Security Now 969 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
0:00:00 - Leo Laporte
It's time for security now. Steve Gibson is here. We've got a great show planned for you Coming up. We're going to say hello to Veejer Voyager 1. There's some really interesting news in attempting to re-establish communications. Why is it better sometimes for a security researcher to keep their mouth shut? Steve has some strong words and we'll talk about the slimy world of zero days for pay. Turns out, you can make a lot of money if your ethics are a little, you know, fuzzy. All that and more coming up next on Security. Now Podcasts you love.
From people you trust this is Twit. You trust this is Twit. This is Security Now with Steve Gibson, episode 969, recorded Tuesday April 9th 2024. Minimum viable, secure product. It's time for Security Now. Oh yes, once a week a must listen Steve Gibson and the latest security news. Hi Steve, hey Leo.
0:01:08 - Steve Gibson
Great to be with you again for another. Well, we got a bunch of really cool stuff to talk about. Oh good, the podcast does not have a particularly catchy title.
You know, I guess I would argue that the one the podcast that we titled One was probably was catchy. Yeah, that was catchy and pithy and all that. This one is minimum, viable, secure product, oh, which I had fun with it, mostly because it is so dry, but it's also very important. So that's how we're going to. We're going to do a close look at an important industry initiative, which is what this is titled, unfortunately. You know, you could just say MVSP. That's like better, right, mvsp, but it's minimum, viable, secure product which just acquired an important new contributor.
But first we're going to look at when is it far better for a security researcher to just keep their mouth shut. And what happened in this case when he didn't? What happened in this case when he didn't? Are all Internet-based secure note exchanging sites created equal? What's been happening in the lucrative, if slimy, world of zero days for pay? And what has NASA just learned about the state of Voyager 1? That little intrepid puppy, just? Oh, and, by the way, leo, I watched the documentary you referred to, it's quieter in the twilight.
0:02:51 - Leo Laporte
Isn't that a great All about leisure. I loved that.
0:02:54 - Steve Gibson
Really really fun. Yes, also, I will tell everybody that something momentous has happened with Spinrite and then we'll take our deep dive into the fascinating. Actually it is because it's going to make a lot of our listeners smile. Minimum, viable, secure product because it encapsulates, you know, the history of this podcast in many senses, so I think I have, of course, a great picture of the week. So, for podcast 969 for April 9th, here we go, love it.
0:03:25 - Leo Laporte
Here we go. 969 for April 9th. Here we go, love it, here we go. 969 is on the air, our show today brought to you by Zscaler, the Z in scalar zero trust. Zscaler is the leader in cloud security. No surprise if you listen to this show absolutely no surprise that cyber attackers are using artificial intelligence in ways new and novel and innovative to compromise users, to breach organizations from high precision phishing emails to video to voice deep fakes of CEOs, celebrities. It's incredible.
In a world where employees are working everywhere, your apps are everywhere, your data is everywhere. Firewalls and VPNs are just not enough to protect organizations. They weren't designed, frankly, for these distributed environments and, more importantly, maybe these AI-powered, very sneaky attacks. In fact, in many cases, as we've reported on this show, firewalls and VPNs are the attack surface. That's how they get in.
In a security landscape where you have to fight AI with AI, the best AI protection comes from having the best data. And Zscaler who has the best data? The best data. They've extended their zero trust architecture with powerful AI engines that are trained and tuned not just by past data, but 500 trillion daily signals every day. 500 trillion in a security landscape where you got to fight AI with AI. That's key, isn't it? Zscaler Zero Trust in AI helps defeat AI attacks today by enabling you to automatically detect and block advanced threats, even threats no one's seen before Zero days. Discover and classify sensitive data everywhere. Generate user-to-app segmentation which is a great idea, to limit lateral threat movement, to quantify risk, to prioritize remediation, to generate board-ready reports reports, because the board's got to sign off. Learn more about Zscaler Zero Trust Plus AI to prevent ransomware and other AI attacks, while gaining the agility of the cloud. It's really brilliant Experience. Your world secured. Visit zscalercom slash zero trust AI. That's zscalercom slash zero trust AI. We thank you so much for your support, zscaler. We're working together, aren't we? Steve Gibson.
0:05:57 - Steve Gibson
And that is getting ahead. That is like being ahead of the curve to already be up.
0:06:03 - Leo Laporte
Oh yeah, some you know, uh uh, ai ai well the thing that's combat when they say 500 trillion signals a day. But if you think about it, you kind of have to constantly be looking out for what's new, what's happening, what's how are people being attacked? It's always changing and ai makes it possible to change really, really rapidly, so you can see why they want to do that anyway. Do you have a?
0:06:29 - Steve Gibson
picture. We have a picture, um, so I've had this one for a while. I've I've mentioned having a bunch that were in the in the queue. I got a kick out of this one because so we have a a one-story sort of it's like the side of maybe it would be a strip mall or something where you have, you know, the need for roof access, but it's in sort of a public environment, so you just don't want random people climbing up on the roof right.
Yeah, yet you still need, like, when one of the AC units dies or something happens, you need service people to get up. So you've got a ladder running up the side. Now, okay, how do you lock the ladder? And you've just seen it Go ahead.
0:07:24 - Leo Laporte
So this is clever in a way.
0:07:27 - Steve Gibson
So how do you lock the ladder? You know ladders got rungs. I know it's great. So some clever individual figured okay, we're going to put a hinged sheet metal panel like across the front of this ladder and we're going to lock it with a padlock and only the manager of the complex has the key for this padlock. Brilliant, and yeah. So basically it's completely closing off the rungs of the ladder. Yeah, so you know you can't climb up a smooth surface.
0:08:05 - Leo Laporte
No, it's just okay, can you no?
0:08:07 - Steve Gibson
Now, unfortunately, the ladder is mounted to the side of the building with a set of rungs.
0:08:17 - Leo Laporte
That are exactly ladder-like.
0:08:22 - Steve Gibson
So, gee, if I wanted to climb up on the roof, how would I do it? Well, I just go up the side of the ladder where the rungs are mounted to the side of the building, until I get above the sheet metal sheet that I can switch over and climb up the rest of the ladder so well they handily give you a ladder on the ladder, which is great yeah, we have here a failure of imagination or malicious compliance.
0:08:54 - Leo Laporte
You know, the guy who installed it said I know this is useless, but that's what they're paying me to put in so it'll serve you right?
0:09:01 - Steve Gibson
yeah, thank god it's got a padlock. That's all I can say.
0:09:06 - Leo Laporte
That's hysterical, oh my.
0:09:07 - Steve Gibson
God, wow, okay. So what year is it, leo? It's 2024, right 2024,?
0:09:15 - Leo Laporte
I believe yes, sir.
0:09:16 - Steve Gibson
Okay, yes, it's still the case that publicly accessible Internet-connected high-profile devices are being found to have manufacturer hard-coded remote access credentials. Now I suppose that would be more difficult for us to believe if it wasn't so long ago. And if it wasn't that long ago is what I meant, that Cisco's own internal audit of their devices, which was spurred and we cover this on the podcast by repeated discovery of their own hard-coded credentials in their equipment, kept turning up instance after instance of the same thing. Equipment kept turning up instance after instance of the same thing. So like it's not shocking, but you know, because you know here, even the market leader at the high-end, enterprise-grade networking gear was suffering from the inertia of the way they'd always done things before, even a decade after it had really no longer been safe to do that, decade after it had really no longer been safe to do that. Okay, so it's taken some time but, as we've been discussing more recently, we finally have, we're kind of coming to an agreement and we're going to see more of this agreement here at the end of the podcast on a set of straightforward and widely recognized best practices. So I've just put out five of them here no default manufacturer set credentials of any sort anywhere.
The first time a device's firmware boots, it should see that its credentials are blank. After it's had the chance to generate sufficient internal entropy for random number generation, it should create a very strong new default credential from scratch and present it to its user. Now the user will be free to then change it to whatever they want, but by default, any newly installed device will give its own security a head start by defaulting to something strong and nothing from the manufacturer. You know, yes, if it makes technical support more difficult, that's just tough. Once upon a time it might have been fine to default the username and password to admin and admin and to print that on the quick start guide, but those days are long past. All of our listeners have seen those days. Security is inherently porous and the pressure against our porous security is now steadily on the rise. That's the other thing that is like so clear now. Okay. So first, nothing by default.
