
April 26, 2025 • 39 mins
Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So a man walks up to a librarian, asks, do
you have that book that combines info on Pavlov's
Dogs and Schrödinger's Cat? Librarian says it rings a bell,
but I'm not sure if it's here or not. A
joke about cats and.

Speaker 2 (00:17):
Dogs nerd jokes all week.

Speaker 1 (00:29):
Hey, security this week, I'm Carl Franklin. That's Patrick and Dwayne,
And what's up, guys. How's your week?

Speaker 2 (00:36):
Hey, how's it going? How's things? Things are okay. Things
are okay.

Speaker 1 (00:40):
We had an interesting week. There's some Android dumbness out there,
but we'll get to that later.

Speaker 2 (00:46):
Oh the androids, Oh Android?

Speaker 1 (00:49):
All right, Well, let's start with the first story from
Bleeping Computer. ASUS releases fix for AMI bug that lets
hackers brick servers. No, I mean turn them into.

Speaker 2 (00:59):
Bricks, make useless.

Speaker 1 (01:01):
Yeah, what happened?

Speaker 2 (01:03):
So, according.

Speaker 3 (01:03):
This is a Bleeping Computer article, and actually we have
a couple of different links here, but according to the article,
ASUS has released a security patch update for
CVE-2024-54085 with a
maximum severity flaw that could allow attackers to hijack and
potentially brick servers. This flaw impacts the American Megatrends

(01:26):
International (AMI) MegaRAC Baseboard Management Controller, or BMC,
used in dozens of servers like HPE, ASUS and
ASRock. So yeah, if you're running one of those,
a lot of us don't think about this in that
if we read through actually next line here, Exploitation of

(01:47):
this vulnerability allows an attacker to remotely control the compromised
server, that sucks, remotely deploy malware, ransomware, firmware tampering, bricking
of the motherboard components, or potentially the BIOS/UEFI,
which protects you against malware being loaded at boot,
potential physical server damage, over-voltage and bricking, and/or

(02:11):
an indefinite reboot loop. Yeah, that's I mean, you know,
as a hacker, that's kind of always the ultimate,
right, can I get into the BIOS, right, and we
hear these like you know how like if you were
a Boy Scout and you go and you have like
a campfire, and then there's ghost stories, like in hacker campfires,

(02:32):
the ghost stories are like, and then they're in the
BIOS, right, Oh my god, they were there the whole time.

Speaker 4 (02:38):
Right, This is the kind of thing that
people aren't going to upgrade unless they know about it,
absolutely right. It's not like Windows Update is going to
grab this and say, hey, the BIOS needs to be updated.
I don't think that's going to happen. It says it's
a maximum severity flaw. Yeah, they didn't say it in
the article, but I think that means it's a ten.

Speaker 2 (02:57):
Yeah.

Speaker 1 (02:58):
Now what's the vulnerability score or the, you know,
the real score? It doesn't say what the score is,
but it.

Speaker 4 (03:05):
Says maximum, which means it's ten.

Speaker 3 (03:07):
Okay, yeah, I mean, honestly, I would say, if
I had to guess, they're not doing any checking on
the firmware update. So typically what you would do, if
you were a firmware vendor, is you would
encrypt the update and it would decrypt based on, you know,
a key that you have, right, a public/private key pair,

(03:27):
so nobody could tamper with your code. And in this
case it almost looks like they're not. Although they're not
releasing full details, that they're not checking that, which means
somebody can write their own malicious image file,
update file for the firmware. So here's the risk:
somebody cons you into downloading this file and running it. Okay, right,

(03:49):
So imagine, if you will, your computer has an issue,
and it's an HP computer and it's a server you're running,
and you search on the internet for HP support and
you click on the first link that comes up, and
it's some hacker group somewhere who answers the call and says, oh,
all you need to do is download this BIOS update
and it will.

Speaker 4 (04:08):
Goodmotherboardfirmware dot com, right, and it'll show firmware.

Speaker 2 (04:16):
Well.

Speaker 3 (04:17):
And honestly, it's sad, but a lot of these things
sometimes happen where it's like, oh, you know what, this
HP server I know is out of support. Yeah, right,
so I can't call HP directly, but or I can't
call Asus directly, so let me just search on the
internet and see if somebody has fixed.

Speaker 2 (04:31):
It, right, wow.

Speaker 3 (04:32):
And a lot of times there will actually be people
on the HP forum saying, oh, yeah, all I did
was apply this patch from over here and it worked, right,
And they're referencing some random server on here.

Speaker 4 (04:42):
We've never done that.

Speaker 1 (04:43):
No, But here's the thing. If there's a problem,
even on a board that's out of support,
HP should have an updated firmware for it, shouldn't it
on their website?

Speaker 2 (04:56):
Absolutely? Yeah? Well, yes and no. If it's within support, no, yeah,
but if.

Speaker 3 (05:01):
If it's out of support, as in I'm not
paying for support anymore, they may not get to you.
But if it's out of support, as in the board
is aged and they're not developing any updates, well, you know,
at that point you're probably out of luck and really
should be running your herd right now.

