the traditional front. It is in some ways the same kind of tactic that they used in other places like the US, which here we saw more as an influence operation, where they were hacking and leaking organizations like Democratic campaign organizations and anti-doping organizations to kind of sow confusion, to embarrass their targets. They're trying to influence the international audience's opinion of these people, but in Ukraine it is in some ways just a different kind of influence operation, where they're trying to influence the world's view of Ukraine, influence Ukrainians' view of themselves and their government, to make them feel like they are in a war zone even when they're hundreds of miles from the actual fighting that's happening on the eastern front, in the eastern region of Ukraine.

So in the book you go to Kiev. You spent time in Ukraine. Is there a sense in that country that, while sometimes the lights go out, sometimes our TV stations' computers don't boot anymore because they got rewritten, the hard drives got zeroed, like, is there a sense that this is happening? Is there a sense that they fight back? Does Microsoft deploy, you know, dozens of engineers to help fight back? How does that play out on the ground there?

Yeah, I mean, to be fair,
Ukrainians are very stoic about these things, and regular Ukrainian citizens were not bothered by, you know, a short blackout. They didn't particularly care. You know, this blackout was the first ever hacker-induced blackout in history, but Ukrainian cyber security people were very unnerved by this, and people in these actual utilities were traumatized. I mean, these attacks were truly relentless and very kind of scary for the actual operators at the controls. I mean, in the first blackout attack, these poor operators in a Ukrainian control room in western Ukraine, they were locked out of their computers, and they had to watch their own mouse cursor click through circuit breakers, turning off the power in front of them. I mean, they watched it happen, as these kind of phantom hands took control of their mouse movements, so they took this very, very seriously. But yet Ukrainians as a whole, I mean, they have seen a lot. They are going through an actual physical war. They've seen the seizure of Crimea and the invasion of the east of the country. You know, the day NotPetya hit, a Ukrainian general was assassinated with a car bomb in the middle of Kiev, so they have a lot of problems, and I'm not sure that cyber war is one at the top of their minds. But NotPetya did actually reach normal Ukrainian civilians too. It shook them as well. I talked to regular Ukrainians who found that they couldn't swipe into the Kiev Metro. They couldn't use their credit card at the grocery store. All the ATMs were down. The postal service was taken out. Every computer that the postal service had was taken out for more than a month. I mean, these things really did affect people's lives, but it kind of took until that kind of climactic worm, NotPetya, I think, for this to really hit home for Ukrainians, who have kind of seen so much.

How do you fight back? I mean, one of the things that struck me as I was reading
the book is, so many of the people you talked to, people who are identifying the threat, they're actually private companies. iSIGHT was the first to even detect it. They are contractors to intelligence agencies, the military in some cases, but they're not necessarily the government, right? Like, it's not necessarily Microsoft, who has to issue the patches for the software, not necessarily GE, which makes Cimplicity, which is the big industrial control software you talk about a lot. How does all that come together into a defense? Because that seems like a harder problem of coordination.

Yeah, I mean, defense in cyber security is an eternal problem. It's incredibly complicated, and when you have a really sophisticated, determined adversary, you know they will win eventually, and I think that there are absolutely lessons for defense in this book, about, you know, maybe you need to really, really think about software updates, for instance, like the kind that were hijacked with this M.E.Doc accounting software, as a vector for terrible cyber-attacks. Imagine that any of your insecure apps that have kind of updates can become a piece of malware. Really, you need to segment your networks, you need to think about patching. There is just an endless kind of checklist of things that every organization needs to do to protect themselves, so in some ways that's just like a Sisyphean task, and I don't try to answer that question in the book, because it's too big, and it's kind of boring as well. But what I do really hammer on is the thing that the governments really could have done here, which is to try to establish norms, try to control attackers through diplomacy, through kind of disciplinary action, through things like a kind of Geneva Convention for cyber war. If you think about a kind of analogy to, say, chemical weapons, we could just try to give everyone in the world a gas mask that they have to carry around with them at all times, or we could create a Geneva
Convention norm that chemical weapons should not be used, and if they are, then it's a crime and you get pulled in front of the Hague, and we've done the latter. And I think that in some ways that should be part of the answer to cyber war as well. We need to establish norms and make countries like Russia, or organizations like the GRU, understand that there will be consequences for these kinds of attacks, even when the victim is not the US or NATO or the EU, and I think we're only just starting to think about that.

