Security Now Episode 874 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte (00:00:00):
It's time for security. Now, Steve Gibson is here as always. Well, actually, you know what Steve said, it was kind of a slow week. There's still, it seems to me plenty to talk about. We'll start with a look at service NS. W's new driver's license. Steve talked about how insecure it was last week. This week, their response, you won't believe it. Express VPN is the first VPN to pull out of India. We'll tell you why. There's a critical cellular modem chip defect. Does anybody care? And then Steve is gonna look at past keys. Once again, in light of Apple's announcement that they're gonna support it. What is the key critical deficiency of Pasky? Steve identifies it coming up next on security. Now podcasts you love from people you trust. This is TWiT. This is security. Now with Steve Gibson episode 874 recorded Tuesday, June 7th, 2022.
Leo Laporte (00:01:03):
Pass keys. Take two. Security now is brought to you by ITProTV. Give your team an engaging it development platform to level up their skills. Volume discounts. Start at five seats. Go to itpro.tv/securitynow, and make sure to mention S N three zero to your designated it pro TV account executive to get 30% off or more on a business plan. And buy JumpCloud. Your complete platform for identity access and device management works smarter, not harder by securing SSO MDM, MFA and more from one pane of glass fully evaluate JumpCloud for free today at cloud.jumpcloud.com/securitynow and help your organization move to a modern secure hybrid work model. And by BitWarden, get the password manager that offers a robust cost effective solution that can drastically increase your chances of staying safe. Online. Get started with a free trial of teams or enterprise plan and get started for free across all devices as an individual user@ bitwarden.com/twit.
Leo Laporte / Steve Gibson (00:02:16):
It's time for security. Now the show we protect you, your loved ones, your privacy, your wallet online with this guy right here. Steve Gibson from grc.com. Hi Steve. Hey Leo. Great to be with you again for what is this? This is the first, no, yeah. The first episode of June. Yeah. Yeah. I believe June. How did we get here? I know, I know. So I, along with you and Micah watched and enjoyed yesterday's worldwide developer conference, keynote mm-hmm <affirmative> and I saw in passing their mention of pass keys and as, and something occurred to me that I hadn't thought about before, and I initially put it in miscellaneous because it just, it didn't seem that big a deal, but the more I thought about it and wrote about it, the more I realized that there might be something significant that we're just all kind of glossing over while we're rejoicing about apple, Google, and Microsoft adopting this technology.
Leo Laporte / Steve Gibson (00:03:26):
So, and it was kind of a slow week, which doesn't that happened that often in security. Yeah. It's the only show where we celebrate slow weeks <laugh> and so I was sort of thinking, well, I don't, I don't wanna talk about that. I don't wanna talk about that. I don't wanna talk about that. You know, so we have things to talk about. We're gonna talk about the response that service new south Wales provided about their response to all of the news, which we covered last week of their very insecure apparently hard to spoof. So they said digital driver's license express VPN is the first VPN to pull the plug on India. We're gonna talk about that. Our sponsor. Yeah. Yeah. Also turning off the internet has turned out to become a common practice among some re repressive regimes. Oh yeah. For an interesting reason.
Leo Laporte / Steve Gibson (00:04:24):
The windows Lina exploit, Lina, Italy, we talked about that it is exploded into the wild, not surprisingly. Yeah. And there's another windows word URL scheme, which has been uncovered, which could be exploited. We've got a critical cellular modem chip defect, which has surfaced. And maybe I'm the only one who's not worried about it. We'll see. Also we've got an interesting consequence of us sanctions, which is that named ransomware is being impacted as a consequence and also in a separate story, ransomware is beginning. We have, as a consequence of these KTI leaks, we learned that some new development are in the ransomware sphere is taking aim at our systems' boot firmware. Oh, that the U E F I, which is not where we want them going next, but they're going to we've got a bit of a rat and a bit of closing the loop feedback then, and we're gonna talk about, I, I titled today's podcast pass keys, take two, because four weeks ago, we, it was the title of the podcast.
Leo Laporte / Steve Gibson (00:05:41):
And I need a little bit of follow up that I think all of our listeners will find very interesting. Yeah. I'm looking forward to that. One of our listeners redacted in the chat room has noted that on your show notes at least on the Mac, the Mac interprets this number 8 74 for six, seven twenty two as a phone number. And <laugh>, I don't know what'll happen if I, if I dial it, but I don't think I will. I just thought that was kind of, that was kind of interesting. That is interesting. Yes, huh. Huh. I've never noticed that before. Thank you, redacted. I don't know what country code that is. I have noticed. And, and I've never asked you about this. I've noticed that sometimes the, on my pad, at least safari doesn't show the symbols that other browsers show they've got, they've got little missing icon squares.
Leo Laporte / Steve Gibson (00:06:27):
Like yeah. Like why is this hard? <Laugh>, it's a fun, it's a fun thing, Steve. Ah, okay. Yeah. I think that whatever font you're using there, it doesn't have those Unicode characters, I think honestly, by now every font should have, but you know, there's potentially, I think 65,000 Unicode a character. I mean, it's just such a large number. You're not gonna, you, you don't want to put that all in a font set. So occasionally some wing dings to get, to turn into squares. Yeah. You'd need to have the add on RO if you put that. Yeah, no kidding. <Laugh> every, font's a hundred megabytes. Our show today brought to you by it pro TV. I know, you know, it pro TV. I know many of you are members of it pro TV, the best place for it training. We always talk about what a great idea it is for individuals to become it professionals through it pro TV.
Leo Laporte / Steve Gibson (00:07:22):
We don't talk a lot about the business side of this, but it pro TV has a business plan. That's great for your it team. Just like individuals, your it team needs to keep it skills up. It needs to keep it certs up. It needs to learn new skills. And with it pro TV, you're gonna give them something they'll actually use and then it'll benefit your business. So it's a win all around ITProTV makes content that is so engaging, so entertaining and yet so informative. People love it. In fact, on average 80% of users who start a video, finish it, go all the way through, which is always a good sign. You know, they don't bail out halfway through ITProTVs got great content because they have great trainers. They call 'em ed entertainers, people who are experts in the field and who have a passion for what they're talking about, that passion comes through and makes it more exciting, more interesting to watch them more engaging.
Leo Laporte / Steve Gibson (00:08:22):
They always have fun while they're doing it. So your, your team will be learning and enjoying. All of the episodes are cut up into 20 and 30 minute chunks. They can watch during a lunch hour or a break. Their binge worthy content will get them trained in every area you need for your it team. I mean, honestly, if you're not continuously training, you're falling behind the tech industry is constantly evolving, right? There's new threats, new software, new certs new questions for the old certs there's new system upgrades, there's new cyber threats. It pro TV offers the training and perspective that you need to handle this modern world of technology. Your it team deserves it pro TV, and you deserve an it team trained up to handle any eventuality. You can get all the training and certifications for your team done in one place.
Leo Laporte / Steve Gibson (00:09:18):
Every vendor, every skill you need for it. Team training, Microsoft, of course, Cisco Linux, apple training, security training cloud. So much more at a total of 5,800 hours worth of engaging up to date content. And I mean it, when I say up to date, they have seven studios running all day. So the content's always getting updated. It moves from the studio to the library within 24 hours. You're looking at the absolute freshest information. And of course the it pro TV business plan has a dashboard that makes it great and easy for you to justify the spend. You can track your team's results, manage seats, assign, and unassigned team members to different content. You can access monthly usage reports. And by the way, it's not just the whole track. You can pick an individual episode say, well, you need to learn more about this, or they may come to you.
Leo Laporte / Steve Gibson (00:10:05):
In fact, honestly, this is more likely I wanna boss. I wanna learn more about crypto, great it pro TV. You can have all the metrics you need to justify to the boss while you're spending that money. And you'll have a team that is really up to date and very, very effective. It's, it's a money safer in the long run. They spend less time solving problems. They solve more problems. You could assign full courses, individual episodes you'll get insights into your team's viewing patterns, their progress great visual reports. So you could print up a report and say, see boss, this is worth it. It pro TV, individual plans. Yes. We talk about that all the time, but don't forget your it team. Give them the development platform. They need to level up their skills while enjoying the journey for teams from two to 1000, it pro TV's got something for you.
Leo Laporte / Steve Gibson (00:10:54):
Volume discounts start at just five seats. And if you go to it pro.tv/security, now it pro.tv/security now, and mention S and 30 to your it pro TV account executive 30% off or more on a, on a business plan. That's I mean, no one gives a 30% discount. That's a great deal. It pro.tv/security now. And that's just because you're hearing this on security now, but do use that offer code SN 30, cuz you'll get the 30%, but also Steve will get the credit it pro.tv/security. Now offer code SN three zero picture of the week. Mr. Gibson. <Laugh> yeah. So this one, this is not, you know, a high brow, but it's just a fun little Diddy. So the caption on this picture reads, I don't get it. <Laugh> we keep changing. We, we keep, we keep changing the password and we still have a leak <laugh> and so, and, and, and the picture is two people standing in front of a, you know, a corporate bulletin board where, and like in 20, you know, 48 point type, it says today's security access code 5, 5, 5, 2, 3 at again.