Second and this was one of the new things that has resurfaced recently, proposed by CISA that I really think is right, and that is physical access required, changing the security of anything in any dangerous direction, like turning on UPnP, which should certainly not be on by default, including that administrative username and password we were just talking about, must be accompanied by a physical button. Press either beforehand to enable admin access for some period of time, or afterward to confirm the application of the new settings into the current setup. And yes, again, that will make fully remote admin impossible, but it will also make fully remote admin by bad guys impossible, right, and we've seen over and over again that it's not actually possible to have one without the other. So, yes, it'll be inconvenient, yes, you may have to call down to the basement and tell Morris to press the button now because you want to. You know, apply these settings from the comfort of your office on the 20th floor. Fine, do what has to be done, but it will keep the bad guys out.
Number three only absolute minimum functions publicly exposed by default. A router, for example, you know it must have its WAN interface publicly exposed to be at all useful as a router, but it does not need a single additional service beyond that. So therefore, not one additional service should be bound to that interface, the WAN interface, without explicit manual enabling, accompanied by clear caution notices and, yes, pressing a physical button on the router. And, needless to say, when that service is instantiated, it will start off with a fully random and strong username and password. You know, we know how to do this. Now Four autonomous firmware updates received and applied by default.
All connected devices must ship from the factory with their auto firmware update system enabled by default. Again, it could be turned off, but everything should default to most secure. These devices should then periodically ping a factory server to check for the availability of new firmware. The router's ping should include its current firmware version and the cryptographically signed ping reply should provide the router with the current version and the urgency associated with moving from where it said it is to the latest today. The device's admin can decide which levels of urgency are permitted to auto-update. You know, maybe you want to back off and only allow the ultra super emergent updates to happen immediately. Otherwise they might need management oversight or they might be deferred until 2 am, whatever. So there could be administration over that, but the system ought to take care of itself over that. But the system ought to take care of itself. And last, firmware for devices must be maintained as long as they're in service, and this is probably the trickiest of the five, because you have to then solve the problem of how long should a supplier be reasonably responsible for making the firmware of an end-of-life and out-of-service device current? Whatever the supplier's decision may be, it must be clearly and publicly stated so that prospective purchasers can plan accordingly changes that might be dangerous, no unnecessary services enabled, auto firmware updates enabled by default and a clearly stated end-of-life ongoing support commitment.
So if you think back through all of the individual events many of them having significantly catastrophic consequences that we've covered through this podcast's 19 years, almost every one of them could have been prevented if these five fundamental principles of safe Internet connectivity had been in place.
So today, as luck would have it, we have news of yet another. A researcher discovered that D-Link network attached storage you know NAS models DNS 320L, 325, 327l and 340L all share a distinguishing and I don't know if it's horrifying or it's disappointing. Anyway, he found that the firmware they share had been hard-coded by D-Link with the same fixed remote access backdoor username and password, and even the term password is being generous here because it's left blank. His GitLab handle is netsecfish N-E-T-S-E-C-F-I-S-H, as in network security fish, and his page on GitHub says the described vulnerability affects multiple D-Link NAS devices, and then he enumerates those four. The vulnerability lies within the NAS underscore sharing dot CGI URL, which is vulnerable due to two main issues a backdoor facilitated by hard-coded credentials and a command injection vulnerability via the system parameter. This exploitation could lead to arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration or denial of service by specifying a command. Okay, this guy's subsequent Internet search revealed 92,589 of these devices currently exposed on the public.
0:19:50 - Leo Laporte
Internet.
0:19:50 - Steve Gibson
Oh man, yes, 92,589 right now on the Internet, with the highest concentration appearing at IP addresses in the US. The big problem is that this family of D-Link NAS devices were first phased out of D-Link's product line on October 29, 2017, and two years later, on the same day, in October 2019, all support for them was terminated by D-Link. Even so, it appears that our network security fish gave D-Link no prior notice of his discovery before he published it. Before he published it, no opportunity to decide whether they wished to alter their standing policy for out-of-service life products Two weeks ago, on March 26th, a date which I'm fond of because it's the day I was born and Leonard Nimoy.
Leonard Nimoy and I. He simply published everything he knew about. This simple HTTP GET query containing the username message bus and a blank password can be used to cause any of these 92,589 currently online network-attached storage devices to execute arbitrary commands. We see from the packet capture he enclosed that he issued I have it in the show notes he issued a command to a machine at a redacted address, and even doing that would be controversial unless the machine was one he owned, which seems unlikely A command to which the machine replied with a valid HTTP 200 OK response. It included other reply headers and XML in the body of its reply. So from that we learn that the D-Link NAS devices are running the light HTTPD web server version 1.4.28. The LiteHTTPD web server version 1.4.28.
Now you know I'm unhappy with what D-Link has been found to have done. We'll get to them in a minute. But it's not clear to me that anyone is helped by Phish's public disclosure and that 92,589 people and their networks and their data stand to be attacked and compromised as a result. You know, before he made this needless public disclosure, it might have been that someone might have eventually stumbled onto this too, and it's true that we don't know that it hasn't happened already, but we do know that it was never public before and that now it is. And another lesson we've learned through the years of shared experience on this podcast is that the height from which the fruit is hanging matters a lot. Far more low-hanging fruit is plucked than high-hanging fruit able to issue a series of simple HTTP GET queries, and how are any of them going to be able to resist any target as tempting as this? This is the definition of a ScriptKitty class vulnerability. So this person's disclosure two weeks ago has, without any question, compromised the security of 92,589 still online, still functioning, still in use and still sitting on other people's networks D-Link network-attached storage devices.
At the same time, a fair question is what would Google do and by Google I'm referring to Google's Project Zero, with their famous 90-day disclosure policy? Now, in fairness, he didn't give D-Link even a one-day. This was a zero-day disclosure. But in the case of Google, with Project Zero, they give manufacturers 90 days to produce a patch for a discovered flaw before Google will release the flaw's technical details. And, as we know, many companies have felt significant pressure to fix a vulnerability the project zero had found in their products.
But in this instance, the answer to the question what Google will do is that I'm not a hundred percent sure. For one thing, these are long out-of-service devices that are no longer being maintained by their supplier. You know, and we know, that even Google has, like, known vulnerabilities in Android that is no longer being maintained on Android smartphones and it's like well, sorry, we're not, we're not patching that version of Android any longer. So that's a policy. We're not patching that version of android any longer. So that's a policy.
Um, but the other thing is, this is not actually a bug. This is an undocumented, deliberate backdoor that d-link embedded into their devices, their consumer networked NAS devices for some unclear purpose. So, because it's old, out of service and not a bug, I'm pretty certain that Google's Project Zero would never even consider taking this up in the first place and if they knew about it, they would just be mum. So this brings us back to D-Link, a well-known, reputable, popular Taiwanese network hardware manufacturer that's been around since 1986. I've purchased a bunch of D-Link equipment, mostly network hubs, I think, through the years. I suppose that, at least among those of us here and others who learn of this past behavior, this at least tarnishes their brand in our mind. Right, I'm like I'm not buying a D-Link NAS now when I know that for some reason they've got this undocumented backdoor.
They did, we don't know about them today, no-transcript. If the owners of those devices had registered them, well then D-Link could conceivably today reach out to them. But what would they say? You know that NAS that you purchased from us 10 years ago. Well, uh, we had planted a secret remote access backdoor into it and it was recently discovered and has now been made public. So you know, we're really sorry about that and you should probably definitely immediately disconnect your D-Link device from the Internet. Have a nice day, and would you like to consider buying a newer NAS from us? We have a bunch of nice, shiny ones for you to consider. Well, right, so they're not going to say anything. You know, and I don't know, that they're even legally vulnerable here, so it's not clear that anything could be done on the legal front.
This was a design decision made by D-Link. Bad in retrospect, but there it is, and they may have had some justifiable rationale for it. They may have had some justifiable rationale for it. The username message bus kind of suggests that perhaps these devices could be set up in a cluster where this message bus allowed them to interoperate in some fashion. So you know it should have never been put on the public Internet. Maybe that was a mistake, maybe it's only meant to be on the LAN and somehow that wasn't done right. In other words, bad design not to control who could use it on which interface. But it wasn't an obvious crime on D-Link's part. And speaking of crime, here it comes.
Yesterday, entirely predictably, ars Technica's headline read Critical Takeover Vulnerabilities in 92,000 D-Link devices under active exploitation. That didn't take long, ars wrote on Monday, meaning yesterday. Researchers said their sensors began detecting active attempts to exploit the vulnerabilities starting over the weekend. Gray Noise, one of the organizations reporting the in-the-wild exploitation, said in an email that the activity began around 2.17 UTC on Sunday. The attacks attempted to download and install one of several pieces of malware on vulnerable devices, depending on their specific hardware profile. One such piece of malware is flagged under various names by 40 Endpoint Protection Services Security organization. Shadow Server has also reported seeing scanning or exploits from multiple IP addresses, but did not provide additional details.