One of the questions I had as I was reading is, it seems like a very clear red line for almost everyone you talk to is attacks on the power grid, right? That is just unacceptable. You should not do it. If you do it, you've crossed a line and there should be some consequence. Is that clear to governments? Is that something that our government says? Is it something that has been established? It seems like it's the conventional wisdom, but I'm unclear whether that is actually the line that exists.

It definitely has not been established, and when I did these... I managed to get interviews with the top cyber security officials in the Obama and Trump administrations. J. Michael Daniel was the cyber coordinator for the Obama administration, and Tom Bossert was the kind of cyber coordinator's boss, the Homeland Security Adviser for Trump, and both of them, when I asked them about, like, why, to put it bluntly, why didn't you respond when Russia caused blackouts in Ukraine? Both of them essentially said, well, you know, that's not actually the rule that we want to set. We want to be able to cause blackouts in our adversaries' networks, in their power grids, when we are in a war situation or when we believe it's in our national interest. So, you know, that's the thing about these cyber war capabilities. This is part of the problem, that every country,
absolutely the US among them, isn't really interested in controlling these weapons, because we, in this kind of Lord of the Rings fashion, we are drawn to them too. Like, we want to maintain the ability to use those weapons ourselves, and nobody wants to throw this ring into the fires of Mount Doom. We all want to maintain the ring and imagine that we can use it for good. So that's why neither administration called out Russia for doing this, because they want that power too.

You make the comparison to nuclear weapons, but we've negotiated drawdowns and treaties with Russia in the past. We count warheads. We're aware that the United States' stockpiles can destroy the world fifty times over today, maybe tomorrow one hundred. Like, we have a sense of the measure of force that we can put on the world when it comes to nuclear weapons. There's a sense that, oh, we should never use these, right? Like, we have them as a deterrent, but we've gamed out that that actually leads to mutually assured destruction. Like, there's an entire body of academics, there's an entire body of researchers, an entire body of scenario planning with that kind of weapon. Does that same thing exist for cyber weapons?

There are absolutely, you know, communities of academics and policymakers who are thinking about this stuff now, but I don't think it's kind of gotten through to actual government decision-makers that there needs to be kind of cyber deterrence, and how that would work. The comparison to nuclear weapons is instructive, but not exactly helpful. In fact, it's kind of counterproductive, because we cannot deter cyber-attacks with other cyber-attacks. I don't think that's gonna work, in part because we haven't even tried to establish it yet. There are no kind of rules or red lines, but then, I think more importantly, everybody thinks that they can get away with cyberattacks, that they're going to create a false flag
that's clever enough that when they blow up a power grid, they can blame their neighbor instead. So they think they're gonna get away with it, and that causes them to do it anyway and not fear the kind of assured destruction. So I think that the right response, the way to deter cyber attacks, is not with the promise of a cyber attack in return. It's with all the other kind of tools we have, and they've been used sometimes, but they were not in the case of Sandworm. Those tools include, like, sanctions, which came far too late in the story, indictments of hackers. In some cases we still haven't really seen Sandworm hackers indicted for the things that they did in Ukraine, or even NotPetya. And then ultimately just kind of messaging, like calling out, naming and shaming bad actors, and that has happened to some degree with Sandworm, but in some cases there have still been massive failures there. There has still been no public attribution of the Sandworm attack on the twenty eighteen Olympics. I mean, my book has been out for months. I think it shows pretty clear evidence that Sandworm is responsible for this attack, or at the very least that it was Russia, and yet the US and Korea, where these Olympics took place, and the UK, none of these governments have named Russia as having done that attack, which almost just invites them to do it again, whenever our next Olympics are going to be. I guess maybe not this year, but if you don't send that message, then you're just essentially inviting Russia to try again.

So I think my big question is, what happens now? I mean, you write about the NSA's Tailored Access Operations, which is their elite hacking group. We are obviously interested in maintaining some of these capabilities. We've come to a place where people are writing books about how it works. What is the next step? Does it just keep getting worse, or does this kind of diplomacy you're talking about, is that beginning to happen?

