
July 11, 2025 • 40 mins
Call of Duty: WW2 pulled from PC following reports of remote code exploit trolling players with 'Notepad pop-ups, PC shutdowns' and desktop wallpaper of a lawyer

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So I was talking to my cousin Dot this week
and she told me she just spent three hundred dollars
on a colon cleanse. Three hundred dollars.

Speaker 2 (00:09):
That's a lot.

Speaker 1 (00:10):
She could have got the same thing from Taco Bell
for four nine nine. Welcome to Security this week. I'm Carl,
It's Dwayne and Patrick, and we're here to make you
laugh to keep from crying about what happened this week

(00:32):
in security. Here last one? All right, Qantas, you know,
Qantas, the Australian airline, hit. Sorry, I.

Speaker 3 (00:42):
Mean, why should they be excluded from the fun, right?

Speaker 2 (00:44):
Right?

Speaker 1 (00:45):
So they were hit by a cyber attack, leaving six
million customer records at risk of a data breach. Were
they actually breached or were they just at risk?

Speaker 4 (00:54):
So this article is super confusing. It's likely to have
been stolen and I'm waiting for more information to come
out about this because, you know, it says Qantas is
warning of a significant amount of customer data that.

Speaker 2 (01:06):
Has likely been stolen.

Speaker 4 (01:08):
Okay, right, But then they sent out these very cryptic
messages to their users saying we'll let you know more later.
And then in here it says names, contact details, birth
dates and frequent flyer numbers were compromised. Okay, but then
in two paragraphs it down it says no frequent flyer
accounts were compromised, nor passwords, pins and logins.

Speaker 1 (01:32):
So okay, so they don't know what the hell's going on.

Speaker 3 (01:35):
I think it's they don't have the data of what
they know what could have been comp, but they don't
have evidence that it was exfiltrated.

Speaker 1 (01:42):
And so that's the problem with digital data is that,
you know, you make a copy, there isn't really any record
of who copied it into what.

Speaker 3 (01:50):
Well, it can be, it can be if your edge
services are sophisticated enough, but yeah, most most people's are.

Speaker 4 (01:55):
Yeah, if you're auditing, well, and it depends, I mean
you can bypass edge, Well you can't. I mean, honestly,
the data is encrypted on the way out the door.
You have no idea what.

Speaker 3 (02:05):
Well, and a lot of times the logs aren't protected,
so you can edit the logs sure.

Speaker 4 (02:08):
Yeah, right, yeah, and you can take paths that
they're not logging, like most people aren't looking for data
exfil over DNS or data exfil over SMB
or whatever. Right, so if you're only looking at web traffic.

Speaker 1 (02:20):
I think I agree with you, but I'm not sure.

Speaker 4 (02:24):
I'm just going to keep throwing out acronyms, right, until,
give me a bowl, until Carl agrees with me, at
me a.

Speaker 1 (02:30):
Ball and a spoon, and I'll just keep eating the soup,
all right. So so we don't really know it's the
bottom line.

Speaker 4 (02:37):
Yeah, No, they're not really sure, and they're still investigating,
which is frustrating, I'm sure to the public. The companies
don't want to say yeah, you know quickly, oh my god, yeah,
we lost everything, right, because it opens them up to
legal issues.

Speaker 1 (02:54):
But here's the deal. If you have a Qantas account
and you buy tickets online with it, go change
your password. It's not that difficult.

Speaker 4 (03:01):
Yeah, that's probably not a bad idea. Yea, you have
change your password. You should probably have a credit monitoring
service or something along those lines, just in case somebody
got personally identifiable information they could use against you.

Speaker 2 (03:11):
That sort of thing.

Speaker 1 (03:11):
Freeze your credit, all the usual things.

Speaker 3 (03:14):
Oh yeah, yeah, that's the new honest.

Speaker 2 (03:16):
Yeah, got to freeze your credit.

Speaker 4 (03:17):
The thing I love about this is a lot of
people go, wow, Qantas is a big organization and six
million records. That's a lot of data and it's really
personal information. God, the attack must have been like
uber complicated. It must have been like something you'd see
in Mission Impossible with the reverse engineering of firmware
on a plane that got carried into it, like.

Speaker 1 (03:37):
Or something Dwayne would do.

Speaker 4 (03:39):
Yeah, And really we see these attacks on large organizations
coming down to mostly sophisticated social engineering attacks.

Speaker 1 (03:49):
It.

Speaker 4 (03:50):
One of our listeners in the Discord had mentioned a
book, Ghost in the Wires, and I had never read it,
and it was by Kevin Mitnick. And you know, I'll
be honest, I was always turned off by Kevin
Mitnick because he was so much like, it
always seemed like he's like, oh my god.

Speaker 3 (04:04):
He didn't find him sexy.

Speaker 2 (04:12):
I'm not even going to touch that.

Speaker 3 (04:14):
I would agree with. He was.

Speaker 1 (04:16):
Right there with I don't know.

Speaker 4 (04:18):
I never met him, but he seemed like the type
of guy in the news who was like, I'm the
best hacker on the planet. And actually, if you listen
to the book, read the book, whatever it is that's audible,
he's He wasn't. He was a very humble guy, but
very very smart, and ninety nine percent of his attacks
were social engineering. Yeah, he was really good at pretending

(04:39):
to be a phone switch field guy and calling into
you know, nine x and getting them to do things.