Leo Laporte / Steve Gibson (00:12:20):
Yes. Yeah. Wonder where that leak could possibly be occurring. That's a mystery anyway. Okay. So in a follow up to the quite unflattering coverage, the tech press, including this podcast gave to the new south Wales, ridiculously insecure digital driver's license, someone over at service at S w was told that they needed to offer a rebuttal. So here's the official reply from service NSW <laugh> that starts out this issue. And like, which issue, like take your pick. This issue is known and does not pose a risk to customer information. Okay. The blogger has manipulated their own digital driver's license information on their local device. Yeah. yeah. Uhhuh, right? Yeah. the no other customer data or data source has been compromised. Oh, they thought it was a breach or something. Well there, well, okay. Completely misunderstood it. Yeah. Yeah. maybe it also does not pose any risk in regard to unauthorized access or changes to backend systems such as drives.
Leo Laporte / Steve Gibson (00:13:55):
And of course, no one ever said it did, but you know, it's good that it doesn't. Then they said importantly, if the tampered license was scanned by police, the real time check used by NSW police, and they said scanning mobile pole would show the correct personal information as it calls on drives. So drives is apparently the name of their backend database. Oh, you mean like a physical driver's license? <Laugh> yeah. Well, I'm glad we did this. Oh, then they said upon scanning the license, it would be clear to law enforcement that it has been tampered with. Right. Yeah. Since nothing that's being displayed can be trusted. So the offline aspect of this is apparently not very useful. So they're, they're basically saying, well, just don't trust it. Okay. And oh, but, but Leo here's the kicker. Oh, altering the DDL is against the law.
Leo Laporte / Steve Gibson (00:14:59):
Oh no. So no one will, will do that. No. A lot of law biting people there. So, you know, it's kind of like a fake ID, which I would imagine is also against the law, but no one's ever used. One of those, finally, the DDL has been, you know, fortunately independently assessed by cyber specialists and is more secure than the plastic card. And <laugh> exactly like, okay. You know, were these by chance, the same cyber specialists who came up with the systems design in the first place, our, our, our our geeks tell us it's safe and, and really what does more secure than the plastic card mean? How can the security of a physical card be compared against a software solution? You know, after all, everyone, all we says that all software has bugs. A physical card doesn't have software bugs seems like that might be more secure.
Leo Laporte / Steve Gibson (00:16:09):
And of course we talked last week about the difficulty of acquiring the paper and the printer. And apparently it's got some, some multi-layer laminated sandwich with a different color. So you look at the side of the card and you see a little orange Stripe or something. Anyway, you know, at least now we know why nothing happened three years ago, back in 2019, when the egregious and completely avoidable problems with this system were first publicly displayed service NSW, apparently employed the now famous, these are not the droids. You're looking for diversion by claiming that, you know, the DDL system is working exactly the way we intended. And you all just don't understand why this is what we want. So that is such a cover your ass response. Unbelievable. Really, it really is. Yeah. Well, you know, government here to help you okay. Express VPN, as you reminded our listeners, a, a sponsor of the TWiT network has last Thursday announced that it would be removing all of its India based VPN servers in response to a ni to a new cybersecurity directive issued by the Indian cert, the Indian computer emergency response team, bonds team.
Leo Laporte / Steve Gibson (00:17:38):
However, that doesn't necessarily mean, they said that users of express VPN will be out of luck. Express VPN wrote that quote, rest assured our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. How do they, I guess you, the pool that's interesting. Interesting. Yeah. Yeah. you, you, as long as you were able to route those IPS, or you could put a router there to somewhere else, not silver. Yeah. There you go. Yeah. Right. So they, they, they said these virtual India servers will instead be physically located in Singapore and in the UK. Okay. So what happened, cert India will be enforcing new controversial data retention requirements that are set to come into effect three weeks from today on June 27th. These new rules require VPN service providers to store subscribers, real names, contact details, and IP addresses assigned to them for at least five years. India's cert stated that the user data being logged will only be requested for the purposes of cyber incident response, which of course could be anything protective and preventative actions related to cyber incidents.
Leo Laporte / Steve Gibson (00:19:16):
So the cert after I'm sure a, a lot of pushback, they clarified that this rule does not apply to corporate and enterprise VPN solutions. And they're only aimed at those operators who provide proxy like services to quote general internet subscribers slash users. In other words, do any, and all VPN service providers in their statement, express VPN said the new data law intended to fight cyber crime is incompatible with the purpose of VPNs, which are designed to keep users online activity. Private. The law is also overreaching and so broad as to open up the window for potential abuse. And in addition to the new rules, which are called cybersecurity directions they also require firms to report incidents of security, lapses, such as data breaches and ransomware attacks within six hours of noticing them, you know, we've, I think in the us, what was it? 72.
Leo Laporte / Steve Gibson (00:20:28):
So <laugh> six hours in India. India's move has not only sparked privacy concerns, but has been criticized as ambiguous and overly broad with many pointing out a lack of clarity on the scope of incidents that come under purview of this upcoming directive. Excuse me, in a statement, the, in the internet freedom foundation said such excessive requirements for collecting and handing over data will not just impact VPN service providers, but VPN users as well, harming their individual, Liberty and privacy in the absence of sufficient oversight and a data protection framework to protect against misuse such requirements at the potential to enable mass surveillance, which you know, has, has got to be what's actually going on here. You know, and unfortunately this feels more like the future, which we're heading toward than the past we are receding from. Or that is receding from us.
Leo Laporte / Steve Gibson (00:21:36):
<Laugh>, you know, governments are increasingly becoming uncomfortable with the idea of having no means to surveil their citizens and others who reside within their borders. So, you know, the great DEC description debate is far from over and speaking of pulling a plug what do Algeria, Iraq, Jordan Sudan, India, and Syria all have in common. Their governments have reacted to out of control, cheating on tests by high school students by completely shutting down their national internet service during the period of time that desks are being taken. Oh, go try that here. Holy man. <Laugh> I know holy I was thinking the same thing, Leo, can you imagine that like you, no. I mean, you couldn't, it, it, it must be, although I don't think it is really, but you'd have to imagine that those countries use of the internet is sort of, you know, circumstantial or not core, as you said, you could not do that in the United States.
Leo Laporte / Steve Gibson (00:22:52):
No, but anyway, so the most recent instance of this occurred last week two, actually, and this week in Syria, which scheduled a series of four planned outages, each lasting three and a half hours, the first two occurred, as I said last week. And the next two, actually one is set for today. And one on the 12th, the outages are performed via BGP by removing serious routing from the global internet. Oh, that's one way to stop cheating. <Laugh> holy cow, thus cutting it off completely from the rest of the world. That's mind boggling. It is I in this day and age Leo, I mean, and that's why you think that the only way it could be possible would be that it's just like Syria doesn't depend on the internet to the degree that we do, but how could that be anyway, prior to Syria implementing the, these exam blackouts which began in 2016, te it turns out, I mean, this actually was a problem. Test questions would begin appearing on social media sites, 30 to 60 minutes before each exam, thus allowing cheating students to circulate correct answers and compromise the integrity of the tests. So now as hundreds of thousands of Syrian high school students sit to take their national exams, Syria is taking the extreme proctoring measure of shutting down national internet access.
Leo Laporte / Steve Gibson (00:24:36):
Wow. The pressure on Syrian students is great since their performance on these standardized tests, largely determines what higher education options they will have access to, which in turn D largely controls their economic futures. Doug, mattery the director of internet and analysis at Kenk said the stakes for the exams are so high. That there's an assumption that everyone is cheating. So the exam blackouts operate in Syria both by blocking, well, actually, if you pull out BGP, you know, hardwired and mobile internet access in the hours before the exams, as paper tests are printed and physically distributed across the country. So in order to minimize leakage, they already like, like print. Like, I mean, the ink is still wet on these things when, when the students get them in order to, to keep them from escaping and they went one step further and just pulled their BGP routing from the internet.
Leo Laporte / Steve Gibson (00:25:47):
And as I said, the strategy is not only being used in Syria, Iraq previously drew criticism from digital human rights groups for ordering local internet providers to shut down during school exams in the summer of 2015, the academic related internet shutdowns have been reported in India as well. And last year, more than 25 million people faced a mobile internet shutdown in the Indian state of Rostan during a local teacher eligibility exam. So I guess even the teachers were cheating. <Laugh> amazing. Well, that's what happens when you have these high stakes exams? Yes. I mean, yes. France does this, a lot of countries do this. They're all at the same time, on the same day in the Countrywide, which is why they can shut down the whole country. But right. I mean, I guess there's a agreement among the citizenry that this is important. We're gonna do this, right.
Leo Laporte / Steve Gibson (00:26:44):
We're just all going to, you know, go ahead, go fight the bulletin. Yeah. That's pretty wild. Wow. Wow. So Lina just love that name is under active exploitation. So under the heading of, well that didn't take long, we have last week's Microsoft mess, which Kevin Beaumont named Felina, as we know, after the <laugh> the area code of Felina, Italy, which appeared in one of the exploit documents. I recall this is the Ms. Hys D T colon slash slash protocol vulnerability that was being abused through office all versions of office. And by using an RTF extension on the file, you are bypassing the, the protected viewing mode. So it's now under widespread and quite aggressive attempts of abuse. A most likely Chinese state aligned threat actor has been observed attempting to exploit this Felina, vulnerability targeting government entities in Europe and in the us, the enterprise security firm proof point.