I
think there are some little glimmers of hope about the diplomacy beginning to happen. I mean, this year in February, I think it was, the State Department called out a Sandworm attack on Georgia, where Sandworm's hackers basically took down a ton of Georgian websites by attacking the hosting providers, as well as a couple of TV broadcasters, and the US State Department, with a few other governments, said this was Sandworm, named the unit of the GRU. That was confirmation that I'd been looking for for a long time, but they also made a point of saying that we're calling this out as unacceptable even though Georgia is not part of NATO or the EU. So that's progress. That's essentially creating a new kind of rule, that state-sponsored hackers can't do certain things, no matter who the victim is, and that's really important. Also, it was kind of interesting because federal officials gave me a heads up about that announcement before it happened, which they very, very rarely do, and I think what they were trying to say was, we read your book and we got the message, okay, like, stop attacking us about this, we're trying, we're doing something different here. I don't want to flatter myself that I actually changed their policy, but it did seem interesting that they wanted to tell me personally about this. So I think that, like, maybe our stance on this kind of diplomacy is evolving, and we're learning lessons, but at the same time we also see the attacks evolving too, and there are new innovations in these kinds of disruption happening. We've seen, since some of these terrible Sandworm attacks, you know, other very scary things, like this piece of malware called Triton or Trisis that was used to disable safety systems in an oil refinery in Saudi Arabia, and that was, you know, that could have caused an actual physical explosion at a petrochemical facility. The attacks are evolving too.

Okay, final, last real question. Tell people where they can get your book.
You can find it all kinds of places, or on andygreenberg.net.

You've written another book as well previously, yes?

That's right. I wrote a book about WikiLeaks, cypherpunks, and things like that.

That's right. Well, I'm a huge fan. It was an honor to talk to you. Thank you so much for coming on. I know it's a weird time to be talking about anything but the coronavirus.

I was very happy to talk about something else, which is that it seems a little bit more in control, even if it is quite dangerous.

Thank you for the time. I appreciate it.