Speaker 1 (04:46):
Wow.

Speaker 3 (04:46):
Right, he knew more than they did.

Speaker 4 (04:48):
Yeah, absolutely, And he knew all the lingo, and he
knew when he was hacking quote unquote banks, he knew
the fact that they required a daily code, and the
daily codes for Bank of America there were one hundred
of the daily codes. For certain other banks there were
five of them. And he had a way of manipulating
one branch into giving him the codes. Like he would

(05:09):
call up and say, oh, you know, for me to
give you this account detail, I need you to verify
a code, verify the B code for me, and they go, oh, yeah,
be code is green, you know green donkey today You'd
be like, oh no, that's not the one I have, right,
So they'd end up giving him the whole list, and
then he would call another bank and he would use them.
So he's very very good at social engineering people. And

(05:29):
this is the same type of thing we're still seeing this, right,
And he was doing this in the eighties, right, We're
still seeing this today where people assume want to believe
the person calling them is in the organization and people
in general want to be helpful. Right, We all do
well, except for Patrick, Dwayne.

Speaker 1 (05:48):
I think we ought to write a screenplay where the
criminals employ these social engineering tactics, you know, to do
the kind of stuff that's actually going on, because you
know what happens in Hollywood gets a hold of this
stuff and they're not accurate about these but you got
to be really good.

Speaker 3 (06:08):
Social engineering is difficult at first, and then it just
gets easier. It's like acting. One of Mitnick's
most interesting events was he walked onto a nine x
or an AT&T service truck and convinced them
he was a supervisor. I heard the story, and he
took their manuals and therefore he had even more information

(06:30):
about the networks and things like that. But he dressed
them down and said, you guy, what are you guys doing?
You know, you really kind of and he basically just
live the part. And that's tough because you can't just
hang up you're in the truck.

Speaker 4 (06:43):
He actually went into a phone like switching station at
night and security guard caught him, pulled him up into
the sock and was like, you know, what the heck
are you doing here? And he was like, you know what,
I I was just showing my buddy here my office.
I work here. I'm on the third floor. I'm right

(07:05):
next to you know, so and so and so and so.
Any knew names of people on the third floor. And
the guy was like, bs, who's your boss? Yeah, and
he said, my boss is you know, Susan so and so.
Feel free to call her and he said, I'm gonna
and he called her and he was like, yeah, you know,
I got a person here. Whatever he says, he reports
to you. And he was like, let me talk to her.

(07:25):
Let me talk to her. And he gets on the
phone and.

Speaker 3 (07:27):
She's like, who the hell are you And he's like, yeah, I.

Speaker 2 (07:29):
Know, I know.

Speaker 4 (07:29):
This guy's giving me a hard time, right, And the
guard wasn't listening to the other side and he hung
up and he's like, right, dude, you could do what
you want. She says, just give me this stun and
he was like, oh, okay, cool right. So and just
that type of clod there's very few people who could
pull that off.

Speaker 3 (07:43):
Yeah yeah, bomb bomb disarmors probably in that same category.

Speaker 2 (07:47):
Yep.

Speaker 1 (07:48):
Well, before we leave the story, I want to give
a shout out to Stu. That's who on Mastodon sent
me this story. So he's at Shelway get Mastered on social.
That's s eight e l w Ig at mastodon dot social.
So I think we ought to give Stu a lock
pick set.

Speaker 2 (08:05):
What do you think? Yeah?

Speaker 4 (08:06):
Amen, reach out ste and we will. We'll send a
pick set along. Absolutely hopefully we're not getting in trouble
with any of these pick sets. We've been sending them
to a lot of different countries out there, and I'm
not sure that that's fine.

Speaker 1 (08:16):
They're perfectly legal to own, right, I mean it's.

Speaker 4 (08:19):
Fine in some places, yes, sure, it's fine. In other
places not so much.

Speaker 1 (08:24):
Oh well, okay, sending them to Malaysia or anything.

Speaker 4 (08:27):
Right, Yeah, it's fine. No, they wouldn't take packages from
me anyways.

Speaker 3 (08:31):
Any So, while we were ruminating, I looked at, there's
about twenty six million people in Australia. So this is,
if you think about, like, most of Qantas's customers are
probably Australia, more than half of them. I would think that's
a pretty big percentage of the adult population. Oh yeah, yeah,
so this is, and this is one of the most
trusted organizations in Australia. So this is a big hit

(08:54):
to them. This is maybe a wake up call.

Speaker 2 (08:57):
Yeah. Yeah.

Speaker 4 (08:58):
And like I said, the social engineering angle has been
around for a very long time. It's decades, well sorry,
not decades, hundreds of years millennia.

Speaker 2 (09:08):
Yeah.

Speaker 4 (09:08):
We used to call them con men, right, swindlers. People
would come up and try and con you out of
your money or whatnot, and pretend that they knew something better,
or who they were or whatnot. This has been going
on forever, so yeah, I would think we're not stopping
it anytime soon with technology, let's put it that way.

Speaker 2 (09:23):
Yep.

