Security Now Episode 865 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for Security Now. Steve Gibson is here. We've got a new Java framework flaw called Spring4Shell to talk about. Yes, Steve's gonna issue a slight spanking to Wyze. There's a three-year flaw in their cameras, unpatched until January. How did that happen? And then a new way to log in to servers. It's a lot easier. It's called port knocking, but is it safe? Steve explains all, next on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 865, recorded Tuesday, April 5th, 2022: Port Knocking. Security Now is brought to you by Bitwarden. Get the password manager that offers a robust and cost-effective solution that can drastically increase your chances of staying safe online. Get started with a free trial of a Teams or Enterprise plan, or get started for free across all devices as an individual user at bitwarden.com/twit. And by ITProTV. Give your team an engaging IT development platform to level up their skills.
Leo Laporte & Steve Gibson (00:01:20):
Volume discounts start at five. Go to itpro.tv/securitynow. Make sure to mention SN30 to your designated ITProTV account executive to get 30% off or more on a business plan. And by Kolide. Get endpoint management that puts the user first. Visit kolide.com/securitynow to learn more and activate a free 14-day trial today, no credit card required. It's time for Security Now, the show where we cover your security, privacy, and safety online with Steve Gibson of the Gibson Research Corporation. Hello, Steve. Steve, I'm coming, I'm coming up with some sort of "let's get ready to secure" or something. I don't know.
Leo Laporte & Steve Gibson (00:02:07):
Yes. Just before we hit 999, we'll come up with a slogan for that. That's right, the show. Well, we have a slogan: What could possibly go wrong? Yes, that's a great slogan. I think that's probably the best thing ever. Yeah. So we're at, oh, are we at 864, 865? I got 864 in the show notes. Oh, at the top of the show notes. I don't know. It says 865 in all of my stuff. Good. I think I just didn't update the title page or the title of the show notes. So everyone ignore that. It is definitely April 5th though, that I'm sure about. We're gonna examine a critical Java framework flaw that's been named, of course, Spring4Shell because it's mildly reminiscent of Java's recent Log4j problem, or Log4Shell problem. We'll also take a look at the popular QNAP NAS devices and several recent security troubles there.
Leo Laporte & Steve Gibson (00:03:10):
Sophos has earned themselves an attention-grabbing must-patch-now 9.8 CVSS vulnerability. And it didn't take long, like about 10 days, for that theoretical browser-in-the-browser spoof that we talked about to become non-theoretical. It's now in use. There's more worrisome news on the NPM supply chain package manager exploitation front. The nightmare FinFisher spyware firm happily bites the dust, and some of the young hackers forming the Lapsus$ gang have been identified. Squarely in the doghouse this week is Wyze, whose super popular webcams have problems which are just as serious as those of the company itself, it seems. And oh my God, the authentication bypass details, which I will share, are so wonderful. Then after a little bit of closing-the-loop feedback from our listeners, I wanna talk about and put the idea of strong service concealment on everyone's radar.
Leo Laporte & Steve Gibson (00:04:30):
Thus the title for today's podcast is Port Knocking. It's not a new idea by any means. The articles and conversations about it typically have dates like 2008, but the concept is really clever. I think I've always thought it was cool and useful. And in today's world there's, I think, more reason than ever for ports and the services behind them that are not actively soliciting public traffic, you know, like a public web server does, you know, things that are like, you know, you wanna log onto your own LAN or NAS sort of thing. If you don't need to publicly expose ports, there's just so much reason to keep them completely locked and hidden. And it turns out there are a number of ways this can be done. Linux now has a port knocking technology built into it. DD-WRT, OpenWrt, there's a lot of ways to do this now.
Leo Laporte & Steve Gibson (00:05:39):
So I just kinda wanted to talk about this, the idea that there is a way for you to be remote from your location, have no exposed, open ports, yet by knocking in a certain way, have the ports opened only to you at your IP and only for as long as you want them to be. So I think overall a really interesting podcast for our listeners. I hear you knocking, but you can't come in. Actually, if it's me knocking, let me in, right. It's okay. Yep. It's you knocking on you. This is not a security vulnerability, although I suppose it could be. We'll find out. We're talking about the best, probably the best thing everybody can do as an individual to protect themselves online, and that's get a password manager. And I am often asked, all the time really, about what password manager I should get.
Leo Laporte & Steve Gibson (00:06:39):
And I'll tell you what I tell people, and what I've been telling them of late, is open source. It's free for individuals. It's really secure. It's Bitwarden. Bitwarden. It's the only open source cross-platform password manager that can be used at home, at work, or on the go. It's trusted by millions. And it lets you do what everybody should be doing, which is generate long, strong, unique passwords for every single occasion. You don't have to remember 'em. You store 'em in the tightly encrypted Bitwarden vault, and they're there whenever you need 'em. All autofill. They've got plugins for all the browsers. So you don't ever have to worry about remembering these passwords, which means you don't have to reuse passwords. That's so important. And I'll tell you what, for businesses, it's really, every organization needs to use Bitwarden. The Bitwarden organizational account is really cool because it starts with a personal vault.
Leo Laporte & Steve Gibson (00:07:38):
So all your employees, you'll tell 'em, look, Bitwarden, it's free, it's open source, create the personal vault, and then we will invite you to the organizational vault, and you get really the best of both worlds. You get protected business passwords, stored notes, all the secure stuff. I put my driver's license, my passport, my Social Security, everything in there where it's completely secured, but then you also completely, you know, it's in the same interface, but separately, have your personal information. I think this is a great idea. And I'm a geek, you know, so I'm really excited about this new feature Bitwarden just added: a command line interface. Actually, they've had a Linux command line version for a while, but now they have a new command, serve. And what that will do is start a local Express web server and enable RESTful API calls.
Leo Laporte & Steve Gibson (00:08:33):
So for interactions with the encrypted vault, which is a very clever and secure way. You know, sometimes people talk about the browser extension as being potentially problematic. This is a great way to integrate Bitwarden into your existing systems and tools. And it means automations and processes will be open and available to you. It's, again, open source, got a great API. So I'm very excited about what the developer community's gonna do with this. Could not be easier to switch to Bitwarden, by the way, if you're using any other password manager. I switched from LastPass. But if you're using Dashlane, 1Password, it's easy to export, or even from browsers, which by the way you probably ought to do. I don't think it's ever really a good idea, despite what Tavis Ormandy says, to let the browser handle your passwords.
Leo Laporte & Steve Gibson (00:09:24):
I think you need a password manager. You can suck it right out of your browser into your password manager and delete it from your browser. That's a really good idea. Last month Bitwarden started a phased rollout of something else new: account switching. This has just been added to mobile applications. Yes, they have applications for iOS, for Android, for Linux, Mac and Windows. Needless to say, with account switching, you can log into a total of five Bitwarden accounts and easily switch between them without logging out and logging in again. So that's a really even nicer way of separating the work and the home Bitwarden vaults. I just think Bitwarden's great. And if you have a business, you've got to have it. Completely customizable, it adapts to your business needs. They have a feature called Bitwarden Send, a built-in, fully encrypted method to send, transmit, sensitive information. This time of the year,
Leo Laporte & Steve Gibson (00:10:17):
and right now, tax forms. You wouldn't wanna be sending those through email or text. Use Bitwarden Send. The other end does not have to have a Bitwarden account. It's fantastic. Of course, Bitwarden lets you generate unique secure passwords for every site. Enterprise-grade security that's GDPR compliant, California privacy, obviously, compliance, CCPA, HIPAA, SOC 2. And by the way, because of the way Bitwarden works, it mitigates phishing attacks in your business too, because it will not autofill a phony website that looks just like the real thing. The user might, but Bitwarden knows better. So Bitwarden, because it's open source, is free to individuals. If you want it for a team, the Teams organization option is three bucks per month per user, which is great because it's a great way to share private information with coworkers, departments, and an entire organization.
Leo Laporte & Steve Gibson (00:11:12):
If you're a bigger business, you might wanna look at the Bitwarden Enterprise organization plan, just $5 a month per user. And of course, because Bitwarden's open source, and they're very clear about this with me, they have no business model that forces people off the free tier. You can use your basic free account forever for an unlimited number of passwords. I personally, I pay for it, 10 bucks a year for a premium account. I just wanna support 'em, but you don't have to, and you never will. So if you've been kind of, I don't know, cheesed off by companies that take their free tier and say, oh yeah, you can't hardly use it, or now it's time to pay, not with Bitwarden. They also have a plan for families. You might wanna look at the Family organization plan: $3.33 a month gives you up to six users.
Leo Laporte & Steve Gibson (00:11:58):
It's a very nice way to kind of get premium features for an entire family. Look, we talk about password managers all the time. The one you should use, the one I use, is the only one I use, Bitwarden. It's the only open source cross-platform password manager you can use at home, on the go, at work, trusted by millions of individuals, teams, and organizations worldwide. Get that free trial. You can start it right now with a free trial of Teams or Enterprise plans. Of course, it's free forever across all devices as an individual. bitwarden.com/twit. Big fan of this team, of their product. I just couldn't be happier. It's nice to be happy with the password manager you use, right? 'Cause you use it all the time. bitwarden.com/twit. Thank you, Bitwarden, for supporting Security Now. And thank you, Security Now fans, for supporting Steve by using that address, bitwarden.com/twit. Picture of the week.
