Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So, guys, I don't know if you knew this, but
Facebook is cracking down on users by implementing some new
rules regarding their profiles. So now if you update your
relationship status more than three times, it automatically changes to unstable.
Is that per day? Well, this is a very special
(00:30):
episode of Security This Week. I'm Carl Franklin, that's Patrick Hynds,
and that's Dwayne Laflotte. Hey, guys. Hey, where's it?
Speaker 2 (00:36):
God, I thought you were going to say this is a
very special episode of Blossom. That's what I thought too.
Speaker 3 (00:40):
Like we're all children to be awesome. Oh my god. Yeah,
you're bringing back horrible memories for me, my ambiolic. So
this is "Freeze Your Credit Now." And that's because the
last story we're going to talk about is specific steps
that you can take.
Speaker 1 (00:57):
To protect yourself. Super important, that. And fraud is so important. Yeah,
if you want to, just, you know, go to securitythisweek
dot com. This is episode one eight, and or search
for "freeze your credit now" and you can find the link.
It will be the last link in the list. Very, very important.
You should share it far and wide, and everybody, everybody
should do this, even Grandma Franklin, right?
Speaker 2 (01:18):
So, but before we get to that.
Speaker 1 (01:20):
Before we get to that, there's lots of reasons why
you should freeze your credit, including the following stories from
Bleeping Computer. Mozilla warns Windows users of critical Firefox sandbox
escape flaw. For those who don't know, we programmers think
of a sandbox as a sort of a place where
(01:40):
software runs, where it can't reach outside of its little
area and into your computer. And that's what a browser is.
It's a sandbox. And so that's why browsing is generally
considered safe now anyway, it wasn't always.
Speaker 2 (01:57):
So, only by people who don't know.
Speaker 1 (02:00):
Yeah, nothing's safe for Dwayne, right? Dwayne doesn't like sandboxes.
Speaker 2 (02:05):
So this affects the latest versions of Firefox. And there's
a patch available, so as usual patch, right.
Speaker 4 (02:14):
Yeah, yeah. And so the danger of going outside of
a sandbox, though, is, you guys are absolutely right, a
sandbox is meant to contain code, right? So, like on
your iPhone, each and every app is sandboxed, right, so
app one can't access data from app two. It's almost
like virtualization. Yeah, exactly. Yeah, very similar to virtualization. You're absolutely right,
(02:36):
and you only get access to the underlying system through
API calls and that sort of stuff. So if you
can break outside that sandbox, you can potentially get access
to all sorts of other apps or even in this case,
potentially control the computer.
Speaker 1 (02:50):
So yikes. Yeah. So in a browser that's running on Windows,
let's say, breaking out of a sandbox means accessing Windows. In
Windows itself, we have this idea. We have a process,
and every, and this is just for memory, not disk,
but every application runs in its own process space, so
it can't access the memory of other applications that are running.
(03:11):
It wasn't always that way, not until Windows NT, and
before that we had all these crashes, UAE.
Remember UAE, user exception? I don't know. And before
that, even, even more. And that's because applications weren't fundamentally
separated from each other, so they'd occasionally write over each
other's memory. But they can still, because they're Windows applications,
(03:34):
they can access the disk. But a browser can't do that.
It's truly a sandbox. It can only play with its
castles and pails and shovels.
Speaker 4 (03:42):
That's what you're going to say? Play with itself? You go blind
that way.
Speaker 1 (03:47):
Say that. Hairy palms. The hairy palms. And, yeah. Okay, so.
Speaker 2 (03:56):
This is a classic patch story.
Speaker 1 (03:58):
Yeah. Yeah, we have a couple. We have a couple of.
Speaker 2 (04:00):
Yeah, they have a couple of every day.
Speaker 1 (04:02):
Yeah, all right. So if you're using Firefox, get the latest.
It'll tell you, too. You run Firefox and it says, hey, dummy,
there's a new version available, you want to download it
now? And say yes. That's it. That's all you can do. Okay,
Oracle Health breach compromises.