Speaker 1 (09:23):
All right, all right, I just met a message stew
so hopefully he'll get back to us and we'll get
him out of lock pick set and see that's how
easy it is, folks. Cool recommend a story and if
we use it, you get swag. All right. So the
next one is Ingram Micro suffers a global outage as
internal systems inaccessible denial service. Yeah. Ingram Micro is huge.

Speaker 4 (09:47):
Yeah yeah, I mean forty eight billion in revenue, oh
my god, so not a not a small organization.

Speaker 3 (09:54):
But the company hasn't confirmed that it was a cyber attack.

Speaker 2 (09:56):
Oh but they have, they have.

Speaker 3 (09:59):
Since this article.

Speaker 4 (10:00):
Yeah, so July six, let's see, Ingram Micro confirmed the
ransomware attack on July six and launched an investigation with
cybersecurity experts. So they confirmed that it was a ransom,
ransomware attack. Okay, so, but initially you're right, in this
article they said nothing.

Speaker 1 (10:17):
So this was July fourth.

Speaker 3 (10:19):
Yeah, let's talk about the state of the art of
ransomware right now. So ransomware gets in your environment very often.
It gets in your environment and it tries to stay
undetected for an amount of time. Some of them use
six hundred and sixty six hours, which is actually a
long time, so that they can propagate, so it can
infect other servers, and then they exfiltrate data so

(10:42):
that they can coerce you into saying, hey, we have
private communications, we have copyrighted this, we have that stuff
that will embarrass you, stuff that will hurt your reputation,
stuff that you don't want leaked. They get that data
and then they get ready and they encrypt, and when
they encrypt everything, when they can, they destroy the backups.
So if you don't have offline air gap backups, off

(11:05):
site backups, then they're going to destroy those as well.
And so now they've got they give you a demand
and if you say, no, we're not paying it. We
have backups. Okay, well maybe you do, maybe you don't.
But if you do have the backups, you can you
can just restore. But what if they have data that
you really can't afford to let them publish?

Speaker 2 (11:24):
Yeah, right?

Speaker 4 (11:25):
Extortion. Yeah, yeah, it's actually, what Patrick just
described is called triple extortion. So you have single extortion
where they just maybe steal data and/or ransomware,
but don't take it offline, double extortion where they may
encrypt it and pull a little bit of data offline,
and triple extortion where they actually might take that data

(11:45):
if you don't pay them and go to the Federal
Communication and Trade Commission and file a complaint that you
haven't notified the world that you were hacked. So that's
happened too, where we've seen a ransom our organization go,
you know, hey, pay us. The company said no, and
they said okay, and they went to the FTC and

(12:06):
they filed the complaint saying, oh, guess what these guys
can act.

Speaker 1 (12:09):
So you go to the FTC and say, yeah, those
guys that are complaining, they're the ones that stole my data.

Speaker 3 (12:14):
I don't think that changes the reaction. No, I don't
think that changes it.

Speaker 2 (12:17):
It doesn't.

Speaker 3 (12:18):
So still, so yeah, you really Not only do you
have to prevent these kinds of infections, but you have
to be prepared for them with good backups. You have
to make sure that you know the data offline. I'm
not saying you shouldn't have online communications, but you shouldn't
be stupid. Okay, If all right, folks, that's it.

Speaker 1 (12:36):
Patrick says, don't be stupid.

Speaker 4 (12:38):
Don't be stupid. Just don't be stupid, thanks Patrick, Just
be smart, and that sums up the show.

Speaker 2 (12:43):
We're done.

Speaker 3 (12:43):
So there was a major.

Speaker 1 (12:44):
Corporation because if you're stupid, I won't.

Speaker 3 (12:47):
Say which major corporation.

Speaker 1 (12:48):
See now wait wait, wait, stand with me now. If
you're stupid, see, bad things will happen to.

Speaker 3 (12:56):
You more often they're smart things. Bad things happen to
smart people do. But wow, but let's talk about something. Well,
let's talk about something. So I know of a major
corporation that I've encountered long ago. I won't say the
name that had some code they wanted to start getting
involved in open sourcing code, and they didn't open source

(13:17):
a project because the comments that they had had in
the comments would have been embarrassing to the company, and
they saw at least they delayed going open source. Huh,
that shouldn't happen. You have to what you have to
watch out for, you have to write everything is if
it's going to go public. I don't write an email.
Very rarely do I write an email that I wouldn't

(13:38):
be comfortable being in public. I might not want it
to be in public, but I wouldn't be embarrassed by
my language. I wouldn't be embarrassed by my choice of words.

Speaker 1 (13:47):
Oh no, no, I mean that's it. And in an
open source project, if somebody has a complaint or a
problem and they point out a bug or something, hey great,
thank you, you know, and then you fix it and
you move on. But if your response is like, oh,
I'm going to hide all these comments, right wow?

Speaker 3 (14:02):
Yeah, Well, I mean there are companies that do say
things behind closed doors that they shouldn't, and when the
legal discovery comes in and they have to reveal those
that that that you know, that gets that stuff gets
out in the public. The best way to not have
embarrassing stuff come to fruition is to not have embarrassing stuff.

Speaker 1 (14:20):
And that's that's right. Just be awesome, be smart and
be awesome.

Speaker 3 (14:24):
Don't be evil. Wait a minute, that's taken.

Speaker 1 (14:28):
Do no harm, boy, that one's gone out the windows.