Leo Laporte / Steve Gibson (00:28:03):
I think their Israeli based said it blocked attempts at exploiting this remote code execution flaw being tracked as you know, CVE 20 22 31 90 with a CVSs, a 7.8, no fewer than 1000 fishing messages containing a lure document, which were sent to targets. Proofpoint said this campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from the IP 45 7 6 5 3 2 5 3. The attack payload is a base 64 encoded PowerShell script, which functions as a downloader to retrieve a second PowerShell script from a remote server named seller hyphen notification.live. The second expanded script checks for the presence of virtualization, cuz you know, that's one of the ways that, that these scripts are analyzed as they're stuck in a VM in order not to get, you know, in order to create containment. So now increasingly scripts are in malware are checking to see whether they're being run under virtualization.
Leo Laporte / Steve Gibson (00:29:22):
In which case they don't do anything bad. It, so a checks for virtualization steals information from local browsers. And in, in the write up of this, there was a list of like all of the passwords that this thing attempts to exfiltrate from every browser that we know about and also mail clients and file services. It conducts local machine reconnaissance and then zips it all for exfiltration back to IP address 4, 5, 7, 7 do one 50 six.one seven nine. The fishing campaign has not been linked to a previously known group, but Proofpoint said that given the specificity of the targeting and the power shells payloads, it has wide ranging reconnaissance capabilities. Eh, they didn't think it was an amateur. They believed it to be mounted by a nation state level actor. The, the vulnerability, you know, as we know from Microsoft remains unpatched with Microsoft urging customers who I guess who ask you know, they're not being proactive to disable the protocol, to prevent the attack vector and in the absence of a security update, the great guys over at zero patch, you know, numeral zero P a T c.com have released one of their unofficial micro patches to block the ongoing attacks against windows systems.
Leo Laporte / Steve Gibson (00:30:58):
Let's see, we're the first Tuesday of the week. So next, the next Tuesday, the 14th, hopefully we're gonna see that this thing gets updated and fixed zero pouches, zero patches, founder Miya sack said it doesn't matter which version of office you have installed or if you have office installed at all, the vulnerability could also be exploited through other attack vectors. Proofpoint said that the extensive reconnaissance conducted by the second PowerShell script demonstrates an actor interested in a large variety of software on a Target's computer. So this coupled with the tight targeting of European and local us governments led them to suspect a campaign that has a state aligned source. And as we sign off from this follow up, let's all remember that as I noted last week, when this nightmare began, it was the middle of April, about a month and a half ago when this was responsibly reported by a credible security research group as being at the time mid-April under active exploitation.
Leo Laporte / Steve Gibson (00:32:17):
The, the report was made to Microsoft's security response center. The group providing the report provided a copy of the, in the wild real world, Microsoft occupa office document, which demonstrated the nature of the exploit, but because the exploit didn't immediately reproduce itself and fall at the feet of the Microsoft RC guy, he just blew it off saying it wasn't a security problem. Well, it certainly is now and a, a different windows URL schema can be abused. Leo, I'm gonna take a sip of water. Okay. Let's tell our listeners how we're here, listening to this. <Laugh> okay. <Laugh> our show today brought to you by our great sponsor JumpCloud. I gotta tell you a little bit about JumpCloud. It's an interesting company with an interesting idea. And of course it's a security company, you know, because you're listening to this show you with they figure, well, you're probably interested in cybersecurity.
Leo Laporte / Steve Gibson (00:33:25):
It's obviously a top of mind issue for any organization. In fact, many of 'em are spending the lion share their it budget to buy more complicated cybersecurity tools, to hire expensive hard to find staff, to integrate and run those tools. But it doesn't have to be that way. You can have good security without more complicated security. In fact, it might be the fact, the case that the more complicated it is, the less secure it is. Here's a solution the right solution to solve your specific needs will not overburden your overworked it and security staff, but it can keep you safe. It's called JumpCloud JumpClouds recognized by G2. As a leader in five categories is a top five security vendor. There are a thousand plus positive reviews on G2, more than 150,000 companies use G2 today. Well, maybe I better explain what JumpCloud is before I go much farther.
Leo Laporte / Steve Gibson (00:34:22):
It really is a smart choice for somebody who wants to simplify security and give yourself complete protection. Number one, and we, we talk about it all the time. You can reduce 98% of issues that lead to cyber incidents by just a few simple things, multifactor authentication, right? Applying least privilege access that old zero trust thing. We talk about keeping your systems patched and then protecting your data and using Annie malware. Those are five things. You do those right. 98% of the issues go away. You can reduce it sprawl with JumpCloud, reducing administrative overhead, reducing complexity. You can do more with the resources you have complexity just leads to user fatigue. Misconfigurations brittle systems. Simplicity is a great thing in security. If you can do it and do it right, JumpCloud includes zero trust granting secure access is, you know, can be a very complicated thing, lots of rules and so forth, not with JumpCloud JumpCloud makes it seamless for you to provision and grant access just to those things and employee needs.
Leo Laporte / Steve Gibson (00:35:36):
And it all comes from a single integrated platform. Especially these days with hybrid work people in the office, people at home it's just, it's kind of a nutty situation, but JumpCloud was designed for this JumpCloud, makes it easy for administrators to securely manage users, devices, and access, and not just in the office, but wherever they are, you've got one platform that protects you everywhere. I want you to fully evaluate JumpCloud and you can do it for free right now at cloud.jumpcloud.com/security. Now help your organization move to a streamlined, modern, secure hybrid work model with JumpCloud cloud.jumpcloud.com/security. Now, before you go out and buy a dozen new tools to solve all these problems, get the most important stuff done, right? With one tool that does it all. Jumpcloud JumpCloud, it's cloud.jumpcloud.com/security. Now we think I'm so much for their support of security now and, and the efforts Steve is making to secure us all now back to Mr.
Leo Laporte / Steve Gibson (00:36:51):
G. So last week I opened our coverage of the latest Microsoft mess by stating, you know, we have a new head buried in the sand, quite pervasive, Microsoft office zero day remote code execution, vulnerability, which is now being used in attacks. And of course I was referring to the, the, the issue we were just talking about, which is now since then exploded in the wild. And of course I, the head beared in the sand I was referring to was Microsoft's decision to ignore the early warning that they were given a month beforehand. And last week, I also observed that this Ms D T colon slash slash protocol scheme, wasn't a bug. It was a feature and that this would make its remediation all the more difficult, because it could not simply be turned off globally since there might well be some users who were dependent upon that feature. Because again, it's not a bug, unfortunately it's a feature which has now been revealed to be insecure. And it's not alone. We're back here today because sure enough, another similar feature of windows has just surfaced this time. It uses a different scheme. This one is search hyphen Ms. Colon slash slash protocol bleeping. Computer reported that a security researcher by the name of Matthew Hickey, a co-founder of hacker house found a way to combine a newly discovered Microsoft office, Ole object flaw, because yes, as we've commented, Leo Ole is still with us.
Leo Laporte / Steve Gibson (00:38:36):
You could combine this Olay object flaw with the search hyphen Ms. Colon protocol handler to open a windows search window from a word document and by search windows, we mean that an a windows Explorer search results window will open showing a list of files to run. But that list of search results that search result files can be sourced from a hacker controlled remote server, anywhere Whoopie the result can be an extremely convincing. Your software must be upgraded to proceed style attack. It's convincing because the dialogue runs from windows. I mean, it, it is a windows dialogue. And so it's not gonna be, you know, like in the browser or stuck within some borders anywhere. It is coming from windows. And although it's triggered by an untrusted word document, which the U the user can have received through any channel such as spoofing mail, it also can be zero click bad guys can use this hack by sending fishing emails claiming to be security, updates, or patches that need be that need to be installed.
Leo Laporte / Steve Gibson (00:40:00):
The object Olay flaw that Matthew Hickey found bypasses. What would normally be a confirmation dialogue, which would pop up which word would show if you were trying to use the search hyphen Ms. Colon slash slash protocol scheme. Now that gets suppressed, making these very convincing looking and, you know, Fasten your seatbelt. And you know, this might not trick and probably would not trick listeners of this podcast, but we've made our computers so complex that most users have, you know, no idea what's going on. And legitimate software does open popups telling us that we need to upgrade this or that. So often that it's become commonplace. Microsoft, as I mentioned, did incorporate a warning confirmation dialogue in an attempt to prevent the abuse of this confusion, but most, but you know, this most recent hack arranged to bypass those warnings. And it, it seems to me that, you know, I mean, again, this, this, there are a whole bunch of protocol handlers in word that can be abused.