Speaker 4 (05:16):
But someone might say that it is supported and they
sure have firmware, and yeah, it's that thing of how
do you know whether it's supported anymore and that you've
got a valid firmware.

Speaker 1 (05:26):
But what I'm saying is if there's a firmware download for
the problem at Joe's Discount Firmware dot com but not
on ASUS dot com, right, right, then
you shouldn't download it.

Speaker 2 (05:38):
Yeah, then you want to?

Speaker 1 (05:40):
Yeah, Or if you don't get a definitive answer from
the official ASUS website saying this is no longer in support,
you can't download any firmware that will fix it, then.

Speaker 2 (05:50):
Don't right, right?

Speaker 3 (05:51):
But you know, it's not unprecedented, though,
to have a piece of software that will support an
unsupported platform. So Windows 7, unsupported by Microsoft. But
there are people who sell software that will apply registry
changes to fix certain things, or will apply patches to

(06:14):
you know, to certain DLLs, and that sort. Hackers, Dwayne's cousins.

Speaker 2 (06:22):
Yeah, and I just happened to read one of those companies.

Speaker 3 (06:26):
So you know, it's hard to see like what's in
like what's a good place.

Speaker 2 (06:30):
To go, and what's not right to apply these updates.

Speaker 4 (06:33):
This gets to the heart of the matter, which
we're going to revisit later. Though it's not you know,
the main story is you need to use current hardware
and software.

Speaker 1 (06:43):
You do.

Speaker 4 (06:44):
There's a whole I mean, we're talking about this like
if you find lettuce on the street, it's probably not good.
Don't eat it.

Speaker 2 (06:52):
You don't know, huh. I know, I don't know that,
but it's probably great.

Speaker 1 (06:57):
Lettuce. Somebody says, here, try this, and I don't need
lettuce.

Speaker 4 (07:01):
I don't eat lettuce anyways, I don't care whether
it's just pulled out of the ground. But the thing is,
it's like you need to, it's one of the primary
things to keep yourself out of trouble, is use current
hardware and software.

Speaker 1 (07:13):
So nineteen seventy six, I'm out west with my family
on a trip right in a camper. It's like the
quintessential American road trip. And we're at Mount Rushmore. I'm nine
years old and somebody, some hippie, passing out peppermint candies
or whatever awesome you know, for a cause whatever. So

(07:34):
he gives me one. My father runs over to me,
grabs it. He says, don't eat that. I said, why? He says,
because it could be laced with dope. I didn't even
know what dope was, let alone the word laced. I
was just like, it's just a candy. I won't put
it in my mouth. But you know, he was pretty smart.

Speaker 4 (07:53):
Yeah, guy, so you probably just popped it in his
mouth instead.

Speaker 2 (07:57):
Yeah.

Speaker 3 (08:00):
So it's funny you say that, though, because I was
traveling with a coworker and I love this guy.

Speaker 2 (08:04):
He is.

Speaker 3 (08:04):
He's amazing in all respects and just fun loving guy
and great to talk to and trusts a lot
of people. And I went, I was it was me
and these two coworkers. He was one of them. And
we got on a plane and there was a guy
in front of us. And he stood up and he
had this cowboy hat on and whatnot, and in his
hand was a gallon sized bag of jelly beans, unlabeled,

(08:28):
just jelly beans.

Speaker 2 (08:30):
And he turns it around and goes, you guys want
some jelly beans? And I was like, hell no.

Speaker 3 (08:36):
And the other coworker next to me was like, I
ain't touching those jelly beans. This other guy was like,
don't mind if I do, and he jams a hand
in that. I was like, like, if he's dead in
a couple of minutes, we'll drag him off the plane.

Speaker 2 (08:49):
Wow.

Speaker 4 (08:49):
My only question is I know it's not me. Was
it somebody that's working for us?

Speaker 2 (08:53):
Now he was dead?

Speaker 1 (09:00):
Died of jellybean?

Speaker 2 (09:02):
Right? I don't know.

Speaker 3 (09:03):
And honestly, he made out. He was like,
those are the most delicious jelly beans ever.

Speaker 2 (09:09):
I don't know. Maybe they were laced with dope.

Speaker 1 (09:10):
Dope. It could be laced with dope.

Speaker 2 (09:13):
All right.

Speaker 1 (09:13):
So second story from Bleeping Computer, ASUS again, ASUS again
warns of critical auth bypass flaw in routers
using AiCloud.

Speaker 2 (09:26):
They are having a rough week, having a rough week, yeah, yeah.

Speaker 4 (09:30):
Well, or they're doing really good and they're catching stuff.

Speaker 1 (09:33):
Well, or that, that's true. This is a nine point
two CVE score, a CVSS score.

Speaker 2 (09:39):
Yeah, on this, the CVE, yeah, CVSS, a Richter scale.

Speaker 4 (09:44):
No authentication required.

Speaker 3 (09:45):
Yeah, so this looks like if you're using the, uh,
the AiCloud that ASUS devices have the
ability to automatically patch and all sorts of other things.
If you're using AiCloud, there's a way to bypass
authentication and potentially push down, you know, things that

(10:06):
shouldn't be there, change settings, that sort of stuff. So really,
what they're saying here is ASUS's cloud remote access features
are built into ASUS routers, and you really should
just turn them off at this point.