Speaker 2 (14:34):
Do less harm there?

Speaker 1 (14:36):
Well, no, do no harm.

Speaker 3 (14:37):
Just follow your own frickin' rules.

Speaker 1 (14:40):
All right. So new service now flaw, let's attackers enumerate
restricted data. What is service now?

Speaker 2 (14:48):
Uh?

Speaker 4 (14:50):
ServiceNow, or SNOW as we call it. We
always look for the SNOW agent anytime we're breaking into
a computer. SNOW does a lot of things. It can,
you know, do auditing, it can do all sorts of
administrative things on a computer, that sort of stuff. So
you generally are going to run into this in an organization.
No, this isn't something you're going to have at home. Right,

(15:12):
sounds very convenient, I know, right, yeah, yeah. We've seen
several of these, so it depends on which packages of
ServiceNow they're using. But if you take a look
at what this article says, it says
ServiceNow flaw allows attackers to enumerate restricted data. And
anytime we hear enumerate restricted data, it's one of two things.

(15:35):
It's either pulling information out of directories that a user
shouldn't have access to. So it's an application that may
have access to files in a privileged way, or it
might be a database. In this case, it looks like
it's a database. Users may not have access to query
ServiceNow to see information, right, so I might not
be able to say, like, show me all of the

(15:58):
issues assigned to a particular person or whatever it might be.
But what it does do is, at the bottom, say
the number of rows that, you know, have been sent
back to you, twenty, right, it tells you how many
exist there. Okay, so you say I can't see those rows,
but it is doing something. It is running the command,
so a quick SQL injection, and you can go and say, okay, cool,

(16:23):
tell me all of the you know, issues with different computers.
And if the first letter of the first column of
the database is an a, uh, you know, delay for
a couple of seconds, so on and so forth.

Speaker 3 (16:34):
Yeah, so it's basically doing that one character at a time.
But because of automation, it's possible right.

Speaker 1 (16:41):
Now, if they had a quantum computer, if they got
a yeah.

Speaker 4 (16:44):
Medialy so here again is still now this was discovered
by Varonis, they're a security software company, so
I don't entirely understand why they were in the middle
of it. Maybe they were just testing it out for fun.
So it's good we're not seeing this as an attack
that's being used in the wild. However, it still blows

(17:08):
my mind. And I know I've said this many times
on this podcast, that SQL injection is still a thing, right,
but it is, right? Yeah.

Speaker 3 (17:17):
Yeah, And they have a self registered user that you
can basically go in and you're supposed to have limited capabilities,
but this vulnerability gives them much more data.

Speaker 2 (17:26):
Yeah.

Speaker 4 (17:27):
So if you are running ServiceNow, go out and patch.
There's a CVE associated with this, it's CVE twenty twenty
five three six four eight.

Speaker 3 (17:37):
But was really really just signed that discovered all over
a year ago.

Speaker 1 (17:41):
Wow.

Speaker 4 (17:42):
So yes, it was discovered by Varonis in twenty twenty
four and it was assigned the CVE twenty twenty five
three six four eight, which means it didn't
actually go into the CVE system until twenty twenty five.

Speaker 1 (17:54):
Wow.

Speaker 4 (17:55):
So it's very it's been public recently, but it's existed
for a long time for a little while.

Speaker 3 (18:00):
Yeah, it's just that that's a long time.

Speaker 4 (18:02):
It is a long time, so they're okay. So a
lot of us talk about responsible disclosure. Let's go down
that path real quick. Responsible disclosure is where I find
a vulnerability, a zero day in a piece of software,
and I go to the organization that creates that software
and I explain it to them, and I go to
their security department and say, hey, found this thing. Gives
me full access to the computers. This is how I

(18:25):
did it.

Speaker 1 (18:25):
And you say I want a bug bounty and they
say no, get out it.

Speaker 4 (18:29):
Yeah, generally you don't, all right, So if there is
a bug bounty program there, then yes, right, you can
do that. If there is not a bug bounty program,
it's considered a bad form to break into something and
then ask for money. Yeah, so you'll go, You'll disclose
it to the service, to the software organization, and they

(18:50):
generally have a certain amount of time to respond.

Speaker 2 (18:54):
Right.

Speaker 4 (18:54):
If they don't respond within Yeah, if they don't respond
within ninety days, then you can do what's called an
open disclosure, just put it out on the internet. Right,
And that has its own ramifications because you still can
get sued and all sorts of other things. Right, But
sometimes it's the best way to make sure that the
organization actually tackles the issue.

Speaker 1 (19:12):
Want to buy some insurance?

Speaker 4 (19:13):
I know, right. But with responsible disclosure, we talk about
this ninety day window. That's not necessarily the company has
ninety days to fix the problem. Yeah, they have
ninety days to communicate back a plan.

Speaker 1 (19:27):
Yeah right.

Speaker 4 (19:27):
And they may say, listen, this is huge, this is
a big deal. It's going to take us twelve months
to fix, right. You got to keep a lid on it.

Speaker 3 (19:33):
And most most good people will.

Speaker 4 (19:35):
Yeah, absolutely right. And a lot of times they'll say, listen,
we'll attribute it to you, you know, when we
put our articles out, when we get the CVE, it'll
be, you know, Varonis is the guys, they're the ones
who found it, awesome, right, but, you know, keep it
on your halt for now. Sure, so that might be
what happened here. I'm not sure. They don't explain it
in the article.