Leo Laporte / Steve Gibson (00:41:18):
This creeping feature, it is insidious. And it appears to be unavoidable as products mature in the case of windows, this, what has now become an incredibly complex system has been created that no one fully understands. And I mean, that's seriously, you know, I mean the, the office group or the size of a company themselves, and they're producing stuff, having some interaction that of over on the window side, because they need this or that feature added. And you're, you're just gonna get mistakes in this process. Security, as we know is unforgiving and only one mistake is all that's required to, for a bad guy to get in. In this particular instance of overengineered complexity, there are many similar protocol handlers, which can be triggered by Microsoft word documents often without requiring any user interaction. And once again, Microsoft apparently just doesn't get it. Or at least they don't want to. When bleeping computer asked Microsoft how they planned to resolve this most recent foible, Microsoft replied quote, this social engineering technique requires a user to run a malicious document and interact with a list of executables from an attacker specified network share. We recommend users practice safe computing habits, and to only open files that come from trusted sources.
Leo Laporte / Steve Gibson (00:43:06):
Duh, the whole point is that the abuse of these protocol handlers allows for the creation of zero click exploits against users who merely open documents or for the creation of extremely convincing spoofs, which hide what's really going on. So when Microsoft says we recommend users practice safe computing habits, well, the users think they are, I mean, you know, they don't wanna do anything bad on purpose, but it happens anyway, grumble. Okay. what is billed as a critical UNAK U N I S SOC I'm sure. SOC is system on a chip vulnerability affecting millions of Android smartphones. Probably isn't anything to worry about if you were worried by headlines that you saw like that. I don't think there's anything to be too concerned about. Checkpoint went to the trouble of reverse engineering, the firmware of a widely used cellular modem chip set, and they uncovered a buffer overflow, which could be exploited to hang the chip, but there's no suggestion that attacker provided code could be injected.
Leo Laporte / Steve Gibson (00:44:33):
And even if it could be, it's unlikely that much damage could be done since the chip set in question here is only running on a tiny subsystem of the entire device, you know, it's the cellular modem. And while in theory, there could be some damage done in this case, it just creates a denial of service, you know, meaning that the service crashes, but the headlines were followed by breathless statements, such as a critical security flaw has been uncovered in UNAK smartphone chip set that could be potentially weaponized to disrupt a smartphone's radio communications through a malformed packet. Well, yeah, that's true. The company in question UNAK is based in Shanghai and is the world's fourth largest mobile processor manufacturer following media tech, Qualcomm, and apple. So, I mean, they're significant. They currently account for around se 11% of all system on a chip components.
Leo Laporte / Steve Gibson (00:45:43):
The problem has been patched after having received a somewhat surprisingly high CVSs of 9.4. So that seemed high to me for a denial of service on a cellular radio. But I suppose the fact that an adversary could simply send a malformed packet to crash a handset's radio seemed like a big worry. And I, you know, to whomever assigned this CVS in any event, Google will actually will be pushing an update in their June, 2022 release for Android. And I do congratulate checkpoint for their reverse engineering work, as I've noted before, it seems wrong to me that widely used proprietary products need to, to like, to be reverse engineered, to have their security verified by third party. You know, but that's the closed source world we live in today. And, you know, increasingly it's, it seems clear that having the source in the open the source for, for very important, significant components of the ecosystem should, should be a requirement really of, of somebody agreeing to license it and put it and put it in, you know, in a large number of devices.
Leo Laporte / Steve Gibson (00:47:09):
So ransomware sanctions are causing trouble for the ransomware credence. Yay. In an interesting bit of ransomware news sanctions are turning out to have quite an impact on the ransomware business. The problem is that even though the attackers are not law abiding they're as we know anything, but their victims are so enterprises, which have been hit by a ransomware a and are now being held at ransom are legally prohibited from making any ransom payments through any mechanism, even if they wanted to Mandis research paper published last Thursday was titled to Hades and back UNC 2165 shifts to lock bit to evade sanctions. And that headline requires a bit of explanation, which Mandy then provides. They explained the us treasury department's office of foreign assets control O a C sanctioned, the entity known as evil Corp back in December of 2019, citing the group's extensive development and use and control of the dry deck's malware ecosystem.
Leo Laporte / Steve Gibson (00:48:36):
Since the sanctions were announced, evil Corp affiliated actors appear to have continuously changed the ransomware they use. And I have a chart from the Mandiant report showing a block of time when they were using bit PAER. Then they shifted to Doppel PAER and then for a while they were using wasted locker. Then they used Hades for a while, then Hades phone, phone Nick's locker, and then finally Hades pay load bin. So again, continually making these changes over time. They said specifically, following an October, 2020 OFAC advisory, there was a cessation of wasted locker activity and the emergence of multiple closed, closely related ransomware variants in relatively quick succession. In other words, the names were changing, but not much else was changing these developments. They wrote suggested that the actors faced challenges in receiving ransom payments following their ransomwares public association with evil Corp Mandiant they wrote has investigated multiple lock bit ransomware intrusions attributed to UNC 2165, a financially motivated threat cluster that shares numerous overlaps with the threat group publicly reported as evil Corp, UNC 2165 has been active since at least 2019 and noticed when that occurred.
Leo Laporte / Steve Gibson (00:50:25):
So, yep. Somebody knew popped up perhaps changing their name and almost exclusively obtains access to victim networks via the fake updates infection chain tracked by Mandiant as UNC 1543 previously, they said we've observed UNC 2165 deploy Hades ransomware based on the overlaps between UNC 2165 and evil Corp. We assess with high confidence that these actors have shifted away from using exclusive ransomware variance to lock bit a well known ransomware as a service in their operations, likely to hinder attribution efforts in order to evade sanctions. So Mandy's paper then delves into all the details of the intelligence that they collected to track these activities and to draw these conclusions. But I mostly wanted to make the observation, which I thought was interesting that just as the KTI gang apparently shut down and disbanded due to the trouble they caused for themselves by siding. So clearly with Russia and then falling under the Russian sanction umbrella, thus being unable to receive ransom payments from the west.
Leo Laporte / Steve Gibson (00:51:51):
Similarly, us treasury department sanctions on many other ransomware operators prevent them to from receiving payment from us resident victims. So that, so the prior practice of building up a big public reputation, no longer serves the financial interests of these ransomware gangs. The, the next thing I want to talk about is what this is in the middle of which, or, or, or picks up on, which is the fact that the ransomware groups have now been spotted successfully compromising motherboard firmware. One of the consequences of CTI's boasting to about how they side with Russia, as we talked about a couple times, is that somebody within the CTI membership who had good access to what was going on leaked a bunch of the internal chats from the, you know, that was always meant to stay private. So the following leaked message posted exactly one year ago on June 7th, coincidentally 2021, it reads, and this is, this is good English, considering that it was probably a native Russian speaker from someone named stern, he wrote hi, things are good.
Leo Laporte / Steve Gibson (00:53:22):
I apologize for not immediately responding. I haven't communicated through a, to that's what it says. Maybe that's, I don't <laugh> know a typo or something haven't communicated through a, to, for a long time and Leo for what it's worth. I don't, I doubt that you or I have ever communicated through to, I just I I'd just say it probably means something in the hacker world. I don't know. Yeah. So stern said, I haven't seen what you wrote now. I'm finishing a full report on the mechanism of operation of the Intel, me, you know, Intel management engine controller and the AMT technology based on it recovered a bunch of undocumented commands using reverse meaning reverse engineering interface, dump, and fuzzing. Unfortunately, the starting theory based on the presentation of embed slash positive technologies, reporters was not confirmed in the form in which they presented it, but, okay.
Leo Laporte / Steve Gibson (00:54:30):
So that was probably referring to back at the time, a report of vulnerabilities in the Intel management engine. So this guy jumped on those, rubbing his hands together, thinking, oh, cool. You know, I'm gonna go pursue this. So he's saying, unfortunately, the starting theory, based on the presentation of embed slash positive technologies, reporters was not confirmed in the form in which they presented it, meaning, you know, it wasn't what they said, but he stayed with it. He said, but there is another legal mechanism to activate AMT. But so far it has not reached the working software. At the moment, I make a sniffer buffer that provides the H H ECI interface because it is all configured in U E F I, then the sniffer took a little longer after I fully restore the command set, the POC will be prepared. There are ideas. If we talk about the topic of U E F I, then this is not just a load dropper, but also perhaps some demon of the level of S M M processors system management mode processors.
Leo Laporte / Steve Gibson (00:55:46):
He said, plus since now I have tightly studied the management engine controller. The idea is to test such functionality as rewriting the SPI flash drive through it. Usually this controller is allowed to write to the flash drive, which cannot be said about the processor. And some commands were found that are responsible for this functionality. So bottom line is in this posting, which was leaked from Conti from, and, and this was made the, the original posting was from a year ago. This guy is saying I have achieved what I needed to as a consequence of this reverse engineering of the Intel management engine firmware on the motherboard of pretty much everything.
