Transcripts

Security Now Episode 890 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

... (00:00:00):
It's time for security. Now. Steve Gibson is here. We've got a lot planned for you. We'll talk about yet another country joining. The growing list of countries prohibiting Google Analytics. What's Google gonna do about it? There are some proposals. We'll also talk about Google's V3 Manifest for Chrome It block the blockers. What are you gonna do about that? And an inside look at Lock Pit. The number one ransom program. They just got hacked. Aw, it's all coming up. Next on Security Now. Podcasts you love

Speaker 2 (00:00:35):
From people you trust. This is twit.

Leo Laporte (00:00:44):
This is Security now with Steve Gibson. Episode 890. Recorded Tuesday, September 27th, 2022 Dark Net Politics. This episode of Security Now is brought to you by Grammarly. Get more time in your day with confidence in your work with Grammarly. Go to grammarly.com/securitynow to sign up for a free account. And when you're ready to upgrade to Grammarly Premium, you'll get 20% off just for being a listener and by Secure Works. Are you ready for the inevitable cyber threats? Secure Works detects evolving adversaries and defends against them with a combination of security analytics and threat intelligence direct from their own counter threat unit. Visit secureworks.com/twit to get a free trial of contagious extended detection and response, also known as xdr. And by drata. Security professionals are undergoing the tedious and arduous task of manually collecting evidence with Drata. Say goodbye to the days of manual evidence collection and hello to automation.

Leo Laporte / Steve Gibson (00:01:54):
All done at drata speed. Visit dratacom/twit to get a demo and 10% off implementation. It's time for security now to show where you get really down and dirty with the technology and well, not that way dirty, You know what I mean? You get really into it. But this guy right here, Steve Gibson, he is the technology wizard we all look to when it comes to understanding better what's going on in the digital world. Hi Steve. Hello Leo. Great to be with you for our last episode of September where, what happened So quick, it's just, so now we're starting into the fourth quarter of 2022 for episode eight 90. So a lot of stuff to talk about. It was a busy week in the security world. We're gonna examine Europe polls, which is the sort of the policing force, the enforcement side of the EU government, their desire to retain data on non-criminal EU citizens, which is not technically legal.

Leo Laporte / Steve Gibson (00:03:06):
And we look at the fourth EU nation, speaking of not legal, to declare that the use of Google Analytics is an illegal breach of the gdpr. we're gonna look at the question of whether teapot has been caught. Seems like, and Mozilla says it's no fair that operating systems bundle their own browsers. So here we go again. Meanwhile, Chrome's forthcoming, V3 manifest, threatens add-on ad blocker extensions and past Chrome vulnerabilities are leaving embedded browsers vulnerable, which is an aspect of Chrome we'd never talked about before. Or chromium rather the engine. Ugh. Windows 11 actually gets a useful feature. No, and yeah, I know it happened. No <laugh> really. That's amazing. And some US legislation proposes to improve open source software security. We revisit the Iranian Albanian cyber conflict. Now that we know how Iran got into Albania's networks and after what important and interesting bit of listener feedback about multifactor authentication, fatigue, and a quick spin ride update. We're gonna look at some new trends in the dark underworld with the leak of another major piece of cyber crime malware. Thus today's podcast is titled Dark Net Politics.

Leo Laporte / Steve Gibson (00:04:46):
Very nice. Well, as long as we're gonna do that, Maybe I should take a break right now and talk about one of my favorite little companies, coincidentally out of Ukraine. It's Grammarly and Favorite because they have saved me for many a grammatical error. Perhaps I should put it that way. I bet you Grammarly would've said maybe you wanna put that in a different way. <laugh>. That's the beauty of Grammarly. Look, I consider myself a good writer. I consider myself a great speller. I use spell check and I use Grammarly because it's nice to have a little help as you're communicating grammarly's all in one writing tool is, it's all about clear, concise communication. That's what it's all about. So that you can be confident and clear and efficient, writing emails and reports and presentations. You could finish your work quickly and confidently with Grammarly knowing it's spelled and it makes sense and it's intelligible, it's clear, it's understandable.

Leo Laporte / Steve Gibson (00:05:47):
And what's great about Grammarly is it understands there are different kinds of writing. So it knows the difference between an email and a company report. And it works appropriately. You can use Grammarly for free. It's free to download. It works where you do. You can even go to the Grammarly page and paste in a paragraph, see what it thinks about it. I like having Grammarly in my browser, the browser plugin. So everywhere I'm writing, whether it's Google Docs or I use the browser for a lot of work, it's there watching. It's so easy to make mistakes. You're sitting in Gmail writing an email. It's an important email. So easy to make mistakes. Send, press, send and then go, Oh, did I? Yes I did. The free version of Grammarly. The free one offers comprehensive spelling, grammar, and punctuation suggestions. So it's instantly proofreading and providing suggestions as you write.

Leo Laporte / Steve Gibson (00:06:43):
So your writing always comes across as professional. Mistake free. And when you hit the send button, hey, it's O, it's okay, it's done. Now I think, and I bought Grammarly Premium because that also has all of the above, but a clarity focused sentence, rewrite engine that says that sentence was maybe a little long convoluted. It might be easier to understand if you wrote it this way. And I don't always take its suggestions, but it's really valuable to see how somebody else might interpret a sentence so that I can make my writing clear. Cause that's the whole point, right? I'm not trying to be creative here. I'm not James Joyce. I'm trying to write something that communicates. It makes it easier to get through work, email, get back to the important projects, get an instant take on how your message comes across. They've got a tone detector.

Leo Laporte / Steve Gibson (00:07:31):
This is free also, by the way. And Lisa uses this because she's the ceo, she's the boss, she's in a hurry. So he, emails are usually one sentence very quick. Sometimes Grammarly say, you know, might wanna soften the tone on that so people don't take it the wrong way. And I know that Lisa really appreciates that cuz she's not trying to sound bruss, but sometimes, cuz she's in a hurry. It does Grammarly helps her make it sound better. You'll always make the right impression with Grammarly. And because they're in Ukraine. I really like paying for Grammarly Pro cuz I wanna support them doing great work in a very tough world. There's another reason I love Grammarly, which no one else is gonna appreciate, but their AI uses Lisp and I'm <laugh>. It's one of the best known uses of Lisp, but I'm a fan of that as well.

Leo Laporte / Steve Gibson (00:08:15):
Get more time in your day with confidence in your work with Grammarly. Go to grammarly.com/securitynow. Please do use that so they know you heard it here. You can sign up for a free account when you're ready to upgrade because you did that grammarly.com/security. Now you get 20% off cuz you listen to the show 20% off G R A M M A R L Y grammarly.com/security. Now it's a really great tool and I'm one of those guys. Oh, I have perfect grammar. It's no shame to use it and it's so helpful. I have no problem anymore. I just feel like this is what I need, need. And I'm always surprised when you remind us that it's from Ukraine. Yeah, because to do this, I mean you can't be working through an English Ukrainian translate. Oh, no, no, no. You have to know the language. Well really, really know the target language.

Leo Laporte / Steve Gibson (00:09:11):
Well, I think, I don't know, I should look into this, but I think that they were AI experts first and really it's about the training. So Grammarly does come in other languages. It's about the training material and it's really kind of clever what they've done. Wow. Yeah, it's really, they need to be A E I O U experts. <laugh>. Back to the picture of the week, Mr. Gibson. So this one was just one I've had in the queue for a while. It shows a fishing line descending down into the frame from off frame. On the end of it is a hook with a worm stuck there. And we've got two fish that are sort of eyeing this looking like easy prey. And the smaller one of the two is saying, be careful. It could be an online scam. Yikes. <laugh>. And it's a fish indeed scam.

Leo Laporte / Steve Gibson (00:10:04):
It's a fishing scam. Oh, so <laugh>. Okay, so an interesting conundrum caught my eye last week, the European Data Protection Supervisor, who will just say E dpss for sure. European Data Protection Supervisor, which is it's the European Union's Independent Supervisory Authority, chartered with monitoring European institutions and bodies to assure that they respect citizens rights to privacy and obey their own data protection rules. This EDPs S filed a lawsuit with the European Court of Justice against the European Union and Europe poll. And as I mentioned at the top of the show, Europe Poll is the law enforcement or policing division. So going back a few months to January of this year, EDPs that supervisory agency published the results of a three year investigation. They said that they had found the Europol, this law enforcement agency of the EU had secretly collected, secretly collected large troves of personal information on EU citizens dating back years even if those persons had not committed any crimes or were under any investigation of any kind.