Speaker 1 (19:55):
But okay, this seems like a good time to take
a break. So we'll be back after these very important messages.
And as a reminder, if you don't want to hear
these messages, give us five bucks a month. Come on,
that's a latte and you can get an ad free
feed from Patreon dot Security This Week dot com. Stay tuned

(20:16):
and you're listening to Security this Week. I'm Carl Franklin,
That's Dwayne Laflant and Patrick Hines. We are trying to
laugh to keep from crying about this week's news. Uh,
some really interesting stuff coming up, including one of my
favorite new words. Ruckus.

Speaker 3 (20:30):
You knew Ruckus, You've been using Ruckus for a long time.

Speaker 1 (20:33):
What's all this Ruckus? Soon over here? Ruckus Networks leaves
severe flaws unpatched in management devices. You were just talking
about this. Why would they leave it unpatched?

Speaker 2 (20:45):
And I don't even want to talk about this.

Speaker 4 (20:49):
It's not awesome. I mean, this is all bad, sad.
So okay, Ruckus. Let's back up a little bit. Ruckus Wireless.
Ruckus puts out wireless products, wireless access points, wireless
central controllers, that sort of stuff. So, and they generally
manage really large environments. We're talking, you know, college campuses
and like large event venues and that sort of stuff.

Speaker 2 (21:12):
So they're not companies like.

Speaker 3 (21:17):
Just getting just getting maybe jazz jazz.

Speaker 4 (21:22):
So needless to say, this isn't
something you're going to just implement at your house. I'm
sure there are people who have Ruckus at their house
because they have high-end wireless systems. But it's
triggered something like this, your house. Now, Patrick's got, Patrick's doing
all right, he.

Speaker 2 (21:36):
Doesn't need.

Speaker 4 (21:39):
But the thing is, lots of these style of companies,
these you know, I'll call them IoT because they are
their little devices, right, little computers without a monitor and
keyboard on it. A lot of these little devices have firmware,
and a lot of the organizations think because that firmware
is in there, nobody's gonna be able to look at it,
nobody's gonna be able to figure out what's in there. Right,

(22:00):
So we're safe. That's the because it's made of plastic.
Plastic is awesome. Plastic plastic. It's the most secure thing
on the planet. That's why they make tanks out of plastic.
Oh wait, hey, Sparky, come here. Plastic burns.

Speaker 3 (22:17):
I mean, all the tanks I've ever built are made
of plastic because they're models.

Speaker 2 (22:22):
Yeah, all the time.

Speaker 4 (22:25):
So apparently there's a fair number of issues with Ruckus devices.

Speaker 3 (22:32):
There's a lot of issues. That's a big list.

Speaker 4 (22:34):
Let's go down the list. See yeah, buckle up. CB
twenty twenty five forty seven. A hard coded secret that
allows you to bypass authentication that's bad and admin level
access that's bad, right, using just regular HTTP headers and API. Oh,

(22:55):
that's like hard coded, like you pull you look inside
the operating system and there's just a secret there and
you only Oh, let me pull that out of the
code and let me just use that.

Speaker 5 (23:03):
If the secret equals my secret, hey, I gotta let
them in. I got some advice. If people can see it,
it's not a secret anyhow. Path traversal, which may may
allow you to read said secret.

Speaker 3 (23:22):
Well, I mean, what's at the authentication bypass with OL
path traversal right exactly.

Speaker 4 (23:27):
So CVE twenty twenty five for two is a path
traversal bug.

Speaker 1 (23:33):
We talked about path traversal. That's essentially if you have
a path string, yeah, right, and and your your web
server allows you to navigate outside of the web root
file to folder, that's bad.

Speaker 2 (23:47):
That is very very bad.

Speaker 1 (23:49):
So that's what this thing did.

Speaker 4 (23:51):
C twenty five four hard coded default public and private
SSH keys. Anybody can connect to this vulnerable device as.

Speaker 2 (24:02):
R oh with root access.

Speaker 4 (24:03):
Oh, by pulling the the SSH key off of the
off the device. Well, it would be really hard if
you couldn't see file. Oh wait, no, the one before it.
You can actually see that file.

Speaker 3 (24:15):
So, well, at least there's no command injection. But wait,
twenty twenty five four four nine six one, command injection.
Any authenticated user can supply an unsanitized IP address to
an OS command. That's always an interesting one. Whenever routers
give you the ability to ping a host on the

(24:36):
network, generally they're pushing that out to an operating.

Speaker 1 (24:39):
Star, sorry, well, listen, there's four or five more, but
you need, you need on.

Speaker 3 (24:43):
But wait, yes, you know, but wait, there's four
more, you know?

Speaker 2 (24:46):
This, wait a

Speaker 3 (24:47):
minute. In its defense, it does include a jailed environment. That's nice.

Speaker 1 (24:53):
But there's a built-in jailbreak using a weak
hard-coded password to gain root x.

Speaker 4 (24:58):
On, yeah, and then the root, the root user of
the SSH user has a private and public
keypair that's hard-coded. There's encrypted usernames and passwords that
are completely, well.