Yeah, I'm glad to provide people with a different kind of apocalypse as a distraction.
"Some time ago, about a year ago, or maybe two years ago, Twitter introduced time-based one-time passwords, Google Authenticator, as most people know, that mechanism where you have an authenticator app on a mobile device, and that gives you six-digit codes to log in as a second factor, which is much more secure than SMS. SMS of course can be hijacked if your SIM card is hijacked, so a lot of people were speculating about all of these different methods of attack. To me it seems unlikely that accounts that are very familiar with SIM-jacking, because it happens a lot in crypto and has had a lot of high-profile reporting, would have SMS. It also seemed unlikely that, even if they did, someone was able to SIM-jack phones from big accounts across two different continents at least, because some of these accounts are China-based or Singapore-based, some are Europe-based, some are US-based. That involves several different phone carriers in different countries, all done within a matter of hours. It seemed to me very unlikely that that would be the case. So assuming that they did have hardware two-factor authentication, or at least an authenticator app, you can't really steal a password. That's not enough. So then, if the account security is likely to be quite secure, what are the other avenues someone can get in? The next most likely mechanism of attack would be APIs. So Twitter has APIs that allow various social media aggregator sites to post, so that a whole team of people can schedule and review and post to multiple platforms simultaneously. I use platforms like that, too. It allows me to work with a team of people and collaborate on what we post and schedule it out in advance. So when you see a personal message from me, it's personal, but when you see one like, I'm doing this video on Saturday, you know that's scheduled in advance and it's posted automatically. I'm not sitting there attaching images and typing in hashtags in real time.
These services of course access the Twitter API using OAuth, which is an authentication protocol. It's the same protocol that's used when you log into a site using your Google account and it redirects you, gets an encrypted challenge-response message that authenticates you into the site. And these gain full access to the Twitter timeline and present it inside the site. You're probably familiar with things like Hootsuite and Buffer, Sendible and various other sites like that. Now, these sites are not always as well secured. So that was my immediate suspicion, because from there you can easily post the message, and if that site's security isn't as strong with two-factor, etc., I assumed it had been compromised, because there are only a handful of social media posting services, maybe eight. It was quite possible that all of these disparate companies were using the same one. Then the attack continued to escalate. One of the things that was noticeable was that the tweets that were coming out were saying "Twitter Web App". Now, when you have an OAuth service that is posting remotely through the API, it has a clear identifier: it says "Twitter for iPhone", it says "Hootsuite", it says some social media posting app or something like that. It doesn't say "Twitter Web App". So my immediate suspicion was that this was a browser extension, again much easier to compromise, a browser extension that is a common single point of failure across all of these different accounts and would have access to the Twitter web API to post on behalf of, or maybe store credentials for, users. There are a lot of sloppy browser extensions out there. And then people started talking about the possibility of a zero-day browser exploit. Now, that'd be a very serious problem, because a zero-day browser exploit effectively means that someone was compromising browsers through some click-through mechanism, remote code execution or something like that, and hijacking credentials from inside the browser's secure store. That's a very serious problem.
Because it would affect not just Twitter, but then again, it was only happening on Twitter. And why would you use a zero-day browser exploit, which can be enormously powerful, to hack only one site, Twitter, and then use it to do this silly Nigerian scam? I'm using the term "Nigerian scam" not because Nigerians have anything to do with this, but because this type of scam originated with the Nigerian prince story. I mean, it's a story, actually, that we've seen repeat over and over and over again for two decades. Exactly. I was reading through some kind of gaming coverage of this and many of them are likening it to scams that have been pulled in EVE Online, which is a popular sort of laissez-faire MMO, and RuneScape also, which is really like a mostly-for-kids type of environment, and again, like seven years ago, apparently there was a rash of this type of "give me your money and I'll give you double back", and again, of course, in cryptocurrency we've seen this since.
"zero days" Discussed on The CyberWire
"And now a word from our sponsor ExtraHop, securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption, just like they want to support enterprise IoT and edge computing, but the more complex your architecture, the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to ninety-five percent faster with the context they need to act immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multi-cloud and hybrid enterprises, or learn more at extrahop dot com slash cyber. That's extrahop dot com slash cyber, and we thank ExtraHop for sponsoring our show. Funding this CyberWire podcast is made possible in part by McAfee: security built natively in the cloud, for the cloud, to protect the latest, like containers; to empower your change makers, like developers; and to enable business accelerators, like your teams. Cloud security that accelerates business. It's about time. Go to mcafee dot com slash time. Coming to you from the two thousand twenty RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Wednesday, February twenty-six, twenty twenty. Google has patched a Chrome zero-day that's undergoing active exploitation in the wild. Mountain View isn't saying much about how, where, or by whom the vulnerability, CVE-2020-6418, is being exploited. In fact, Google's not really saying anything at all, confining itself to this terse observation: "Google is aware of the reports that an exploit for CVE-2020-6418 exists in the wild." The zero-day is a type confusion issue, one in which an app initiates data execution of a certain type of input but is subsequently fooled into treating the input as a different type.