Leo Laporte & Steve Gibson (00:12:54):
Yeah, this was one that I had in the collection. I just, it's just sort of fun. Anyone who has actually spent time programming will probably get a sense for this. The picture just depicts your kind of typical programmer dude. We've got some energy drink cans on the desk, a coffee mug that looks like it's got some coffee dripping down the side, some crumpled-up pieces of paper. Of course, you have to have the yellow Post-it notes stuck everywhere, on the margins of your monitor. And crumpled-up paper, more qualified. Yeah, yeah. And energy drinks. Yeah, yeah, yeah. So at this moment we catch him with his, you know, raising both fists in the air, celebrating. He's like, got some success, and he says, wow, a different error message. Finally, some progress. We made progress.
Leo Laporte & Steve Gibson (00:13:49):
It's like, he's been like, what is wrong? No matter what he tries, he just keeps getting the same error message. Oh look, it just changed. Okay, we're getting close. I've got another one. I don't know if you ever get this, but I'm still working on the Advent of Code problems, you know, off and on. They're really fun programming... Oh my, yeah, yeah, yeah. Really. This one's a, the day 19 was a challenge. But, well, and Leo, I've always told people the best way to learn a language is to use it to solve problems. Yeah. And these are hard problems. So something worked by accident. Do you ever have that happen, where I went, this shouldn't work, but it does? And then I tried it with different problem sets and different, and it works. I'm not sure why it works.
Leo Laporte & Steve Gibson (00:14:38):
No, I've had that. In fact, there have been times when I've written a huge amount of new, like SpinRite code, for example, and, you know, it assembles correctly, no syntax errors. And then I launch it and it like goes, and it's like, wow, I'm not sure I trust it. 'Cause it's easy. I have to pay a bigger price in order to have it all work correctly. Absolutely. Absolutely. Well, last week we noted Chrome's second zero-day of the year and titled last week's podcast Targeted Exploitation, with information, thanks to Google's Threat Analysis Group research, which documented the details of the exploitation of Chrome's first zero-day of the year. This week we switch to Apple, who last Thursday pushed out patches for its own fourth and fifth zero-days of the year. Last year, Google had a total of 16 for Chrome and Apple was at 12 for the year.
Leo Laporte & Steve Gibson (00:15:48):
So for Apple to be already at five by the end of the first quarter suggests a run rate that might break both of their 2021 totals. We'll see how that goes. Anyway, the fourth and fifth patches, which again, zero-days, cover iPhones, iPads, and Macs. And these are true zero-day flaws since, in their typically obscure way, they said that the issues may have been actively exploited. May. Okay. So why the emergency? I mean, this was a, you know, get-this-out-now level patch. Anyway, in any event we have an out-of-bounds write issue in the Intel graphics driver that allows apps to read kernel memory, you know, and that's never what you want. And an out-of-bounds read issue in the AppleAVD, that's the audio video media decoder, that will enable apps to execute arbitrary code with kernel privileges.
Leo Laporte & Steve Gibson (00:16:57):
Both bugs were reported by anonymous researchers and resulted in iOS and iPadOS both moving to 15.4.1, and macOS Monterey to 12.3.1. The first flaw was fixed by improving input validation, is all they said, and the second by improving bounds checking. So, okay, we'll see how Apple goes with the rest of the year. Another worrisome vulnerability in a Java framework has surfaced. The cybersecurity firm Praetorian said that the flaw impacts Spring Core on Java Development Kit versions 9 and later. It's a, and this is odd too, it's a bypass for another much, and I mean much, older vulnerability from way back in 2010. That one was tracked as CVE-2010-1622. And yes, only four digits, those quaint days when we only needed four digits to number our 10,000 security flaws.
Leo Laporte & Steve Gibson (00:18:16):
Yeah, what happened to that? If exploited, this bypass enables an unauthenticated attacker to execute arbitrary code on the target system. It's of course a remote code execution, RCE. And unfortunately a Chinese security researcher briefly posted a working proof of concept for this exploit to GitHub before deleting the account. But as we know, that doesn't take long; nothing remains hidden on the internet. So indeed the proof of concept code was quickly shared in other repositories and tested by security researchers who confirmed it was a legitimate exploit for this new, potentially severe, and previously unknown Java vulnerability. So it had been patched in 2010, but there was another way to get to it or something? Yes, exactly. So probably not fixed the way we would've wished, which is to say, it would stay fixed. This was a bypass around the way it was fixed.
Leo Laporte & Steve Gibson (00:19:26):
So Spring is a software framework for building Java applications, including web apps, on top of the Java EE, the Enterprise Edition, platform. Researchers who've looked at it have said that in certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send an HTTP, you know, a standard web query, to a vulnerable system. However, exploitation of different configurations will require the attacker to do a little additional research to find payloads that will be effective. So in that sense, it does feel like the Log4j, which as we know turned out to be like the end of the world, because it wasn't just drop-dead simple for script kiddie weenies to, you know, massively exploit. It really required more expertise. The Spring framework's maintainers, Spring.io, which is a subsidiary of VMware, last Friday released emergency patches to fix this so-called...
Leo Laporte & Steve Gibson (00:20:39):
And it actually has been called Spring4Shell. You know, it's a zero-day RCE. Well, that's what they're calling it. And I was trying to decide whether this would really be a zero-day if it wasn't being actively exploited in the wild against victims. And, you know, we know that Microsoft has a different, has their own definition for zero-day. Normally we reserve the term, and we're trying not to overuse it by making it overly broad, to be like, oops, we learned about this because we saw it being used. That's clearly a zero-day. So this is kind of a gray area because the exploit has been publicly disclosed. And I imagine that in the next week or two, I'll be saying, ah, yeah, it went from public disclosure to weaponized. But anyway, I think that since a public proof of concept exploit exists before a patch is ready, and there's no, actually a patch just happened.
Leo Laporte & Steve Gibson (00:21:41):
But certainly the proof of concept had existed for some time. It probably qualifies as a zero-day. There was also some confusion because two other related vulnerabilities in that same Spring framework were also disclosed last week. There was a DoS vulnerability, you know, meaning you can crash the thing, and the Spring Cloud expression resource access vulnerability. And I didn't dig into those, 'cause they've been patched, and it's like, okay. And they're unrelated to this one. So there's also been some questioning about just how bad this RCE really is. You know, the concern is that it's in use by enterprises for all kinds of their own custom server things, which means that it's, you know, who knows what's wrong with any particular enterprise's implementation. After an independent analysis, Flashpoint said, quote, current information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the, and here it is, the deserialization utils, something already known by developers to be dangerous.
Leo Laporte & Steve Gibson (00:23:03):
Okay. But that doesn't mean developers aren't using them, because they're there, right? It's an API. Oh look, this does what I want. Let's, you know. So again, it's not like developers are nearly as security-focused as we are and the group listening to this podcast is. And, you know, we've talked a lot about the dangers of deserialization. Java is an object-oriented language, which means that an object is a complex, well, or at least can be, typically is, a complex data structure. So how do you store such a thing? The way you store it is you serialize the object into a byte stream, you know, a blob, which you then store. And in order to later restitute the object into a form that Java can use, you need to deserialize the blob, and a deserializer is inherently an interpreter of the byte stream.
Leo Laporte & Steve Gibson (00:24:05):
And as we know, naive interpreters are written to assume that they will only ever receive a valid deserialization stream to deserialize. In fact, in an interesting twist, we're gonna see that this Wyze cam authentication flaw is just sort of like that. The guys that designed the handshake just assumed you'd be a valid handshaker. But no. Anyway, the security firm Rapid7 said that despite the public availability of proof of concept exploits, it's currently unclear which real-world applications use the vulnerable functionality, which is really just to say, we don't know yet. You know, this just happened. So, you know, we need exploits, you know, we need actually to have some problems before we know. And they said configuration and JRE version may also be significant factors in exploitability and the likelihood of widespread exploitation. However, CERT/CC's oft-quoted vulnerability analyst Will Dormann...
Leo Laporte & Steve Gibson (00:25:24):
He tweeted, he said, the Spring4Shell exploit in the wild appears to work against the stock handling form submission sample code from Spring.io. If the sample code, he says, is vulnerable, he said, then I suspect there are indeed real-world apps out there that are also vulnerable to remote code execution. And I think his logic is exactly right. You know, the developers, again, they're just gonna take the sample code, which is obviously using the deserialize utils, and, you know, like tweak it, change the name to their company and whatever. So the flaw was assigned a CVE with a CVSS of 9.8. So that's meant to grab everyone's attention. And yesterday, so Monday, VMware published security updates to remove the flaw from their Spring.io subsidiary's code. As we all also know, you know, publishing the update is different from having it deployed on a server that's out in the field.
Leo Laporte & Steve Gibson (00:26:36):
And this is all just very fresh. So as I said, I expect in a couple weeks, much as we'll be talking about the exploitation of the browser-in-the-browser flaw that was theoretical two weeks ago, not anymore, so I think the same thing will probably be happening here. Between the initial discovery of the vulnerability and yesterday's patch publication, exploitation of the vulnerability, where possible, appears to have taken off, at least as much as for the CVE to get a 9.8. So it's considered to be of critical importance to anyone using this Spring framework. If you're responsible for it, or you know that your organization uses it, definitely go get VMware's update and fix this. It impacts Spring, being a framework of the MVC style, the model-view-controller approach, and also Spring WebFlux apps running on JDK 9 and later are vulnerable.