Leo Laporte / Steve Gibson (00:11:34):
In other words, data collection without cause or oversight, which is a violation of privacy laws in Europe. So the EDPs used its regular regulatory powers. This is after it learned of this back in January to order Europe poll to filter its database, deleting any and all information they had on European Union citizens that have not committed any crimes over the past six months. It ordered Euro poll to scrub this database, all of its databases by January of 2023. Okay, so now the reason for the lawsuit, which was filed just last week was that the EDPs said that EU lawmakers went behind its back and passed new legislation in June to allow Europol to retroactively keep all of its previously collected information in reaction to that action in June, the EDPs said it had strong doubts as to the legality of this retroactive authorization. And now the EDPs says that this new development actively subverts its independence and authority and wants the court to invalidate the new legal amendments and stay its original decision because of this legislative and enforcement in fighting the EDPs legislation and lawsuit are highly controversial topics among law enforcement officials in an official response in January defending its massive data collection.

Leo Laporte / Steve Gibson (00:13:12):
Euro Poll said, and they're probably right about this, that deleting this data will impact its ability to analyze complex and large data sets at the request of EU law enforcement. And that it would hinder the eus ability to detect and respond to threats such as terrorism, cyber crime, international drug trafficking, and of course what's coming next. Child abuse and others, many of which involve transnational investigations at a very large scale. And as I said, they're arguably correct in that assumption. I mean, the problem is of course abuse of this massive collection and dataset. So the reason these are difficult problems is that both sides of the dispute can be correct from from their own perspective. 21st century crime fighting will be enhanced by massive machine learning used for data analysis. But it's also true that enormous databases of sensitive and personally identifiable information need at the very least robust safeguards.

Leo Laporte / Steve Gibson (00:14:26):
And there's no better safeguard than the deletion of all such data for non-criminal citizens. So anyway, I just thought it was interesting that they're basically fighting with themselves over what it is that they should do, even with governments being well intentioned. Will remember our friend Bert Hubert, who resigned from his posting in the Netherlands because a branch of his government was trying to push to or pass the limits of the safeguards and boundaries that had previously put in player put place for a reason. So they said, if you haven't committed crime in the last six months, no information about you. But what about a fingerprint database or a DNA database? What if you committed a crime two years ago and we've got your fingerprints on record? Right? And you're saying no, you're not allowed to have any dna. You're not allowed to have any fingerprints if I haven't committed for last six months.

Leo Laporte / Steve Gibson (00:15:20):
I think there's a reason you have to imagine, have imagine that post that criminals who have been convicted are permanently in a system and not subject to that six months deletion. But then it should say it, nobody who's ever been convicted of a crime or could be, right. If you've never been convicted of a crime, he shouldn't be in there. I agree with that. That absolutely agree with. But it says of six months for the last six months it does. Which implies that if you did it seven months ago, Oh no, you still gotta delete it. And I think that actually does hinder police work unreasonably. Yeah, I agree. So again, it's one of these dilemmas where we could do anything we want. We just have to decide what we wanna do. And there are opposing forces that have arguments in both directions. Yeah, I understand privacy is yeah, great.

Leo Laporte / Steve Gibson (00:16:17):
But yeah, maybe that's the rule. If you haven't committed a serious, maybe you should be a serious crime, not a petty theft, but a serious misdemeanor or felony, then we have the right to keep your fingerprints and DNA for as long as we want. Right? Yeah. Well, and a couple weeks ago, the way I phrased this about privacy and encryption was that if you had absolute privacy, then that would allow individuals to absolutely escape responsibility. And so it's the system we have in the US with a search warrant is conditional privacy where we're protected against illegal search and seizure as the phrase goes. But if you convince a judge that there is reason, no reason to suspect that the interests of the people will be served by incrementally breaching some privacy, a search warrant, then it can be granted. And in that instance within the limits of that warrant, an individual's privacy, which is not absolute, is then removed for the sake of enforcement.

Leo Laporte / Steve Gibson (00:17:39):
Anyway, while we're in the neighborhood, Denmark has become the fourth EU member joining Austria, France and Italy to rule that the use of Google analytics is illegal in Denmark. The Danish Data Protection Agency ruled this week, actually it was last week, that the use of Google Analytics inside the country is not compliant with the gdpr. The agency told local companies to either adjust the tool for increased privacy and actually there are no useful adjustments as we'll see in a second and or stop using it. The beginning of an explanation published last Wednesday, it said, quote in January, 2022, the Austrian Data Protection Authority issued a decision on the use of Google Analytics by an Austrian organization. So that was January of this year. Since then, the Austrian Data Protection Authority has issued another decision on the use of the tool and several decisions have also been issued by the French Data Protection Authority.

Leo Laporte / Steve Gibson (00:18:49):
Most recently in June, the Italian Data Protection Authority issued a decision on the use of the tool. The tool meaning Google Analytics. In all of these cases, the supervisory authorities found that the use of Google Analytics under the given circumstances was unlawful. The senior legal advisor at the Danish Data Protection Agency said the GDPR is made to protect the privacy of European citizens. This means among other things that you should be able to visit a website without your data ending up in the wrong hands. We've carefully reviewed the possible settings of Google Analytics and have come to the conclusion that you cannot use the tool in its current form without implementing supplementary measures. Since the decisions by our European colleagues, we have looked into the tool and the specific settings available to you when you intend to use Google Analytics. This has been particularly relevant as Google following the first Austrian decision has begun to provide additional settings in relation to what data can be collected by the tool.

Leo Laporte / Steve Gibson (00:20:00):
However, our conclusion is that the tool still cannot without more be used lawfully. So organizations in Denmark that employ Google Analytics, which is on so many websites including ours, I might add, Does this mean I can't have any more Denmark listeners? Okay, so that's really a question, right? Is like the fact that the GDPR technically reaches us and so we have to be compliant if EU citizens come to websites in the us. So anyway, it's uses widespread and organizations in Denmark after this order must assess whether their possible continued use of the tool takes place in compliance with data protection law. And the ruling here says it can't. And if it's not the case that they can be compliant, the organization must either bring its use of the tool into compliance or if necessary discontinue using the tool. So there are now four countries which have all said it's not possible for the tool to be used in compliance regardless if it's settings.

Leo Laporte / Steve Gibson (00:21:19):
The senior legal advisor said a very important task for the Danish Data Protection Agency is to give guidance to citizens about their rights and to give guidance to Danish organizations in how they comply with data protection law. As is the case with data protection law, we at the Danish Data Protection Agency are neutral to technology and therefore have no interest in either approving or banning certain products. We are not at all empowered to do so following the decisions of our European colleagues. However, we've experienced a great demand for guidance in relation to specifically Google Analytics, and we have therefore made an effort to look into this specific tool more closely. So the message from the Danish, the Danish Data Protection Agency, is that any enterprises websites that are within Danish jurisdiction, or again actually within the reach of the eu gdpr, which use Google Analytics, must put in place a plan to bring their use into compliance by implementing supplementary measures.

Leo Laporte / Steve Gibson (00:22:30):
We'll get to that in one second. And they said, if it is not possible to implement effective supplementary measures, you must stop using the tool and if necessary, find another tool that can provide web analytics and allows for compliance with data protection law. Boy, Google must be really getting some headaches with all this. For example, they said by not transferring personal data about visitors to unsafe third countries. Okay, so what are these supplementary measures that could be taken? Well, it turns out that France, the second of the four EU countries to object to Google's analytics, invest in some technical resources to provide a document which answers the question. The document dated July 20th of this year, a little over two months ago, is titled Google Analytics and Data Transfers, How to make your Analytics Tool compliant with the gdpr. Okay, that's what the French document explains.

Leo Laporte / Steve Gibson (00:23:32):
It says the Court of Justice of a European Union, C J E U in its ruling 16 July, 2020, invalidated the privacy shield. A mechanism that provided a framework for transfers of personal data between the European Union and the United States. The US legislation does not offer sufficient guarantees in the face of the risk of access by the authorities, particularly intelligence services to the personal data of European residents. Following these formal notices, many actors have sought to identify the technical settings and measures that can allow to maintain the use of Google Analytics while respecting the privacy of internet users. However, simply changing the processing settings of the IP address is not sufficient to meet the requirements of the C jeu, especially as these continue to be transferred to the us. Another idea often put forward is the use of encryption of the identifier generated by Google Analytics or replacing it with an identifier generated by the site operator.

Leo Laporte / Steve Gibson (00:24:46):
However, in practice this provides little to no additional guarantee against possible re-identification of data subjects, mainly due to the persistent processing of the IP address by Google. The fundamental problem that prevents these measures from addressing the issue of access of data by non-European authorities is that of direct contact via an HTTPS connection between the individuals. Now they call it a terminal, but that we know that's PC and browser or device and browser. The individual's terminal and servers managed by Google, the resulting requests allow these servers to obtain the IP address of the internet user as well as a lot of information about his terminal. This information may realistically allow the user to be re-identified and consequently to access his or her browsing on all sites using Google Analytics. Of course this is a hundred percent true a app, 100% technically accurate. Same thing when you do a Google search, but okay, yeah, yeah.