Speaker 1 (25:10):
Idiots wrote this software. Boy, more than that, what idiots'
bosses allowed them to publish it? I mean.

Speaker 3 (25:16):
What's funny is they did things like the
jailed environment for security reasons, yes, and then they just
kind of like forgot that people had copies of the
hardware with the software on it that they could look

Speaker 1 (25:31):
at. They left the keys hanging on the vault

Speaker 3 (25:33):
door. I think they just missed the idea that a
hacker could get a copy of their device and
just read the code and then reverse engineer it. Yeah, that's
what it seems like to

Speaker 1 (25:43):
me.

Speaker 4 (25:43):
Right, well, in Ruckus' defense, they said this isn't a new
company. Ruckus has been around a long, long time, so
who knows how long these exploits have potentially been in
there or how many of their other products have the
same type of coding style, right, because they're the same
developers. And, Carl, yes, I'm gonna push back.
They're, all right, they're potentially not idiots. Okay, potentially a

(26:05):
lot of developers aren't like you, right, who knows
security and who, as they're coding, are thinking what happens
if. I think Carl, when he's writing code,
has a little Dwayne in a little package. Finish,
what if could access, well, it's, this here's the

Speaker 1 (26:25):
thing. Most, I'm not putting my keys in a config
file and checking it into

Speaker 3 (26:28):
GitHub. Most web developers don't realize that browser-side security
controls are not secure because we get access to the
control, the browsers. And by the same measure they think, oh,
well, you know, this is built into the firmware of the
device, no one can get that. Yeah, we can. We
can reverse engineer the device, we can get the operating
system, we can see everything that you put on that

(26:49):
device. And they just don't. They're missing that point. That
seems to be the common thread

Speaker 1 (26:53):
here. Yeah, anytime a customer asks me, and I develop
Blazor applications for a living, and every time a customer
asks me, should we use Blazor Server or WebAssembly, I
say, give me one reason why you shouldn't use Blazor
Server. Give me one reason why you should use WebAssembly.
What is your motivation? Because if you can keep
everything behind the firewall and server and show no code

(27:15):
to the user, that's what you want from a security

Speaker 2 (27:18):
perspective. Yeah, yeah, absolutely, I

Speaker 3 (27:20):
agree. You can still screw that

Speaker 4 (27:22):
up. Oh, you sure you can. You can, but it's
a lot harder. Yeah, it's a lot harder. Yeah, but it's
harder. You have to work

Speaker 1 (27:27):
harder. It's a lot

Speaker 2 (27:28):
harder, yeah, absolutely.

Speaker 3 (27:29):
Yeah, I think that's the missing thing here. This
development team thinks that anything on the device is hidden,
yeah, and it just clearly isn't. By the way, that reminds
me, I'm actually doing a talk at Michele Leroux Bustamante's
Security Intersection in October, yeah, the Security Intersection.

Speaker 1 (27:51):
Though, oh, nice. Yeah, so the, on Blazor security, security
in a Blazor application, so how to cross the T's
and dot the I's. That's going to be fun. Maybe
I'll put a link to

Speaker 2 (28:04):
that. Awesome, I love it. All

Speaker 1 (28:06):
right. So with Ruckus, are these patched? So, uh, see
anywhere where it says, yeah, I was

Speaker 4 (28:13):
gonna say, according to the article, they reached out several
times and heard nothing. So I'm not sure if they're in
the middle of a patch, if they've gone to
patch. Usually the CVEs are issued after a patch, but
I haven't tracked all of these down because it looks
like it's going to take me like a week's worth
of work to figure out how many patches came out
for the thirty-five

Speaker 3 (28:34):
Cvs it says at the, bottom, no with no patches
available and no clear information on when they might be.

Speaker 1 (28:40):
Released this Was july, Ninth so hats off To Bill
tullis for this investigator report.

Speaker 2 (28:46):
Here good, Job yeah that Was.

Speaker 3 (28:49):
Yeah let's hope That ruccus doesn't have a hit team
or else he's in.

Speaker 1 (28:52):
Trouble, yeah, no, kidding, right that's tools they might.

Speaker 3 (28:58):
Use it's more like travel around in a car that
has big letters that says hit.

Speaker 2 (29:03):
Team, yeah that's, right hit team.

Speaker 1 (29:07):
Run. Okay, next story: Cisco Unified Communications Manager static SSH credentials
vulnerability. I hate it when Cisco has vulnerabilities, but you
must hate it a lot. Yeah, they tend to, you
know. I want to believe that Cisco is a secure product.