Leo Laporte & Steve Gibson (00:27:51):
So definitely worth doing. Okay. We recently talked about the denial of service bug that Tavis Ormandy and Chrome's TLS guy together worked to discover in the OpenSSL library. Remember, that's the one which results in an infinite loop and essentially processor capture when processing client certs that have been deliberately manipulated to use specific elliptic curve crypto parameters. Among the many companies whose products can likely be hung when they receive such a maliciously crafted client cert is the Taiwanese company QNAP, which last week revealed that a selected number of its network attached storage appliances were in fact vulnerable to this OpenSSL problem. Last Tuesday, their advisory said an infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS. If exploited, the vulnerability allows attackers to conduct denial of service. So, you know, that's not the worst of all possible outcomes, you know?
Leo Laporte & Steve Gibson (00:29:09):
Yes, your NAS goes down, but it doesn't go down in a way that lets any bad guys get in. So, okay, it sort of sacrifices itself. I have a list of the affected QTS and QuTS versions, but QNAP doesn't yet have any patches available. Anyway, the good news is, as I said, the only thing an attacker can do is to hang your NAS, which you then reboot and it's back up until they hang it again. And they could only do that if TLS connections are being accepted from random IPs out on the public internet, and everyone knows that's never a good idea, right? QNAP keeps being somewhat of a mixed blessing. As I've looked through some of the back-and-forth conversations that surround its various problems, I see that its users generally love their devices, you know, despite them having had more than their share of security troubles, even just this year.
Leo Laporte & Steve Gibson (00:30:18):
I mean, we've been talking about QNAP vulnerabilities for years. QNAP is currently working to catch up to the OpenSSL DoS flaw, which is only a couple weeks old, but they're also still working to patch that recent Dirty Pipe Linux kernel flaw from earlier in March, which also currently has no mitigation on QNAP's NAS devices. The good news there is that at least it's only a local privilege escalation vulnerability. On the other hand, if you're in a big enterprise and you're not able to trust all the people on the inside of your network, the fact that it's only local doesn't, you know, provide much comfort. And it's not QNAP's fault about the OpenSSL side, at least. Well, actually even this Dirty Pipe, 'cause, you know, both of these problems arise from the Linux kernel that it's built on. So, you know, everybody who was using the Linux kernel with those problems would've been subjected to these potential vulnerabilities.
Leo Laporte & Steve Gibson (00:31:26):
But more than that, attackers have been pummeling QNAP devices all year with both ransomware and brute force attacks, to the point that the brute force attacks prompted QNAP to urge its customers to remove their internet-exposed NAS devices from the internet. In late January, QNAP force-pushed an unexpected and not entirely welcome update to its customers' NAS devices after warning them that the DeadBolt ransomware was mounting an offensive aimed at QNAP's users. So on top of everything else, these users are targets. And just two weeks ago, reports surfaced that the DeadBolt ransomware was at it again in a new wave of attacks against QNAP. And last August, two vulnerabilities that could result in remote code execution and denial of service, respectively, prompted emergency patches by QNAP. Now, interestingly, this broader topic, and I think this is probably what made me think of it actually, of today's topic, this, you know, the broader topic of the dangers of public port exposure, which QNAP perfectly evidences, serves as a perfect lead-in to today's discussion of port knocking.
Leo Laporte & Steve Gibson (00:32:57):
The idea being that there is a way, and it's hosted on Linux, so QNAP could use it, of completely blinding the public internet to the presence of open QNAP services except to people who know the secret knock, which we'll be talking about later, both pros and cons, because port knocking has had some people saying, eh, it's just security through obscurity. I'm not sure that I buy that. Okay. Sophos has a 9.8. Last week cybersecurity firm Sophos warned that a recently patched critical security vulnerability, you know, and that's the way you wanna start these notices about a 9.8, that it's recently patched, good, better than, you know, we don't have any fix for it yet. A recently patched critical security vulnerability in its firewall product was now being actively exploited in real-world attacks. Well, that's not what you wanna say. But that flaw, CVE-2022-1040, sports, as I said, the attention-grabbing CVSS of 9.8 and impacts Sophos Firewall versions 18.5.3, also known as 18.5 MR3, and earlier.
Leo Laporte & Steve Gibson (00:34:34):
And what you never want to hear is that it's an authentication bypass vulnerability in the user portal and web admin interface. You could argue that the user portal needs to be open and running on the public side. Web admin, eh, you know, I have to be convinced, but once again, there's a way to protect that. And still worse, when it's exploited, this particular 9.8, thus the number, allows a remote attacker to execute code of their choosing. And obviously, since it's under exploitation, the bad guys are aware of it. Sophos's security advisory said Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. So clearly they've got some telemetry with their product, which has allowed them to determine, whoops, this is happening, and nice of them to let their customers know. And, you know, as for doing it right, the flaw was addressed first in a hotfix that is automatically installed for customers who have the "allow automatic installation of hotfixes" setting enabled.
Leo Laporte & Steve Gibson (00:36:00):
And I recognize, we've talked about this a lot, that the whole issue of automatically pushing updates for security vulnerabilities is a bit controversial. I would argue it's becoming less controversial with time. But at least in this instance, having Sophos taking responsibility for and maintaining their firewalls, to me, sure seems like a good idea. Our operating systems are doing it now. Our mobile device platforms are doing it now. You know, pushing that out one level or layer to the firewall that's in front of the operating systems, that seems like a good idea, especially when it's also in front of a whole, potentially a whole organization. If it were mine, I'd be inclined to let Sophos autonomously maintain the firewall whose code they created in the first place. And, you know, I'm sure it's signed and authenticated, and there's no way for it to be spoofed.
Leo Laporte & Steve Gibson (00:37:00):
And yes, it's true, if they suffer a break-in, bad guys could potentially poison the source of the updates and push that out. So there's the downside of that, but on balance, probably a good idea. And not surprisingly, until the firewall is updated one way or the other, if a user goes and gets it themselves, they recommend that their users disable WAN access to the user portal and the web admin interfaces. And I would wonder why. Certainly those should not be enabled unless they're absolutely needed. And in a statement about both their integrity and their commitment to doing things right, and the severity of the issue, they've also provided updates to many earlier, past end-of-life versions of their firewalls and firmware. Sophos said users of older versions of Sophos Firewall are required to upgrade to receive the latest protections and this fix. These things were past end of life, and they thought, okay, this is bad enough, we're just gonna fix those. And as we'll be seeing, that's a choice that Wyze did not make with their cameras.
Leo Laporte & Steve Gibson (00:38:22):
Leo, a choice I'm gonna make is to have a sip of water. Our show today, thank you Steve, is brought to you by ITProTV. Love IT pros, right? Where would we be without them? And if you've got a team of IT pros in your business, you know they keep everything going just right. Your team, though, needs to keep IT skills up to date, right? To continue to ensure your business's security, safety, its success. The good news is ITProTV's a great place for people with IT teams: great training, lots of information, fun, engaging. You might say, well, I don't care if it's fun. Yes, you do. You want it to be engaging so that you or your employees will wanna watch it. In fact, the good news: 80% of all users who start a video on ITProTV actually finish it.
Leo Laporte & Steve Gibson (00:39:23):
It is engaging. It's informative. You get what you need from it. It doesn't waste your time. It drives me crazy, I'll watch YouTube videos and it takes 'em 10 minutes to get to the point. Not ITProTV, they get right into it. You'll enjoy learning on the platform. Your team will enjoy it and they will get the tools they need to make your business thrive. Binge-worthy content. And man, is it up to date. ITProTV has seven studios running all day, Monday through Friday. Content from the recording studios goes into the library within 24 hours. 5,800 hours now of incredibly, wonderfully done training in every area of IT: Microsoft, Cisco, Linux, Apple, security, cloud, soft business skills. You can get training and search for your team, all done in one place, 'cause they've got every vendor, every test, everything you need. This is a constantly changing industry.
Leo Laporte & Steve Gibson (00:40:23):
And if you listen to this show, you know that there are new security threats all the time. You can't rest on your laurels. Your team needs to be always learning. Ongoing education's a big part of keeping an IT team working. With ITProTV, you'll love the dashboard for the business plan. You can track team results, manage seats, assign and unassign team members. And you can do it very granularly. You can assign full courses or individual episodes within a course. Every course, by the way, has a full transcript, so it's easy to find the portion of the course that you want to brush up on and go right to it or assign it. You'll get metrics like logins, viewing time, tracks completed. You can have users in a big clump or you can have subsets of users, so you can have customized assignments. You can, of course, monitor progress.
Leo Laporte & Steve Gibson (00:41:10):
You'll get usage reports, so you know whether it's worth the investment. I think your team's gonna love it. I know you're gonna love the results. And of course we always talk about ITProTV's individual plans. It's the best place to get IT training, whether you're getting into the business and you want to get those initial certs, or you've been in the business for a while and you want to get new skills. Give your team the IT development platform they need to level up their skills and enjoy the journey. That's what I love about ITProTV. They've got an ITProTV enterprise plan for teams of two people to a thousand people. Volume discounts start at five seats. Man, I'm gonna get you an even better discount. Just mention SN30, Security Now 30, for a 30% discount on a business plan. Go to
Leo Laporte & Steve Gibson (00:42:01):
ITPro.tv/securitynow. ITPro.tv/securitynow. We've known these guys since they first started. I am, you know, a friend and a fan of them, and I really encourage you to check 'em out. ITPro.tv/securitynow. Okay, Steve, let's go on with the show. Oh, let me turn your mic on. That'll help. Okay. There we go. That's one way to fix the bit loss, just to turn the mic off, right? Yeah. I can't read his lips. No, don't know what he's saying. Okay. So last Thursday, the US CISA ordered federal civilian agencies to patch not only that critical Sophos firewall bug we were just talking about, you know, presumably if they don't already have auto update enabled, but in addition seven other vulnerabilities, and the federal civilian agencies have three weeks, or until April 21st, to get them all patched.