Leo Laporte / Steve Gibson (00:25:56):
They said only solutions allowing to break this contact between the terminal and the server can address the issue. So they should ban Google <laugh> seriously. Well, yeah. Yeah. I same. So I don't understand if the same thing happens when I do a Google search and you don't want it to happen when I with analytics, well just ban Google. Let's see what happens then. <laugh>. So, okay. So beyond the case of Google Analytics, they said this type of solution could also make it possible to reconcile the use of other analytics tools with the GDPR rules on data transfer. Okay, so that all makes sense. The issue is that the user's machine and web browser or terminal, as they say here, is posting its analytics directly to a Google domain. So its incoming IP address is always known to Google to resolve this. The French recommendations, and this is in this formal document that they published, are that a proxy server would be a possible solution.

Leo Laporte / Steve Gibson (00:27:01):
They say in view of the criteria mentioned above, one possible solution is the use of a proxy server to avoid any direct contact between the internet user's terminal and the servers of the analytics tool. In this case Google. However, it must be ensured that this server fulfills a set of criteria in order to be able to consider that this additional measure is in line with what is presented by the E D P B, whoever they are in this recommendations of 18 June, 2021. Indeed, such a process would correspond to the use case of Pseudonymization. Yeah, Pseudonymization before data export. They said as data in these recommendations, such an export is only possible if the controller has established through a thorough analysis that the pseudonymized personal data cannot be attributed to an identified or identifiable individual, even if crosschecked with other information. It's therefore necessary beyond the simple presence of a request from the user's terminal to the servers of the analytics tool to ensure that all of the information transmitted does not in any way allow the person to be re-identified even when considering the considerable means available to the authorities likely to carry out such.

Leo Laporte / Steve Gibson (00:28:25):
So in other words, they're talking about really being serious about erecting a barrier between the EU citizens and anyone downstream of this barrier. And they specify what is entailed. They said the server carrying out the appification must therefore implement a set of measures to limit the data transferred. The C N I L, which is the group that created this document, considers in principle the following as necessary, the absence of transfer of the IP address to the servers of the analytics tool. If a location is transmitted to the servers of the measurement tool, it must be carried out by the proxy server. And the level of precision must ensure that this information does not allow the person to be re-identified. For example, by using a geographical mesh ensuring a minimum number of internet users per cell. So they're just giving some samples and the replacement of the user identifier by the proxy server to ensure effective sudo pseudonymization.

Leo Laporte / Steve Gibson (00:29:38):
The algorithm performing the replacement should ensure a sufficient level of collision i e a sufficient probability that two different identifiers will give an identical result after hash. Okay? Now we start to have a problem because if you do this, then you are breaking the point of analytics, which is to identify the activity of the site, although you are keeping the specific user who's visiting the site secret. So you are getting an pseudonymized per user data still. Also, they've specified the removal of referrer information from the site. That's a problem for analytics because analytics wants to know where you are, are on the site, which is what the refer information in the query that in the query header provides. Also the removal of any parameters contained in the collected URLs. That is URL tales, UTMs, also URL parameters which may also cause a leakage of information.

Leo Laporte / Steve Gibson (00:30:56):
Also reprocessing of information they said that could be used to generate a fingerprint such as user agents to remove the rarest configurations that can lead to re-identification. So make those all look the same. The absence of collection of cross site or lasting identifiers, a CRM ID or any sort of a unique ID and the deletion of any other data that could lead to re-identification. In other words, it is a daunting task. They go on to say that proxy server must also be hosted in conditions that ensure that the data it processes will not be transferred outside the European Union to a country that does not provide a level of protection substantially equivalent to that provided within the European economic area.

Leo Laporte / Steve Gibson (00:31:50):
More and more what we're seeing here is kind of the way they would like the internet to be in the EU coming into a head-to-head collision with the current operation of the internet and asking for huge changes. Establishing a proxy would be a lot to ask for the typical website that just wants to use analytics because it was two lines of JavaScript code and they got all this amazing information for free. We wanna know how many people visit our site. Yeah. And which pages and what search terms brought them there and all this cool stuff. The Google analytics, a Google analytics proxying service could be set up somewhere in the eu. Then EU websites would point their Google analytics JavaScript to that services domain instead of to analytics.google.com. In that way, the visitors to any of these GDPR compliant Google Analytics using websites would have their browsers queried the proxy on their behalf.

Leo Laporte / Steve Gibson (00:33:08):
Since the proxy would be terminating their TLS connections, it would be able to strip identifying information from the query, make any changes. It wanted to insert randomization to confuse finger printers and so on. So we have another example here of the growing tension between privacy and commerce and what they're asking for is feasible, but boy, are they gonna enforce it? Are they gonna require it? And it would require setting up a local proxy within the jurisdiction of any country or countries that wanted to enforce this level of anonymization through something like Google Analytics and route all the queries through it before it then goes to Google for their data crunch. And who runs the proxy and sees the information on the proxy. Well, so I saying sounds like a data grab that that would need to be in the eu and yeah, it's gonna be another sense, a third eyeball to watching this and see what happens. But their point of course is that it's not leaving the us, it's not leaving the EU for the US. And so it is a solution to the problem. But boy, it's a heavy lift in order to get, in order to change the operation of something which has been in place already, what Leo? Like 15 years or it's gonna dramatically when you use Google Analytics, I don't get any individual information about visitors at all. Right. You don't. But Google does presumption. Google does. That's their complaint. Something with it. Yeah.

Leo Laporte / Steve Gibson (00:35:03):
By the way, if I were to run a local analytics program, I would get all of that information, I'd get all the IP addresses and everything. This just seems so wrongheaded to me. I don't understand. I know I understand what they want. I don't understand how they think this is gonna get them there. Yeah. Well and again, it's like now we have to agree to cookies wherever we go. Thank you very much. Oh yeah, that's really good. Oh boys, that's solved that problem. <laugh>. Okay. In last week's network breach review, we were just talking about the Uber and rockstar game breaches and belief that both quite public intrusions were perpetrated by the same teenager. So I just wanted to note for the record that last Thursday the City of London police detained a 17 year old from Oxford Shire on hacking related charges and inate his first rodeo <laugh>.

Leo Laporte / Steve Gibson (00:36:04):
While UK officials have not released the suspect's name or other details about his arrest, the teen is widely suspected of being Teapot. A member of the Lapsis gang who recently breached Uber and rockstar games. And I would love to know how this kid was tracked down. As I mentioned when we talked about this before, he seemed to be extremely braggadocious about these breaches. And the more one struts around crowing, the more clues you inadvertently leave behind. Well, and this is the same kid that already has been arrested for the Microsoft hack, the earlier lapses hack. That's what they're saying. So this kid, not only is he braggadocious, not learning a lesson <laugh>, he was, he's currently on parole for that. Oh goodness. Or a probation I think not parole probation on probation for that. It's only probably the fact that he's a minor that he is saving him at this point. That's right. That's right. Well I wonder if felonies wonder if flas gang or just this guy, frankly felonies, there's felony, felony cyber intrusion. Yeah. And he's using, in every case he's used as social engineering, it's posing as somebody and give me your two factors kind of thing. Okay. Okay. So let's take a break and then we're gonna talk about Mozilla saying it's no fair, it's no fair. It's no fair, it's not fair mock.

Leo Laporte / Steve Gibson (00:37:43):
Okay, moving right along. I'm still kind of trying to figure out what we're gonna do at about these GDPR things. Cuz we that's now what, four or five countries that won't allow analytics. Everybody who is asked to rule on it rules the way they have to. Yeah. Which is, it is a breach of the gdpr and it's, and it's I think mostly because GDPR considers IP addresses. I I p right? That that's a pi. I rather personally identify information. Yes. And that we know that that does is that IP dresses tend to be relatively static, but they're also going way further talking about unique tokens and refer headers. Yeah. And I mean they're getting aggressive. I mean this is France saying u la la.

Leo Laporte / Steve Gibson (00:38:36):
Okay. Oh, you said I wanted to take a break. It's time for a word from Secure Works. Perfect timing. By the way. Secure Works is a leader in cyber security building solutions for security experts by security experts. Secure Works offers superior threat detection and rapid incidents response all while making sure customers are never locked into a single vendor. SecureWorks offers an open extended detection and response platform contagious X D R Y. If you listen to this show, you know why in 2022, Cyber crime this year will cost the world 7 trillion in a few years by 20 25, 10 0.5 trillion in 2021 ransomware totaled 20 billion in damages. A attacks occurred every 11 seconds. They estimate by 20 31, 10 years later, ransomware will cost more than 10 times more, 265 billion a year and there'll be a ransomware strike every two seconds. I think they're actually coming in low, to be honest.