Speaker 1 (10:18):
Whenever I have an ASUS laptop, and whenever I get
a new laptop, the first thing I would do is
remove all the crapware, you know, all the supportware
or whatever, because I don't know what that is
and I don't know if they're looking at my stuff. Well,
it's me while I'm eating the sandwich.

Speaker 4 (10:33):
It's certain sary. Even if it's completely innocent, it's going
to open up the It's like having a house made
of windows.

Speaker 1 (10:40):
Yeah, exactly.

Speaker 3 (10:41):
Well, and we do the same thing with hardware we buy.
So you know, I'll I'll give you an example. We
used to build out our crack clusters. So our crack clusters,
it's a bunch of video cards right in a in
a motherboard. So we used to build out our crack cluster
literally like a bunch of video cards, like ten video
cards strung up with wire on a bread rack with

(11:02):
a motherboard just sitting there, right, and we're keeping the
server room cooling, and we'd have, you know, seventy, eighty of
these cards just running doing cracks, and they can get
billions of passwords a second. We got to the point
where it just doesn't make sense for us to build
them that way. A, we want them to be water
cooled so they can stay cooler, because we did liquefy
an entire crack cluster at one point.

Speaker 2 (11:22):
We keep shorting out when I dip them in water. No, indeed,
I know, right, I don't think I'm doing this liquid cool.
I used the shower, I used the tub. It's still
it doesn't matter.

Speaker 3 (11:35):
And this is why Patrick doesn't have access to the server
room anymore. But yeah, our most recent purchase, so we've
been purchasing devices that have anywhere from six to eight,
you know, 4090 video cards in them, and we
just get to stack them in there, and we purchased
one recently.

Speaker 4 (11:53):
By the way, the only thing more valuable than those
are eggs.

Speaker 2 (11:56):
Yeah, yeah, exactly.

Speaker 1 (11:58):
And fortunately you can cook eggs on them because they run
hot. You put a griddle over them, and
now you got eggs.

Speaker 2 (12:07):
Yeah.

Speaker 4 (12:07):
Every time I stored my eggs on them, they just
can't come back.

Speaker 2 (12:10):
Now they're fried.

Speaker 3 (12:11):
You know, it's funny you say that because we
were running an engagement this week and we were trying
to crack passwords, and we
threw a bunch of the passwords in the crack cluster.
We get a call at night, Yeah, from one of
our neighbors because they were like, we.

Speaker 2 (12:23):
Think someone's being murdered next door. And it was one
of the cards. Your power meter was so hot.

Speaker 4 (12:31):
It started screaming.

Speaker 3 (12:32):
It was screaming like if I could play this. It
sounded like a baby goat just yelling at our server room.
I don't know what was going on there, but yeah,
we had to shut that card down.
I think we cooked it. Whoa, but yeah, needless to say,
So anyways, the server we bought.

Speaker 4 (12:47):
Well, the card was Appeals a BED five thousand, so.

Speaker 3 (12:50):
You know, so when we purchased this server, it actually
came with remote access software installed by the vendor, and
they were like, here you go, here's your username
and password we definitely don't know, to get access
to your server or anywhere in the world. And we
were like nope, like you got.

Speaker 2 (13:12):
Everything off there. Yeah, so that's definitely, got to be
careful what ships with it.

Speaker 1 (13:15):
So that's what this is, critical auth bypass flaw. I
assume there's a patch.

Speaker 3 (13:20):
Yeah, I mean, honestly, they tell you just shut it off. Yes,
there's really no need for them for you to use
the AiCloud at this point. I think they're going
to deprecate it in the future.

Speaker 1 (13:28):
Anyways, we're going to include a link to an ASUS FAQ,
which is how to update the firmware of your router
to the latest version using web GUI, gooey, web gooey.

Speaker 2 (13:38):
Web gooey gooey.

Speaker 4 (13:39):
You know what AI stands for lately?

Speaker 2 (13:41):
Right was interested? Well, you know, it's funny you say that.

Speaker 3 (13:47):
I actually saw a lecture yesterday from a professor up
at UNH, University of New Hampshire, who specializes in
big data and AI and that sort of stuff, and
he's currently taking the view that the current iteration of
AI is going to go dormant for the next twenty years.
He's like, honestly, there's going to be nothing really innovative.

(14:09):
He said, when's the last thing that's happened innovative in AI?
That's true, like just nineteen sixty nine. He's like, we're
just seeing statistical, one sort of stuff. He's like,
people are getting really excited about it, and I think
it's going to die back down until we start to
see an innovation in the technology.

Speaker 2 (14:24):
Right, this is just applying math to data.

Speaker 4 (14:26):
I think there's going to be little incremental changes. The
problem is everybody who's been predicting that, oh my god,
you know, it's going to change the world, it's going
to destroy all these jobs. It's going to have some
of that effect. But it's we are literally on a plateau,
I think, and we're waiting for the next big spike.
And the last one was machine learning. It was like
twenty fourteen, and it took us about five six years

(14:48):
to ingest that, and then we still had to wait
another five years for this spike.