The vulnerability pair found in the NAS underscore sharing dot CGI programming interface of the vulnerable devices provide an ideal recipe for remote takeover. Remote takeover, the first, tracked as CVE-2024-3272 and carrying a severity rating of 9.8 out of 10, is a backdoor account enabled by credentials hard-coded into the firmware. The second is a command injection flaw, tracked as CVE-2024-3273, with a severity rating of 7.3. It can be remotely activated with a simple HTTP GET request. Netsec Fish, the researcher who disclosed the vulnerabilities, demonstrated how a hacker could remotely commandeer vulnerable devices by sending a simple set of HTTP requests to them. So thank you and congratulations, network security fish. What a nice public service you have performed for 92,589 D-Link users whom you've just single-handedly turned into victims Yikes.
0:32:10 - Leo Laporte
Yikes, yikes, yikes.
0:32:12 - Steve Gibson
That's bad news Before long it is Before long, if not already, those 92,589 D-Link devices will be infected with malware, if they aren't all already. After all, today's Tuesday, and as I mentioned at the start of this adventure, the Internet scan distribution shows that networks in the United States contain more of them than any other single region. I wonder whose networks those devices may be sitting on, and I wonder who might be interested in finding out. So I suppose the final takeaway lesson for us is that complex devices of this sort that are no longer being actively supported cannot be used safely, at least not in settings such as connected to the Internet, where the security risk is high. Of course, that's easily said, right.
It's difficult to retire a perfectly good working device for no obvious reason other than its manufacturers no longer active supporting it. A mature policy would ideally rotate such devices into less security-sensitive roles, give them a place inside the network behind the firewalls, where they can live out their lives in peace while continuing to be productive, while continuing to be productive. I very much hope that the 92,589 owners of these surviving NAS devices do not experience much hardship as a consequence of network security phish's needless, pointless and destructive disclosure. It should be clear that there are times when it's far better to just say nothing. Wow.
0:34:15 - Leo Laporte
It's like he's showing off really right.
0:34:17 - Steve Gibson
Yes, that is all. There's no other justification. Leo, nobody's learning a lesson. D-link can't do anything about this. They won't do anything about it. It is just hubris, it is just ego, it is just hey, look what I did, look what I found. But but he, he could have said this without I mean, well, better to say nothing, right? But you know, he, he gave a complete here's how you attack 92 plus thousand open, wide open, innocent devices that are never going to be patched. It's just like, hey, here, take them over, I guess. Install.
0:35:03 - Leo Laporte
Malfair.
0:35:04 - Steve Gibson
You know, create a botnet, see whose network they're on Pivot. And you know, because, who knows, some enterprise, some IT guy, could have said, hey, I have one of these at home, works, great, I'm, you know, let's buy one for the company. And so it's on the enterprises network. Some someone's going to get in pivot now have access to their LAN from from this device that is straddling the LAN and the WAN and, you know, install ransomware on their network. Why? Because some guy says, hey, look what I found, it could have been worse.
0:35:42 - Leo Laporte
He could have sold it to Zerodium, right. I mean, at least he didn't sell it to a nation state. Not that they would have paid much for it, but still.
0:35:52 - Steve Gibson
Although I'm not sure that this isn't worse, because now it's a feeding frenzy.
0:35:57 - Leo Laporte
It's free. Yeah, he's giving it away.
0:36:00 - Steve Gibson
Well, it's every script kitty. Who ever had a W get command.
0:36:07 - Leo Laporte
Right.
0:36:11 - Steve Gibson
What's the other one? Curl, the famous Linux Curl, Curl, Curl. It's like wow.
0:36:18 - Leo Laporte
So Leo, on that happy note let's tell our listeners why we're here.
0:36:24 - Steve Gibson
And we're going to find out why you don't want to use a private note-sharing site.
0:36:30 - Leo Laporte
Oh, interesting, yeah, the only D-Link thing. I used to buy a lot of switches. I think I might have still some rolling around, but those are passive, they're not.
0:36:38 - Steve Gibson
Yeah, exactly, I think they had really nice-looking little network hubs and switches.
0:36:47 - Leo Laporte
And then I think I own a D-Link cable modem. That's such a bad practice to hardwire a backdoor. Oh, Leo.
0:36:54 - Steve Gibson
It's just depressing. I mean, at some point we need legislation where? Yeah, you're responsible, just you're, yes, exactly exactly. If something happens because of what you did, you, you are now liable to on, you know you're on the ending, uh, on the on the receiving side of lawsuits, because that's just you just can't do it.
0:37:18 - Leo Laporte
Our show today. Steve brought to you by a name you'll remember Ah.
0:37:23 - Steve Gibson
ESET, a name we never forgot because we use it.
0:37:26 - Leo Laporte
Eset, love ESET. With ransomware, data breaches, cyber attacks on companies becoming increasingly prevalent, it's important to have proactive security in place, ready to stop threats before they happen. You need your digital guardian. You need ESET. On average, it takes these numbers are so when I read these, I go oh, this is awful. On average, it takes 277 days 277 days to identify and contain a security breach. Meanwhile, you know you're in trouble right During the breach. Time is your enemy. You've got to act fast. That's why you need ESET's MDR, your Managed Detection and Response Service. Get it MDR that brings threat management right to your doorstep, tailored to fit the size of your business which is nice for a small business like ours, right, or your current cybersecurity needs. With ESET's MDR, you'll get 24-7 cybersecurity coverage with a potent blend of AI-driven automation human expertise, too. I think the both together is actually really critical, bolstered by cutting-edge threat intelligence Human expertise, too. I think the both together is actually really critical. Bolstered by cutting-edge threat intelligence and with professional support backed by ESET's teams of renowned researchers, resolving issues now suddenly becomes a manageable task. That's got to breathe a sigh of relief time.
Let ESET's MDR help you save time, resources and money. We use ESET. We're big fans. I know you save time, resources and money. We use ESET. We're big fans. I know you will be too. Go to businessesetcom slash twit to optimize your security with ESET's managed detection and response service. That is again businessesetcom slash twit. We thank them so much for helping us with security now in all our shows and keeping us secure at the same time. Thank you, iset Steve.
0:39:20 - Steve Gibson
So get a load of this one. Last Thursday, brian Krebs you know of KrebsOnSecuritycom fame, who really likes doing, you know, deep security research posted a piece that just makes you shake your head. He wrote A cyber crook who has been setting up websites that mimic the self-destructing message service PrivNote spelled P-R-I-V-N-O-T-E, dot com. Maybe PrivNote, but PrivNote, you know, as in obviously, privacy accidentally exposed the breadth of their operations when they threatened to sue a software company. Wow, this is chutzpah. The disclosure revealed a profitable network of phishing sites that behave and look like the real priv note. Oh no, except uh-huh, except that's okay, this uh-uh. Any messages containing cryptocurrency addresses will be automatically altered with a different payment address. Brilliant, good it is. It is diabolical, controlled by the scammers. So Brian explains. He says launched in 2008. Privnotecom employs technology that encrypts each message so that even Privnote itself cannot read its contents and it doesn't send or receive messages. Creating a message merely generates a link. When that link is clicked or visited, the service warns that the message will be gone forever after it is read. Privnotes ease of use and popularity among cryptocurrency enthusiasts has made it a perennial target of phishers. Who could have seen that coming? Who erect PrivNote clones that function more or less as advertised, but also quietly replace their own cryptocurrency payment addresses when a note is created that contains crypto wallet addresses.
Last month, a new user on GitHub named fory66399 lodged a complaint on the issues page for Metamask, a software cryptocurrency wallet used to interact with the Ethereum blockchain. 4e66399 insisted that their website, privnoteco, was being wrongly flagged by MetaMask's ETH phishing detect list as malicious, which of course it was. 4e66399 wrote quote with their arms crossed we filed a lawsuit with a lawyer for dishonestly adding a site to the block list, damaging reputation, as well as ignoring the moderation department and ignoring answers. Provide evidence or I will demand compensation. So MetaMask's lead product manager, taylor Monahan, replied by posting several screenshots of PrivNoteco showing that the site did indeed swap out any cryptocurrency addresses. After being told where they could send a copy of their lawsuit, 4E66399 appeared to become flustered and went silent. Now Brian's piece continues with one of his terrific deep dive researches into all the details, and he uncovers a large network of very similar clone websites by backtracking their domain registrations.