Leo Laporte / Steve Gibson (00:39:43):
How do you make sure your organization is not the next victim? I think it's worse than that. Right? The answer is secure. Worktags xdr. You need it. Secure Work Stages provides superior detection identifying over 470 billion security events per day, prioritizing the true positive alerts, eliminating alert noise, and allowing organizations to focus on the real threat. In addition, Taags offers unmatched response with automated response actions to eliminate threats before damage is ever done. Whether your organization has a limited IT staff and budget, or you run a well funded fully staffed security operations center, you'll get customized support with SecureWorks contagious managed xdr. You can easily leverage SecureWorks experts to investigate and respond to threats on your behalf so that you can cut dwell times, decrease operational burden, reduced cost. And with 24 7 by 365 coverage, whether you experience a Christmas day outage or half your team is out sick you can trust that Secure Works is behind you.

Leo Laporte / Steve Gibson (00:40:48):
Many companies are facing a shortage. Of course, these days of security, talent, hiring and retention, much harder than ever. Secure Works customizes the approach and the coverage level you get in order to give you exactly what you need. Bottom line SecureWorks acts as an extension of your security team on day one, alleviating cyber security talent gaps. What happens if you've already found an intruder in your system? Don't worry, I want you write down this number 1-800-BREACHED. That number will connect you with the SecureWorks Emergency Incident Response Team. They can provide you with immediate assistance 24 7 in responding to and remediating a possible cyber incident or data breach at Secure Works. You'll learn more about the ways today's threat environment is evolving and the risks they can present to your organization. They've got case studies, they've got reports from their counter threat unit and more. Visit secureworks.com/twit to get a free trial of Contagious.

Leo Laporte / Steve Gibson (00:41:46):
That's secureworks.com/twitt. Secure works defending every corner of cyberspace. All right, Steve on with the show. Oh cyberspace. Let me turn on your microphone as he defends every corner <laugh> of cyberspace. And that's what I said. Back to our little corner of cyberspace. So Mozilla says No fair. They recently published a 66 page Sour Grapes document complaining that they don't own any major platform, whereas Google, Apple, Meta, Amazon and Microsoft each do. And that each of those major players bundles their respective browsers with their operating systems and quite naturally sets them as the operating system default in the home screen or dock. And that as a result, for most people, this placement is sufficient and they will never see or pursue the extra steps necessary as Mozilla says to discover alternatives. One of my favorite observations, the tyranny of the default. So this paper is titled Five Walled Gardens, Why Browsers are Essential to the Internet and How Operating Systems are holding them back.

Leo Laporte / Steve Gibson (00:43:09):
And they might have titled the document Why Firefox is losing market share and it's no fair. Now I know that doesn't make me seem very sympathetic. I actually am. I love Firefox. You and I Leo talk about it all the time using it right now. Yep, yep. I've been a Firefox user as my primary browser on every one of my machines for decades. Firefox is the default registered URL handler on every one of my PCs. If a link is clicked, Firefox receives it. What I am aggrieved by is the constant annoyance of the other non Firefox browsers, which seeing that they are not the chosen one, use every opportunity to suggest that my browsing experience could be greatly enhanced if I were using them to view that page. So Mozilla's 66 page paper amounts to them making a truly compelling case. I mean there's no question that this is going on.

Leo Laporte / Steve Gibson (00:44:13):
We know it is a compelling case for exactly how screwed they are going forward. They blame the OS vendors for putting their own self-interest first. Welcome to America. It's unclear to me what this is actually about. Is this a prelude to another browser war's antitrust lawsuit? I hope not. But some of the language in the 66 page complaint, which is what it actually literally is a complaint does appear to be paving the ground for something. And they sort of made an offhand reference to wouldn't it be all better if we could come to an agreement sort of thing. <laugh>. So Google is currently funding Mozilla to the tune of 450 million per year in return for Firefox defaulting to Google as its search engine. So there's the tyranny of the default for you. Again, this tone this time working in Firefox's favor on December 27th, 2011. So 11 years ago, Wired magazine published why Google continues to fund Firefox.

Leo Laporte / Steve Gibson (00:45:30):
And their subhead was Google has its own web browser. So why is the company renewing its revenue deal with Mozilla? The answer is simple. They write, Google makes money by putting eyeballs in front of ads and almost a quarter of the web's eyeballs use Firefox. Now I was sad to read that 11 years ago cuz that's decidedly no longer the case. The 2022 market share for the top four browsers is Google Chrome, obviously in first place at 77.03%. Safari in second place at 8.87%. Mozilla Firefox holding to third place at 7.6899999999999995%. And to me, surprising Microsoft Edge in a fourth place at only 5.83%, I think it's clear that safari's edge is thanks to the gazillion iPhones and iPads since the Mac os while it's there, it would not be making nearly as huge a dent. But bless its little digital heart, Firefox is hanging in there at number three still nicely and somewhat amazingly edging out edge by nearly two percentage points.

Leo Laporte / Steve Gibson (00:46:48):
But it's unclear what Firefox's future is. They laid off, was it 25% of their workforce a year ago? And their deal with Google I think is up for something in 2023 is when this, I think it was a three year deal for Firefox and Mozilla. So people have said, oh it's, it behooves Google to keep Firefox alive cuz it keeps them from seeming like a monopolistic entity for antitrust purposes. Who knows? But anyway, I just thought I'd put a note about the 66 page boohoo note from Mozilla. It's like, yeah, sorry. You don't have an operating system platform of your own and Leo, you and I know how bad a monoculture is. The idea that everybody is using the same singular chromium engine is bad cuz it means those mistakes are universal when they are found. Exactly. Yeah, yeah. Plus, well I just want competition.

Leo Laporte / Steve Gibson (00:47:56):
I want a variety. Yep, it's good. Safari's doing all right. But web kit is in its way like chromium kind of a dominant right engine. I need Mozilla to succeed. We may have to just start raising money for 'em or something if Google pulls out. So back in November of 2020, Google announced what they called manifest V3 for chromium and chrome. And we talked about it at the time. As I talk as get into this, some of our listeners will go, Oh yeah, I remember the concern back then was the deleterious effect that it would have on ad blockers. That is this V3 manifest, which comes as no surprise to Google critics. So as you may recall when we were talking about this before, Google is changing the way Chrome's extensions function rather than allowing individual extensions to receive, examine and either drop, modify or forward each of the browsers outgoing requests.

Leo Laporte / Steve Gibson (00:49:05):
It has as has always been allowed until now under manifest v3, there's a new API called declarative net request and it operates sort of the way its name suggests if you're into APIs that is it's declarative rather than what's the reverse of declarative? I'm blanking on the word imperative. Yeah, imperative. Okay. So this declarative net request allows extensions to modify and block network requests in what Google calls a privacy preserving and performant way. Implicit, Okay. No, I'm keep talking. It actually is that they did say performant. Yeah. So what this actually means is that Google remains in control. What occurs under manifest v3, which by the way is on its way rolling out, is rather than intercepting a request and modifying it procedurally, that was the word I was looking for, instead of declarative procedural, procedural modifying it procedurally the extension registers with Chrome asking it to evaluate and modify requests like matching requests on its behalf.

Leo Laporte / Steve Gibson (00:50:37):
The extension declares a set of rules and we're not sure how many there may be, but ad blockers need a gazillion, if you've ever seen the rule set on an ad blocker, it just makes you just eyes water. So the extension declares a set of rules, patterns to match requests and actions to perform when matched the browser engine. Chrome then modifies network requests as defined by these rules. So you can see it's a completely different way of operating and it's got the ad blocker extensions a little nervous. Google claims that quote, using this declarative approach dramatically reduces the need for persistent host permissions. And I don't, they're not wrong mean this is an elegant way of solving the problem, but it definitely eliminates control from extensions that they have historically had. Thero is also tightening down on limiting the power of ex extensions and Google cynics are suggesting that it's a move to protect its advertising revenue.

Leo Laporte / Steve Gibson (00:51:48):
Of course they are. So it's for this reason that the Vivaldi browsers lead developer took the time to post last Friday that come hell or high water, those are my words, not his Vivaldi's ad blocking would continue to be effective even in the face of manifest three in his post on Friday, Julian wrote The move to manifest V3 makes it more difficult to run content blockers and privacy extensions in Chrome. While some users may not notice a difference, users who use multiple extensions or add custom filter lists may run into artificial limitations set by Google. He says perhaps wise to move away from Chrome. He says, as Vivaldi is built on the chromium code, how we tackle the API change depends on how Google implements the restriction. The assurance is whatever restrictions Google add in the end will look into removing them. You say finished Our mission will always be to ensure that you have the choice.