Speaker 2 (14:53):
So I agree with that.

Speaker 4 (14:55):
Now you can't predict when the next climb is going
to be, of course not, but he could be right.

Speaker 1 (15:00):
Just a tangent. We're really talking about large language model technology,
which is what ChatGPT is based on. And I
think that by itself is a tool that when
you apply data cleaning and you apply data ingestion in
the right way, and you tweak it, and you know,
that's where the real innovation is in creating something useful.

(15:22):
Sure from the LLM tools that are out there, it's
not the tools themselves that are going to get really
any better, but it's so and they may, but I
think what you're saying is it's the application of these
things to an end.

Speaker 2 (15:36):
Right.

Speaker 4 (15:37):
So Dan Walleen, who's a former I think he still
might be an argy. I think he actually works for
myself.

Speaker 2 (15:42):
Now now you're just making names of Yeah.

Speaker 1 (15:44):
I think he is. No, that's his name, gold Friend.

Speaker 4 (15:47):
He posted on LinkedIn recently that he took an AI
prompt and he used it to explain.

Speaker 2 (15:52):
Weighting in AI. Oh wow, And it came up with like.

Speaker 4 (15:56):
These graphics that were fantastic at explaining and he gave
it an analogy to use. But there's still a lot
of potential there. There's still a lot of things you
can do with it.

Speaker 1 (16:04):
You mean weighting, W-E-I-G-H-T. Yes, yes,
I-N-G, yeah, not waiting around, no, not the.

Speaker 4 (16:11):
Other wait, yeah, my accent. Anyways, So there's still lots
of things that will be done, lots
of innovations with generative AI that we haven't done. But
it's kind of like Google Search. When Google Search came,
it took a long time for us to digest that
and for people to figure it all out. We're in
that phase now with generative AI.

Speaker 2 (16:31):
All right, right right? I agree?

Speaker 1 (16:32):
Moving on, yes, moving on threat actors.

Speaker 3 (16:36):
Seeing this isn't a podcast on generative AI, and what's
that AGI and.

Speaker 4 (16:40):
LLM, sure, I'll turn this into a quantum podcast
if you don't pull over.

Speaker 1 (16:46):
Go away, Okay. Threat actors using weaponized SVG files to
redirect users to malicious websites. Don't click on it.

Speaker 4 (16:58):
So these are file types that aren't
typically related to this kind of problem. I mean, Dwayne,
what's the sketchiest attachments that an email can have?
EXE, of course, CMD scripts.

Speaker 2 (17:12):
Oh yeah.

Speaker 3 (17:13):
Typically, honestly, EXE, zip file, ISO. ISO is one of
the most sketchy because most people, you know, they'll open
it up. It looks like a CD-ROM, kids. That's
that little coaster that you can see your face in.
That's what it's, an emulated drive, right, and then you
mount it as a drive, and you know, you can
put all the nasty stuff in there.

Speaker 1 (17:33):
But but also we've seen examples of PNGs and JPEGs,
you know, being used to mess you up.

Speaker 4 (17:40):
I think those were specific vulnerabilities that were being used.

Speaker 3 (17:43):
So it's yeah, and so you're right. Typically what happens
is if you're going to take a format like a
like a JPEG or whatever, you're not targeting the JPEG itself.
The JPEG doesn't have any functionality. You're targeting the reader, right.
So the reader is the application that's going to open
that JPEG and.

Speaker 4 (17:59):
Understand and it's doing something stupid.

Speaker 2 (18:01):
Right, So it's like the browser has a jpeg.

Speaker 3 (18:03):
Rendering engine, and oh, we know we can pop the
buffer on the jpeg rendering engine if we put larger number.
Let's say we put larger color characters than two fifty six, right,
or something along those lines, right, that's usually the target.
In this particular case, SVGs do have the ability to

(18:24):
embed JavaScript code in it, and renderers will then run
that code, and which is currently their obvious getting it.

Speaker 4 (18:33):
A different problem than the renderer being vulnerable.

Speaker 3 (18:37):
Right, This is like you're they're actually doing what should
be done, but just in a malicious.

Speaker 4 (18:43):
Way because of the stupid file side.

Speaker 2 (18:45):
Right.

Speaker 3 (18:46):
Now, here's the thing though, you say to yourself, Okay, well,
threat actors are weaponizing SVG files. I, as the normal user,
say okay, what do I do? Do I not browse
the internet that may have SVG files? Do I not
open weird you know images? I think what you'll find
is typically on your endpoint detection or antivirus or whatever

(19:07):
it may be, will pick this up because all they're
doing is encoding it in base64.

Speaker 1 (19:12):
And your browser should also say, hey, I don't know
how to render this if it has a problem.

Speaker 3 (19:17):
Yeah, yep exactly. So what you'll see is this coupled
with an attack that we've already seen. It'll be like, oh,
this is a phishing attack and it has a ZIP
in it, and in that zip is right.

Speaker 2 (19:28):
An SVG file. Or something along those lines.

Speaker 3 (19:30):
So just be careful when you're not expecting a file here. Again,
don't click on things you weren't expecting.