Speaker 2 (04:19):
So let's do some foreshadowing here.
Speaker 1 (04:23):
Yes, and foreshadowing.
Speaker 2 (04:24):
So if you're a member of the Oracle Health community, you're
going to get a message, a letter from them, probably,
and the letter will say something like, we believe your
data might have been breached, or it was breached. This
is the kind of information, and as a
recompense for destroying your life, we're going to
offer to give you some third-party identity theft protection insurance. Yeah,
(04:50):
it might be LifeLock, it might be something from, you know,
Equifax or Experian, but it's what they pick,
right? And.
Speaker 1 (04:58):
And we should note that it's after the fact.
Your data has already been breached. Oh yeah, it is.
Speaker 2 (05:04):
And the reason they're doing this is because now you're
more of a candidate for identity theft. So let's say
Oracle Health. Let's say Carl uses Oracle Health and I
know he doesn't, but let's say he did, and he's
in a breach. And let's say some bad guy. Let's
just pick Dwayne, you know, not for any specific reason,
is the bad guy, and say that Dwayne.
Speaker 1 (05:23):
Now that is so unbelievable.
Speaker 2 (05:25):
Dwayne now has access to information about Carl. And
he can call Carl up and say, hey, you know,
I'm here with your accountant. I know that you, you know,
live at this address, and I know you're doing this
and that, and, you know, you had this appointment recently,
and I just want to make sure, we're just following
up to make sure that everything worked out all right,
and see if you want to prepay at a lower
(05:46):
rate for the copay for the next visit, or something
like that, where he can trick you into giving him
a credit card. Yeah, it's social engineering. It doesn't even
have to be against Carl. It could be against someone
somewhere else, because now I have more information about Carl.
And so these companies say, well, we're going to
give you some identity theft protection in case in the
next three to six months someone tries to do
(06:07):
identity theft, even though the risk is forever, right? And
the idea is that, okay, now our conscience is clear,
you can't blame us, because in the next five months
someone else will have a problem. You'll have to blame them.
Speaker 1 (06:19):
Right, I'll be there, bro.
Speaker 2 (06:20):
And the problem is all of this is cumulative. The
amount of data on the dark web about everyone, including
their Social Security number, is now well established. So this
is one of those things where it's the end of privacy.
The private end of privacy was a long time ago.
Let's just go to acceptance of that.
Speaker 1 (06:36):
Now we have to accept that your stuff is out
there and Dwayne can find it. He could always find it,
but now Dwayne's son could find it. Right, right,
little Dwayne Junior.
Speaker 2 (06:47):
Actually, Dwayne's son's pretty smart. The stupid kid in Dwayne's class,
Dwayne's kid's class.
Speaker 1 (06:53):
Now, we should also mention that it's probably still a
good idea to go to Have I Been Pwned, put
in your email address and see if your data
has been breached. But that doesn't mean that somebody has
got your Social Security number.
Speaker 2 (07:09):
I just saw an article about our
friend Troy, where he admitted he got phished.
Speaker 1 (07:15):
He did, yeah, I saw that.
Speaker 2 (07:18):
Don't be so happy.
Speaker 5 (07:19):
Dwayne's like, I've been trying to get that guy forever.
I mean, he finally clicked. It worked. But, you know,
it was more of a, like, hey, this can happen
even to someone who's, like, you know, really well versed
in this stuff. Sure. It was a Mailchimp email saying
that he was being accused of spamming, and he's like,
(07:42):
oh no.
Speaker 2 (07:42):
And it looked so legit he clicked on it. What
he should have done is he should have gone to
his Mailchimp account, seen if there's any notifications, and
dealt with it that way instead of clicking on the link.
Right now.
Speaker 4 (07:52):
According to the article which he responded to, he was
tired and jet lagged and that's why he clicked on it.
Speaker 1 (07:58):
Well, he lives in Australia, and the rest the world
doesn't live in Australia, so you know he's traveling a
lot and far.
Speaker 2 (08:05):
He's not even in Sydney. He's, like, up on the
Gold Coast.