Leo Laporte / Steve Gibson (00:53:04):
So Julian notes that the entire existing V2 api, I'm sorry, Yeah, the existing V2 API continues to be present for Chrome's enterprise users. So that means that it's only the consumer who is being hit with this restriction and that all of the existing code remains accessible somewhere. So it's gonna be interesting to watch this one shake out. While Firefox, as I've said is my default URL handler, I do often use Chrome for ad hoc internet research. I edit this podcast, the show notes that were that's in front of us are done in Google Docs every week and things have grown so horrendous on the net that I could not live without an effective ad blocker any longer. If Chrome really does become an advertising browser and makes the ability to suppress the insanity that too many webpages have become, they might drive a move back to Firefox.

Leo Laporte / Steve Gibson (00:54:13):
So I'm with you and I use Gore Hills, you block origin just like you and by the way, it has a built in cookie banner blocker among other things. It's one of the annoyances features. But do you think there's a legitimate security reason for Google to insist on manifest v3? Yes. In other words, that web content API is potentially insecure, it's potentially a problem, right? Yes. It's known as the web request API and I mean it literally is a call each extension in turn and let them each look at it, modify it, drop it, or forward it. So I mean these extensions as they are now are in the pipeline. And so this is why they use the word performance, right? Because if an extension takes a long time to think about one of these queries that's been handed to it, the whole process slows down.

Leo Laporte / Steve Gibson (00:55:25):
So what Google is doing is Google is trying to compromise here and it's a legitimate attempt to compromise. They're saying we're we are going to build a screaming fast pattern matching engine. You put the matches in you want and it'll be a big red XS machine. You put the regular expressions in that you want matched the changes you want made, we'll do them for you. So what that does is of course it completely eliminates this pipeline, this per extension processing pipeline, which both gives us the US Google, the users, everybody more security and potentially substantially greater speed because Google is saying we're who knows what they're gonna do. They might at launch time when all the extensions are in place and have registered their list of red RegX work, Google could compile it into some screaming fast blob that just queries go in and the results immediately come out the other end. So they can't do that now with the V2 architecture. They need to move to this V3 model and once again it's gonna be a trade off. Extensions are gonna lose some power.

Leo Laporte / Steve Gibson (00:56:56):
I wish we could find some sort of compromise and I wish it didn't look so much like Google wanted to preserve their ad business. I know. And Leo, that keeps coming up. The idea unfortunately that the entity offering a browser, which is the thing that displays ads, is the revenue for that entity. I mean it creates, it's a built in conflict of interest. Of course. Same thing when YouTube search results top the Google search results. Yeah, you can go on and on Google self deals all the time. Yeah. Okay. So here's one that had never occurred to me before. While we're on the topic of Chrome, a group known as Newman, N U M E N Cyber labs have published extensive writeups on a pair of older and long since fixed chrome vulnerabilities. CVE 20 21, 38 0 3 and 20 22, 13 64. Both were Chrome zero days patched in October 21st, 2021 and April of 2022 respectively.

Leo Laporte / Steve Gibson (00:58:16):
And either one could be used at the time for remote code execution attacks against Chrome users. What's interesting and chilling about Newman's observation is that they warn that even though these two security flaws have been patched in the main chrome, chromium core and chrome browser, the patch gap that exists in software that uses Chrome's web kit engine as they're built in browser means that many mobile apps are still vulnerable to this including, and they use this as an example, the most recent release of Skype, which is subject to a zero day remote code execution flaw because it uses the chromium core and has not been patched even though chromium was the most recent one in April and the previous one in October of last year. I thought that was a fascinating observation and one, as I said, we've never considered, I often talk glowingly about how the chromium guys jump on a report of a new zero day and often push out an update only a day or two later.

Leo Laporte / Steve Gibson (00:59:38):
But implications that incorporate Chrome's web kit, engine chromium are taking a snapshot of the engine and may be far more lackadaisical about keeping that engine snapshot up to date. After all it's working. Why bother with it? Well why indeed after all the chromium engine as we know is truly a work in progress moving target. But that's anathema to projects that wanna build from essentially static libraries. I would be willing to bet that very few of them are pushing out new release builds of their application because one of their component dependencies in this case chromium was updated. And as we know, those chromium updates are happening all the time. So to me it seems unlikely in the extreme that apps are being that responsible. So any and all of such applications, and again they showed on the screen Skype being taken over, might well be inheriting and existing with Chrome's historical vulnerabilities.

Leo Laporte / Steve Gibson (01:00:57):
This again is another good reason for Google never to talk about them no matter how old they are. But unfortunately these Newman guys did a complete takedown of both of these. So any app that is using an unup updated chromium now who sees what Newman Cyber Labs has published can start poking at any embedded browser engines to see if they're able to take the app over remotely. So it's a chilling thing that we never really talked about, but it's a consequence of a browser engine being so complex being inherently a moving target. Yet we get this as they called it, the patch gap between when the library was taken and when it was, what version they're using and when it was built into their app. And are they even bothering, do they even care? Yikes. Okay, we all know that I'm not a big fan of Windows 11.

Leo Laporte / Steve Gibson (01:02:06):
That's primarily because of the lies we were told about its hardware system requirements from the beginning, which never made a lick of engineering sense and which sure enough were eventually acknowledged to be untrue. I remember <laugh> Paul and Mary Jo saying, Oh yeah, yeah, yeah, that's that, that's, that's not true. Although I'm gonna add that. Last week we started talking about a new feature that's rolling out in 22 2 of Windows 11 that does perhaps explain eighth generation Intel and T TPM 2.0 and it has to do with a virtualization and I can't remember the exact details, but it perhaps then does make sense that they knew this was coming as a security update and they wanted to make sure it was supported and that if you were using when it's, and they didn't wanna drop, they didn't tell anybody yet subsequent well and they didn't want to allow a subsequent update to Windows 11 to suddenly say, Oh we're sorry.

Leo Laporte / Steve Gibson (01:03:09):
Yes. You can't have the Windows 11 update because your chip is too old. Yeah. Let me look at the notes from last week cuz you deserve the info. Anyway, as best as I can interpret it there is a hint at why Microsoft chose eighth gen as the dividing line a year ago. Except, what was that hint <laugh>? They didn't put in the notes, they just said we'll tell you about it. But I'm, as I remember, it has something to do with virtualization. Interesting. Yeah. So there may be kind of a reason for it. Right. So some new hardware level thing Yes. That the eighth gen chips have that the previous ones don't. Precisely. And Windows until now has not dependent upon that. Exactly. Well because it ran on all the chips. Right. So and that may be why they say we won't promise to support it if you run in on all hardware, they are allowing people to do that. But you won't get this security new security feature. Right. So, So it's still unclear on Windows 11. Well whether I will be eventually forced to move away from Windows 10 or whether Microsoft will eventually take no for an answer. I'm still happily, I'm sitting in front of Windows seven right now. Works great and they leave me alone <laugh> <laugh>.

Leo Laporte / Steve Gibson (01:04:36):
Anyway, it's a race between episode 9 99 and when Windows 10 is no longer in support, let's just put it that way. That's right. So we'll see Anyway. Okay. So in at least one instance it looks like they've done something useful. Believe it or not, Microsoft will finally at long last be adding default brute force protection into Windows elevens, notoriously insecure SMB file and printer sharing user authentication. So it's called the SMB authentication weight rate limiter. What concept? Who would've ever imagined you could do that with a computer? Wow. It turns out Leo, you need an eighth generation <laugh>, no Intel processor in order to do rate limiting. You can't have it. It's not that you could not had it on a and Windows 95 could not have done rate limiting. Never. Never in a million. It's too advanced. Yes it is an advanced technology. It was reverse engineered from where is that place where the UFOs are all seen there?

Leo Laporte / Steve Gibson (01:05:52):
Yeah. Area 51. Yeah. Yeah. It came out of area 51. Yeah <affirmative>. They said, okay, we don't know. We're unable to crack these alien computers cause they won't let us keep guessing passwords <laugh>. They slow us down. Huh? Isn't it too bad we can't put that into windows. We'll have to wait till Intel's eighth generation processors. Anyway, we finally have it. It's currently being tested by insider builds as its name suggests. This new advanced feature from the aliens will significantly rate lift rate limit brute force attacks against a Windows 11 SMB service. So anyone who either deliberately or in inadvertently exposes their SMB services on port 4 45 to the public internet, as so many people seem unable to keep from doing, they will receive a modicum of protection with the release of Windows 11 Insider pre bill build 25,000 2 0 6 dev channel. Today the SMB server service now incorporates a two second default delay.