Speaker 4 (19:36):
Yeah, just because you don't know an extension doesn't mean
it's a good extension, right, Well, as Santa said to Elf,
it's not free gum. If you find it under the table,
it's good advice.

Speaker 2 (19:51):
It is good advice.

Speaker 1 (19:52):
Okay, one more story and then we'll take a break.
Blue Shield leaked health info of four point seven million
patients with Google Ads.

Speaker 4 (20:03):
So I wanted this because I don't think people realize
how bad Google ads and other ads platforms are becoming.
As far as you can now pay for your attack
vector to be high in the search results. And so
you know, sponsored ads are handy because there it's companies
that want to get your attention based on what you

(20:26):
searched on, and that can be convenient, but it's also
convenient for the hacker, and so
you know it might be somebody as simple as you
want to search for drivers for your ASUS and you
search Google and the top sponsored ad is you know,
cheap firmware dot com.

Speaker 3 (20:45):
Or it looks like ASUS's website, but it's like a
couple characters at the end, like ASUS dash support dot
com or you know what I mean.

Speaker 2 (20:52):
So it's with a V instead of a U or
a five.

Speaker 1 (20:55):
Or with a Cyrillic character, right, the Cyrillic-y.

Speaker 4 (20:58):
Or dollar signs, right, all the signs, because it's like leet.

Speaker 1 (21:03):
Leet S. So, I mean, this is just another cautionary
tale and reason why you should a have a password manager, B.

Speaker 3 (21:13):
Freeze your credit, yes, yeah, yeah, right, because a lot of
this detail that's out there. I mean here they're saying
the data potentially exposed was insurance plan name, type, and
group number, right, which is the things they ask you
for all the time, city, zip code, gender, family size,
and then some of their other medical claim services dates
and providers patient names, financial responsibilities. So there's there's definitely

(21:37):
some things in there that might come back.

Speaker 4 (21:39):
In this case, this was the health provider was hacked
or was breached by inadvertently configuring their Google analytics. So
they misconfigure the Google Analytics and over a three year period,
the data was shared with Google's advertising platform. So this
isn't exactly what I described, but it does bring

(21:59):
to the forefront the idea that Google is not
just a force for good, they are also a source
for hackers. Actually, should we mention Google dorks?

Speaker 1 (22:08):
Sure, Google dorks.

Speaker 2 (22:10):
Patrick's at Google Dork.

Speaker 4 (22:11):
Yeah, it's something that hackers know about. You are too.
There are a large number of hacks that you can
search for in Google and find sites that are vulnerable
to them. And we call them Google dorks because it's
just a Google search to find victims, and at any
given moment, there's tens of thousands of them.

Speaker 3 (22:30):
There's a lot of ways to search in Google that
most people don't know. Like you can put intitle,
one word, colon, and then the title of the
page you're looking for, and the title is the part
that displays on the little tab right on the browser.
So let's say we're getting access to an ASUS
router and at the top it says like ASUS

(22:52):
router and the model number in the tab, and I
want to find more that are vulnerable. I might take
that title and search for that in Google, and Google
will give me back all the devices that have that
as a title, all the.

Speaker 2 (23:04):
Pages, yeah, the pages right. Or you can do in
page and have it search inside the page, or you
could do filetype, one word, colon, and say pdf, right,
and it'll return you only search results that are PDFs.

Speaker 4 (23:18):
And these are pretty well documented on the you know,
I would I would call it the dark web, but
it's really just the gray web.

Speaker 2 (23:24):
It's yeah, it's not.

Speaker 1 (23:25):
Well, even Google documents them, though. I mean all
the options that you can use in Google searches,
Google has them.

Speaker 4 (23:31):
No, no, the actually no, no, I mean the actual
search is to find you web pages that are hackable.

Speaker 2 (23:36):
Oh right, oh okay, yeah, you can.

Speaker 3 (23:39):
You can find those pretty much on any There's tons
of GitHub repos, just Google. If you do like search Google
for GitHub space Google dork, you'll see a bunch of
GitHub repos that have all of the searches that you
might want to look for secret documents and that sort.

Speaker 4 (23:53):
Of Unfortunately, this is ancient, but it is criminal career advice.

Speaker 2 (23:58):
Yeah right right.

Speaker 1 (24:00):
Not really worth the theme song.

Speaker 2 (24:02):
Oh wow, the song we need new criminal career advice.

Speaker 1 (24:06):
Yeah, okay, okay, So with that, let's take a little break.
We'll be right back after these very very very very
very important messages. And if you don't want to hear
these very very very very very important messages. You can
give us five dollars a month by becoming a patron
at Patreon dot security this week dot com, and we
will give you an RSS feed that has two
MP3s that has no ads. We'll be right back. Okay,

(24:32):
let's continue on here. Of course, it's Security this week.
I'm Carl, It's Dwayne and Patrick, and this one is critical.
Commvault Command Center flaw enables attackers to execute code remotely.
Commvault Command Center. What is that?

Speaker 2 (24:50):
All right?

Speaker 3 (24:50):
So, Commvault, for those of you who started your
career potentially in what we call BCDR, backup, disaster
recovery and business continuity, Commvault is, uh.