Leo Laporte & Steve Gibson (00:43:11):
And CISA says all eight of these vulnerabilities are under active exploitation. We know that the Sophos one is. Well, in addition to the Sophos problem, the CISA also ordered federal agencies to patch a high-severity arbitrary file upload, that doesn't sound good, vulnerability in the Trend Micro Apex Central product management console that can similarly be abused in remote code execution attacks. Two days earlier, Trend Micro said that it had observed at least one active attempt of potential exploitation. Okay, which sounds a little bit like they're hedging, but you know, I'm sure they know that this is actually happening. And the list of eight total, you know, you-must-patch-these commandments includes the need to patch a different QNAP NAS problem than the one we were just talking about. An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3, which is their Hybrid Backup Sync. When exploited, that vulnerability allows remote attackers to log into a device.
Leo Laporte & Steve Gibson (00:44:28):
So I suppose it's no surprise that, you know, QNAP is being targeted as much as they are. Anyway, when I was looking over this list, I did a double take, since two of the eight CVEs which CISA says are currently under active attack are dated 2018, and one is back from 2014. The two from 2018 are for Dasan GPON routers. And I'm sure we talked about this back in 2018, 'cause I remember the GPON stands for gigabit passive optical network routers, G-P-O-N. And they suffer from, again, a long-since-patched command injection vulnerability and authentication bypass vulnerability, two different problems currently under attack that have long since been patched. But again, it's a router, so you can kind of see it, like, you know, in a forgotten closet somewhere, just sitting there doing its job, hosting all kinds of cryptocurrency miners.
Leo Laporte & Steve Gibson (00:45:40):
And then who knows what else? Okay. The CVE from 2014 is a bit startling. 2014, it's CVE-2014-6324. So the year gets assigned when it's discovered. So, right. So it's been eight years. Yes, eight years, this thing. And it's like in use now, it's being, like, sure it is, they're seeing people. It's only good for this thing. Yeah. Oh boy. Its description in the National Vulnerability Database says the Kerberos Key Distribution Center, the KDC, in Microsoft Windows Server 2003 Service Pack 2, Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2 and 2008 R2 Service Pack 1, Windows 7 Service Pack 1, Windows 8 and Windows 8.1, and Windows Server 2012 Gold and R2, that's, you know, it's there, every, it's in all those, allows remote authenticated domain users to obtain domain admin privileges using a forged signature in a ticket.
Leo Laporte & Steve Gibson (00:47:02):
And I, that sounds familiar to me. I'm sure we talked about it back then. And it's been exploited in the wild since November of 2014. It's known as the Kerberos checksum vulnerability. So here we are eight years later and the US CISA feels the need to explicitly tell federal civilian agencies that they now, you know, eight years, but no, no, now you have three weeks to get that patched. You know, I'm sure all they needed was a gentle reminder. And, oh yeah, get right on that, meant to do it yesterday, you know, thanks for the reminder. Wow. Okay. Two weeks ago, when we talked about the browser-in-the-browser attack during podcast 863, it was all just theoretical. You know, remember that its penetration testing developer, mr.d0x, had simply produced a very convincing proof of concept. You know, we showed in the show notes, side by side, a real OAuth popup authentication and his faked one.
Leo Laporte & Steve Gibson (00:48:27):
And they were the same, same domain name, which was spoofed, everything. So he demonstrated that using just HTML, CSS and JavaScript you could produce an actual lookalike multifactor authentication popup. And in today's world, it took less than 10 days for that "Hey, that's a great idea" concept to become fully weaponized. Last Thursday, a Belarusian threat actor known as Ghostwriter, also known as UNC1151, had been spotted leveraging this recently disclosed browser-in-the-browser technique as part of their credential phishing campaigns, which are simultaneously exploiting the ongoing Russian invasion of Ukraine. As mr.d0x demonstrated, this technique allows a legitimate domain and popup to be shown to an unsuspecting user. Google's TAG team, their Threat Analysis Group, wrote in a posting last Wednesday that Ghostwriter was using mr.d0x's browser-in-the-browser to siphon credentials entered by unsuspecting victims. Oh, of course. Who doesn't love mr.d0x?
Leo Laporte & Steve Gibson (00:49:51):
What could possibly go wrong? Let's just show this to the world, because you know, maybe the Belarusians are out of fresh ideas for how to phish people. So the TAG team said, in early March Google's Threat Analysis Group published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Of course, God, of course, it always happens. Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click on malicious links. Financially motivated and criminal actors are also using current events as the means for targeting users. For example, they wrote, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine.
Leo Laporte & Steve Gibson (00:51:07):
Oh wow. That's just low. Good. So low. Hey, would you like your mother to be rescued? I'm a Russian and I found your mom, and you send me some money and I'll bring her home. Wow. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business-as-usual sense. So, you know, it should be no surprise, anytime anything of importance happens anywhere, the scammers surface in an attempt to leverage the event to their advantage, whatever it might be. In this case, Google's group wrote that Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites. So here we have an example of a purely theoretical proof of concept being picked up within days of its publication and quickly being leveraged to significantly increase the effectiveness of a traditional phishing logon campaign.
Leo Laporte & Steve Gibson (00:52:22):
You know, and as we discussed at the time, Leo, two weeks ago, you look at it and it's like, yeah, this says PayPal, very clear, P-A-Y-P-A-L, no typo, no, it's not Pope Pal or anything else. You know, looks great. Click that link. What could possibly go wrong? Yeah. When we first talked about npm supply chain attacks last week, the security firm JFrog had identified at the time a total of 218 malicious packages which were using a form of name collision to replace packages in the @azure namespace. By naming their malicious packages without any namespace designation, their packages might be obtained if a developer had not explicitly specified the @azure namespace as the target for their dependency. At the time, and it turned out, you know, that was true.
Leo Laporte & Steve Gibson (00:53:36):
You know, it wasn't a massive effect, but it was worrisome. And at the time JFrog had not identified the threat actor behind this npm repository attack. Now, a week later, we know more. The threat actor is named RED-LILI, R-E-D hyphen L-I-L-I. They've been linked to this ongoing large-scale supply chain campaign targeting the npm repository and have published nearly 800 malicious modules. The Israeli security company Checkmarx said, customarily attackers use an anonymous disposable npm account from which they launch their attacks, as in one account. But this time, they said, the attacker has fully automated the process of npm account creation and has opened dedicated accounts, one new account per package, thus making these new malicious packages much more difficult to spot. Checkmarx's findings build upon recent reports from, as we know, JFrog, but also Sonatype, which detailed hundreds of npm packages which leveraged the dependency confusion, typosquatting-style package replacement to target not only Azure, but also Uber and Airbnb developers.
Leo Laporte & Steve Gibson (00:55:17):
According to a detailed analysis of RED-LILI's modus operandi, earliest evidence of anomalous activity was found to have occurred on February 23rd, with the cluster of malicious packages being published in bursts over the span of about a week. Specifically, the automation process for uploading the rogue libraries to npm, which Checkmarx described as now being a factory, involves using a combination of custom Python code and web testing tools like Selenium to simulate user actions required for replicating the user creation process in the registry. So in other words, they've, you know, an actual user goes through some processes to sign up for and acquire an npm account. Well, nothing prevents all of that from being automated. You know, this reminds me of the problems we were having initially over on our web forums, right? Because you could have bots or actual users, and we have seen actual users creating accounts. So it's true, they're not a robot. When they click "I'm not a robot" they're telling the truth.
Leo Laporte & Steve Gibson (00:56:44):
Bypassing the one-time password verification barrier put in place by npm is no problem, since npm sends a one-time password to the email address the attacker's bot registers with. And what I've seen firsthand from bots registering on our web forums, they just create Gmail email accounts like there is no tomorrow. You know, typically a normal first name and then six or seven digits which they just make up at random, probably doesn't exist, create the account. Looks, you know, I mean, it is a valid Gmail account. They then register under that. The one-time verify, you know, "verify your email" goes there. They pick it up from there, plunk it into the webpage. The whole thing is now automated. So one malicious package per account, thanks to automation. Checkmarx researchers said, quote, as supply chain attackers improve their skills and make life harder for their defenders,
Leo Laporte & Steve Gibson (00:57:50):
this attack marks another milestone in their progress. By distributing the packages across multiple user names, the attacker makes it harder for defenders to correlate and take them all down with one stroke, as had traditionally been possible. So, you know, I read this as sort of the chickens coming home to roost. The npm system never had super tight security, and that was fine for a long time, but now it's not. And this is sort of, if there was a recent theme, it would be things that were okay for a long time are no longer. So the lowest of the low-hanging fruit has been picked. Now attackers are looking around for other targets and they're finding them. They're finding things that were not really deeply secured and going after those. You know, on the npm side, its lack of tight security is finally becoming a problem for it.