What I found interesting about this was that this is not, you know, hacking, some fancy new blockchain technology contract thing that like nobody understands, but to steal like a windfall of 50 million dollars all at once. No, instead, this is stealing individual, small cryptocurrency transactions from cryptocurrency end users, and you can imagine the dialogue right, you know? Quote I haven't received the drugs. I sent you the money. For what do you mean? You never received the payment. I sent it right. I sent it right after I received the email with your wallet address and the money was taken from my wallet. If you didn't get it, then where did it go?
0:44:35 - Leo Laporte
that's right before he got it uh-huh.
0:44:40 - Steve Gibson
Well gee, it appears likely that it may have made its way into some russians pocket perhaps because you are not paying close attention and use privnoteco or privnotacom or private messagenet or private noteio or tor noteio or privnotecom or privnatecom or privnotecom. Believe it or not, Brian's research traced each of those PrivNotcom malicious copycat domains's note on their PC so that it cannot be decrypted except by another third party. The problem is the technology required to do this is not readily visible and auditable by a site's user, nor would they understand that. You know crypto code. Even if it was visible, the site clearly and cleanly claims that they're unable to read anything that's being sent. And you know, the unwitting user has heard of such sites like PrivNotecom. That's authentic, you know, and that site arranged to do just that, so it's got a terrific reputation. And PrivNoteio, well, it looks the same, so it's probably just the same.
People who also got that cool io domain and it's one fewer characters to type Might as well use PrivNoteio instead of PrivNotecom. What could possibly go wrong? You know? And after all, PrivNoteio, it says it cannot read anything that's sent. So let's just copy and paste our wallet address into it, Right?
Good luck with that. Okay, leo, let it take one more break. We're gonna, then we're gonna talk about crowd fence. Uh, a new upstart to give zerodium a run for their money.
0:47:25 - Leo Laporte
That's why zerodium was on my mind, because we talked about this on sunday. Yeah, yep, and they're offering big bucks too they are man.
Wish I knew how to hack. Uh know, you wonder why so many of our sponsors on this show are security companies. Now you know. Now you know Our show today, brought to you by Lookout Yep.
Today, every company is a data company. Right? That means every company's data is at risk. Cyber threats and breaches and leaks these are the new norm, and cyber criminals grow more sophisticated by the minute, a time when boundaries no longer exist. What it means for your data to be secure has really fundamentally changed. Enter Lookout. From the first phishing text to the final data grab, lookout stops modern breaches as swiftly as they unfold, whether on a device in the cloud, across networks or working remotely at the local coffee shop. Lookout gives you clear visibility into all your data, at rest and in motion. You'll monitor, you'll assess, you'll protect, without sacrificing productivity for security, because this is the new normal. With a single, unified cloud platform, lookout simplifies and strengthens reimagining security for the world that will be today. Visit lookoutcom today to learn how to safeguard data, secure hybrid work and reduce IT complexity. That's lookoutcom. You need it. You need it, and Steve's going to tell you why right now. Holy cow.
0:49:09 - Steve Gibson
We talked a lot about Zerodium in the past. They're the folks who offer extremely large bounties for new and unknown zero-click vulnerabilities and, unlike the good guys at HackerOne or ZeroDay, these creeps sell these ZeroDays, doubtless at significant profit, to unknown but certainly big-time buyers such as Israel's NSO group, for use by the Pegasus spyware and almost certainly to governments and intelligence services around the world. In other words, the platform publishers such as Apple and Google are the last to learn of these exploits, are the last to learn of these exploits. Well, now, on Saturday, techcrunch brings us news of a newcomer named CrowdFence. Maybe they're fencing I guess they're fencing the illegal, the ill-gotten goods of a zero day, and CrowdFence intends to give Zerodium a run for its money. And you know, this is not really a market where we'd like to see competition flourishing. We'd prefer that the market didn't exist at all.
I have a screenshot in the show notes of Crowdfence's current offering lineup. At the top of the heap they've got SMS and MMS, full chain zero click compromises, the discovery and disclosure to them of which would net someone selling it somewhere between seven and nine million US dollars. I mean, basically, you find one and if you check your ethics at the door, you're done for life, right. I mean, you could probably survive on nine million dollars. You know, I mean actually just off the interest. You know I mean actually just off the interest, okay. So in this case, full chain means something that gets the entire job done, not just a oh look, it crashed, but you know, oh look, we now have root access to do whatever we want, sort of thing. A full chain zero click for Android brings in five million, whereas the same thing for iOS is priced at between five and seven. And these are all just within the top paying mobile platform category. Crowdfence is also interested in mobile apps, other mobile things in mobile apps. Other mobile things desktop virtualization, baseband meaning you know the radio that underlies our smartphones enterprise web apps and more.
Techcrunch's headline was price of zero-day exploits rises as companies harden products against hackers. Okay, well, that's good. With a subheading, a startup is now offering millions of dollars for tools to hack iPhones, android devices, whatsapp and iMessage. Techcrunch writes tools that allow government hackers to break into iPhones and Android phones. Popular software like the Chrome and Safari browsers and chat apps like WhatsApp and iMessage are now worth millions of dollars, and their price has multiplied in the last few years as these products get harder to hack to hack. On Monday, startup Crowdfence published its updated price list for these hacking tools, which are commonly known as zero days because they rely on unpatched vulnerabilities and software that are unknown to the makers of that software.
Companies like Crowdfence and one of its competitors, zerodium, claim to acquire these zero days with the goal of reselling them to other organizations, usually government agencies or government contractors, which claim they need the hacking tools to track or spy on criminals. And, of course, we have lots of evidence. We've discussed through the years on this podcast that you know politicians and political activists and you know enemies of powerful people. Whoever end up getting spied on not just intelligence services tracking you know known bad guys. Crowdfence, they write, is now offering between five $7 million for zero days to break into iPhones, $5 million for Android $3 million and $3.5 million for Chrome and Safari zero days respectively, and $3 to $5 million for WhatsApp and iMessage zero days. So the increase in prices comes as companies like Apple, google and Microsoft are making it harder to hack their devices and apps, which means their users are better protected. Okay, and so, in other words, of course, as zero days become more rare, they naturally become more valuable. It's good news for everyone that they are becoming more rare.
Techcrunch continues. Dustin Childs, the head of threat awareness at Trend Micro's Zero Day Initiative, said it should be harder year over year to exploit whatever software we're using, whatever devices we're using whatever software we're using, whatever devices we're using. Unlike Crowdfence and Zerodium, zdi pays researchers to acquire zero days on the other hand, not $7 or $9 million then reports them to the companies affected with the goal of getting the vulnerabilities fixed. So those are the good guys where you get to keep your ethics with you while you accept, you know some good money, but not enough so that you never have to do anything and can retire on a beach. Shane Huntley, the head of Google's tag team, their TAG threat analysis group, tracks hackers and the use of zero days. He said, as more zero-day vulnerabilities are discovered by threat intelligence teams like Google and platform protections continue to improve, the time and effort required from attackers increases, resulting in an increase in the cost for their findings, resulting in an increase in the cost for their findings. In a report last month, google said that last year in 2023, it saw hackers use a total of here it comes 97 zero-day vulnerabilities in the wild. That was last year. In all of 2023, 97 zero-day vulnerabilities, and the various spyware vendors, like the NSO group, which often worked with zero day brokers, were responsible for three quarters of all zero days targeting Google products and Android.
People in and around the zero day industry agree that the job of exploiting vulnerabilities is getting more difficult. Dave Manchuri, a security analyst with knowledge of the zero-day market, said that hard targets like Google's Pixel and iPhone have been becoming harder to hack every year. He said I expect the cost to continue to increase significantly over time. Paolo Stagno, the director of research at Crowdfence, like the new bad guys, told Tech Grunch quote the mitigations that vendors are implementing are working and it's leading the whole trade to become much more complicated, much more time consuming, and so clearly this is then reflected in the price. The first time I read that, I thought trade, what trade? Then I realized that they're calling this zero-day vulnerability finding and selling a trade, and I suppose it is, though it feels like ransomware gangs talking about their profit profit?
0:57:46 - Leo Laporte
no, no, it's just trade, it's not how about theft through extortion?
0:57:51 - Steve Gibson
you know how is that profit, but I suppose that it is sadly profitable, though it hardly seems earned. Anyway, the Stagno guy from Crowdfence explained in 2015 and or 16, it was possible for only one researcher to find one or more zero days and develop them into a full fledged exploit targeting iPhones and Androids, he says. Now this is almost impossible as it requires a team of several researchers, which also causes prices to go up. Crowdfence currently offers the highest publicly known prices to date outside of Russia, where a company called Operation Zero announced last year that they were willing to pay up to $20 million for tools to hack iPhones and Android devices.