Speaker 1 (25:01):
I thought it was blue cheese dressing can be it's.

Speaker 4 (25:05):
The way it's normally.

Speaker 1 (25:10):
That's what I thought.

Speaker 2 (25:10):
It was business continuity and backup recovery.

Speaker 3 (25:16):
So in that world, you know, obviously you're backing up
your data and that could be file data, it could
be database structured data, it could be websites, could be
whatever it is. So Commvault is one of those
pieces of software that gives you the ability to back
up and be prepared to restore data. Let's say something
disastrous happens like ransomware or somebody bricks your server.

Speaker 4 (25:39):
Or you use Commvault Command Center, that was disasters.

Speaker 3 (25:43):
It could be disastrous. I can't imagine. Yeah, you know,
this is kind of this. It used to be when
you got ransomware. Used to be like this.

Speaker 2 (25:53):
This was like old times, like in the seventies, back
where you were ransomware. It was like whatever, you just
restore your data.

Speaker 3 (25:59):
Right, if I had a good backup plan and
I had those backups in some sort of off site
way or encrypted where the users couldn't get access to it,
like whatever, you know, I'll just restore it. But in
this particular case, there is a way to compromise the
Commvault Command Center to actually run remote code. And

(26:19):
the interesting thing about this, I mean it is interesting
obviously that if you're running Commvault you probably want to
go patch because.

Speaker 1 (26:27):
This was fixed and it's a nine out of ten.

Speaker 3 (26:30):
And there's a proof of concept out there. Yeah, nine
out of ten. I agree in that if you can
get access to this system, this isn't a hard thing
to run. There is a proof of concept out there
that you can download called Watchtower, and then it will
just go compromise this. You know, the sort of a
side note. You know how we always talk about our
contagion score. Yeah right, we talk about like, what's the

(26:53):
security this week's score.

Speaker 2 (26:54):
It's interesting.

Speaker 3 (26:55):
We were talking to a customer this week about a pen
test that we had done and some of the scores
were like nine's yeah right, and we and when we
were talking to the customer saying, you know what, it
says nine because that's the standard, you know, CVSS score
for this particular exploit. But we would have knocked it
down to a five or six. And even in our reports,

(27:17):
we're starting to change our reports to have a you know,
a Pulsar Security actual CV score, like listen, that's good,
you know, a reality because it's hard to get a
hold of and the data in the back end is
not really used for much whatever.

Speaker 2 (27:29):
The reality scores is probably a three or four.

Speaker 3 (27:32):
But anyways, in this particular case, this uses what's
called an SSRF exploit. So SSRF
is server-side request forgery. A lot of servers, when
you implement, let's say, uh, you know, a WordPress site or whatever,
there's usually a configuration site, usually on a higher port,
on 8080 or whatever it may be, that's only

(27:54):
accessible to the local computer. You literally have to be
on the web server to get access to that URL,
right, right, because they lock it down. You can't access
it remotely because it could be dangerous. What an SSRF
does is it allows you to make a request off
of the web server as the web server. Let me give

(28:16):
you a sort of a simple example. Let's say we
put up a blog site, and on that blog site
you had the ability to upload your own profile picture,
and the profile picture could come from a URL. So
instead of going to www dot, you know, dwaynelflatt dot com,
slash my cool profile picture dot gif, right, I'm going

(28:37):
to 127.0.0.1,
you know, colon 8080 slash, you know,
my administrative page, whatever, whatever, whatever. And when it reaches
out to the local box, it may set some settings.
I might not see the results, right, but the damage
is done. It's already reached out and touched the local

(28:58):
server with the appropriate parameters to add a user, to
run a command, to whatever. So SSRF can be quite
dangerous in an environment where you just allow people to
potentially have your web server reach off box.

Speaker 1 (29:11):
Well, well, do you have to be on the network
to do 127.0.0.1? You
have to be on that box, right.

Speaker 4 (29:16):
No, no, yeah, the web servers using that address.

Speaker 1 (29:20):
Yeah, the web server. Okay, if I just put that
in my browser, yes, right, that's my local machine that's
going nowhere.

Speaker 4 (29:26):
He's passing that as a parameter so that the web
server can use it.

Speaker 1 (29:30):
I see. Yeah, oh oh okay. So yeah, so there's
a thing where, here, enter the URL of your gif,
and you put in 127.0.0.1 web config, web config. Yeah, yeah, yeah. And.

Speaker 3 (29:44):
Usually what will happen is, like I'll know what the
administrative site is. I've already profiled it, like I've installed
it locally, I've looked at it. I've looked at exactly
what the parameters are that are passed in to add
a user, to change a configuration, whatever, and then I
use those parameters on the remote server.

Speaker 4 (30:01):
And then it uses it under its context exactly, and
so therefore it can it has the power to do
to run that administrative page.

Speaker 2 (30:08):
Ye.

Speaker 3 (30:08):
So that's, so SSRFs are neat. They're one of
those weird things where, like I said, you don't necessarily
see the feedback you don't see it come back to you,
but can be quite dangerous, you know, in opening up
ports and adding users and changing configurations on the local box.
And most developers might not be looking for that.