Leo Laporte / Steve Gibson (00:56:37):
So the conversations among the KTI members have shed light on the syndicates attempts to search for vulnerabilities related to the management engine firmware and bios right protection. They reverse engineered the system to locate undocumented commands and vulnerabilities in the management engine interface achieved code execution in the management engine to access and rewrite the SPI flash memory and dropped system management mode level implants, which could be leveraged to modify the OS kernel. That is the operating system running that is booted on this motherboard. The leaked chats showed that the work ultimately resulted in proof of concept code last summer that can obtain system management mode code execution by gaining control over the management engine, after obtaining initial access to the host through traditional vectors like fishing malware or supply chain compromise. Basically we, we were always talking about how you get in to a machine and then often you need to elevate your privilege.
Leo Laporte / Steve Gibson (00:57:54):
And what you're probably doing is looking to see where you are, and then moving laterally. Now this group, some members somewhere have developed the technology to go down rather than out and across that is they are now able to infiltrate the firmware of motherboards security researchers who have been privy to these chat logs have observed that quote, the shift to management engine firmware gives attackers a far larger pool of potential victims to attack and a new avenue to reaching the most privileged code and execution modes available on modern systems. And of course, as we know, and as I mentioned in my notes that I deleted or somehow didn't make it in, into the show notes it's, it's enough trouble getting people to update, to update their operating systems and their application software. The bad guys know that there is a, a serious update log or lag rather in, in getting that to happen.
Leo Laporte / Steve Gibson (00:59:12):
So imagine how many more systems firmware is never touched. And to that add the fact that I'm sure many of us here listen to this podcast, cuz we tend to have propellers spinning on our heads, have done for more updates I've encountered. And I'm sure everybody has encountered warnings saying basically leave the leave the firmware that you have alone, unless something that like there's some hardware problem that you are that you're coming here to update your firmware for. That is if it's not broke, don't fix it. And so the, the, this, this notion in firmware land is still sort of pre viral. It's the only reason to update firmware would be to, to, to fix some hardware level compatibility problem. Not because there might be something evil crawling around in there that you want to update. So as a consequence, I mean, I'm sure the majority of systems that are out and running are using firmware that has never been updated since the system was first installed.
Leo Laporte / Steve Gibson (01:00:34):
Despite the fact that this podcast has covered multiple firmware problems. And it was one of those apparently a year ago that got a member of the Conti group, or at least somebody posting in the KTI secure chat channel that, Hey, you know, I figured this out, we, now, if we can run code in the user's OS, we can now infiltrate their U AFI bios and, and get persistence and, and complete invisibility from, from, from traditional anti malware Yao. It, it really is if you have, I mean does don't most PCs now have in the firmware, a signing certificate for the firmware? I know they do for the boot, right? The secure boot, right, right. Is the firmware not is checked. There's there's no way for it to check itself. No, of course be because you know, it, duh, you, you, it, the, the, the root is the ultimate authority.
Leo Laporte / Steve Gibson (01:01:42):
Right. And so there there's no one there's no third party, no higher authority. Yeah, go ahead. Yeah. boy, that seems like something you might want to put in bios or something somewhere. Well, what you really want is to like rigorously, right. Protect this. And, you know, in the old days you had motherboards with jumpers and some server motherboards will still have a, a physical right. Protect jumper. Right. That, that will just, you know, disable the ability for the firmware to be modified. Well, that protects, that protects bios, but it doesn't protect U E F I cuz that's on the hard drive, right? Well, no, what I, and you write to that all the time, I think. Yes. Yeah. The, yeah, well, the, the UFI is the, is on the motherboard. There, there is some, some information stored on the hard drive, but of course you're able to put new hard drives in and the UFI survives.
Leo Laporte / Steve Gibson (01:02:36):
So the UFI is actually that's good in, well is in is in N VRA. All I know is from installing Linux and stuff. If you put a new hard drive in it, wouldn't boot, cuz you don't have an operating system on it. Right. if you install a U AFI an aware operating system, it is gonna write some stuff on the ah right drive. But so that's so that's like the boot sector yeah. On the partition. But, but it's the, but U E F I is, is, is that stuff that you get to by hitting F two it's it's confusing. Cause it's, there's some of it's in firmware, but some of it's in software, isn't it? So, well, it it's, the what's in software is what the U E F I bios boots to and executes. But if you deleted your U a I partition on a hard drive, you wouldn't boot.
Leo Laporte / Steve Gibson (01:03:21):
Right. Right. Right. So there is, there is firmware UFI, but there's also software UFI and right. Are they talking about something that modifies firmware? Yes. Yes. That that's where the Intel management engine and system management mode and all of that is, oh dear. Yeah. It's so they're talking about going down and physically modifying the firmware on the motherboard. So it doesn't matter if you reformat your drive or if you install a new operating system or you do anything. Wow. Wow. Yeah. And I, I, I imagine before, long since the, the, since the U the U E F I firmware it, it has known bugs. We've talked about them on the podcast. It's got known bugs in the motherboard firmware, and tho that is not being updated. And as I said, it's hard enough to get operating systems updated and applications. I get bio updates all the time though.
Leo Laporte / Steve Gibson (01:04:18):
Right. I mean, don't, I, I mean, well, and that's the problem is that the fact that you get bios updates means that the bios is not protected against being modified. Right. It can be modified by software. That's right. Yeah. That's right. Yep. Yep. And once the, once something bad gets in there, it, because the bios is updating itself, it can disable the, the self update so that it will, no, the bios will no longer accept an update after it becomes malicious. Mm. Wow. I mean, it's, it's, it's really bad. Wow. And, you know, and, and this is the situation we've created for ourselves. Yep.
Leo Laporte / Steve Gibson (01:05:03):
I had a fun piece of era to share from at an Olo. I think that's how I pronounce his name. He said at SG GRC security now era Erata Grover, the Muppet was blue. <Laugh> okay. Not green don't mess with that. He said is not green. You're probably thinking of Oscar, the grouch. And he said, just trying to save you from the Muppet mafia who will not tolerate inaccuracies <laugh> and I should, I, I hope, hope I don't disappoint you if, if I have no idea what color any of them are. I know that the cookie monster was blue, cuz I had a cookie monster with big goo eyes. That was the, it was the early GRC mascot. But how funny as for Grover and no idea grouch, no idea. Or Oscar, Oscar, the grouch. Yeah. Yeah. Lives in a garbage can.
Leo Laporte / Steve Gibson (01:06:00):
Yeah. Oh and several service NSW, digital drivers license owners that is, we've got listeners, not surprisingly who have these DDLs right. And they assured me, they have not tampered with them, so that's good. Good boys. Yes. They, they did. They did note that a simple screen capture would fool no one because the screen incorporates a number of animated effects, which, you know, that's where all the time got spent. Right, right. Doing animation instead of the crypto, there's a flower that animates in the upper left hand corner and the phone's inertial positioning is used to animate a large multicolored flower in the background wallpaper <laugh> so, so you look at it and then you turn it back and forth and you know, oh, you can't fake that. Whoa. Oh no. Leo that's high tech. Yeah. Yeah. So if only its developers has given as much thought to the security of the device as they gave to its, you know, flash it's better than plastic that's right.
Leo Laporte / Steve Gibson (01:07:10):
And Larry Wilson tweeted and as closing the loop, he said, I think you've undersold the benefit of triple E encrypting and going from 2 56 bits to 7 68 bits because those are log rhythms and adding represents multiplying the growth in security is immense compare the difference between 64 bit keys and 1 28 bit keys. And okay. So Larry was referring to Bryant McDermid, Mick D's question. I replied to last week about whether triple E encrypting with 2 56 bit keys. Each time would be equivalent to taking the sum or the product of those bits. Now I answered correctly, but in rereading Brian's question, I could see what Larry meant. Brian asked, Hey Steve, quick question. If I encrypt a file with a 2 56 bid encryption three times with three different passwords, what is the resulting bit strength? Is it 2 56 plus 2 56 plus 2 56 or 2 56 times 2 56 times 2 56.
Leo Laporte / Steve Gibson (01:08:27):
I answered Brian's question correctly in that the resulting bit strength is the sum of the individual separate encryption key lengths. But as we know each single additional bit of key strength that we add doubles, the number of PO of all possible keys. Since you have all of the original number of keys, when that new bid is off and all of the original number of keys again, when that new bid is on. So obviously each bit you add doubles the total number. So encrypting three times with 2 56 bits, each time would resulted two to the 768 possible keys, which is a ridiculously large number, which I for the heck of it put in the show notes, just because it's kind of glorious. I mean, I don't, I didn't even count the groupings by three or the digits. It is a huge number. There is an EAX command that will turn that into you know, whatever it is, 180 gazillion.
Leo Laporte / Steve Gibson (01:09:41):
I will do that for you. Oh. And like, it'll speak it for you. It doesn't speak it. It actually spells it out in English. Oh my Lord. And has man ever run out of names for those groups of three, you know? Oh God. Yeah. Right. I mean, isn't that? Why Google? There's a Google cuz that's a one with a hundred zeros. Yeah. This has more than that. Yeah. So I mean, at some point we, someone must have given up naming these decade, these well it's based on a kind of Latin base. So you could probably deduce it. Oh, <laugh> great. <Laugh> please. Nobody tweet me the answer. Actually it wouldn't fit in a tweet. So we're safe and Leo let's take our last break and we're gonna talk about pass keys. I am going to use the calculator soup. Uhoh word to number converter.