Leo Laporte & Steve Gibson (00:59:02):
And the only way to combat this would be to impose much more stringent strictures on account creation and content publication. And you know, like making somebody be a registered user for some length of time. The problem is I've seen that being bypassed. Over on GRC, prior to us locking things down to a much greater degree, which we finally have, when I was getting rid of old accounts there were all these bogus accounts that had been created that had never posted anything, presumably waiting for a time when they would come back later. And if there was some sort of a minimal time somebody has to be a member before they're allowed to create content, they were just letting those clocks tick, waiting for the time that they would start posting spam under those accounts.
Leo Laporte & Steve Gibson (01:00:01):
So I don't know how you solve this problem, but it really is one. FinFisher has been lurking around for years as one of the more successful and prevalent commercial spyware purveyors. Their product is called FinSpy. And the good news is that this Munich, Germany-based spyware company formally declared its insolvency last month amid an ongoing, not only amid, but due to an ongoing, and certainly unwelcome to them, if welcome for the rest of us, investigation into its business dealings. They made the mistake, FinFisher did, of selling their premier spyware product FinSpy to the Turkish government without having the legal documentation required to do so, after which their FinSpy system was used in a Turkish operation that preyed upon anti-government protestors. We talked about this at the time. Legal complaints filed by Reporters Without Borders, Netzpolitik, and the Society for Civil Rights,
Leo Laporte & Steve Gibson (01:01:19):
also the European Center for Constitutional and Human Rights, all accused FinFisher of failing to abide by European export regulations, including the requirement to obtain a permit granting trade to non-EU countries by the Federal Office of Economics and Export Control. FinSpy was created back in 2016 and has been linked to customers including the governments of Egypt, Bahrain, Bangladesh, Ethiopia, Oman, Saudi Arabia and Venezuela. According to the NGOs' investigation, they said, quote, there are urgent indications that the Munich-based company conglomerate sold the spy software FinSpy to the Turkish government without the approval of the federal government, and thus contributed to the surveillance of opposition figures and journalists in Turkey. So about a year and a half ago, in October 2020, German authorities raided FinFisher's corporate offices, two associated businesses, and the residences of directors and executives, leading to the recent announcement that FinFisher accounts were seized and operations halted. So it's very likely the end of that operation. You know, not the end of all, you know, mobile spyware sales, unfortunately, but at least one fewer.
Leo Laporte & Steve Gibson (01:02:49):
Recall that three weeks ago, during our "QWACs On, QWACs Off" episode, we mentioned the attack on Nvidia's networks and that the attackers subsequently exfiltrated about a terabyte of Nvidia's data, which paradoxically included some expired Nvidia driver-signing certificates. Those certificates were then immediately used to sign malware. And I was puzzled at the time over how and why Windows would choose to honor drivers signed by certificates that were expired at the time of their signing. That still remains a mystery. The mystery that no longer remains regards a couple of the perpetrators behind that and apparently many other very high-profile attacks, including the likes of Microsoft, Nvidia, Samsung, Okta and Ubisoft, with many of them resulting in massive data leaks. The group calls itself LAPSUS$, spelled L-A-P-S-U-S with an additional trailing dollar sign appended. And despite the trailing dollar sign and their high-profile victim list, most LAPSUS$ members are believed to be teenagers driven mainly by their goal.
Leo Laporte & Steve Gibson (01:04:16):
Actually, I don't think we can say most, 'cause we don't know how big the group is, but we found nine, seven teenagers were arrested. Yeah. Yes. In addition to these most recent two, who were age 16 and 17. They made the news last week when they appeared at the Highbury Corner Youth Court in London, charged with cyber offenses. The names of both men, being minors, are being kept private, and both were released on bail. They've both been charged with three counts of unauthorized access with intent to impair operation of or hinder access to a computer, and two counts of fraud by false representation. Additionally, the 16-year-old has also been charged with one count of causing a computer to perform a function to secure unauthorized access to a program, which, you know, is gobbledygook for "they're hackers," or legalese for "they're hackers."
Leo Laporte & Steve Gibson (01:05:19):
And the pair appears to be part of a larger group, because also last week, as you said, Leo, the City of London Police, which is leading the international investigation into LAPSUS$, announced that it had arrested seven people, all between the ages of 16 and 21, in the UK alone. In the US, our FBI is looking into the group's illegal activities and is seeking information concerning the LAPSUS$ members involved in the compromise of computer networks belonging to multiple US-based companies. The FBI said these unidentified individuals took credit for both the theft and dissemination of proprietary data that they claim to have illegally obtained. The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions. So, you know, we've got an inter-agency issue, that in the UK they're not disclosing the names of these individuals.
Leo Laporte & Steve Gibson (01:06:26):
The FBI is saying, well, thank you, we understand that, but we need to know. So I imagine that'll happen. While it's still unclear how many active members the gang has and what roles each of them play, based on Telegram chats it's believed that they at least have affiliates, if not core members, located all over the world, speaking multiple languages including English, Russian, Turkish, German and Portuguese. Their bail and release was said to have conditions. And I would bet that one of those conditions is an utter and total parental-enforced ban from any use of any internet-connected devices, you know, while this case moves through the courts. If so, that might explain why, around the time of the news of the arrests, LAPSUS$ told its nearly 58,000 Telegram followers, among whom I'm sure is the FBI, that some of its members would be "taking a vacation," unquote.
Leo Laporte & Steve Gibson (01:07:40):
But those recent arrests haven't put a dampener on the larger group's activities, because last week 70 gigabytes of data belonging to the software services giant Globant were leaked on March 30th. Globant, whose headquarters are in Luxembourg, said they're currently conducting an exhaustive investigation and that it's taking strict measures to prevent further incidents. I bet they are. It's too bad they didn't do that beforehand. Okay. And I titled this "Not So Wyze." One week ago, last Tuesday, Bitdefender published the results of their close examination of the very popular Wyze family of security- and surveillance-oriented internet-connected cams. And it will surprise no one to learn that they found problems, nor that the problems were extremely critical, given the application these webcams are typically deployed for, right? I mean, they're being sold as, let's use this for security. And as I said at the top of the show, I utterly love the details, and our listeners will too.
Leo Laporte & Steve Gibson (01:09:00):
And you will, Leo, of the authentication bypass that Bitdefender found, which I'll describe in a minute. The most distressing part of the story, well, the equally distressing part of the story, is the fact that a Bitdefender group has been working with Wyze, or perhaps better stated, attempting to work with Wyze, for three years to get these three critical problems which they uncovered resolved. Back on March 6th, 2019, Bitdefender made first contact with Wyze and asked for a PGP key via their support form. You know, and as we know, that's standard practice now. You ask a vendor for a PGP key, which will allow you to securely communicate with them, which involves the disclosure of extremely, potentially extremely, sensitive details that they don't want exposed any more than the discoverer wants exposed. No response. Oh. They waited a week. On March 15th, 2019, three years ago, a little more now, Bitdefender made a second attempt at getting in touch with the vendor.
Leo Laporte & Steve Gibson (01:10:25):
Still no response. Apparently unrelated, on April 22nd Wyze released an update for Wyze Cam v2 to version 4.9.4.37, which reduced the risk for unauthenticated access to the contents of the SD card that the camera might have, but still no contact with Bitdefender's research team. So this looks like it was just coincidental. The next day, 4.10.3.50 was released for Wyze Cam Pan v1 with the same risk reduction for unauthenticated access to the contents of the SD card. So that looked like, you know, they did the same firmware update to a different product. That was April 23rd. A month goes by, and Bitdefender thinks, well, okay, let's reserve some CVE numbers for what we will eventually be publishing. So they did that. So that's May. June, July, August, September, four months, and Wyze released a Wyze Cam v2 update that happened to fix one of the three CVEs that had been issued, but not the most critical one.
Leo Laporte & Steve Gibson (01:11:51):
September, October, burn. No. Oh, wow. Actually, along with, so that was September 24th, 2019. Now we move to November 9th, 2020, and the vendor fixed a different one of the CVEs through an app update. The next day, finally, Wyze acknowledges the reception from a year and a half before and assigns an internal contact at Wyze to deal with Bitdefender. Two days later, Bitdefender sends the advisory to them and a proof of concept. Nine months pass, silence. On August 31st, 2021, Bitdefender follows up on patch progress. Hello, is anybody there? September 13th, 2021, so what, two weeks from August 31st to September 13th, Bitdefender notifies the vendor. Oh, it actually probably was exactly two weeks. They waited, nothing happened. So they said, okay, we're gonna publish. Four and a half months pass, which brings us to January 29th, 2022. Wyze released firmware to fix the unauthenticated access to the contents of the SD card issue, which is one of the biggest problems. Okay. So that was on January 29th. Being again, like, ridiculously responsible, Bitdefender waited 60 days, from January 29th to March 29th. On March 29th, they published their report.
Leo Laporte & Steve Gibson (01:13:44):
I've said it before, and I'm sure this won't be the last time I say it again. There is something fundamentally wrong with the idea, the way we have everything set up today, that an independent security research group must expend this level of effort to not only first reverse engineer and examine a product whose security is critically important to its users, but to then face an utterly unresponsive product publisher and attempt for three years to get them to fix critical flaws in the operation of their surveillance, internet-connected webcams. And look at the catch-22 that Bitdefender is then in. The only way to leverage responsibility from Wyze, to get Wyze to get off the dime, would be to go public with the news and the details of the flaws. But doing so would immediately place all of Wyze's gazillion webcam users at significant risk.