Leo Laporte / Steve Gibson (01:07:02):
That's what the aliens usually. So they didn't wanna change anything cuz that might have broken something. There might be some magic there. It uses a two second default delay after each failed inbound ntlm authentication attempt. This means that if an attacker previously sent, for example, 300 brute force attempts per second from a client for five minutes, thus 90,000 username and password guesses. Now the same number of attempts would take 50 hours rather than five minutes. Somewhat sad to be celebrating such a simple measure that could have been implemented any time in the last 20 years, but better late than never.

Leo Laporte / Steve Gibson (01:07:54):
Also, as I mentioned, two senators, two US senators, Rob Portman who, who's an Ohio Republican, and Gary Peters, a Michigan Democrat, introduced a bill last Thursday in a bid to strengthen the security of open source software together. They co-sponsored the bipartisan, and I love this one, it's securing open, so securing open source software act and when I looked at it I realized it was the SOS Software Act. So securing an open source software act, the goal is to help protect federal and critical infrastructure systems by strengthening the security of open source software. And what do you think got their attention? Yep. The legislation comes after a hearing convened by Portman and Peters on the log for Jay incident at the beginning of the year. And it would direct our favorite agency s a, to help ensure that open source software is used safely and securely by the federal government critical infrastructure and others.

Leo Laporte / Steve Gibson (01:09:01):
Now how they actually do that remains to be seen. The SOS software Act directs SISs A to develop a risk framework cuz you know if you're gonna be a bureaucrat, you gotta have a framework, a risk framework to evaluate how open source code is used by the federal government. Apparently they don't know. Now CS a oh, we're gonna have a risk framework to evaluate how open source software code is used by the federal government. CSA would evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CI a to hire professionals with experience are gonna get some money experience developing open source software to ensure that government and the community work hand in hand and prepare to address incidents like the log for J vulnerability.

Leo Laporte / Steve Gibson (01:10:02):
Yeah, let's, let's prepare. Additionally, the legislation requires the office for management and budget to issue guidance to federal agencies. Wow. On this secure usage of open source software and establishes a software security subcommittee on the cs, a cyber security advisory committee. So the CSA Cyber Security Advisory Committee will have a software security subcommittee that is used by the OMB or something. So good luck. Yeah. I have a healthy skepticism of bureaucracy and legislators. It's unclear to me that they will ever get anything. Right. But if the federal government wants to hire a bunch of open source software folks who have been working up till now for free to help in any way they can then seems like it could. Could be good. It could help.

Leo Laporte / Steve Gibson (01:10:58):
Recall that we talked a couple of weeks ago about the Albanian government's unexpectedly strong reaction to Iran's cyber attack on their infrastructure due to Iran being upset with Albania for providing sanctuary to a group of disaffected I Iranians, that was the ME K group. Albania closed Iran's embassy and ejected Iran's ambassadors from the country. We believed, without many facts to back it up, that Iran had been maintaining a presence inside of Albania's government networks for quite some time before the attack. That meant that when Iran's rulers said, Let 'em have it, Iran's cyber warfare, people simply had to flip a switch. Well now last week some new information has come to light. The SIS A and FBI said last Wednesday that at that hackers connected to Iran's military spent 14 months inside the networks of the Albanian government prior to launching the ransomware attack that caused widespread damage in July.

Leo Laporte / Steve Gibson (01:12:12):
The FBI did not specify which Iranian Hacking Group was behind the incident, but explained that in their investigation they found the hackers exploited an internet facing Microsoft SharePoint. Through a well known and long since repaired vulnerability CVE 20 19 0 6 0 4, that CVE has been classified by cybersecurity experts as one of the most exploited bugs throughout 2020 having been abused by both nation states and ransomware groups. According to the alert, the hackers were able to maintain continuous access to the network for more than a year, frequently stealing emails through throughout 2021. By May of 2022, the actors began moving laterally and examining the network, performing wider credential theft across Albanian government networks. This all preceded the July cyber attack that crippled the country's government. The FBI confirmed reports from Reuters and researchers that the attacks were launched due to albania's involvement with the group known as me. K Albania, as we talked about when we talked about this a couple weeks ago, has allowed about 3000 members of the group to settle near Duras the country's main port.

Leo Laporte / Steve Gibson (01:13:42):
The agency said that in July of 2022, the hackers quote launched ransomware on the networks leaving an anti ME K message on desktops. So we have a perfect example of a while why Albania should have updated their instance of SharePoint shortly after patches for the vulnerability were made available. And B, why having passive intrusion detection present waiting and watching inside networks can no longer be considered a luxury. We know that try as we might, real world security is imperfect and the bad guys only need to find a single imperfection and one of those bits of imperfection might take the form of a single well meaning employee. So it's most likely that the bad guys will eventually succeed if they are trying hard enough. Therefore, in a truly effective and secure solution, must assume that a compromise will occur sooner or later. That being the case, immediate detection of such an intrusion is every bit as critical as attempting to keep the bad guys out in the first place. And the entire government of Albania learned the lesson of not having done either of those two things. They didn't patch SharePoint when it was fixed and they were completely unaware that they were hosting Iranian intrusion intruders in their networks for 14 months. Talk about an advanced persistent threat.

Leo Laporte / Steve Gibson (01:15:37):
A piece of closing the loop feedback from a listener and someone I know pretty well from the GRC news groups after hearing last week's discussion of the Uber attack, which was effective even in the presence of multifactor authentication, a well known contributor to our news groups posted his thoughts into the Security Now News group, which is one of the many that we have@news.grc.com. His handle in the groups is Farrick, F E R R I X, and his real world name is Greg. I was aware last week that something didn't feel right about my take on the multifactor authentication attack. Some people tweeted that it was likely an MFA fatigue attack and I think that they and Greg are correct. So here's how Greg, who by the way works in mfa multifactor authentication professionally explained what happened with the Uber contractor. He wrote. When reading about the Uber hack, Steve assumed some details about the MFA that led his discussion slightly astray.

Leo Laporte / Steve Gibson (01:16:50):
I work in providing MFA services for my day job, so I know a bit more pedantic detail than the average bear. If the MFA in question was a time based one time PA password OTP, as Steve said, then what he said about brute forcing codes would've also been correct. An attacker would've ha would've have in theory, brute force log on attempts with code 0, 0, 0, 0, 0, 0, 0 1, 0 0 0 2, et cetera, until matching the correct six digits. It would've been an entirely loud attack. I'm sorry, it would've been an extremely loud attack since there's a pretty limited time to log in with a current code before it moves out of the window. But that's not what happened here. He wrote, Uber is using push notification mfa, like what Okta and Duo do. The user or attacker tries to authenticate to some resource X. The MFA provider pushes a question to its app on the user's phone.

Leo Laporte / Steve Gibson (01:17:59):
Do you want to log into X with an approved button? The simple theory here is the attacker doesn't have the user's phone. There's no real way to attack the secure channel between the MFA provider and its app. And if the attacker repeatedly tries to log in, the user's phone would blow up with loads of spurious push requests to approve, which is very noticeable. The security model breaks either when users are naive or attackers are clever in particular ways. A naive user might approve an attackers push by rote even without thinking about it, or they might see the repeated attack push requests as well. It looks like something important is trying to run on x, I better approve it and thus be tricked. A clever attacker would schedule their attacks slowly and at opportune moments where the real user might be plausibly trying to log into the resource such as the beginning of the workday or after lunch.

Leo Laporte / Steve Gibson (01:19:06):
There's a normal, he said, background radiation using my term deliberately. You put it in quotes of false positive push requests that these complex systems generate as various things try to sign into other things. So it's very reasonable that a user might not realize that they're under attack and they might tap, except this is he says, Peren as far as I can tell what happened to the Uber external staffer. He says, Now let's talk about the limitation. I'm sorry about the mitigation. Uber has turned on to improve their security posture, often called verified push. The resource log on page now shows a short challenge number or a word. The smartphone app now says Logging into x click. The matching challenge then shows four or five multiple choice buttons. Now, it's not possible for the user to blindly approve anymore. They must select the button that matches the challenge, which they only know if they're actually looking at the X login page Else.