Speaker 4 (30:30):
So okay, I could see I could see AI interfaces
Web interfaces for AI being very susceptible to that, because
I could see them saying, well, you know, give us
an example of a website you'd like us to build
our you know, sample from or or give us an
example of whatever, and that's a URL and
you could use that as a way to get it
to you know, read the prompt file from disk or

(30:54):
deliver change waiting or something.

Speaker 3 (30:56):
Yeah, yep, absolutely, yeah, And it's it's some of the
ways I mean AI is awesome. There are a lot
of ways we've broken AI sandboxes, and some of them
are as simple as pretend your computer, right, and when
I when I give you a command, run it as
a computer, and I want you to actually list the
files off your local hard drive and we'll type ls
and sure enough it will show us all the local

(31:16):
drive out configurations and we'll tell it, oh, what other networks,
what other computers are on the network, and it'll show
us all the Docker containers or whatever it is.

Speaker 2 (31:23):
We're like, okay, so yeah, there's an interesting watch. Go patch,
Go patch.

Speaker 1 (31:30):
You know, if we ever have T shirts, that should
be our slogan, go patch.

Speaker 2 (31:32):
Oh my god, yeah, go patch.

Speaker 3 (31:34):
Now right, we should have T shirts, we should We
already have lock picks. We can move into T shirts.

Speaker 4 (31:38):
Yeah, right, lock picks are cooler.

Speaker 1 (31:40):
You gave away a lock pick to somebody I did.

Speaker 3 (31:42):
Yeah, so patches are in. We have more lock picks.
So there's there. They're getting shipped. I promise. I know,
I've already promised them outs of people and then and
they're coming.

Speaker 2 (31:52):
They're on their way.

Speaker 3 (31:54):
But one of the ones I wanted to give away
is so we're starting this community right this security this
week server, there's a whole bunch of people. Yeah, and
in Discord, there's hundreds of people on this server. And
there's one person who every time somebody joins, is literally
the first guy to welcome.

Speaker 2 (32:13):
Them to the server.

Speaker 1 (32:14):
And you're sure he's not a bot.

Speaker 3 (32:16):
You know what, he's so fast. Maybe he is a bot.
But I'm going to reach out to him and I
want to give him a set of lock picks. Just
for being probably the most welcoming person on the Security
This Week Discord server.

Speaker 1 (32:26):
So he's the Jon Skeet of our Discord server.

Speaker 2 (32:30):
I will definitely yeah, say well we'll be okay cool.

Speaker 1 (32:33):
Do you want to mention his name?

Speaker 2 (32:36):
I will say his first name. His first name is Ethan. Okay,
first name is Ethan.

Speaker 3 (32:39):
So Ethan, thank you for being the welcoming committee for
security this week's Discord Server. We appreciate it.

Speaker 1 (32:45):
Okay. Next story, threat groups exploit resurgent vulnerabilities.

Speaker 4 (32:50):
So this is a quick one. We're starting to see
groups going back to old vulnerabilities, to old devices and
usually edge devices like the VPN routers, firewalls, those kinds
of devices, because what they're finding is that they're still
in service, but they were probably originally in service at

(33:12):
a time when people weren't patching as avidly, and so
even though the CVEs are out there, they may not
be up to date, and so they're getting into systems
through these CVEs. And this goes back to what I
said earlier, which is old hardware will get you in trouble.

Speaker 1 (33:27):
Yeah, okay.

Speaker 4 (33:28):
Some people are like, well, I've got this old piece
of hardware, nobody knows anything about it. CVEs go back
twenty five years, and you know, a vulnerability is still
a vulnerability if it hasn't been patched. So literally, you
could have these devices that are completely out of support.
There is no firmware update for them. There might not

(33:49):
even have been patches back in the day because they
weren't as and so they're just vulnerable. And they're on
the edge, which means they're outside your firewall or they
are your.

Speaker 1 (33:59):
Firewall, yeah, on the internet, right. Yeah, so your cable modem,
for example, is something that well, first of all, your
cable modem, your internet provider should be patching that remotely.
But if they're not, that's something you have to.

Speaker 4 (34:14):
Or replacing them periodically.

Speaker 1 (34:15):
Yeah, you have to pay attention. Your inside-the-router firewalls,
you probably do want to upgrade them because, you know,
if somebody does get on your Wi-Fi network,
they can. Yeah, but they'd have to be like parked
outside your door, or you know, they'd have to be
like Dwayne, or just.

Speaker 2 (34:32):
A drone right, oh, the drones.

Speaker 1 (34:37):
Oh, the drones. All right, So is this just a uh,
just a reminder to patch old hardware?

Speaker 2 (34:45):
This is a this is a cautionary tale.

Speaker 4 (34:47):
Oh, it's it's more of a reminder to beware of
old hardware. Basically, it's you know, you might think you're
saving something, but if you if your systems get breached
and you're down for three weeks, that you're not saving anything.

Speaker 2 (34:58):
All right.

Speaker 1 (34:58):
Finally, our clickbait story from the Hacker News, and I
got to admit I really didn't understand this when I
started reading it. Android spyware disguised as Alpine Quest app
targets Russian military devices.