Leo Laporte & Steve Gibson (01:14:59):
And even if details were withheld, from like a partial disclosure by Bitdefender, we've all seen many instances where just telling the bad guys where to look for vulnerabilities is all that's necessary. Those wearing black hats could certainly follow in Bitdefender's footsteps. So Bitdefender had little true choice other than to wait and push and poke and prod and hope that Wyze would eventually open a responsible dialog. Again, they couldn't risk, like, drawing any attention to the Wyze cams, because other people could figure out how to exploit them. And the problems were really bad. And what I loved, isn't it just rich that Wyze's cybersecurity team, like they have one, finally said they appreciated the responsible disclosure provided by Bitdefender on the vulnerabilities. Yeah, I bet they did. Three years Bitdefender patiently waited because of Bitdefender's ethics. You know, essentially Wyze had Bitdefender over a barrel.
Leo Laporte & Steve Gibson (01:16:17):
Okay. Oh, so get a load of this truly amazing, classic remote connection authentication bypass. It's just the best thing ever. When connecting, a client is required to log onto the camera, right? The camera's running a service, so we'll consider it to be the server, the client being a user on a webpage or whatever. A client is required to log onto the device, of course, because you don't want everyone to have access to your webcam. By definition, the client and the webcam share a 128-bit secret key. Okay, that's good security. The webcam has a 128-bit secret key burned into it. The client is required to know it. A pre-shared key, good security, no problem there. So the client initiates its connection by sending an IOCTL, you know, an I/O control command, with the ID of, it's hex, 0x2710. Upon receiving a, you know, it, the cam will accept a TCP connection.
Leo Laporte & Steve Gibson (01:17:46):
Then the Wyze cam receives this packet with the ID 0x2710, which induces it to generate a random nonce value, which it encrypts with its 128-bit shared secret key. Okay, that's great. It sends the encrypted blob to the client. By the design of this simple protocol, the client must have that same 128-bit shared secret key, which it uses to decrypt the camera's randomly chosen nonce value it had then encrypted, to authenticate itself to the camera, which it does by returning the properly decrypted camera nonce using an IOCTL command with the ID 0x2712 instead of 0x2710. So 0x2710 initiates the handshake, asks the camera to generate a nonce, which it encrypts with its 128-bit shared secret, sends the encrypted blob back to the client. The client, that has the same 128-bit shared secret key, decrypts it and then returns it to the camera under the command 0x2712. The camera, receiving the 0x2712 IOCTL, compares the nonce that was hopefully decrypted by the connecting client to the value that it stored locally, and only if they match will the authentication succeed and the connection be accepted. And after that, the client is free to do whatever it wishes with the camera, right? No problem. Simple shared secret, you know, workable protocol. Here's what the Bitdefender guys found.
Leo Laporte & Steve Gibson (01:19:53):
The way the Wyze firmware works is that upon receiving that initial 0x2710 command, it generates and stores the nonce for subsequent comparison, and it then encrypts it and sends it to the client. But if the client never sends the 0x2710 command in the first place, the nonce value stored in RAM remains set to all zeros. I just love this. So all any attacker needs to do to gain full access to any original or only just, you know, patched, just what, earlier last month, or any unpatched cam, is to connect and skip issuing the first 0x2710 command, which asks the camera to begin the authentication handshake. Instead, an attacker simply first sends the second 0x2712 command with an all-zeros authentication. Since that will always match the camera's default null nonce, anyone can log into anyone's Wyze cam. You can see why Bitdefender said, holy crap, three years ago. Anyone.
Leo Laporte & Steve Gibson (01:21:34):
But you do have to have physical access. You have to be on the WiFi, right? You can't do this from the internet, or can you? No, no, no, no, no. It is a network attack. Okay. So the camera needs to be exposed. You have to be able to connect to the camera, right? So if it's behind a NAT router, you wouldn't be able to, but if there were some reason that somebody had put their Wyze cam on the internet, then anybody can access it. Wow. Okay. Bitdefender wrote: after authentication, we can fully control the device, including motion control, pan and tilt, disabling recording to SD, turning the camera on or off, among other things. We cannot view the live audio and video feed, though. Get this: because it is encrypted under that same, unknown to a remote attacker, shared private key.
Leo Laporte & Steve Gibson (01:22:34):
However, they wrote, we can bypass this restriction by daisy chaining a stack buffer overflow, which leads to remote code execution, as detailed in part two. They said, for the stack buffer overflow, when processing IOCTL with ID 2776, the device does not check whether (you're not gonna believe this, Leo) the destination buffer is long enough before copying the contents onto the stack. Well, there you go. Exploiting this vulnerability is straightforward. Through the IOCTL with ID 2776, we can set which servers to use to connect to the cloud. This seems to be a debugging function that allows the selection of production, beta or internal API servers. When sending a request, we specify the length of the buffer in the first byte, then the buffer itself. They said this content is then copied onto the stack into a fixed 0x40, which is 64-byte length, buffer.
Leo Laporte & Steve Gibson (01:23:51):
Even though the specified size in the first byte is taken as a signed int. Okay. Now a signed int that is a byte will have a maximum size of 0x7F, because the sign bit that we were talking about a few weeks ago, that's gotta be off for the signed int to have a positive value. Still, 0x7F is 127. So that's enough to overrun a 64-byte buffer, allow it to be overwritten, and run the attacker-provided code. The third and final flaw they found is unauthenticated access to the contents of the SD card. When inserting an SD card into the camera, they said, the contents of the SD card, including the recordings, can be accessed via the web server listing on port 80 without authentication. This is enabled by the fact that after an SD card is inserted, a symlink to the card mount directory is automatically created in the www directory, which is served by the web server.
Leo Laporte & Steve Gibson (01:25:03):
The card contents can be viewed through the hello CGI functionality located at /cgi-bin/hello.cgi. Then the files can be downloaded through the /SDPath/path. The SD card also holds the camera's log files. Before writing them to the card, the device XORs the content with 0x90. Like, why not? Very strong protection. These log files can contain sensitive info such as the unique ID and the shared private key, which can then be used to connect remotely and view the stream in real time, because now we're able to decrypt the stream, having obtained the shared private key. The good news here, such as it is, and that's not much, is that the second and third generation Wyze cams can be updated to cure these various problems. The bad news is that the first generation cameras have been abandoned by Wyze, and Wyze has said that they do not plan to support or update them in the future.
Leo Laporte & Steve Gibson (01:26:24):
The only thing we could hope for, for anyone who has early first gen Wyze cameras, is that maybe the press that this is now finally, after three years, generating, with the negative publicity of having critically broken and trivial to hack first generation webcams, might cause Wyze to change their minds. I mean, unless it's burned into actual ROM, there is no reason. Or maybe they didn't provide a means for updating the firmware. I can't explain. They say there's not a program to update the firmware? Not a memory? That seems hard to believe. It seems more likely that they're just like, well, those are too old. Yeah. And they were only 20 bucks, right? I mean, yeah. It was an amazing little camera for the price. Right. But you know, Wyze, and this is what we see, right,
Leo Laporte & Steve Gibson (01:27:23):
with bottom-of-the-barrel IoT vendors that just wanna sell their stuff and not be bothered with security. Unfortunately, you know, they tried to have it secure, but nobody audited their stuff. Right. It's all proprietary. It's just trust us. You know, we got this. It's, oh, 128-bit encryption, military grade. Can't get in there. Yes. Just, you know, drop the first half of the handshake, do the latter half, handshake with all zeros, and you're in. Wow. Yeah. Yeah. Two tweets from listeners. From someone whose Twitter handle is @WithTheNAS, he said, thanks for your recommendation. I just finished the first Bobiverse book. All I can say is thanks for the recommendation. It was a lot of fun, he said, and Ray Porter's narration, he said, particularly of Guppy, is spot on.
Leo Laporte & Steve Gibson (01:28:27):
Yeah. You're missing out on that. It's pretty good. He does Guppy as Admiral Ackbar. So he's talking like this. It's great. It's really funny. That would be great. Yeah. Ray Porter's really a talent, and he kind of brings Andy Weir's The Martian style too, which is great. Nice. Yeah. Scott Cleveland tweeted @SGgrc: a few weeks ago you and Leo were talking about the Bobiverse, We Are Legion (We Are Bob) books, and he said, thank you, exclamation point. He said, it's so hard to narrow down, when scrolling through Audible, what I will like. Your suggestions are pretty much spot on, automatic win for me. So thank you, Scott. And I said, if the qual... then it occurred to me, if the quality of my recommendations is to hold, I should probably note that book number four is noticeably dragging.
Leo Laporte & Steve Gibson (01:29:26):
Yeah. It's still okay. But Dennis appears to be running out of new ideas for his Bobs. He's reusing the ideas he already has. And I have to say he's built an extremely interesting and clever Bobiverse using subspace comm links and virtual reality in clever and, you know, given a suspension of disbelief, feasible ways within this universe, but perhaps it should have been left at a trilogy. Yeah. I'm halfway through book two. Maybe I'll just stop at three. Yeah. I think you should. Yeah. But you know, still there is more fun stuff happening. Oh, have you run across the Others yet? Yes. Yes. The Others exist. In fact, he's just now encountering them for real. So I'm excited. Exciting. Yes. They are really, really, really, I mean, bad. Yeah.