Leo Laporte / Steve Gibson (01:20:26):
The attacker would also have to communicate the correct challenge to the user in some out of bound way, which is a more difficult attack model. He finishes saying, Orthogonally, please note that the above discussion does not contemplate man in the middle attacks between a real user trying to log in and the resource X they're trying to access in that attack. The attacker can await the session to be validated, then steal the session to do their bidding. To mitigate that threat, the system would need to use a fishing resistant, an off solution such as a properly implemented 5 0 2 or notionally squirrel. So Greg, thank you for the clarification and I think he's probably exactly right. Yeah, that makes sense. Yep, yep. We actually heard that with earlier lapses attacks that they were using as authentication fatigue. Yeah, Yes, known as mfa. multifactor authentication fatigue where the user just finds finally says, Okay, fine, and let's the bad guy in.

Leo Laporte / Steve Gibson (01:21:30):
Okay, briefly, I'm now on book eight of the Silver Ships and all I can say is that anyone who enjoys science fiction stories has many wonderful original and different stories waiting for them. Each book places our characters whom we get to know quite well in different wonderful and interesting situations. As is evident from the fact that I'm already halfway through book eight, I'm having quite a difficult time putting them down and despite the fact that I've admittedly fallen head over heels for this fabulous 24 novel science fiction book series work on spin right is really coming along. I've been fixing every cosmetic thing that I can find for a while now, and I have one last known cosmetic thing to fix. It involves the mapping of spin rights. Now huge 16 megabyte data transfer blocks to one of spin right's screens. It's so-called graphic status display, which is a grid that represents the aerial storage of the media being tested.

Leo Laporte / Steve Gibson (01:22:44):
Originally, a single transfer block might have occupied more than one character cell in the graphic status display. I remember that that floppy discs would do that. So that used to be the case. I removed the logic from managing that cross sell mapping because it's simplified and sped up spin rights inner loop and nothing matters more than speed. But that, and since drives were so huge these days, there's no way that number of data transfer blocks on the drive would not be way more than the number of cells in the graphic status display. So I removed the logic for that and sped things up, but that also meant that for the first time on very small drives, since spin rights, new data transfer blocks are so large and I'll be allocating a minimum of one transfer block per text cell on the graphic status display. Not all of the GSD screen might be used on very small drives.

Leo Laporte / Steve Gibson (01:23:57):
I've ran across this cuz I've got a hundred megabyte virtual drive in virtual box where I do some of the testing and it went whoops visually anyway. So I'm fixing the case where that might happen and I expect I'll finish that work tonight. At that point, I won't know that spin right is not finished, but neither will I know that it is. So the last thing I will do before I turn the GRC news groups gang loose on spin right's. First fully functional alpha release will be to simulate various forms of actual data corruption. Then carefully watch it, always do the right thing, putting individually recovered sectors back into the right place. If anything there doesn't work, I'll fix it. Then spin right will be ready for the group's final external testing.

Leo Laporte / Steve Gibson (01:24:53):
And Leo, I'm ready for some final external water. This can be arranged. We have people who will bring you ddra oxide in a special container designed to retain all the co2 goodness. But first Duda, Yes, your, that's who's bringing you this portion of security. Now is your organization finding it difficult to achieve continuous compliance as it quickly grows in scales? Is manual evidence collection slowing your team down as G Two's highest rated cloud compliance software brought us streamlines your SOC two, your ISO 27 0 0 1, your P C I D ss, your gdpr, your HIPAA, and other compliance frameworks, and provides 24-hour continuous control monitoring. So you focus on scaling securely with a suite of more than 75 integrations. Draw easily integrates with your tech stack through applications like aws, Azure, GitHub, Okta, and CloudFlare. Countless security professionals from companies, including Lemonade Notion and Bamboo HR, have shared how crucial it has been to have draw data as a trusted partner in the compliance process.

Leo Laporte / Steve Gibson (01:26:06):
Their deep native integrations provide instant visibility into a security program and continuous monitoring to ensure compliance is always met. JDA allows companies to see all their controls to easily map them to compliance frameworks, so you'll gain immediate insight into framework overlap. Companies can start building a solid security posture from day one with drta achieve and maintain compliance as your business scales and expand their security assurance efforts using the drta platform. Jada's automated dynamic policy templates support companies new to compliance and help alleviate hours of manual labor. Their integrated security awareness training program and automated reminders ensures smooth employee onboarding and they're the only player in the industry to build on a private database architecture from day one, meaning your data can never be accessed by anyone outside your organization. All customers receive a team of compliance experts including a designated customer success manager. In addition, they have a team of former auditors who've conducted 500 plus audits and are available for support and counsel.

Leo Laporte / Steve Gibson (01:27:13):
So your success is their success with a consistent meeting cadence. They keep you on track and ensure there are no surprises or barriers, plus your calls ensure you're set up for success when your audits begin. Drta is personally backed by S vci, that's a syndicate of ciso, angel investors from some of the world's most influential companies. Say goodbye to manual evidence collection and hello to Automated compliance by visiting drta.com/twit. That's dt.com/twi drta bringing automation to compliance at drta speed. Thank you Drta for support and security now, and I apologize for getting your name wrong first through that Drta. All right, now it's time to talk about the subject of the day, Mr. G. So I brought us all some bad news Oh no. A couple weeks ago. Yes, with the rise of fishing as a service, but forewarned is forearmed, right? I've got some more bad news for us this week.

Leo Laporte / Steve Gibson (01:28:26):
I know <laugh>, one of the definitions of the word politics is the debate or conflict among individuals or parties having or holding or having or hoping to achieve power. Yeah it is in that sense of politics that I titled today's podcast, Dark Net Politics, Last Week's Leak of Today's Preeminent Lock Bit 3.0 Ransomware led to some very interesting discussion and conjecture by the industry's ransomware watching security researchers after the fall of Conti, which we covered. I remember all that crazy Costa Rica government nonsense lock bit 3.0 has risen to become the number one ransomware group in the ransomware industry, and I hate using that term, but there it is. Industry and they've been making something of a splash in the underground. They recently offered, get a load of this a thousand dollars to anyone who would permanently tattooed their group's logo on their body. Oh no.

Leo Laporte / Steve Gibson (01:29:38):
<laugh>, they had a number of takers. Oh no. Until they and I saw a photo of one until they terminated the offer. Yeah. Well, and Leo, we know where you have a tattoo of a logo, so of the logo of a company near and dear Yes, <laugh>. So today the group's operations are so extensive that Lock Bits victim count some weeks has been greater than all the other ransomware families combined ever since CTI's Leaks, which marked the beginning of CTI's end and the Curious Wind down involving the Costa Rican government that we covered Lock Bit has taken over the ransomware throne. Although business, and again, if you can call it that, I hate doing so, although business has been booming for the lock bit 3.0 group, things have recently shaken up a bit by a little known threat actor who claims that his group was able to compromise Lock Bits servers to obtain and leak the builder and key gen modules.

Leo Laporte / Steve Gibson (01:30:43):
Essentially all of the heart of the group's code. It seems that within this odd underworld, it's not possible to get too big or someone arrival or an insider will take you down. Since this is somewhat reminiscent of the leaks which occurred and triggered CTI's downfall, it raises the question whether this may be the beginning of the end. Also for Lock Bit as well. We'll see. Okay, so a threat actor going by the name Ali Ji, which was a Twitter account with no reputation, which was apparently created just to host this leak declaration announcement claims to have hacked several of Lock Bits servers and was able to obtain the lock bit 3.0 builder and the keys generator researchers at Cyber in grabbed and analyzed the leaked code and declared it to be real and complete. They said quote, looking at the published files, we could find the builder and key generator modules.

Leo Laporte / Steve Gibson (01:31:50):
The first of them build several executables that performed the encryption and loading phases of Lock bits, ransomware attack flow along with ransom note creation. Well, the record, which is a publication of Recorded Future, often does a great job when things like this happen of pulling things together and pulling security researchers. In this instance, I thought that some of what they reported was really quite interesting. So in what follows? I've merged some of the records reporting with my own interpretation and commentary, the leak of the lock bit 3.0 ransomware Encrypter was announced on Wednesday by Security Researcher. Now we would pronounce his name, Export his handle Export. But it's numeral three XP numeral zero rt. So in Leap Speak anyway, export announce this several experts and researchers confirm to the record that the builder works and allows anyone to create their own ransomware. There's the phrase of the week, allows anyone to create their own ransomware.

Leo Laporte / Steve Gibson (01:33:11):
In a message shared by export, someone allegedly connected to Lock Bit addressed the issue, attributing the leak to a disgruntled affiliate and dismissing the idea that what was stolen could be used by others to replicate what the ransomware group does. Of course, he would hope that's true. So this Lock Bit representative was quoted, An affiliate program is not a locker, it is a software package and most importantly, an impeccable reputation. Oh, gimme a break, <laugh> that no one, What is this guy smoking <laugh> that no one can tarnish? Oh, no matter what. Yes. No matter what software leaks occur, few people will pay to will. Sorry. Few people will agree to pay randomly to a pen tester without a reputation hoping for a successful dection and deletion of stolen data. Now, as I said, I don't know what this lock bit representative has been smoking, but no one ever wants to pay anything to any criminal who has breached their network.