Leo Laporte / Steve Gibson (01:10:35):
Good. Since I don't have EAX on this machine convert this number. Let's see if it, if it can do it, it broke it. <Laugh> yeah. Oh, and I mean it is big. It's it never came up with an answer. That's ridiculous. 1, 5, 5, 2, 5 1 8 0 9 2. No, no, no, no, no, no need to. No need that's funny. This is, this is too big. All right. Oh, it has to be less than 200 characters. So yeah, it's too big. <Laugh> I bet EAX will do it. It's a big numb, but we'll we'll handle it. I will I will check into it. Our show today brought to you by BitWarden. Nobody should have to remember all your passwords and even more importantly, nobody should reuse passwords bit. Warden's the only open source. Yes. Cross platform windows. Maclin iOS, Android, everywhere. That can be used both at home and at work.
Leo Laporte / Steve Gibson (01:11:42):
Yes. They have a business version on the go, works on all phones and is trusted by millions. That should be enough. We could just stop the ad right now. Well, I'll give you a little more with BitWarden. You can securely store credentials across personal and business worlds, actually, which is really cool. If you could do the business plan, every person in the office has a personal vault. In fact, that's how you start. You set your personal vault up because BitWarden's open source. It's always free to have a personal vault free forever. They're not gonna come to you and say, oh, nevermind, you don't get a free win anymore. So you set up that personal vault and then you join the business organization. Now you've got a vault for all your passwords and a separate vault, a separate vault for the business passwords. That's great.
Leo Laporte / Steve Gibson (01:12:25):
And you know what bit word's just does something great. We mentioned this before, but I wanna mention it again. They call it username generator. They're integrating with three popular email forwarding services that also happen to be open source, simple login, a non-ad and Firefox relay. Now let me show you what happens here. I am going to open my BitWarden. I'll zoom in a little bit. I'll open the generator zoom in. Now of course I can generate a password and you know, we love all of these. I always like to put little little punctuation in there. Let's make it really long, 128 characters. Now that's a password, right? Completely random. Generate another one, another one, another one, another one put on your clipboard. No problem. But look at this. This is new user name so I can have a plus addressed email.
Leo Laporte / Steve Gibson (01:13:18):
So I can say who I want to do this with. I can make it Gmail or whoever else I want to be. I can use a catchall email with my domains configured catchall inbox. So I can specify that or I can have a random word thrower 63 40. And then as you, as you correctly, point out, this could be this could go to Firefox relay. This could go to ND or Addy and simple login. So it's gonna create a username and a email address. That's unique. That's unique for this website. Why would you wanna do that? Well, a lot of reasons, first of all, now you have a second thing. You know, you have a, you're not using your well known email address. You're using a unique email address. In addition to your password. If hackers are doing credential stuffing, that stops 'em cold, cuz they're going around looking for other logins with the same address they already know.
Leo Laporte / Steve Gibson (01:14:16):
Well, you never use that address again. It's also great because if somebody sells your email, you know, if you sign up for something and they sell your email to a marketer, you know, immediately who did it, this is such a great idea. And it's part of BitWarden and it's free forever for life. Adding another layer of security and privacy to your account. You can have an API key for your individual account with a chosen service. So you can have any service you want. You can select the desired options and once generated a new alias instantly registered to your account. So you use the API key. You go to say, let's say Firefox relay. That's your new email address using unique usernames, email addresses and passwords for every account. I mean, it's awesome. Obviously I've gotta use two factor BitWarden supports that strongly encourage that.
Leo Laporte / Steve Gibson (01:15:10):
In fact, I use my UBI key with BitWarden. So even if somebody were to somehow magically guess my super long master password on BitWarden, I still don't have to worry because right here I have my UBI key and nobody can turn on BitWarden on any machine unless they've got this baby. So that's a very handy feature. Another reason you'll love BitWarden, not required. You can use an authenticator. You don't even, I think you probably cannot use two factor, but why would you do that? Why would you do that? I just think, look, this is the thing about BitWarden because it's open source. They're thinking about every possible angle. As long as we need passwords, we need BitWarden bit. Warden's a must need for your business too fully customizable adapts to your business needs. They have a great feature called BitWarden, send it's a fully encrypted method, sent sensitive information, text or files.
Leo Laporte / Steve Gibson (01:16:01):
The other end does not need a BitWarden account. You can generate obviously unique secure passwords for every site. Bit warden is GDPR CCPA, the California privacy act HIPAA SOC two compliant because it's an incident end-to-end encrypted fault by the way, helps mitigate phishing attacks because you're fill in. You know, I have that little plugin on my Firefox. You got it on Chrome as well. I think every browser I have that little fillin it's not gonna fill in on a Phish site. It's only gonna fill in, in the real site teams, organization plan $3 a month per user. It lets you share private data securely with coworkers across departments, the entire company, the BitWarden enterprise organization plan, just $5 a month per user individuals basic free accounts, yours forever unlimited number of passwords. You can upgrade any time to a premium account for less than a buck a month.
Leo Laporte / Steve Gibson (01:16:52):
Family organization plan $3 33 cents a month for up to six family members. All the premium features look until some magic day in the future. When you don't need passwords, you need BitWarden. The only open source cross platform password manager that could be used at home on the go at work's trusted by millions of individuals, teams, and organizations worldwide free trial. If you wanna do the teams or enterprise plan or get started for free, as I said, always free forever across all devices as an individual user go to, but please do me a favor, go to BitWarden.com/twi. So they know you saw it on security now, cuz we wanna keep these guys advertising with us because we believe in it. It's so important. I want everybody to know about it. Bit warden.com/twi. I, you can use a plus address if you want, if you wanna use Gmail or whatever, just so clever.
Leo Laporte / Steve Gibson (01:17:47):
Such a good idea. All right. Now Steve has been thinking about past keys <laugh> so, so is this gonna eliminate passwords forever? I originally had these thoughts filed under miscellaneous cuz I didn't wanna make a big deal about it, but the more I thought about them, the more they grew. And as I said, no other news of the week rose to any greater significance. So I decided that to sort of more formally take a second look at PAs keys in the wake of yesterday's apple WWDC presentation. So a bit of an at SG GRC tweet storm arose from our listeners F yesterday, following the keynote. Yes. Apple against it. Yeah. Yeah, because where apple made a 0.0, highlighting their forthcoming adoption of the re of the essentially the revised and much more practical 5 0 2 public key authentication system under the unofficial designation, which has taken hold of past keys.
Leo Laporte / Steve Gibson (01:18:56):
And as we know, that was our, the title of our podcast on May 10th, four weeks ago. And so I, I wanted to thank and acknowledge all of those who took the time to tweet what I think set most people off was that this was the first time outside of squirrel that we've seen the very squirrel like use of a QR code to allow logging onto someone else's machine using an identity stored in the user smartphone. We haven't seen that from Google yet. But if apple does it, then, you know, Android will have to follow. So I imagine it's just a matter of time. One thing I did not highlight when I first talked about this four weeks ago was the uncomfortable unanswered questions surrounding manufacturer lock in apple seems quite uninterested in allowing me to send and receive iMessages from my windows, desktop, you know, being an avid iPhone and iPad user, this imposes a constant and very real inconvenience for me.
Leo Laporte / Steve Gibson (01:20:07):
If I was, if I was using a Mac, no problem from a Mac, I have access to my iMessages, but not from windows. And I've sort of come up with a work around using iCloud for windows in order to send things over into the apple world and then, you know, stick them in a, in a posting or, or, or an iMessage. But you know, it's more work than it should be. So I worry that Apple's use of this past keys. Technology will be similarly and characteristically and apple only solution synchronizing only among Apple's authentication devices and not to windows and Android. And, and that's a huge practical problem for past keys adoption, which squirrel never had. So I wanna make sure that everyone understands what the difference is, cuz there is a takeaway from this and, and why we're almost certainly heading for trouble, which, you know, among all the celebration.
Leo Laporte / Steve Gibson (01:21:17):
No one seems to have talked about this yet. Okay. So why is that important? Both systems Fido and squirrel share the common property that the authenticating client, a smartphone, a fob or a PC creates a public key pair for a website, the process of registering the user's identity to that website just involves providing the remote website with only the public key of the pair. And that's the essence of both approaches that's Fido and squirrel subsequently verifying any user's identity amounts to verifying that the user is holding the matching private key. So to perform that verification, the website sends a, a random, unique non it's, a challenge to the user's authenticator, which signs it using its private key, which it never lets go of. The signed blob is returned to the site, which verifies the signature using the public key that it originally received from the client during its registration.
Leo Laporte / Steve Gibson (01:22:42):
This is not, so's it very different from public key crypto in general, how you would verify assigned email for instance, when I say you an email, that's all. Yes. That's all it is. Yeah. I mean that, that, that that's exactly what it is. The, the pu everybody has your public key and you sign your email using your private key and they're able to verify the signature on the email, which, which proves that it came from you or at least you, someone holding the private key and because apple has widespread biometric identification they have a really good way of verifying your you. I don't know if you caught this. I thought this was very squirrel. Like they said, well, what if you go to a what if you log into a site of the library, a computer you don't own, and did you catch this?