Exploitation could give an attacker the ability to run malicious code within an application. Two other non-zero-days are also fixed in the update; users are advised by multiple experts to patch. EnergyWire says the Coast Guard has confirmed that the ransomware attack against a natural gas facility CISA warned of on February eighteenth was in fact the same incident the US Coast Guard reported in a December Maritime Safety Information Bulletin. Dragos offered the same evaluation last week. FireEye notes the ways in which industrial systems have become increasingly attractive targets for ransomware operators. The extortionists are now frying bigger fish than heartland school districts. Concerns about ransomware are high on the list for those charged with defending infrastructure, as FCW reports CISA Director Krebs observed this week at RSA. As if to give point to those concerns, a small electrical utility in Massachusetts, the Reading Municipal Light Department, has disclosed that it sustained a ransomware attack last Friday. Another big trend in ransomware is stealing files in addition to simply encrypting them. BleepingComputer notes that the operators of DoppelPaymer ransomware have now adopted the increasingly common tactic of adding doxing to the traditional threat of data loss. DoppelPaymer has established a site where it will post private files stolen from victims who decline to pay the ransom. An RSAC panel hosted by CyberScoop featured the directors of two major US agencies: NSA's Cybersecurity Directorate, led by Anne Neuberger, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Directorate, led by Christopher Krebs. The organizations see their roles and missions as complementary and offering good scope for collaboration. Work against the influence operations and other information operations that targeted
the two thousand sixteen elections, and that have since continued, spurred more effective information sharing, and Microsoft's January patches provided an important opportunity for the two agencies to reach out to the public on an urgent matter of online security. Dallas County, Iowa, has ended its bungling and discreditable treatment of two Coalfire penetration testers, dropping all felony burglary and criminal trespass charges against them, Infosecurity Magazine reports. In another legal case, the extradition hearing in the matter of Mr. Julian Assange continues at Woolwich Crown Court. Reuters reports that barristers working on behalf of the WikiLeaks proprietor branded allegations that Mr. Assange helped the then US Army Specialist Bradley Manning hack into classified systems as "lies, lies and more lies", a position that the American prosecutors, of course, are unwilling to accept. Mr. Assange's counsel also took on another central US contention: that WikiLeaks' publication of material then-Specialist Manning stole put lives at risk. On the contrary, argued lawyer Mark Summers: when Mr. Assange learned that unredacted copies of the material he'd received and prepared to share with various media were about to become public, he tried to warn US authorities, calling the State Department and asking to speak with then-Secretary Hillary Clinton to warn her that lives were on the line and that something needed to be done. She didn't take his call, Mr. Assange's defense team said, and no one got back to him in the promised couple of hours. Keith Mularski held leadership positions with the cybersecurity team in the Pittsburgh office of the FBI, and under his team's watch several high-profile criminals and organizations were brought to justice. These days Keith Mularski is with the team at EY. He stopped by our booth at RSA to share his insights. I spent twenty years at the FBI, and at that time you're eligible to retire. Just a great opportunity
to kind of still continue fighting the fight, but just from the other side. Ernst and Young gave me just a great opportunity to come and be a leader in their cyber practice and continue doing threat intelligence and incident response and being able to help clients, just from the other side. So it's been a great transition. What sort of insights have you gained from being on the other side? Is it a fresh perspective from what you had before? I think one of the things was the state of cybersecurity is a lot worse than I thought. You know, being on this side, I thought it was a little bit better. The other thing is just, it's all about defense, whereas when I was in the FBI I was doing offensive, defensive and investigations, so it is a little bit of a different beast, but fun nonetheless. So in terms of the things you have your eye on these days, particularly when it comes to ransomware, what are you and your colleagues at Ernst and Young focused on? So when I look at ransomware, I really look at that as probably the biggest cybercriminal threat affecting companies today. You know, in the past you had different banking trojans and they were doing account takeovers. Over the last five, six years, the banks have got really good at stopping big wire transfers going out, so for these organized crime groups it's not profitable to do those big wire transfers, because they're just not as successful, but they're leveraging that access that they had now to do what we're calling enterprise-hunting ransomware or big-game-hunting ransomware. I'm curious, too, I mean from your point of view, I know the line from the FBI forever has been "don't pay the ransom", right? Now that you're on the other side, do you still believe that's the way to go? Well, yeah, I mean,
I believe that you shouldn't pay the ransom, because that's just giving money to criminal organizations, and I believe that if you have really good cyber hygiene and security practices put in place, you could prevent the majority of these attacks, and so you shouldn't even be in a position to have to pay these ransoms. So what you really want to kind of do with these groups is kind of put together a playbook, because they all do follow a pattern, and once you know their playbook, you can build defenses around that. Everybody has a limited budget, right, and they have to allocate to various things, you know, dial in the percentages to various things. What's your tips for folks who have ransomware front of mind? How should they be approaching that from a practical point of view? Well, I think you have to use intelligence to really drive your business practice. You really need to understand where your crown jewels are. You need to be able to know where your risks are and make a business decision based on the risk. Can you be one hundred percent secure? Absolutely not. You need to manage your risk to a level where you're comfortable that, hey, my spend is at this right level, lower my risk to this level, and that's acceptable, and that's what you have to do. The only way to do that is really good intelligence on where your crown jewels are and also, you know, the techniques and tactics used by the threat actors out there. What are you tracking in terms of evolution in these ransomware groups? How they're coming at people? What are the trends there? So one of the biggest trends that we're seeing lately is, because people don't want to pay the ransom, or they're restoring from backups, you know, what we're seeing then is now a couple of the groups, I just saw DoppelPaymer, Maze is another group, right now,