(29:27):
You have such

Speaker 3 (29:27):
a massive product base, yeah, and it's been around a long

Speaker 4 (29:30):
time. It's not like Cisco's a new organization either, right,
so they have to build upon the stuff that they've
been building for the last thirty-five years, which is
always to

Speaker 3 (29:39):
I would like to see more big companies do what
Microsoft did when they just said, look, we're taking a
year off from releasing new stuff. It's all
about security right now. I think every third year needs
to be that

Speaker 4 (29:50):
way. I was going to say, well, and if that's the
case, I mean Microsoft really should kill off pass-the-

Speaker 2 (29:56):
hash. But you know

Speaker 3 (29:56):
what? Happen... they need to do it again this

Speaker 1 (29:59):
year. You also got to have billions of dollars to
be able to take a year off, you know, you

Speaker 3 (30:04):
do. Yeah, I'm just saying, billion... security is a feature.
It's an important feature. It's a feature everybody wants, and
now we're finally getting the

Speaker 1 (30:14):
attention. You don't want Ruckus security, you want Microsoft

Speaker 3 (30:18):
security. Well, and again, it's been a while since they
said we're declaring like a moratorium and we're going to
go back to training. But remember Windows XP Service Pack 2,
yeah, and they got serious and it stayed serious for a
while. I don't, I don't really know the temperature right
now on that. There's still some people I know from
Microsoft that have serious religion on security, but there's definitely

(30:40):
could do with another thing. But then I have
never heard Cisco say, yeah, this is the year of
security, we're going to go through and hunt these things.
Yeah, I don't know, it's just death of a thousand

Speaker 4 (30:51):
cuts. But coming to the article, Cisco has the
Unified Must... yeah, I know, right. Cisco's Unified Communications Manager, or
CUCM, is something that is used in Cisco's environment as
a collaborative sort of enterprise suite, so it manages voice, video,
messaging, mobile

Speaker 2 (31:12):
presences. There's all sorts of

Speaker 4 (31:13):
stuff. But the interesting thing about it as well is
that it's designed for high scalability, so that means you
can have eighty thousand users per cluster. So these aren't
managing small environments, so it makes it extra important, if you
will, if a, you know, a remote attacker can get

(31:35):
root-level privileges on those devices. Yeah, if you're running these
devices you're definitely going to

Speaker 2 (31:41):
want to go patch. Yeah, that's it, it's all of

Speaker 1 (31:45):
it. Go patch, go patch, all right, go patch. Can
we talk about the CVE score and how accurate it is?

Speaker 2 (31:53):
Yeah, well, so the CVE score, is it ten? Oh,
indicators of compromise, hold

Speaker 1 (31:59):
on, hold

Speaker 4 (31:59):
on. Actually, this looks like this is super easy to exploit,
yeah, and it's hard, maybe, right, and it's hard to
mitigate. You can't just upgrade, there's no patch. You've got
to go and either, well, you can't upgrade to a new
version. Yeah, there is, yeah, there is a patch file to
apply, but still, yeah, absolutely. So admins are urged to upgrade

(32:22):
to fifteen SU three, okay, or apply the CSCwp
two seven seven five to five patch,
which sounds like that's a point fix because this thing's

Speaker 1 (32:35):
So you said there's not a patch, but there's a patch.

Speaker 4 (32:37):
Right, so, yeah, yeah, there was an intermediary patch and
then they finally came out with like a full... hold

Speaker 3 (32:44):
up, there's no workaround. There's no way to go and
just remove the vulnerable account. You have to patch, yeah,
without ripping the core operating system out.

Speaker 1 (32:53):
But you have to

Speaker 3 (32:54):
patch. So, okay, good, all right, patch. It's a ten.
Ten, ten's a little hyperbolic, but I mean, is this
the type of software you would put out on the

Speaker 1 (33:03):
internet? I don't

Speaker 4 (33:04):
know. I don't, I think you would. I mean, I
think it's entirely possible if you're talking about supporting collaboration
between eighty thousand

Speaker 1 (33:11):
users. Yeah, you're on the

Speaker 4 (33:13):
internet. There's very few organizations in the world that have
eighty thousand users internally that are going to be collaborating,
right. So my guess is these, you'll, you'd find these devices

Speaker 1 (33:22):
accessible. Well, you haven't seen my next company, which is
going to be called Glicky Glocky Walk, and it's going
to be, uh, social

Speaker 3 (33:33):
media. You know how when you look at
coins for their level, like excellent
and perfect and, yeah, you know, mint, they have
criteria that says, well, if you can see these
lines then it's this, and if you can't see them then
this. We need that for these CVEs. We need to
know what these numbers are based on. Are they based
on the fact that it's a ten because you have

(33:56):
to deploy it on the internet, you know, in most cases,
you know, it gives you complete total access without
authentication? We need more of those kind of guidelines, and
I don't know if that's

Speaker 1 (34:07):
provided. Well, we provide a sort of, uh, we did,
you know, off-the-hip kind of contagion score, but
it's just Dwayne's opinion of how likely are you
to get

Speaker 3 (34:19):
this. But I'd love to see the ability, I'll... breakdown
on why that

Speaker 1 (34:24):
number. I agree, Patrick, you know, yeah, we need to
hire more

Speaker 3 (34:28):
people. I've definitely seen it. It didn't make

Speaker 1 (34:31):
sense, yeah. All

Speaker 4 (34:32):
right, so according to my digging into the
CVE here for the last five seconds, it actually, yeah,
for the last five seconds, it actually is.
There are default SSH hard-coded credentials that
were left in by mistake from development. Okay, so once

(34:55):
you know the SSH credentials there, it's not hard to
SSH into any of these devices and give it the
username and password, and then you're

Speaker 1 (35:03):
in. Jeez, and it's a known username and

Speaker 2 (35:06):
password. Well, now it

Speaker 1 (35:07):
is. It's like in the manual. No, but it's like
in the manual, right, like admin/admin kind of thing.