Leo Laporte & Steve Gibson (01:30:30):
Yeah. You know, and seeing how they get taken care of is worth finishing the trilogy. Peter F. Hamilton's aliens from, is it Fallen Dragon? I can't remember. Pandora's Star. Maybe it's Pandora's Star. The ones that just kind of, yeah, they're great. They look like MOS, the MOS. Yeah. Yeah. That's my favorite evil alien. And they were non-biological, right? And they were quadrilaterally symmetrical. Yeah. Right. So they had like four feet, and they were sort of kinda like Dex except, you know, bad. Yeah. Hey, real quick, follow up from the chat room. Would it be safe to use a Wyze cam V1 behind a firewall? I think so. Yeah. Cuz it needs access from the outside world. Yes. So the threat model is that you might have mapped a port through it so that you had access to the camera directly, remotely.
Leo Laporte & Steve Gibson (01:31:38):
And unfortunately that means other people could too. And of course, that's another reason why our topic for the day, port knocking, will be of, I think, great interest to some of our listeners. Yes, indeed. David La Meer, he said, hi, Steve. I recently bumped into the author of NoScript on Twitter. He said, when I mentioned I'd abandoned it long ago, he encouraged me to take a fresh look. So I found the website, he said. Looking at the usage page, it does appear that the program has been updated/adjusted to the realities of the modern web. And he said, I know you also gave up on it long ago, but this was interesting enough, I thought maybe it was time for a revisit of NoScript. He said, and no, I haven't actually tried playing with it myself yet, or I'd include my experience here.
Leo Laporte & Steve Gibson (01:32:34):
Okay. So David, thank you. And I wanted to share that little tidbit with our listeners. I appreciate knowing that NoScript hasn't thrown in the towel yet, despite its name. And it occurred to me that the author is probably suffering the same dilemma I am with SpinRite: renaming his program. SomeScript really doesn't pack the same punch. Oh, well, it's SomeScript. It's SomeScript because you need some script, but you can't do no script. Our development group's discoveries with SpinRite strongly indicate that SpinRite's future with solid state mass storage is guaranteed, perhaps maybe even more so than it ever was with spinning media. But I can't change the name, even though someday nothing will be spinning anymore. It's still gonna be SpinRite.
Leo Laporte & Steve Gibson (01:33:35):
I love it. All right, let's get knocking. I hear you knocking, but you can't come in. But first let's talk about our sponsor, Kolide. I love the idea behind Kolide, which is instead of security being a top down issue in a company, it should really be handled in such a way that your users are part of it. Kolide is a new take on endpoint management that asks the question, how can we get users more involved, as opposed to old school device management tools like MDM, which is basically just saying, no, you can't do that. It's very, you know, paternalistic. It locks down your employees' devices without considering their needs or educating them in any way. Kolide is a better way to do this. It's built by like-minded security practitioners who saw in the past just how much MDM was disrupting their end users,
Leo Laporte & Steve Gibson (01:34:36):
frustrating 'em so badly. And this is the real problem. They throw up their hands, just, you know, forget about it, and so stop using the company devices and start using their personal laptops, which is frankly worse, of course, for security. Kolide, K-O-L-I-D-E, is completely different. In fact, you're seeing, I'm putting up on the screen, some examples of Kolide messages your employees might get in Slack telling them, you know, if they've done something. Here's one that says: looks like you have two Salesforce customer download exports that have been sitting in your downloads for more than 14 days. Please navigate to the following two files, delete them, then empty the trash. And then you have a button: I fixed it, check again. This is a really great way of getting users involved in their own security. And of course, as a side effect, making them much more secure. Instead of locking down a device, Kolide takes a user focused approach that communicates security recommendations to your employees directly on Slack.
Leo Laporte & Steve Gibson (01:35:38):
So after you set it up, device security turns from a top down, you know, we know what's best, black and white state into a dynamic conversation that starts with end users installing the endpoint agent on their own. They do the thing on their own. That's a great way to get them involved, but also to get their buy-in. It happens right inside their first Slack message. It's a guided process. It's very easy. They like it too. I've noticed users love it because it makes them feel empowered. It even makes 'em kind of feel a little bit more responsible for their own security. And from then on, Kolide regularly sends recommendations when a device is in an insecure state, things like, you know, just the screen lock not being set correctly, to something more nuanced, like getting people to secure two factor backup codes sitting in their download folder.
Leo Laporte & Steve Gibson (01:36:28):
You know, this is just honestly a brilliant idea. And because it's talking directly to the users, it's educating them about the company's policies and how to best keep their devices secure, using real, tangible examples, not theoretical scenarios. It's just brilliant. It's completely cross platform: Linux, Mac, and Windows. It puts end users first. And I know sometimes the IT department says I don't trust those guys, but honestly, your job is better and easier if they're enrolled, if they're behind you, if they say, yeah, yeah, I wanna work with you to make our company safe. Get endpoint management that puts the user first. Kolide, K-O-L-I-D-E. Visit Kolide.com/Security Now to learn more. You can activate a 14 day trial today. See how your users like it. You don't need a credit card to do that. Kolide.com/Security Now. In fact, you'll even get a goody bag of Kolide swag after signing up for a new trial.
Leo Laporte & Steve Gibson (01:37:25):
Just a little way of saying thank you. I think this is such a great idea. Make security part of your day to day operation and get end users involved. Kolide, Kolide.com/Security Now. On we go with a little knocking with Steve Gibson. Don't knock it. Don't knock it. Okay. So our listeners have heard me over and over and over lament the dangers of having exposed ports on the public internet. There's the problem of a recognizable server or service that is in some way protected, but with a password, which can be brute forced in the background over time. Or, I mean, equally problematic is a service that has, you know, strong authentication, but a bug in the service itself. A perfect example is this OpenSSL bug. You know, there's nothing that you need to authenticate about connecting to, you know, establishing a TLS connection.
Leo Laporte & Steve Gibson (01:38:48):
The problem there is a bug in the underlying service itself. And if the access to the port is completely unrestricted, then that means an incoming packet from any of 4.3 billion IPs is treated just like any other. So the solution to this is firewall rules. And I have three locations, and I've got static links running in a triangle configuration between all three using strong firewall rules. I have the advantage that GRC is a set of fixed IPs. They will never change. But a cable modem rarely changes. I mean, you have to be offline or unplugged for a day, and then when you reconnect you may get a different IP. You probably will. But I'll go years, often, with no IP change. And so the key is that every endpoint knows its IP and knows the IPs of the other endpoints it trusts, and selectively allows packets on specific ports only from those IPs. And when they're TCP connections, because of the need for a three-way handshake, IP cannot be spoofed. As we know, UDP spoofs, TCP not.
Leo Laporte & Steve Gibson (01:40:24):
And of course we've talked about being stealth. You know, GRC's ShieldsUP service likes the idea that your firewall, your router, is not even saying to a requested connection, no, thank you, there's no port here, go away. Instead, it just drops the packet. In this day and age, you know, technically, by the original formal protocol rules of the internet, you should respond by saying, hi, I got your packet, but you should know there's no service running here. Well, unfortunately, that provides information, out of a sea of IPs, that there may not be that service there, but there's something there, maybe at a different port. So better just to let the packet die in a modern internet. Okay. So imagine that you want to make a service available to an IP which is not static and not previously knowable, but could be anything, yet
Leo Laporte & Steve Gibson (01:41:47):
you simultaneously want all other services, or that service at all other IPs, not to be available. Well, since the way you enforce allowing a specific IP to connect to a specific port is with a firewall rule that permits packets in identifying themselves with a source IP and a destination port just specified, what you want is essentially a means of, on the fly, changing a firewall rule to permit a specific client anywhere on the public internet to get in. And there are several ways to do this. Generically, those are known as port knocking, and the original old school port knocking was very clever. The idea is that in the machine with the firewall, which is publicly exposed to the internet, you run a service. And in Linux, it's known as knockd, K-N-O-C-K-D, and it's available.
Leo Laporte & Steve Gibson (01:43:07):
Linuxes have it. It's not that widely used, which is one of the reasons I wanted to talk about it today. It's there and it is cool. It runs monitoring the interface itself, below the level of the TCP/IP stack. So you have to have libpcap installed in order to allow it to open a connection to the raw interface. This service is script driven. It takes a config file that tells it what to do when it sees different things. So the idea is that when packets come down the wire to your IP and hit the machine, if they're unsolicited from some random IP on some port that you don't have open, they just die. They hit the machine, they die. But the point is they cross the NIC to the guts of the computer, where libpcap and this knockd daemon are able to see them.
Leo Laporte & Steve Gibson (01:44:24):
So imagine if this firewall, this machine, had a secret knock sequence, which is to say, send a packet to port 10192, then send a packet to 10234, then send a packet to 32769, then send a packet to 50743. The point is you can create an arbitrarily long sequence, which has to be specified in the proper sequence, to create an unlocking sequence which the knockd daemon will recognize, cuz it's watching all the incoming traffic to your IP. And if it sees a sequence of the proper packets, all coming from one specific public IP, it then, using its config file, emits a command to your firewall, iptables or whatever (it supports all of the different firewalls), to selectively open a port to the IP that generated this correct knocking sequence. And what you now have is a means of having services which are publicly available
Leo Laporte & Steve Gibson (01:46:00):
but absolutely non-existent. It's also the case that your use of port knocking is invisible, unseen, unknowable. Unless you tell people, there's no way for anyone to know that you're running a port knocker on your side, and that sending a specific sequence of packets would have any effect. And the good news is it's not very common, so people aren't expecting you to do it. The other piece of good news is this is actually pretty strong security. There are some problems; we'll talk about that. But on the pro side of this, we know that port numbers are 16 bits. So that means that a randomly chosen port carries 16 bits of entropy. Essentially, think of it as 16 bits of password. That means that four randomly selected ports, each carrying 16 bits, will give you 64, or eight randomly selected ports gives you 128 bits, okay.