Leo Laporte / Steve Gibson (01:23:32):
They showed a QR code. Well, that, that is squirrel. Like yeah. In fact that that's what squirrel allows. And it was part of my original demos of squirrel. And that's why so many people sent tweets is they said, Hey, Apple's using QR codes, right. With pass keys. And it's like, well good. Because that's a use case, which is important. I mean, I, I'm not don't don't get me wrong. I'm not imagining that squirrel is gonna get adopted we're we've or not, at least not yet. We've clearly we're going 5 0 2, but there is, there are a couple differences which are significant. Okay. So we, we have the private key websites have the public key. They send us something that is, they've never sent before, which we sign, they verify the signature, thus they know we have the private key exactly. As you said, Leo, like email where the two systems Fido and squirrel that is to say pass keys and squirrel crucially.
Leo Laporte / Steve Gibson (01:24:32):
And importantly differ is how those original key pairs are created. The 5 0 2 pass key system creates key pairs randomly, whereas squirrel calculates them deterministically. Okay. So remember that squirrel's primary design feature. The core concept behind squirrel from the start was the idea of using a single grand master key and hashing each website's log on domain to automatically create per domain public key pairs that simple innovation eliminates all need for dynamic synchronization of randomly generated, pass keys among devices because each separated device will, will derive the same per site, private key from one grand master key that they share. So you load that one master key into each of your various authentication authenticating devices under squirrel. And that master key generates all of the per domain subsidiary key pairs forever. Okay. But squirrel is not the system we're gonna get. And that almost might be deliberate since the system.
Leo Laporte / Steve Gibson (01:26:07):
It appears we're going to get really will create lock in. I I've read the glowing celebratory announcements about how apple, Google and Microsoft are gonna be implementing pass keys, but the tech press really needs to start asking. What about cross platform, Passkey sharing and interoperability, you know, awkward though, a username and password are the one thing they have going for them is that they are platform agnostic. Okay. In the near future, when you use an iPhone, an iPad or a Mac to register your identity as a pass key on a website that iPhone iPad or Mac creates a random public key pair, and the private key is held close and never released, which of course is important because releasing it would defeat the system security, apple will back it up securely to iCloud. And I'm sure they will freely synchronize all of a user's pass keys among the devices, apple controls, and that are the users, but is apple going to dynamically synchronize those private keys among Android and windows authentication devices?
Leo Laporte / Steve Gibson (01:27:36):
When pigs fly, if they keep their keys to themselves. And if Google and Microsoft each keep the private keys that they create to themselves, then we have a fragmentation disaster on our hands. You register a pass key on a windows device, but none of your apple devices will know that secret private key. So you can only log on with the device family, which originally registered at that website. Well, that's a mess in today's highly heterogeneous computing environment. The single most compelling benefit of password managers is that they are cross platform. Would anyone be comfortable using a password manager that was not now, I suppose if you are 100% all in on apple, which of course is what they want, then an apple only solution would be okay, but it's not clear how you could ever change your mind. You know, I'm all in on iPhone and iPad, but the things I need to do can only be accomplished with windows. And I dare say dos <laugh>. So as nice as Apple's pass key system may be. And as much as I'm a devoted iPhone and iPad user, I can't use Apple's past key system until I'm sure there will be a means for also using its past key registrations that, which I created on my iPhone or an iPad under windows, because would, would it be sufficient? We should be able to, yeah. Would it be sufficient to say here's your pub? Here's your private key?
Leo Laporte / Steve Gibson (01:29:30):
In other words, if I could take my private key, it's on my iPhone, obviously. And, and, and just send it to my Android phone and register it with past keys on my Android phone. Isn't that all I need is that private key? Yes. And for example, squirrel does that because that's the solution you have to be portable would be a part thing for apple to make it visible somehow. Right. All they have to do is put it up on a, on a QR code. What they're gonna say say is, oh no, because people don't understand the difference between public and private keys. Exactly. In fact, we know that cuz that's how NFTs keep getting stolen. Exactly. And so they're gonna give out their pop, private key and inadvertently, and then of course, all the jig is up. Apple is gonna hold this close.
Leo Laporte / Steve Gibson (01:30:18):
They're gonna synchronize their devices and they are never gonna allow those keys to get extra. Do you have one, but one private key, you wouldn't have you'd have a private key per person right? Per site. No, that's what, that's the difference. So it is a large amount of data then. Yes you don't. Oh, why don't they just, is that what squirrel does? I have my key that ultimately we squirrel. That was one key. Yeah. That's what we should do. I know in the long run, it could be tattooed on your inner thigh or something, but everybody should have that one private key. That's what I do with TTP. No, wouldn't want a tattoo. <Laugh> that was that. That is the squirrel gift one key, one key. And it allowed you to have anonymous log, secure hackable anonymous log on everywhere. That's because I'm me only.
Leo Laporte / Steve Gibson (01:31:10):
I have access to that. So that's right. That's not what Fido did. Fido generates them at random. Oh, that's a mistake. And SEP, I know it's bad. That's a mistake mean because now you have a PR, this is, this is just another password system. That's all it is. Because now you have a password, which is, it is different because the, the thing that's different is that is the, the dynamic authentication that, that the website sends you a challenge, which you sign and return. So what that means is all they have is your public key. Right? It doesn't matter if it escapes from them. The only that's the only thing we've achieved with Fido is that websites cannot remember how many times I said, squirrel gives websites, no secrets to keep. Right. Right. That's that's this eliminates breach problems, but this still is a terrible, it is problem.
Leo Laporte / Steve Gibson (01:32:04):
Why would they solve it that way? I, it seems so obvious that everybody should have, and then you solve it by if I have multiple accounts, for instance, with, for, for tax preparation software. I have multiple accounts. Cause I do my mother's thing. Right. My mother's taxes. So I could generate a private key for her that I would keep and a private key for me that I would keep. And I would've then multiple logins to a single site. Yep. But I still you're describing squirrel. Yes. You're describing a SQUI. One, one key per person. I don't understand why that's not obvious that's the right solution. And that's not what we got. I didn't realize that fi I should have listened more carefully when you're describing this. I didn't realize PAs key's generated a unique, private key for every site and app. That's, that's the thing about it.
Leo Laporte / Steve Gibson (01:32:52):
They, they have to, otherwise they'd be giving every site the same public key. Right. And that can't happen, you know, be because then, then you would have no you'd have no security. Yeah. So how do you solve that with Fido? You, you, well, the only way to do it is cloud sync. You need cloud synchronization. And so so my takeaway from this whole thing is U until apple, Google and Microsoft figure out like, like interoperability, interoperability. Yeah. Do not do this. Wait for a password manager, right. To support this. Right. Because what we need is the same cross platform capability that we have now with passwords, we need portability with need port. We need portability. Yes. And by the way, don't blame apple. This is the fi oh two spec. Right? Right. I'm not, I'm not blaming apple. No, no, no. Some people in chat Remar, this is not apple saying, oh, the one thing you could blame apple is if they decided not to make it portable.
Leo Laporte / Steve Gibson (01:34:03):
Cause they could make it portable. Right. We could also blame apple for not adopting squirrel. Well obviously they should have done that. <Laugh> wow. Wow. So I wonder though, if you're gonna use the PAKEs name, which presumably phyto, trademarked. No, it's not official. It's not, it's not official. Oh, it's just, no, it there's nothing called Passkey in Fido. Okay. They, the, the, the, the marketing people said, oh, instead of password, it's Passkey, but there's no there's no, requirement's not proprietary ownership of there's nothing. You could say that, oh, if you want, see, they could have trademarked it and then said, well, if you want to use the word PA's trademark, you've gotta have portability. They didn't do it fi well, remember phyto began with a dongle, right? Yeah. Yeah. That mean it, it was never meant to be like mass the way it has become.
Leo Laporte / Steve Gibson (01:34:59):
Right. And, and it's because they backed away from that and said, okay, well, we're not happy about it, but we'll let you use your phone. We don't think it's as good as a, as a token. But we, we tried to do tokens and no one bought them. Nobody's gonna buy tokens. We all have phones with strong. I mean, here's the good news. We all have phones with strong biometrics. Yeah. Yes. And secure enclaves. So they're, they're pretty good. In fact, I would argue if you have a, just have a UBI key without biometrics, they make 'em with biometrics. But if you have one without biometrics, you know, this, this isn't tied to me. If I lost it. No, no. Anybody could use it if, if the valet got ahold of it, right. By mistake when, when he was parking your car. Exactly. Yep. Whereas my phone, you know, you could get it, but you'd have to unlock it and you can't. Yep. And so the beauty is this leverages all of the work that apple is done on security and biometrics and, and privacy. Unfortunately they adopted Fido. Right. Which is a, is a separate key pair per site. And so you have to synchronize it, you gotta use the cloud and you don't end up with one key per person, which is what squirrel is. Yeah. How does squirrel solve this issue of unique public keys?