The prices in Russia, however, may be inflated because of the war in Ukraine and the subsequent sanctions. May be inflated because of the war in Ukraine and the subsequent sanctions, which could discourage or outright prevent people from dealing with a Russian company Outside of the public view. It's possible that governments and companies are paying even higher prices. This David Manuceri guy previously worked at Linchpin Labs, a startup that focused on developing and selling zero days, and again, there's no way that selling zero days is is ethical and cool. Lynchpin Labs unfortunately was acquired by US defense contractor L3 Technologies, now known as L3 Harris, in 2028. That's encouraging, anyway, david said, quote the prices CrowdFence is offering researchers for individual Chrome remote code execution and sandbox escapes are below market rate from what I've seen in the zero day.
1:00:00 - Leo Laporte
Wow, below market rate.
1:00:02 - Steve Gibson
That seemed like a good price to me, wow. Alfonso De Gregorio, the founder of ZeroNomicon, an Italy-based startup that also acquires Zero Days so they're scattered around agreed with this, telling TechCrunch that prices could certainly be higher. Well, I guess he wants them to stay low because that's the price he has to pay researchers or hackers who find them I really don't want to call them researchers. Zero Days TechCrunch rights have been used in court-approved law enforcement operations. In 2016, the FBI used a Zero Day we know where this is going provided by a startup called Azmuth to break into the iPhone of one of the shooters who killed 14 people in san bernardino. According to the washington post, in 2020, motherboard revealed that the fbi, with the help of facebook and an unnamed third-party company, used a zero day to track down a man who is later convicted for harassing and extorting young girls online.
There have also been several cases where Zero Days and spyware have allegedly been used to target human rights dissidents and journalists in Ethiopia, morocco, saudi Arabia and the UAE, among other countries with poor human rights records. There have also been similar cases of alleged abuse in democratic countries like Greece, mexico, poland and Spain. Neither Crowdfence, zerodium or Zeronomicon have ever been accused of being involved in similar cases. On the other hand remember, they're one party removed. They're not the guys who are doing the exploiting of these exploits. They're selling to entities which are then turning around and doing this abuse. So, yeah, these resellers would not be in the loop, they said.
Zero-day brokers, as well as spyware companies like NSO Group and Hacking Team, have often been criticized for selling their products to unsavory governments. In response, some of them now pledge to respect export controls in an effort to limit potential abuses from their customers. Stagno said that Crowdfence follows the embargoes and sanctions imposed by the United States, even if the company is based in the UAE, for example. Stagno said that the company would not sell to Afghanistan, belarus, cuba, iran, iraq, north Korea, russia, south Sudan, sudan and Syria all on the US sanctions list, that's a really long list, it is.
And he said everything the USs does, we are on the ball, you know why?
1:02:59 - Leo Laporte
adding that, if I bet, we're one of their biggest customers uh yep, uh-huh, we don't want to get them.
1:03:06 - Steve Gibson
I would bet that the nsa is probably taking our taxpayer money and buying these exploits so that they can do things with it. I'll bet you're right, leo. He said if an existing customer gets on the US sanctions list, crowdfence would abandon it. All the companies and governments directly sanctioned by the USA are excluded, of course they are Uh-huh. At least one company, spyware Consortium, intellexa I-N-T-E-L-L-E-X-A, is on Crowdfence's particular block list Of Intellexa. Stagno said I can't tell you whether it has been a customer of ours and whether it has stopped being one. However, as far as I'm concerned now, at this moment, intellexa could not be a customer of ours.
In March, the US government announced sanctions against Intellexa's founder, tal Dillion, as well as a business associate of his. The first time the government imposed sanctions on individuals imposed in the spyware industry. Individuals imposed in the spyware industry. Intellexa and its partner company, citrox has also sanctioned by the US, making it harder for the companies, as well as the people running it, to continue doing business. Intellexa's spyware has been reported to have been used against US Congressman Michael McCaul, us Senator John Hoeven and the president of the European Parliament, roberta Mazzola, among others. And finally, de Gregorio, the founder of ZeroNomicon, declined to say who the company sells to. On its site, the company has published a code of business ethics.
That's right because these guys have business ethics, leo. They're so ethical. I wonder how many sentences or how many words in their ethics statement, which includes vetting customers with the goal of avoiding doing business quote with entities known for abusing human rights and respecting export controls. Now, reading about the so-called export controls, one does have to wonder how difficult it would be for any major country on the US sanctions list to establish a behind-the-scenes relationship with another company in a non-sanctioned region to use as a middleman. Middleman In any event, I thought the checking in on the state of the zero-day market would be useful. While it may not be good news that prices are increasing, since that significantly increases incentives to find the fewer and fewer remaining zero days that exist, the fact that the prices are rising because these remaining zero days are becoming ever more scarce, well, that's certainly good news. I have one bit of miscellany, which is happy.
Last Thursday, nasa updated the world with the news of the status of our intrepid Voyager 1 spacecraft. The headline of NASA's posting was Engineers pinpoint cause of Voyager 1 issue Our working on solution. They explained, quote Engineers have confirmed that a small portion of corrupted memory in one of the computers aboard NASA's Voyager 1 has been causing the spacecraft to send unreadable science and engineering data to Earth. Since last November. Called the Flight Data Subsystem, fds, the computer is responsible for packaging the probe's science and engineering data before the telemetry modulation unit, the TMU, and radio transmitter send the data to Earth. In early March, the team issued a poke command to prompt the spacecraft to send back a readout of the FDS memory.
1:07:20 - Leo Laporte
Is that a Facebook poke command? They poked it.
1:07:25 - Steve Gibson
That's similar to a like, but it dates from 1971, so it's not quite the same. The original poke.
That's right, which includes the company's software code as well as variables, are all being sent back the computer's software code as well as variables. Using the readout that they received, the team has confirmed that about 3% of the FDS memory has been corrupted, preventing the computer from carrying out normal operations. The team suspects that a single chip responsible for storing part of the affected portion of the FDS memory is not working. Engineers cannot determine with certainty what caused the issue. Two possibilities are that the chip could have been hit by an energetic particle from space, or that it simply may have worn out over 46 years.
1:08:27 - Leo Laporte
I understand that, just like the rest of us. I understand that completely.
1:08:31 - Steve Gibson
Although it may take weeks or months, engineers are optimistic. They can find a way for the FDS to operate normally again without the unusable memory hardware, which would enable Voyager 1 to begin returning science and engineering data. What a miraculous story.
Leo it is astonishing, isn't it? And when you consider, what is it, is it billions or millions of miles away? It is astonishingly far away. How can that thing be pointing at Earth, I mean, talk about? I mean, it's a fraction of a degree At that distance for its antenna, a directional dish, to still be perfectly aligned. To me, that's what is stunning, amazing.
1:09:30 - Leo Laporte
And they don't have enough power to send a broad beam, it's got to be a fairly tight beam, right, amazing?
1:09:36 - Steve Gibson
I mean the power is dropping. As we've covered through the years, they're using a radioisotope based system. Basically, the decaying radioisotopes are heating a thermocouple which is generating the power to drive this stuff. And they've had over time, as as less and less radiation is being produced because it's just winding down, the power produced has diminished. So they've been having to judiciously turn off successive instruments of their total instrument package because they're looking at the total number of watts being generated. It's just astonishing.
1:10:25 - Leo Laporte
It is 15 billion miles from Earth.
1:10:30 - Steve Gibson
That's insane.
1:10:32 - Leo Laporte
It is incredible 46 years, 7 months 4 days, 9 hours, 4 minutes and 23 seconds 15 billion. It is insane. I almost feel like that can't be right, I know.
1:10:48 - Steve Gibson
And how can it still be pointing with enough accuracy at us?
1:10:53 - Leo Laporte
That's mind-blowing to me 22 and a half hours light distance away. How did it happen? And a half hours light distance away?
1:11:05 - Steve Gibson
How did it happen? Oh, and there. You just scroll by the instruments which are now on and off on both of the devices.
1:11:12 - Leo Laporte
Yeah, so one is the first column.
1:11:15 - Steve Gibson
Plasma science is off, imaging science is off, interferometer spectrometer is off quite a bit, but there's still four science projects still on yeah, cosmic rays, low energy charged particles and magnetometer wow, oh, and plasma wave subsystem still on and actually we we learned that when voyager 1 passed out of the heliosphere, the, the models which cosmologists and astronomers had made were found to be wrong, so it was never expected to be anything other than a flyby some of our planets to take some pictures, but it just wouldn't die. So it kept on going and it had so much useful instrumentation on it that they're learning new things still, which are still valuable.