Leo Laporte / Steve Gibson (01:34:29):
Only the trust. Most trustworthy criminals. That's right. Only the criminals with a great reputation. Wait, what? And the reputations of underground criminals has little bearing on whether they get paid, they get paid if there's no alternative. Yeah, period. Yeah, Okay. But the records reporting noted that several cyber security experts express significant concern about that very prospect MSIs Soft's threat analysis. Brett Callow compared the situation to last year's leak of the builder for the Bauch locker ransomware. Brett said, Excuse me. As was the case when BA's loader leaked, we may well see other threat actors use lock bits, which would obviously complicate attribution. Adding to what Brett said, Huntress senior security researcher, John Hammonds said less skilled adversaries gravitated to the Bauch ransomware tool because it was simple to customize and use. Unfortunately, it wasn't the same quality as this one and recorded future's own ransom expert Alan Liska said his team has identified more than 150 new in quotes, ransomware groups just this year.

Leo Laporte / Steve Gibson (01:35:58):
Most of them are using Stolen Conti or code. Alan said quote at this time last year, recorded Future was collecting from about 45 active dlss that that's short for dedicated leak sites today. That's more than 100. He said there is a real proliferation of ransomware groups most using leaked stolen code from other ransomware groups. This is the same reason why the emergence of fast fishing as a service, as I was talking about, is so disturbing. The emergence of turnkey services allows who are not those who are not skilled enough to assemble the required infrastructure to no longer need to what you know it's been done for them in return for a piece of their action. Dick O'Brien, the principal Intelligence Analyst for semantics threat Hunter team said it's a near certainty that we will see other attackers reuse lock bit's source code according to O'Brien Lock bit's. Success is partly due to the fact that it has a very effective malware payload. Dick said that other ransomware operators could replace their payloads with rebranded variance of lock bit and you could see some aspirate groups use this to launch their own ransomware operations.

Leo Laporte / Steve Gibson (01:37:28):
I have to excuse me for a second. I've run out of ads. So <laugh>. Yeah, we can ask our editor to remove that. These guys are so grandiose, it's so amazing. I know no one is gonna use our stolen stuff because they're not us and it's O only. We can bless this with our reputation. It's like, again, what? They're awful. Anyway, researchers have linked more than 1029 attacks to lock bit since the group began its operation in 2019. The group was considered a marginal player until just last year when it launched Lock Bit 2.0, a new version of its initial ransomware as a service platform. The group revamped again, launching Lock Bit 3.0 this past summer and quickly supplanted CTI as the most prolific criminal organization. The gang had at least 68 victims just last month, 68 victims in August, so more than two a day on average, including a crippling attack on a hospital about an hour southeast of Paris that disrupted its medical imaging, patient admissions and other services.

Leo Laporte / Steve Gibson (01:38:51):
As we've seen the cybersecurity firm Dragos attributes about one third of ransomware attacks targeting industrial systems in the second quarter of this year to lock Bit and Hunts Labs. John Hammond explained that the latest edition of Lock Bit had new features and functionality to encrypt files faster than ever before. He said the leak of the builder software commoditizes the ability to configure, customize, and ultimately generate the executables to both encrypt and decrypt files. I have a just for side interest, a slide showing the relative distribution by number of attacks of ransomware and a lock bit is out in first place with Conti in second, and then there's a like drop by two thirds for the rest of them. There are also Rans that we've talked about from time to time in his discussion with the record indicating a screenshot of the leaked configuration file. Hammond said, Anyone with this utility can start a full fledged ransomware operation that is so customizable.

Leo Laporte / Steve Gibson (01:40:10):
He said, Note how the ransom note can be completely changed. One small upside of the leak may be the security experts now have it too, so they're able to analyze and explore this builder software and potentially garner new threat intelligence that could thwart ransomware operations. At a minimum, the leak gives cyber security experts greater insight into the inner workings of lock with the message from lock Bit indicating that they have contracted developers and that they suffer as well from insider leaks. Aw record. Oh, I know. Poor babies. Poor bies recorded futures. Alan Liska said the leak could be a sign of disgruntled factions within the lock bid group. He said, quote, the large R aass groups ransomware as of service groups are notorious for paying their developers. I abs. Those are the initial access brokers. Remember the who find the way in and sell their access and other support staff very poorly.

Leo Laporte / Steve Gibson (01:41:18):
So it's not necessarily a surprise when someone retaliates John told the record that after the KTI leaks were made freely available, the KTI ransomware builder gained mass adoption from other threat actor groups wanting to quickly and easily spin up their own Rana aware operations money is the real motive and when a tool like this is made available. He said it enables anyone to run the racket. One thing to note is that though it is customizable, the encrypter still changes the victim wallpaper to say lock bit black and that cannot easily be changed. More skilled operators may attempt to change that or lower tier and less capable groups may prefer to have the legitimacy of looking like a lock bit attack. The bottom line on all this, driven by the promise of easy money was what was once a somewhat blessedly high level and high end form of devastating attack is rapidly moving down into and becoming a commodity available to far less capable criminals to use.

Leo Laporte / Steve Gibson (01:42:39):
And again, in retrospect, this was inevitable. The lack of true bulletproof enterprise cyber security, which enables an environment of porous security with the emergence of cryptocurrency, which solved the extortion payment problem together, has made massively profitable cyber extortion feasible like never before. And now the last tools required to make the perpetration of these cyber crimes trivial are falling into the hands of the script kiddies, God help us. Yeah, well, you know, can hope that they eat each other alive, that they just <laugh> just keep fighting and fighting and all that stuff. But goodly, and we did see that the sanctions against Russia are what killed Conti because they aligned themselves powerfully with the Russian government and with Russia and no one was able or willing to pay them, right, because they were Russian and they were now sanctioned. Yeah. What a story. Golly, Gale it's, it's this interesting world we live in and this show shows us in many ways how more and more interesting it gets with all these people.

Leo Laporte / Steve Gibson (01:44:06):
And Leo, what's so sad is think of all the resources being expended to fight this. Oh, I know. Oh, I know. I mean it's guaranteed employment for anybody who's interested in cyber, in cybersecurity. Absolutely. Yeah. Alright. We do this every Tuesday and if you're not completely dejected, I hope you'll come back again and do it again with us. Tuesday's 11:00 AM Pacific, I'm sorry, 1:30 PM Pacific, four 30 Eastern, 2030 utc. You right after Mac Break Weekly. You can watch us do it@live.twi.tv or after the fact on a podcast. Steve's got copies, actually, he's two unique copies of his website, grc.com. He's got the 16 Kilobit audio for the bandwidth impaired and he has the transcriptions written by Elaine Ferris. So you can read as you listen or use them to search or just read them stand alone, Get all the content that way. He also has 64 Kilobit audio.

Leo Laporte / Steve Gibson (01:45:07):
We do too at twit.tv/sn or on YouTube. There's dedicated channel or you can subscribe in your favorite podcast player. If you don't like the ads, it's okay. I understand. You can get an ad free version of this show by joining Club Twit, either 2 99 a month for just this show or a little bit more seven bucks a month, and you get all the shows a free you get. Shows that we don't actually put out in public, like Hands on Mac with Micah and Hands On Windows with Paul Thra and the Untitled Linux Show with Jonathan Bennett and Stacy's book Club and the Gizz Fizz. We use it to launch shows. It's a really great platform for that. That's where we launched this in space actually as seven bucks a month. Add free versions of all the shows, access to our great club TWI discord for chats all the time and all sorts of other fun stuff, special group events and so forth.

Leo Laporte / Steve Gibson / Jason Howell (01:45:59):
Plus the TWIT plus feed and all of that at twit.tv/club twit. Thank you in advance to all of our members. It really makes a big difference. It helps us out quite a bit. Let's see. I guess that means it's time to adjourn this session of security now but we will be back next Tuesday with Steve and Company. Thank you Steve Rdo. See you then buddy. Bye. Don't miss all about Android. Every week we talk about the latest news, hardware, apps, and now all the developer goodness happening in the Android ecosystem. I'm Jason Howell, also joined by Ron Richards, Florence Ion and our newest co-host on the panel When to Dow, who brings her developer chops. Really great stuff. We also invite people from all over the Android ecosystem to talk about this mobile platform we love so much. Join us every Tuesday, all about Android on twit tv.

All Transcripts posts