where since they're in your network for thirty to forty-five days, they're stealing documents, and now they're saying, if you don't pay the ransom now, we're going to post your confidential documents. So we're seeing a trend for them to try to really make sure that they get that money from you. Turn up the heat. Turn up the heat. That's Keith Mularski from EY. To return to RSAC twenty twenty, what's our sense of the conference this year? We'll say that the event is well attended despite the last-minute high-profile cancellations announced last week. It is perhaps a bit more subdued than we've seen in previous years. Some of the sense of reserve is no doubt due to concerns about COVID-19, the coronavirus strain that prompted those eleventh-hour withdrawals. Hand sanitizer stations are much in evidence and people seem less apt to shake hands. More generally, and with respect to the business of cybersecurity, we're getting a vibe that people see small businesses, the mom-and-pops, as underserved by the sector. Finally, inspired by Cisco's launch of its SecureX platform at RSAC, and especially by the news that SecureX's internal name had been Thanos, MarketWatch wonders what superheroes exemplify the spirit of various cybersecurity companies. Thanos technically is a supervillain, but we'll leave that aside. They confined themselves to the Marvel Universe, so DC superheroes need not apply. Iron Man was the superhero most companies chose as their muse and role model, followed by Captains America and Marvel, with Sue Storm, Vision, Shuri, Doctor Strange and Ant-Man, the Hank Pym version, also crossing the finish line. To our industry's shame, not a one of them chose Dr. Charles Xavier, the Silver Surfer, an obvious choice, one would think, for any browser security vendor, or the Ancient One. Sad. MarketWatch had some suggestions for the various companies they talked to, and their suggestions struck us as better than the companies'
preferred superheroes. Again, sad. For our part, we call J. Jonah Jameson. He's what you call high energy.
"zero days" Discussed on The CyberWire
"Something as being wholly within the European Union, then it's much easier to understand how the sanctions will apply and the processes will be followed. When you start to look at companies outside of the EU but still handling EU citizen data, then, you know, I'm not truly sure how that will work. I think it's more about where your data is going to be held; if it is a country that you don't necessarily trust, you need to make a personal decision as to whether you want to move forward with it. The one big beef I had is that every company seemed to implement it in their own way with their own plug-in, and they all had different approaches, and that seemed to me just incredibly wrong. Yeah, I agree. I think one of the challenges that we've had with GDPR is that it's been completely non-prescriptive as to technology and how people do things, so it gives you kind of best-practice buzzwords about, you know, you will keep information secure, you will protect the individual, but there's actually nothing underneath that, no recommendations or suggestions on technology, say, page layout, so that is then left to each individual company. John Field, thank you so much for all your insights; it's been very interesting. My pleasure. Thank you very much. This is Carole Theriault for the CyberWire. According to the Japan Times, Mitsubishi Electric yesterday disclosed that Chinese actors hit the company with a massive cyberattack last year. In addition to the personal information on some eight thousand individuals, attackers may have obtained, quote, email exchanges with the Defense Ministry and Nuclear Regulation Authority, as well as documents related to projects with firms including utilities, railways, automakers and other firms, end quote. The personal data exposed in the incident belong to nearly two thousand new graduates who applied for jobs at Mitsubishi Electric between October
two thousand seventeen and April twenty twenty; others who were job-hunting with the Tokyo-based firm between two thousand eleven and two thousand sixteen were also affected. The company noticed an anomaly in its networks in June two thousand nineteen. Investigation of irregular activity on devices in Japan eventually revealed that someone had obtained unauthorized access to management networks. Those parties are believed to be Chinese criminal gangs. In other news from the cyber underworld, the operator of a booter service, that is, a service that offers distributed denial-of-service attacks for hire, has published Telnet credentials for more than half a million servers, home routers and smart devices. Why would they have done this? According to ZDNet, which asked them, the booter service has now been upgraded to a higher-end model. Instead of just riding atop vulnerable IoT devices, henceforth it will rent high-output services from cloud providers. Must be a fire sale, we guess, although the specific motive for making mischief in this way still strikes us as obscure. The leaker said they compiled the list by scanning devices with exposed Telnet ports and then tried first factory-default credentials, followed by easy-to-guess password combinations, a credential-stuffing effort. And finally, are you thinking of filing a claim in the Equifax breach settlement? Well, if you are, the deadline is tomorrow. You'll need to have your paperwork, your ducks in a row, to qualify. And now a word from our sponsor ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x)
Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your thirty-day free trial of Reveal(x) Cloud today at extrahop dot com slash trial. That's extrahop dot com slash trial, and we thank ExtraHop for sponsoring our show.