1:12:10 - Leo Laporte
Patrick said wait a minute, it's getting closer to the Earth. Yeah, because the Earth's rotating in its direction. Right now, the distance from the sun is going up.
1:12:18 - Steve Gibson
It's 15.1 billion miles from the sun, or 163 astronomical units so that means that it's moving away from away from the sun more slowly than the earth is currently moving around, and thus toward it at the moment it's gaining and then, of course, as the earth, you know, processes, it will go the other way and, uh, it'll gain faster.
So, and there's only now one radio telescope in Australia which is able to to talk to it and unfortunately it's tasked with doing lots of other things. So they need to like, steal a little bit of time at the right moment when they're able to send a burst of instructions to it, and then they wait 44 hours for 22 for it to go out in 22. I mean, and Leo, the other thing, think of the science we had in 71. You know, that's when I had my first car that had an empty engine compartment because there was an engine and a gas line going to a carburetor. I mean, there was no and you had a throttle. I had to pull the throttle to start the engine when it was cold in the morning.
1:13:29 - Leo Laporte
Oh, the choke, yeah, yeah, yeah, yeah, the choke. The choke, not the throttle Right the choke.
1:13:33 - Steve Gibson
I mean, that was the world in 71 where Wozniak was saying Steve, I think I can get rid of one more Apple computer because you know we need the space.
1:13:46 - Leo Laporte
Look at this where it is Way the hell out there, way beyond anything else, the farthest man-made object in the world, in the universe, unless there's other men elsewhere, but we don't know that.
1:14:00 - Steve Gibson
Yeah, I don't know where that Tesla coupe is at the moment.
1:14:03 - Leo Laporte
A lot closer, I can promise you?
1:14:06 - Steve Gibson
I think so.
1:14:07 - Leo Laporte
Wow, just a great story.
1:14:09 - Steve Gibson
It's such a great story and again 1971 technology. It's just astonishing.
1:14:15 - Leo Laporte
But think I mean in 1969, we landed on the moon two years before that and we're having a devil of a time doing it again.
1:14:22 - Steve Gibson
So maybe, maybe those guys back in the 60s knew something yeah, the bits were bigger and so they were more robust back then. What you want is bigger bits, really.
1:14:32 - Leo Laporte
Yeah, our bits have gotten way too small.
1:14:35 - Steve Gibson
Speaking of bits, I was tempted to name this podcast spinrite 6.1, because what happened Sunday afternoon means so much to me, but, you know, since it doesn't mean that much to the rest of our listeners, that didn't seem appropriate. What happened on Sunday is that I finally updated GRC for the first time ever to begin offering 6.1 as its official spin right. Wow. So 6.1 is finally what new purchasers will receive when they go to GRC for the first time. So you know it's huge for me. I've been living with my commitment to offer and I don't have the website all clear.
1:15:21 - Leo Laporte
Oh yeah, so it's still 6.0 right here I know, I just got this done.
1:15:25 - Steve Gibson
If you click on the menu under Spinrite in the top left there's a little yep.
1:15:32 - Leo Laporte
Upgrade to 6.1. Okay, yep.
1:15:34 - Steve Gibson
Or if you just click on Purchase Spinrite, go down a few and then you can see that it is 6.1 is what we are offering.
1:15:44 - Leo Laporte
That's pretty cool, steve. So by the way, this website looks like it came from 1971.
1:15:48 - Steve Gibson
Congratulations I came from 1971, but the bits aren't bigger here that's right, the bits are bigger baby is the website written in assembly?
1:15:59 - Leo Laporte
Tell the truth.
1:16:00 - Steve Gibson
It's all hand-coded. I wrote it in HTML, before CSS even, and I do look at the code and it hurts actually. And I've had a number of our listeners who've said Steve, steve, steve, no, no, no, I'm a website designer, let me fix this for free. I will be happy to fix it for free and I you know I want to do it. One of the problems I had with employees was they were having all the fun doing the work and so consequently, you update that and then you got to maintain it.
1:16:34 - Leo Laporte
Trust me as somebody with a modern website stick with what you got. Static is good, I am Anyway.
1:16:41 - Steve Gibson
I've been living with my commitment to offer 6-1 for so long now, you know it's been more than a decade, and I felt guilty whenever I've stolen time from that, you know. And now, every time I remember that 6-1 is there being sold, it's like oh.
I mean it gives me a great sense of peace. Anyway, one thing I wanted to mention, though, to our listeners is that, after sharing the experience my wife and I had with her Dell laptop during last week's podcast, I did notice an uptick in Spinrite sales, in other words, more yabba-dabba-doos. Notice an uptick in Spinrite sales. In other words, more yabba-dabba-doos. Now, I'm fine with that, since many people have reported significantly improved performance after running Spinrite at level 3 over an SSD, which is almost certainly going to also improve the long-term reliability of their system. So I can stand behind the benefits that people are likely to see. My only concern was that until the afternoon of this past Sunday, april 7th, which also happened to be my third wedding anniversary, so it was a busy day. Unless those new purchasers knew to then go to GRC's pre-releasehtm page, they would have obtained 6.0. So I just wanted to make sure that anyone who may have heard that and been excited and went out to get Spinrite that they knew that they were getting 6.0 and everyone should go get 6.1. You can just you can use your receipt that you received to bring up the page and download. 6.1 is what we're offering now. So anyone who goes to get it now. Who bought 6.0, will get 6.1. Or you can go to the slash upgradehtml.
Greg said to me, my tech support guy, why are we still calling it pre-release? And this was, I think, yesterday. And I said me my tech support guy, why are we still calling it pre-release? And this was, I think, yesterday. And I said, oh yeah, so I created another page called upgradehtm, so you can use that too. Anyway, the second thing I wanted to share was inspired by someone using the handle TheBigBear, who posted it over in GRC's Spinrite news group. Over in GRC's Spinrite News Group.
After running Spinrite 6.1 on two Macs, he posted. He said and now I have two Macs tested and refreshed, he said, and it makes quite a difference. The frequency with which the colorful beach ball had shown was starting to worry me and it has all but disappeared now. And the startup times feel halved at least. He said. Wish I'd measured it before and after. He said, documentation is not my strong suit, but I will put it on my to-do list to write an update mentioning the extra hoops required with the latest Sonoma Mac OS.
Now, the reason I'm mentioning that, aside from it being another instance of welcome feedback about my use of the past three and a half years creating 6.1, is that, while FreeDOS and Spinrite will run on Intel-based Macs, getting them to boot from a CD or USB can be a bit tricky. So I wanted to remind any would-be Mac purchasers that this is the reason I created GRC's freeware named Bootable, in favor of DOS Boot. Although that was you know, I was tempted to name it that you know you can get Bootable, download it for free. If you can get it to congratulate you on your success in booting it, then exactly the same path can be taken with Spinrite. And, as I said, bootable can be freely downloaded at any time.
And GRC's web forums at forumsgrccom contain a growing knowledge base of help for Mac users, and I know that that's where this big bear guy will will post instructions and more details, although there's already a lot of stuff there, because you know, mac users have said, hey, how do I get this to go? So, anyway, next up is email. I know our listeners can't wait to have, for GRC to have a mailbag that they can send things to and then is to update the documentation and then this project will be finished.
1:21:14 - Leo Laporte
So yay, and now what Next after this?
1:21:22 - Steve Gibson
I know what, but. I'm not gonna say yet okay, so uh smart wise I'm gonna one thing at a time I always get myself in trouble by over committing and pre-committing and my wife, bless her heart, says now, you're not gonna promise anything again, are you? I was like I'm still recovering from the last promise.
1:21:46 - Leo Laporte
Yeah, well, she's put up with this. If you got married three years ago for the entire life of your marriage, maybe it's time to take a little break. No, she is a dream. Yeah, so that's awesome. Yeah, uh, would you like to take break? And I will do our last ad of the show and we can get to whatever it is that the minimum viable, secure product.
1:22:09 - Steve Gibson
Whatever that means Not the catchiest name, but a bunch of good ideas, okay.
1:22:15 - Leo Laporte
But first a word from Delete me, and this you need to know about, because, as you well know, there is no comprehensive data privacy bill that has passed in the United States. They keep talking about it, as they have for 20 years. Meanwhile, data brokers have just multiplied like topsy. If you've ever searched for your name online and you don't like how much of your personal information is available and if you haven't, by the way, don't Trust me, it's unnerving. Maintaining privacy, though, is more than just a personal concern. It's a family affair. Now Deleteme has family plans. You can ensure that everyone in your family feels safe online. This is really a good idea.