Leo Laporte / Steve Gibson (01:36:17):
So I actually have in the, in the notes I said oh, I said the entire squirrel idea hit me after I had visited one of Dan Bernstein's cryptography site pages. And I have the link CR dot Y P dot T slash C D H dot HTML. You know, that's elliptic curve dippy Diffy Hellman. So on that page, Dan mentioned that to create, if you scroll down a little bit that you'll, you'll see some C code four line or three lines of C code, right? Oh, up right, right there, those three lines. So, so he explains, he mentioned it to create a private key using his curve 2, 5, 5, 9. You took any random 2 56 bits of entropy turned two specific bits off and one bit on, and you had a valid, private key. And from that you could derive its matching public key.
Leo Laporte / Steve Gibson (01:37:27):
What I realized that morning at IHOP, when I was working on spin, right. Six one, it just hit me like a flash of lightning. I realized that rather than starting with a completely random 2 56 bits of entropy, we could instead start with a 2 56 bit hash of a domain name. Oh, smart. And turned that into a private key. Smart. And that was it. Yeah. That's brilliant. So each domain has a unique, private key. It automatically gets calculated. Now I saved that on my end. Yes. Yes. So we could do the handshake. Yes. It, well, so, so, so we, we hash the domain name there's but it's a keyed hash, right? Re remember the H Mac. It, it is, is a cryptographic. It, it, so it's a keyed hash. So the, that key is your one thing, your, your identity as Leo is the key for the hash.
Leo Laporte / Steve Gibson (01:38:35):
That means that when you hash amazon.com and I hash amazon.com with our different keys, we get different private keys. So your identity is ha is it keys the hash of the domain name to create a private key, which, and you don't have to store it because it creates it every time you, you need it. You say, what domain do you wanna log on to and says, oh, in that case, this is your private key. Very simple and fast. Yeah. It's so, yes. I mean, it's just the right answer, right. So I guess, you know, if I, if I was guilty of anything, it was of not evangelizing this thing and spending a lot of time pounding on people and, you know, being, being like St. Evans Fard it wasn't, it would've been a pretty uphill bad. That was my, that was my worry. Fido already was rolling and had steam.
Leo Laporte / Steve Gibson (01:39:31):
And I was ti I mean, I, you know, I spent seven years on this and, and I, you know, I dropped spin right. Six one, and I'm so happy. I'm back to spin right. Six one now. Yeah. But anyway, this is the problem with fi oh two and with pass keys. And so my advice would be wait until an a third party, independent solution exists. If you li if you start creating pass keys with apple, unless, I mean, maybe they're gonna show the pass key on a QR code. I don't think so. There's just no way see they like this lock in. Yeah, of course. Yeah. They don't want to change a thing. Nope. So, so, you know, and so it means that when you create an, when you, when you register with an account on your iPad, apple will synchronize it in the same way.
Leo Laporte / Steve Gibson (01:40:26):
They do our messages right now. And it'll, and then your phone will know the pass key that the iPad generated on the fly and add it to your collection of pass keys. Wow. But you end up with hundreds of them. <Laugh> okay. Steve you're right. The world is wrong, damnit, but <laugh>, this is the, this is the world. People like you have to live in. I'm sorry to say, oh, I love this world. <Laugh> I'm just gonna quickly see if I can convert that long number. Oh my goodness. Oh my goodness. Number to, I'm gonna install an EAX package here. Oh, can't find it. Oh, well next time. Next time. Next time. Perfect. I bet EAX would do it happily. Wow. I, I wanna hear that. I wanna see this li has a integer that's called big numb. That is not tied to the register size.
Leo Laporte / Steve Gibson (01:41:32):
They could just go and go and go. Wow, go. That's one thing list does very well. Mr. Gibson, you are the man and they should have just damn well listened to you about squirrel. Gosh, darn. But you know, that's the world we live in. Yep. If you wish to hear this show at a 16 kilobit version sounding like a squirrel sounds like Thomas Edison on a cylinder or you wish to read along. Those are quite nice. Elaine Ferris writes those out as we speak, or the 64 kilobit audio. Steve's got all of that at his website, grc.com. Now, while you're at grc.com, first of all, set aside a few hours, cuz it's a rabbit hole you're gonna want to go down. There's all sorts of good stuff, free stuff. Things like shields up. But there's also his bread and butter, which is called spin, right?
Leo Laporte / Steve Gibson (01:42:29):
The world's best mass storage, maintenance and recovery utility. If you have a SSD or a hard drive, you need spin, right. 6.0 is a current version. Imminently. Steve will use 6.1. If you buy 6.0 now of course you'll get a free upgrade to 6.1. You'll also be able to participate in the ongoing development, which, you know, I, I say that it's pretty much done, I think, right. I mean just a few little eyes to all the hard, all the hard stuff is behind us. Yeah. And now it's matter of sort of re gluing the front end to the new back end. And that's what I'm in the process of doing <laugh> do not use wallpaper paste. That's all I'm saying. You should go to grc.com, get spin, right. Support Steve. And by the way, get a great tool that it will be very useful to you.
Leo Laporte / Steve Gibson (01:43:18):
Down the road, we have a show at our website shows 64 kilobit audio and video actually@twi.tv slash SN there's also YouTube channel. So if you wanna share it, for instance, if you heard something, then you said, you know, somebody's gotta hear this. You can go to that YouTube channel and just get that little snippet. There's also of course it's a podcast. So you can just go to any podcast player and subscribe, search for security. Now you should be able to find it. And that way you'll get it automatically. Every Tuesday. The minute we're done here, we record the show. 11 sorry. One 30 Pacific that's four 30 Eastern, 20, 30 UTC on you can watch us do it. Live.Twi.Tv, there's audio and video streams there. People will watch live often like to chat live. We have a wonderful chat room where they're they're all, you know, talking about what you're talking about.
Leo Laporte / Steve Gibson (01:44:11):
That's IRC dot TWiT do TV. We also have a fabulous discord chat that is unique to members of the club club. Twit has some real benefits among, among which are ad free versions of all of our shows access. Well, I'm on the wrong one. That's the tech guy let's go to security now, access to the discord. You see, every show has a discord channel, but not just that every geek topic under the sun has a discord channel. This is for club members, but it's a, it's an inclusive club, lots of fun people in here. We have our own Minecraft server. We have shows that are unique to the to the club, like our untitled Linux show and Stacy's book club. That's coming up by the way, on the 16th termination shot by Neil Stevens and great book long book though, if you wanna join us I think I will be joining amp because I'm loving this book and I want to talk about it.
Leo Laporte / Steve Gibson (01:45:09):
Tuesday, June 16th at 9:00 AM. Of course you can listen after the fact on our TWiT plus feed where things like this go, there's a, member's only fireside chat coming up, July 7th on the 16th of next month, Alex Lindsay and asking me anything Steve's did one some time ago. We still want you to do a vitamin D special or something like that. You've got a lot of health things you could talk about. It'd be kind of fun. I do. I know your business. There's no time. Just no time. I know. And just, just to follow up, the one reason we, you can't use one key for all your sites. Yeah. Is then you lose anonymity. Oh yes. It would be good point. It would be track trackable. Totally. You'd have no anonymity from one website to the next. Yes. That's why they create them randomly. Yep.
Leo Laporte / Steve Gibson (01:45:54):
That makes perfect sense. And that's but you, but you solved it. You do have though the burden of keeping a vault with all of those numbers in it, but, and that's why you have cloud, but those things can be leaked without harm, right. Because no one else has the private key, correct? Yeah. TWiT members, club, TWiT members, or non-members, if you wanna join seven bucks a month, TWiT TV slash club, TWiT there's corporate memberships available too. It's also yearly memberships. We kind of discourage that. But it, but some people say, I don't want a monthly bill. I just wanna pay once. Okay. Fine. Twit.Tv/Club TWiT. Well, that's it. Are you watching any good TV? You know, we are currently watching the good doctor. Yeah. That goes a long time. Cause <laugh> cuz there was the original one and then they made the good doctor.
Leo Laporte / Steve Gibson (01:46:49):
So you got many, many episodes. Yeah. Yeah. And, and it's by the creator of house. And of course that was a house was a good, was a classic series. So yeah, we're watching that and we got a backlog of things. Everyone is saying at the, that the Lincoln lawyer on Netflix is really good. I loved the movie I did too. Yeah. And so I'll have to look, apparently they, okay. Apparently this series is, is worth doing excellent. Excellent. I always asked Steve for recommendations for, for books and movies and TV shows. He's got good taste. Thanks Steve. We'll see you next time on okay buddy. Now. Bye.
Rod Pyle (01:47:22):
Hey, I'm Rod Pyle, editor of ad Astra magazine. And each week I'm joined by Tarik Malik the editor-in-chief over@space.com in our new this week in space podcast, every Friday Tark and I take a deep dive into the stories that define the new space age what's NASA up to when will Americans, once again set foot on the moon. And how about those samples from the perseverance Rover? When do those coming home? What the heck has Elon must have done now, in addition to all the latest and greatest and space exploration will take an occasional look at bits of space flight history that you probably never heard of and all with an eye towards having a good time along the way. Check us out on your favorite podcaster.