Speaker 1 (08:07):
I think, wait out there yet. So, but the thing
that I want to mention is that, you know, there's
two prongs to your security. One is use a
password manager, number one, a hundred percent. Change your passwords. Go
to Have I Been Pwned. Whatever those accounts are, those
are the ones you definitely need to change your password
for, and use something like Bitwarden or 1Password,
(08:29):
I think is the one you guys use, right? 1Password?
Mm, yeah, I love 1Password. It's a password.
And then, you know, then you have to lock your credit,
which is what we're going to talk about at the
end of the show. But this is the perfect example
of why you shouldn't, because, you know what, every show,
it's like every show, somebody, there's a breach and millions
(08:49):
of records are leaked, and many of them contain Social
Security numbers.
Speaker 2 (08:54):
If even one of them, it's becoming redundant.
Speaker 1 (08:56):
It contains your information with a Social Security number. Now
the whole dark web has your Social Security number. Yeah,
associated with your name, an address, or whatever.
Speaker 2 (09:05):
Yeah, it's just cumulative. It's just, it's starting to
become redundant.
Speaker 1 (09:09):
Now, Oracle. Oddly enough, Oracle has been in the
news quite a bit recently.
Speaker 4 (09:15):
Oracle's had some pretty major breaches, and we
haven't talked about them much, but.
Speaker 2 (09:20):
They deny the... Yeah, Oracle, the Shaggy defense. Oracle continues to
have the Shaggy defense.
Speaker 1 (09:27):
They're constantly like, no, that wasn't us. And then there
were Oracle customers.
Speaker 4 (09:31):
Who came out and were like, but that's our data, that's
my username and password, and they were like, yeah, yeah,
but we said it was in Oracle Cloud. What that
looks like, that's Oracle Legacy Cloud. Did you get the
difference? Not Oracle Cloud.
Speaker 2 (09:44):
And we're like, no, what dude, it's the same data.
Speaker 4 (09:47):
Yeah. So, needless to say, Oracle has been hammered.
Speaker 1 (09:51):
Well, the thing they have in common, the thing they
have in common is the name Oracle, right? And Cloud.
Like, come on? Yeah? Uh, no. Boy. All right, so
this next story is pretty interesting to me, because
we all know that when AI comes along, you can
either be afraid of it or, you know, you could
use it, right? And so here's Microsoft using AI to
(10:14):
go after cybersecurity threats. Yeah, this one's interesting. Microsoft launches
AI agents to automate cybersecurity amid rising.
Speaker 4 (10:24):
I think it's fine if it's identifying. No, so get
this: agents. Agent? When you start talking about agents,
for those of you who haven't dug into the sort of
gen AI world, they have agency. When you have
agents, they, yeah, exactly, Carl, they have agency. They can
do things on your behalf.
Speaker 1 (10:44):
Yeah.
Speaker 4 (10:45):
So like one of the things that these agents will
do is automatically detect phishing and then calling it up
for you.
Speaker 2 (10:52):
Yeah, and then where's my DocuSign that I needed
to sign to buy my new house?
Speaker 1 (10:56):
Clearly, that's the problem.
Speaker 2 (11:01):
I think we're coming to that nanny state where I
don't want a tool to prevent me from harm.
I want it to warn me of harm. I don't
want to take kids and never let them get near
a street, because then if they ever get out, they're dead.
I want to teach them how to cross the street.
I want them to understand what the risks are. And
(11:21):
I think that's a problem we have right now.
We're trying to protect users from things, where eventually something's
going to get through, and then we get
this fatigue of, you know, warning fatigue, or, God, this
is the sixth email this week that was valid that
I didn't get because it blocked it.
Speaker 4 (11:40):
So, according to the article, they'll have automated phishing detection,
which will autonomously handle routine phishing alerts, allowing security teams
to focus on more complex threats. Enhanced data protection: these
agents help safeguard sensitive information by automating data protection tasks.
Improved identity management: AI agents assist in managing and securing user identities.