Deleteme helps reduce risk from identity theft, from credit card fraud, from robocalls, everything under the sun cybersecurity problems, harassment, unwanted communications. It's also, I think, a security issue for small businesses, or any business, because the information about your management and their direct reports is also available online. We know that because we've been attacked phishing attacks from people impersonating our CEO, sending messages to her direct reports saying I'm in a meeting, but I need some Amazon gift cards so we can give them to our hosts. So please get these right now. Put them on your credit card, I'll reimburse you and we can send them out Now. Fortunately, our employees are not idiots. I did not fall for this, but what was very unnerving, very scary, is the idea that they not only knew Lisa and her phone number. They knew her direct reports and their phone numbers and they knew enough about us to create a credible spear phishing attack. This is why delete me is more than just a personal issue. It's a security issue.
Sign up today, get the family plan. Absolutely Delete me. Experts will find and remove your personal information from hundreds of data brokers, helping you reduce your online footprint, keeping you, your family, your business safe. You can now, with the family plan, this is really neat. You can assign a unique data sheet to each family member that's tailored to their online footprint. With easy-to-use controls, account owners can manage privacy settings for the whole family under one roof, and this is important. Everybody's threat model is different, Everybody's exposure is different, and this is the other really important thing. You can't just do this once, because these data brokers are like cockroaches. As soon as they, you know they have a legal obligation. There's a form on their site. This is delete the data they do. But as soon as they do that, they start collecting new data and, before you know it, you've got a whole new dossier on you. So Delete Me continues to scan and remove personal information regularly.
We're talking about everything Addresses, phone numbers, photos, emails, relatives, social media, property, value, income information and more. Protect yourself, Reclaim your privacy. Go to joindeletemecom. We use this. It's worked really well for Lisa. I think it's a great idea and it's a really important idea for families, for small businesses, any business. Use the offer code twit for 20% off Joindeletecom slash twit and use the offer code twit and you'll get 20% off at checkout. It really works. Joindeletemecom slash TWIT. All right, minimum viable. I know what a minimum viable product is. When you're an app developer or creating a new site, you'll create the minimum viable product, you know. But what is this? Mbsp?
1:25:58 - Steve Gibson
Sure, that's where they came from. So our beloved industry is slowly, very slowly, getting its act together, but it is happening, and I've been encouraged by some recent news surrounding the minimum viable secure product effort. The group's list of contributors has been growing and it now includes some well-known names such as Salesforce, google, okta, slack, vanta and about 20 others. I guess that's Okta. The reason this is today's primary podcast topic, aside from the whole thing being an extremely worthwhile effort, which it is is due to the announcement of the effort's latest member, which was made on Thursday last week. The posting reads today, we're excited to announce that CISA is joining the Minimum Viable Secure Product Working Group.
Since launching CISA's Global Secure by Design initiative last year, we've received a tremendous amount of feedback, including through our request for information that recently closed. And, of course, it was the Secure by Design initiative where we first saw this notion suggested of requiring a manual action on the device in order to change the configuration in any way that could be foreseen as being dangerous, in any way that could be foreseen as being dangerous, which I think is brilliant Because, you know again, inconvenient, yes, but it's the right thing to ask for, anyway. So CIS has been leading on a lot of this. They said one of the key questions we've gotten is how organizations consuming software can ask the right questions of their software manufacturers. Consuming software can ask the right questions of their software manufacturers. Such a secure-by-demand approach, as opposed to secure-by-design, which is what CISIS is, they said, is crucial to drive the uptake of secure-by-design principles and practices. Too often, procurement questionnaires are filled with long lists of questions which don't always correlate with positive security outcomes. In order to achieve a future where technology is secure by design, companies buying software should have simple and to-the-point questions for their vendors.
The MVSP is an important step toward this goal. Mvsp offers a simple checklist that organizations can use to strengthen security at multiple stages to review their own well, their software vendors' security during procurement, as a self-assessment tool for their own software as part of their software development lifecycle, or as contractual controls which can go a long way toward helping ensure secure-by-design principles are followed. We're excited to join the MVSP working group to help shape the direction of the initiative going forward. The MVSP is composed of a broad coalition of technology manufacturers and the working group is open for anyone to join. Okay now, reading through the MVSP's checklist put a smile on my face.
As I mentioned at the top of the show, as I imagine it will, both its civilian and military bureaucracies might start making an adherence to these principles more than just requests, but make them mandatory for future purchases. The MVSP website is just mvspdev and they explain their mission by writing minimum, viable, secure product is a list of essential application security controls that should be implemented in enterprise ready products and services. The controls are designed to be simple to implement and provide a good foundation for building secure and resilient systems and services. Mvsp is based on the experience of contributors in enterprise application security and has been built with contributions from a range of companies. We recommend that all companies building enterprise software and notice today. Today it's a recommendation. Let's see how this evolves over time. It would be just terrific if it became more than a recommendation, so that we recommend that all companies building enterprise software and services or otherwise handling sensitive information, implement the MVSP controls and, where possible, go well beyond them in their application security programs. We welcome constructive feedback to help us continue to improve MVSP and provide a control set that meets the needs of its users. Okay, so MVSP is a list of essential application security controls that you know at the enterprise level.
Let's look at what they are disclosure policy that outlines the testing scope, provides a legal safe harbor and gives contact details for security reports. Okay, those are all things we've discussed in this podcast. Vulnerability researchers should be free, should know that they're free, to research a company's products, the security of them, while being legally protected from retribution or reprisals if they hack a supplier's product without malicious intent for the sole purpose of discovering and then responsibly reporting vulnerabilities, even if it's for pay, and responsibly reporting vulnerabilities, even if it's for pay, if it's to report them to HackerOne or a legitimate service. But the point is publish a vulnerability discovery and disclosure policy and make it clear. Also flesh out or rather fleshing that out. The MVSP lays out the required components Develop and document procedures for triaging and remediating reported vulnerabilities, Respond to reports within a reasonable time frame and patch vulnerabilities quickly. They also suggest contracting with a security vendor to perform comprehensive penetration testing of product services and dependent systems at least once a year. We know that's been done, but we know that's not probably common practice enough. So, yes, you need third-party eyes on something. Your own developers cannot aggressively test the security of the products they developed. It just doesn't work they have.
Notify relevant parties about any security breach that affects sensitive information no later than 72 hours upon discovery and upon learning any additional details of the breach. Consider reporting the breach to relevant national cyber security agencies, in line with local guidance and regulations. In any such reporting include the nature of the breach, relevant contact information, the consequences of the breach and the measures taken and needing to be taken to remediate the issue. Be certain to sanitize all storage media holding unencrypted production data. Implement single sign-on using modern, maintained and industry standard protocols for all customers at no additional cost. For all customers at no additional cost.
Redirect traffic from HTTP port 80 to HTTPS port 443. Exceptions to this are internally secure protocols designed to run over unencrypted connections you know, such as OCSP, the online certificate status protocol. That doesn't need it and I also noted whenever I've been doing digital signing of code, the connection to the timestamp server is just HTTP because it provides. It's another example of a protocol that uses its own internal security. Also, include tricked transport security header along with a long max age value and set authentication cookies as secure. We know that this prevents the browser from ever sending those cookies out over non-encrypted connections They've got.
Apply appropriate HTTP security headers to reduce the application's attack surface and limit post-exploitation. These should include setting a minimally permissive content security policy you know the CSP limiting the ability to inline frame the application by enabling framing controls with X frame options or CSP frame ancestors, and disable caching for APIs and endpoints that return sensitive data. Again, these are all things that web designers should do, but they don't unless they have to, or unless they're told to, or unless, you know, unless there's some policy to make that happen. I remember doing that for the squirrel queries and responses from the squirrel server, the squirrel queries and responses from the squirrel server, and you know it's a little nerve wracking because you're you're well sir especially nerve wracking to add them after the fact, because you're not sure what you're going to break If, if, if, maximally restrictive policies are there from the start, when you add a feature and test it and it doesn't work there from the start, when you add a feature and test it and it doesn't work, then you can look at how to make the smallest change required to loosen the policy to allow the technology you want to work to work. That's entirely different from just not having anything at all, where everything works. The problem is lots of things you don't want to have work will then also work.
And of course, the MVSP also had a lot to say about password policies. They wrote if password authentication is used in addition to single sign-on, then and we have a seller series of bullet points do not limit the permitted characters that can be used, yay. Do not limit the length of the password to anything below 64 characters. Do not use secret questions as a sole password reset requirement. Require email verification of a password change request and require the current password in addition to the new password during password change. Store passwords in a hashed and salted format using a memory hard or CPU hard one-way hash function. Enforce appropriate account lockout and brute force protection on account access and do not provide default passwords for users or administrators.