Speaker 4 (35:13):
Yeah, yeah, that's a good question. I'm looking now, may
post it

Speaker 1 (35:17):
later. Okay, if you want to know the answer to
that, go to our Discord at discord dot security this
week dot com. All right, shall we get to the
clickbait, the most important security issue that we encountered in
the last

Speaker 2 (35:31):
week? This one's near and dear to my

Speaker 1 (35:32):
heart. Call of Duty: WW2 pulled from PC following
reports of remote code exploit trolling players with Notepad pop-ups
and PC shutdowns and desktop wallpaper of a lawyer.
Yeah, we... that is a

Speaker 3 (35:47):
mouthful. So we were talking about this a little
bit before, and Dwayne was mentioning you have to be
in a lobby with somebody who's trying, who exploits

Speaker 1 (35:55):
this. In a lobby, meaning in the room.

Speaker 3 (35:57):
So it's not like they can just, yeah, the lobby is
basically, you know, where you start the game, but it's
random, oh okay, player, right, but it's not like having
it installed on your system will automatically make you
vulnerable, but being in a lobby with somebody who has
exploits, it's a way to get at somebody in the

Speaker 1 (36:16):
game. So I don't play the game, so obviously the
lobby is like the first room you get into, right? Yeah.

Speaker 4 (36:20):
Yeah, so you'll watch the game, you create your, you
know, look at your character and the loadout
and that sort of stuff, what type of, you know,
guns and whatnot you

Speaker 1 (36:28):
want. There's a nefarious player who knows about this exploit
in the lobby with you. That's when you're in trouble.

Speaker 4 (36:33):
Exactly. Yeah, and so it's interesting that this
game was released in twenty seventeen, that's a while ago,
right. So you say, okay, well, why the influx, why
the big oh my gosh, it's happening now, right? So
what Microsoft does, Microsoft has the Xbox app, obviously on the
Xbox, but they have it on your PC where you

(36:54):
can download games and you can play games, but you
can also be a part of their Xbox Game Pass.
Xbox Game Pass, for those of you who are gamers
out there, is the best money in gaming right now.
Like for short money a month, I think it's ten
bucks a month, you get access to hundreds and hundreds
of games.

Speaker 1 (37:11):
And you get more than you can play, more

Speaker 4 (37:13):
than you could ever play. But you also get access
to, like, day one drops. So like, day one,
a huge hit comes out and Microsoft releases it, and
in there they have EA tied in there, Bethesda's in there,
like there's tons of really good game studios in there.
It's not just, you know, anything that comes from

Speaker 1 (37:30):
Microsoft. And what is this thing called, Game

Speaker 2 (37:32):
Pass. Game Pass, yeah, it's awesome. All

Speaker 4 (37:35):
right, you can play the games up in the cloud,
so you could play them off your phone, you could
use your Steam Deck to load them up and play
them on the cloud. There's all sorts of really cool
ways to interact with Game Pass. Well, Call of Duty:
World War II just came out in Game Pass, so
that's why there's this huge influx of players playing this
old game that came, you know, it was from nine years

(37:58):
ago, eight years ago, is because it's the... it's because
it was just dropped on Game Pass, so everybody downloads
because it doesn't cost them anything, and they decided to
try it

Speaker 1 (38:09):
out. But there's a specific PC version of this game
that has the exploit in it, and then just days
after the release, after these reports that came in, they pulled
it. So if you haven't downloaded it and played it
when it first came out, you're

Speaker 3 (38:27):
okay. You were vulnerable only in the lobby, it
seems like. It doesn't seem like it's

Speaker 1 (38:31):
And only for a few days, right, before they

Speaker 4 (38:34):
Yeah, and that's actually pretty typical, honestly, for exploits
in games. It's usually lobby exploits. Sometimes, like a
lot of times, it's, hey, I have a hacked lobby
that can give you infinite experience, right, and you'll join
that lobby and then connect to that particular person, and
then they'll run up a couple of hacks to give

(38:55):
you infinite experience or infinite equipment or, there's still money,
or in this case actually were launching like Notepad and/or
pop-up windows on your computer saying, you know,
now I own your computer, in

Speaker 1 (39:06):
that. Yeah, yeah, yeah. Geez.

Speaker 2 (39:09):
Yeah, it makes me

Speaker 1 (39:09):
sad. It is sad. You can't even play a freaking game
anymore, you know, and it's, gracious, what's this world coming

Speaker 4 (39:16):
to? This is the guy who, I'm constantly playing games and,
like, how would I break this game to get

Speaker 1 (39:21):
it?

Speaker 3 (39:22):
Execution. I mean, this is called, I mean, in other
games it's called griefing, when you find a way to,
like, crash the server or do something like this. The
part that makes this more newsy is the fact that
it's like they can run an exploit. They can, they
could actually do damage. They could actually steal credit card
information, they could steal passwords from your browser cache. That

(39:44):
makes this a bigger deal than if they're just able
to, you know, mess up your

Speaker 1 (39:48):
game. Yep, no bueno, no bueno. Well, if you're not
sufficiently scared enough, then, well, yeah, you're not paying attention.
We'll be back next week for some more. Hey,
don't forget to go to our Discord channel and hang out.
Yeah, just don't ask Dad for anything real, okay, see ya,
bye bye bye.

Speaker 4 (40:08):
Guys, bye.