Leo Laporte & Steve Gibson (01:47:18):
128 bits. There are people on the internet who say, well, port knocking is security through obscurity. I would disagree. So is a password. Nobody knows what the password is. It's obscure, right? It's a secret. Well, so is the proper port knocking sequence a secret. The biggest problem with it has been solved in its evolution. But I like this just for its clarity and its simplicity. The biggest problem is if somebody were able to somehow arrange to sniff the traffic between the client sending the packets and the server receiving them, so at either end or somewhere in between, there is no prevention for a replay attack. So standard old school port knocking is not safe against replay attacks. On the other hand, I'm not suggesting that this be the only security that your system would have. For example, I'm not suggesting that after providing the knocking sequence, the server you connect to doesn't still have its own security.
Leo Laporte & Steve Gibson (01:48:46):
Again, multiple layers of security are good. This is another really intriguing and useful layer because it is able to hide the fact that there is a server accepting TCP connections. Without port knocking, that server will accept a TCP connection from anyone, because it might have to accept a connection from anyone. That tells the bad guys there's a server there listening on that port, and they can go to town. If you put up another layer around your system, a port knocker, you look like every single port on your machine is stealth, you know, different. The other kind of cool thing about port knocking is that it doesn't take a sophisticated client to be able to generate these. I've seen an example, for example, where telnet trying to initiate a connection will send three SYN packets to an IP that doesn't respond.
Leo Laporte & Steve Gibson (01:50:00):
So you could set up the knocker daemon to look for three SYN packets on the first port, then three SYN packets on a second port, and so on. That would mean that you could just use a brain dead telnet which you ask to connect to eight successive ports, which will ultimately fail. You know that each of those generated three connection attempts, so you've ended up sending a total of 24 packets. And now the knocker daemon is satisfied. It sends a command to iptables, opens up a rule, adds a rule to only accept incoming connections to the destination that you've specified for that knocking sequence, from whatever IP you're at. So even with the knock completed, bad guys can't see that you have anything open, cuz it is only open for the IP which was the source of the knock packets.
Leo Laporte & Steve Gibson (01:51:15):
Anyway, my point is, it is such a clever and cool idea that I wanted to share the concept with everyone. And there are knock generators, knocking clients, which will do a much cleaner job of establishing connections, depending upon what kind of client you have. Okay. But I said that the problem was replay attacks, right? The evolution of this, which has occurred, is known as single packet authorization. And what we are missing from port knocking is that all we're taking advantage of is the fact of a packet hitting the firewall, not its contents, which means we're missing a huge opportunity. The cleverness of it is that it uses just the fact of the packet's arrival. But if we wanna step up our game, we do it with what's known as single packet authorization.
Leo Laporte & Steve Gibson (01:52:29):
There is a tool, fwknop, F-W-K-N-O-P, and that stands for firewall knock operator. The guy behind it took this to the next level. And again, it's on GitHub. All of this is free. All of it's open source, and it has, you know, over time, been scrutinized to death. Single packet authorization takes the IP of the source, that is, the IP of the client. It encrypts it with a public key which the user knows, or private key, or both, or symmetric key, and uses an HMAC in order to authenticate the result. And it sends one packet to a predetermined closed port on the destination. The agent which is listening there gets the packet, uses its matching secret or its private key, that is, if you wanna use asymmetric encryption, you know, public key encryption is also supported.
Leo Laporte & Steve Gibson (01:53:52):
It authenticates the packet. It decrypts the packet. It verifies that the IP that was contained in that envelope is the source IP from which the packet came. And if and only if all of that works, it then does whatever it's been configured to do, which could be anything. So now we have fully stealth, cryptographically secure single packet authentication, which can be used to do lots of things. Oh, I forgot to mention that some of the cool things that the behind the scenes scripts can do is, for example, it could open a port and also send a Wake-on-LAN packet to a server on the LAN, causing that machine to power up, you know, by command, in order to then provide services for whatever the port was that was opened. So it's all configurable. This fwknop, I've got links in the show notes. Its founder is at cipherdyne, C-I-P-H-E-R-D-Y-N-E dot org, cipherdyne.org.
Leo Laporte & Steve Gibson (01:55:16):
And to go directly to the page, it's /fwknop. There are clients for Fedora, Red Hat Linux, CentOS, Debian, Ubuntu, OpenWrt, FreeBSD, Mac OS, OpenBSD, iPhone, Android, Cygwin and Windows. Servers for all of the OS platforms and the desktop platforms, except for the mobile clients. Doesn't really make sense, obviously, for a mobile client to have a server. GnuPG support, HMAC support, client NAT penetration support, server side NAT support. Anyway, it is a beautiful, complete win for anyone having a need that this particular approach solves. And again, in this day and age where we've got people, you know, brute forcing servers that are sitting exposed to all IPs when they don't need to be, I just kind of wanted to remind everybody this thing's been around since the early two thousands. I mean, the concept has. It's just very clever in terms of allowing authenticated, otherwise stealth access to servers, you know, operating at arbitrary ports.
Leo Laporte & Steve Gibson (01:56:52):
And that's port knocking. Neat. Very neat. Could you have a rolling port knock, I guess, like a TOTP sort of? Could you? I don't think you really need one. You don't need one. Yeah. Well, I'm just thinking of the replay attack issue. Yes, very good point. And the way this guy solves the problem, he has solved it, is it records a log of all the previous packets that have authenticated, and it will never allow the same one to be used a second time. Perfect. Yeah. And it would have to be the same IP after all, so, right. So he actually, you know, did think about the replay problem, and he does it just by logging successes. He logs a small hash of the success, so the log isn't big. And the packet first has to match all the other proper criteria, which means it could only be a replay.
Leo Laporte & Steve Gibson (01:57:53):
And if it matches all the criteria, then it checks to make sure it's never seen that before. Hmm. So you don't end up with a big log in any event. Hmm. Steve, you have done it again. Another great, thrilling, gripping edition of Security Now for all of our listeners. Steve lives at grc.com, the Gibson Research Corporation. That's where you'll find SpinRite, the world's finest mass storage maintenance and recovery utility. Version six is current, 6.1 is imminent. If you buy six now, you'll get 6.1 automatically for free. You can also participate in the development if you want. grc.com. While you're there, check out all the freebies, the forums, ShieldsUP, all the utilities Steve writes, like InControl. It's all there, grc.com. Along with his show, he hosts a couple of unique versions of this show on his website: a 16 kilobit audio version for the bandwidth impaired.
Leo Laporte & Steve Gibson (01:58:48):
He also has a transcript carefully crafted by humans. Well, a human named Elaine. I love being human. Human, lovely human. And you can read along as you listen, or search to find parts of the show and so forth. That's all at grc.com. He also has a 64 kilobit audio version, as we do. We have video as well at twit.tv/sn. There's a YouTube channel dedicated to Security Now. You can watch every show there, all 865 of them. And well, they're not all video. So maybe 810 of them, or whatever it is. I don't remember when we started video. And then of course you could subscribe in your favorite podcast client. You'll get it automatically that way. And if your client allows reviews, please leave us a five star review. Share the good news about Security Now. If you wanna watch us do the show live, we do it Tuesdays right after MacBreak Weekly.
Leo Laporte & Steve Gibson (01:59:43):
That's usually sometime between 1:30 and 2:00 PM Pacific, 4:30 and 5:00 PM Eastern, 2030 UTC, live.twit.tv. You can chat with us live. We still use IRC. Yes, we do, at irc.twit.tv. But if you're a more modern type and you kind of prefer to do the Discord thing, Club TWiT members get access to a wonderful Discord, which is not just about the show, but about every other aspect of geek life, including code and beer and wine and cocktails and ham radio and makers and movies and music, and on and on and on. This is part of our Club TWiT. It's kind of the clubhouse of Club TWiT. Club TWiT membership also gets you ad free versions of everything we do and access to the TWiT Plus feed, which includes, well, among other things, a fireside chat with Steve from a couple of months ago. Paul Thurrott just did his, Jeff Jarvis is coming up. There's Stacey's Book Club, the Untitled Linux Show, the GizFiz.
Leo Laporte & Steve Gibson (02:00:45):
There's lots of great stuff in Club TWiT, and all that for a mere seven bucks a month. And it's just month to month. There's no long term thing or anything like that. Just go to twit.tv/clubtwit. And by joining, you really help us out. You smooth out the wrinkles. You let us do new stuff like This Week in Space, which we launched on Club TWiT and now have brought into the real world at twit.tv/twist. Again, that's twit.tv/clubtwit. If you wanna know more, there's corporate memberships too. Steve, I will see you right back here next Tuesday. Thanks for joining us on Security Now. I'll look forward to it. Bye. Hey, I'm Rod Pyle, editor of Ad Astra magazine, and each week I'm joined by Tariq Malik, the editor in chief over at space.com, in our new This Week in Space podcast. Every Friday Tariq and I take a deep dive into the stories that define the new space age. What's NASA up to? When will Americans once again set foot on the moon? And how about those samples in the Perseverance rover? When are those coming home? What the heck has Elon Musk done now? In addition to all the latest and greatest in space exploration, we'll take an occasional look at bits of space flight history that you've probably never heard of, and all with an eye towards having a good time along the way. Check us out in your favorite podcatcher.