And what about the use of security-sensitive third-party libraries? You know, like Log4J, they say. Use modern, maintained and industry-standard frameworks, template languages or libraries that systematically address implementation weaknesses by escaping the outputs and inputs. Ensure third-party dependencies are maintained and up-to-date with security-relevant updates, having a security score of medium or higher, applied in line with your application patching schedule. Upon becoming aware of a known exploited vulnerability you know that's CIS's KEV collection affecting a third-party dependency, the patch should be prioritized.
Where dependency patching or upgrades are not possible, equivalent mitigation should be implemented for all components of the application stack, and so we can sort of group all of this as things that somebody trained in modern security measures would know, but also things that are, you know, not fun to spend time on. Right, it's like, gee, what did you do all last month? Well, you know, I brought us more into compliance. What? Well, you know what new functions work as a result? Well, none, but we're more in compliance than we were. The point is, you know, it's thankless, right? It's not until everybody around you gets attacked and hacked and you don't, that you begin to look like a star.
So, anyway, hardly surprising, these guys are also big fans of logging, recommending that logs be kept of all authentication events, both successes and failures, and I thought that was interesting. You know. Log all security-relevant configuration changes, including, of course, disabling of logging. And log application owner access to customer data to provide access transparency. Owner access to customer data. To provide access transparency. The logs must include the user ID, who is involved, the IP address from which anything is happening, a valid timestamp, the type of action performed and the object of the action Logs must be stored for at least 30 days at no additional charge. I thought this was interesting to the client or customer.
We know that we've recently seen instances where some cloud providers said well, actually Microsoft in particular yeah, we'll provide you with more advanced security logging, but that's an extra cost option and, as we know, they've backpedaled on that a bit. And not surprising. The logs? The logs should not contain sensitive data or payloads. And though it barely needs saying, they recommend using current maintained industry standard means of encryption to protect sensitive data in transit between systems and at rest in all online data storage and backups. And when vulnerabilities are found, they say produce and deploy patches to address application vulnerabilities that materially impact security. Within 90 days of discovery For vulnerabilities with evidence of active exploitation, production and deployment of patches should be prioritized. Okay, that one is a duh. And finally publish a security bulletin that details the vulnerability and its root cause.
If the remedy requires action from customers, we've seen many instances where permissions were far too open. We've noted that nothing breaks when everything, when everyone can access everything. So it's often discovered after a breach of some kind that the source of the breach was overly permissive access controls. So they write. Limit sensitive data access exclusively to users with a legitimate need. The data owner must authorize such access. Deactivate redundant accounts and expired access grants in a timely manner. Perform regular reviews of access to validate need to know. Ensure remote access to customer data or production systems oh, I'm sorry. Ensure that remote access to customer data or production systems requires the use of multi-factor authentication. And I know, yeah, everyone knows. All of that is obvious.
I will say you know, I'm subjected to it by level three because my badge. They insist on continually expiring my badge and it's annoying because it's me and I have to make sure that I'm keeping it renewed, because if it does expire, then renewing it is a bigger pain and if I need to run over there I need to have my badge current and they're constantly expiring it. On the other hand, yes, it's more secure. If it were not just me, if it were an organization where, for example, 20 people had access, the act of having to renew all of those badges would be like oh, wait a minute, herman no longer works here. So it's yeah, I'm not renewing that badge, but if it didn't expire, your attention wouldn't be brought back to it.
So you know all of these things are. You know they're little incremental increases in pain, but they're important because they do things. So you know nobody wants to sit and make time to review access permissions. It's boring and you know it may not even be productive. You may not find anything that needs to be changed, while a million other actually important things need to be done as a consequence. Typically it never happens, but it can be a big source of problems.
So they also advise that it's important to maintain a list of third-party companies with access to customer data, which can and will be made available to clients and business partners upon request. And what occurred to me is, since that list, providing that list might be embarrassing if, for example, it were to contain the names of contractors who were no longer affiliated with the organization. This also again forces a review and provides some incentive to remove access once relationships have terminated and instances where the access doesn't, you know, remove itself. And again, through the years we've seen that you know instances where that not happening has come back to bite companies and since it often doesn't happen automatically, it's another of those things that often falls through a crack.
They close this comprehensive list of you know of things that, as I said, everybody knows would be good to do, but many organizations are still not doing. By reminding about the need for an importance of backups, they recommend not only securely backing up all data to a different location. You know, leo, this is your standard. You know three, three, three or whatever it is, backup system Three two, one yes.
Three, two, one. Right, I knew there were some numbers involved.
And you know, we all know that everybody would like to be in full compliance with these guidelines, and we also know about inertia and that few things change on their own for the better or, for that matter, change at all. It is for this reason that these MVSP guidelines exist, and it's the reason CISA has added their name to the group's growing list of contributors. The bottom line is that doing all of these things would come at some cost, and most businesses are looking for ways to cut costs rather than ways to incur additional expense. And the businesses don't pay the price until they get bit by a security problem. So it's going to be a difficult lift, but at least now all of these useful concepts have been pulled together in a single place, mvspdev. And if at some point world governments were to require compliance, well then everyone who wanted to sell to those major markets would need to clean things up, and that would help everybody well, it's a step yes and it just it is.
You know we're not going to get there without it, right? It doesn't mean we're going to get there with it, but you know it's better to have it than not, right, right?
1:48:00 - Leo Laporte
good job, mr g. You did it again and released 6.1, which is also pretty hot.
1:48:08 - Steve Gibson
Thank you yeah.
1:48:10 - Leo Laporte
Steve Gibson is the guy in charge at GRCcom. That's the place you go to get Spinrite 6.1, the world's best, and it just got a lot better. Hard drive mass storage maintenance and recovery utility 6.1 is available at GRCcom A free upgrade for those of you with 6.0. Check it on out. You'll also find the podcast there. He's got a whole page devoted to security now, including the show notes, which he does really well. They're fully linked and all the information is there. He also has transcripts there, written by Elaine Ferris, so they're very, very good, and he has the 64 kilobit audio version of the show plus a 16 kilobit audio version for the bandwidth impaired. All that at GRCcom. Check out everything else, not just Spinrite, but Shields Up and all the other great stuff Steve does, including that validator program. You did Valid Drive for USB drives, which I'm sure is a very hot item right now on your site. Yeah, make sure you get what you paid for.
We have audio and video at our website, twittv slash SN. There's also a YouTube channel for the video, which is very useful, even if you subscribe and you get the show and so forth. But if you want to share clips, it's absolutely the best way to do it. Youtube makes that very easy. Of course, subscribing and your favorite podcast player is probably the best way. That way you'll get it automatically the minute it's available, right after we record, which we do every Tuesday after MacBreak Weekly, which ends up being around 1 30 to 2 PM Pacific time. That is roughly four 30 Eastern. It is roughly 2030 UTC.
You can watch us do it live. If you can't stand waiting for the edited version, we stream on YouTube for all of our shows as we're doing them. Yeah, just go to youtubecom slash twit. If you subscribe, you'll get a notification when we go live, but subscribing is probably the easiest. Go to youtubecom slash twit. If you subscribe, you'll get a notification when we go live, but subscribing is probably the easiest thing to do. You don't have to think about it, you just get it automatically. Steve, I will be back east next week, but I'll still do the show, but I'll be doing it from mom's house.
1:50:13 - Steve Gibson
Yep neat.
1:50:14 - Leo Laporte
Yeah, it'll be fun and looking forward to seeing her. And it's fun to do the show remotely. It's good practice. You know, I've got all the equipment out there. I don't have to schlep it with me anymore. This makes it very easy. Nice, I will see you next Tuesday.
1:50:28 - Steve Gibson
For episode 970,. My friend, we are closing in on 999, and the good news is, when that overflows into a fourth digit, I'll still be here.
1:50:42 - Leo Laporte
We can do hex.
1:50:45 - Steve Gibson
I just want to throw that out there. Oh, let me tell you, I've heard so many ideas. Oh, my goodness, how about let's make them negative and go down? We could do negative, one negative, that's right. Episode minus 427.
1:50:59 - Leo Laporte
That would be funny, that's right.
1:51:01 - Steve Gibson
Well, it would give us more three-digit numbers.
1:51:05 - Leo Laporte
All right, steve, see you have a great week.
1:51:07 - Steve Gibson
We'll see you next time on Security. Now have a great trip. We'll talk to you next week from Boston, bye.