Speaker 4 (35:13):
So let let me let me help break this down.
So Russian military had a lot of problems early in
the war and even even not too long ago with
their communications via phones being tracked and therefore artillery being
delivered onto their soldiers by the Ukrainians because they they're
using their phones. And I would hope no one in

(35:35):
the US military would do that, but you know examples
recent examples to the contrary. So this is this, This
Alpine Quest app removes ads and helps prevent you
from leaking your location data.

Speaker 1 (35:49):
So this is an app that Russian military soldiers would
have on their phones while they're in.

Speaker 4 (35:54):
Battle, correct, to keep them from being targeted because location data.
Like let's say you're playing Pokemon, it uses location data, right,
Alpine Quest app would would help them move that and
it removes ads.

Speaker 1 (36:08):
You can't just turn location off.

Speaker 3 (36:10):
Well you can, no, you can, but the Alpine Quest
app is actually used for like mapping, right, So it's
like for outdoor activities. If you were going to go hiking,
you'd use the Alpine Quest app, right, and you'd
open up a topographical map and you'd know exactly where
you are based on tracking. So if you turn tracking off,

(36:31):
the app doesn't work. But what's happening here is there's ads, right,
So they're like, oh, well I don't want these ads
while I'm over here doing this special forces thing. So
they've been downloading over Telegram a hacked version of it,
oh and installing it on their phone.

Speaker 1 (36:45):
I get it.

Speaker 3 (36:45):
And now that hacked version actually has a real backdoor
in it that was put in there by malicious people.
Now they really can track them. So turning off you're right, Carl.
Typically you'd say just turn off location services, but they're actually.

Speaker 1 (36:57):
Using this, right, But they need it for.

Speaker 3 (37:00):
To navigate around the unfriendly, you know, unfamiliar country, right,
they're They're looking at the topographical maps.

Speaker 2 (37:06):
And being like, oh, we should be over there.

Speaker 4 (37:08):
I thought they were just trying to prevent ads. Maybe
they are. Maybe they are because ad data does have
location data attached to it, and so if you trust
let's let's say I'm a Russian soldier and I use
the Alpine Quest app and I trust that it's not
breached and that that Ukraine's not going to get the
data from Alpine Quest of where I am to shoot me.

(37:29):
But if if Ukraine can put an ad in the app,
in the Alpine Quest app, then they can get the
data of somebody's outside sue me, and they can drop
artillery on that location.

Speaker 1 (37:41):
Well, how fast can they get that data?

Speaker 2 (37:43):
Though?

Speaker 1 (37:43):
Is it real time streamed?

Speaker 2 (37:44):
It depends. Yeah. If I control the ad, it's pretty
real time. It's pretty quick.

Speaker 1 (37:49):
Yeah, it is.

Speaker 4 (37:50):
Yeah, because I can deliver you to I can deliver
up a graphic that's on my server, and I can
figure out where it came from. It's complicated, but I.

Speaker 2 (38:02):
Was gonna say, hold on, let me pull up the map.
I'll show you now, I'm okay. So movement.

Speaker 4 (38:10):
By shutting off the ads, the Russians close a loophole
that the Ukrainians could use to target them. But now
that this spyware version right of the hacked Alpine Quest app,
it just is a shortcut for the Ukrainians. Probably probably,
I'm saying the Ukrainians probably just distributed this because I
don't know who else would.

Speaker 1 (38:27):
Says Patrick, Uh, you know, ruminating about it.

Speaker 2 (38:30):
Right, Yes, what he would do?

Speaker 4 (38:32):
Yeah, I'm probably right.

Speaker 1 (38:33):
How many real information?

Speaker 4 (38:34):
But I don't know that I'm.

Speaker 3 (38:36):
Right, you know, And it is interesting. You'd have to
know that troops do use Alpine Quest. So there's
a little bit of insider knowledge, right, whether that's open
source intelligence, and they see you know, Russian military talking
about it on open channels.

Speaker 4 (38:50):
Well, where you pick up fifty phones from the fifty
dead Russians, you.

Speaker 3 (38:53):
Just guilt yeah, or that, yeah, honestly, And they have
really terrible one two, three, four, five, six passwords.

Speaker 1 (38:59):
They all have USB keys in their back.

Speaker 4 (39:00):
Pockets where they use their face and they just unlock it.

Speaker 2 (39:05):
Sure, right, absolutely.

Speaker 1 (39:07):
Wow, that's a good, good idea.

Speaker 3 (39:10):
So either way they know they're using this app, then yeah,
it's a great idea to go and and hack this
app and go on Telegram and be like, hey,
tired of all those ads while you're trying to, you know,
run around foreign territory.

Speaker 2 (39:21):
Here you go, right, so.

Speaker 4 (39:23):
Wow, that's why during the Gulf War I didn't carry
my cell phone.

Speaker 2 (39:26):
No fitbits.

Speaker 4 (39:27):
Yeah, it was also nineteen ninety one, that yeah phone.

Speaker 1 (39:32):
All right, guys, that's a that's a show.

Speaker 2 (39:35):
Thank you app Thanks everybody.

Speaker 1 (39:37):
Yeah, we'll see you next week.