(12:05):
Reduced manual workload by automating high-volume tasks. And
proactive threat response: the agents use AI to detect, investigate,
and respond to security incidents, respond to incidents and overall threats,
and then seamless integration with Defender and triv, I think.
Speaker 2 (12:25):
We have to get used to "I'm sorry, Dave, I
can't do that." Exactly right.
Speaker 4 (12:30):
I was thinking the same thing, like when it shuts
all the servers off and it's like, I thought there
was a virus there, And they're.
Speaker 1 (12:35):
Like, we've heard stories in the news of people
who are using these agents to go out on their
behalf and do things like cancel or fund. This was
a good one: to find an airline ticket at the
best price. The guy said, hey, go find me a
flight to, you know, Honolulu.
Speaker 2 (12:55):
And bought it.
Speaker 1 (12:56):
And the next two, and it actually bought it, and get this,
it wasn't a good... So, to add insult
to injury, not only did I not ask you to
buy it, but you bought it at a terrible price.
Speaker 4 (13:07):
It's it's like giving a kid your credit card. Yeah,
go find a good flight for you that.
Speaker 1 (13:11):
But I was thinking about this because I
was listening to the Freakonomics Radio podcast, which is a great podcast,
by the way, and the books are great. So episodes
six hundred and twenty-seven and six hundred and twenty-eight,
twenty-eight being the latest one, they're out there. Yeah,
it's on sludge, and sludge is a new term for
(13:32):
red tape or bureaucratic entanglements. Appropriate.
Speaker 2 (13:36):
Yeah, you young kids have your own language.
Speaker 1 (13:39):
Well, basically what it is, is it's all of the
things that you've signed up for, subscription-wise, that you
forgot about, and they still come around every year and
they charge you. Like, oh, what's this three-hundred-dollar charge? Oh,
well, this is that thing, right? And so I've heard
of people using AI agents to go find those things.
That's awesome. And cancel them. But how do you, but
(14:02):
how do you know which ones to cancel? I didn't...
I don't want to cancel that.
Speaker 4 (14:05):
The only way I could figure to do this easily
is cancel my credit cards, all of them, and then
just get to see. Eventually there'll be a service, like
I won't have lights on in the house, and they'll
be like, you.
Speaker 2 (14:17):
May still be obligated under the auto-renew to pay
it. True. And so you might have that last year
of, you know, you've got to keep track of what
you're doing. It's, no, yeah, just because
the digital age is here doesn't mean you don't have responsibility.
Speaker 1 (14:30):
Well, I look through my bank statements every month and
I look and see and try to identify what everything is.
And when there's something I don't understand, I map that, too.
And, all right, let's be honest, my wife does this, right?
She's great at it. And she says, Carl, what the
heck is this three-hundred-dollar charge? It just happened
to me a while ago, and it was a service
that I had bought that I hadn't used in a year,
(14:52):
and I basically emailed them and said, look, I know
I signed up for this, it's been over a year
since I've used it, you can check and see my usage,
and I would really like to cancel. It's not that
I didn't like it, it's just that I have no
use for it now. And, great, they did. They just
canceled it.
Speaker 2 (15:09):
Yeah, some of them are very reasonable. Yeah.
Speaker 4 (15:11):
Yeah, well, and you could go down that entire other path.
My sister actually has notifications on her credit cards for
every purchase. Wow, every purchase. Like her phone's going off constantly.
She's like, oh okay, oh okay.
Speaker 2 (15:26):
She's a bit obsessive.
Speaker 4 (15:27):
I was like, wow. I was like, what, like,
is somebody buying big things? She's like, no, no, no, no,
that was, like, a candy bar across the street. I
was like, holy crap. Like, impressive.
Speaker 1 (15:37):
But she doesn't have to approve or disapprove it, right, No,
she doesn't. She just knows.
Speaker 4 (15:42):
So the nice thing about that is, if she
saw something come in, like maybe it's only like
a nineteen-dollar service, or hell, you know, I've always thought, listen,
if I were to go out and steal a bunch
of credit cards.
Speaker 1 (15:54):
Which you've probably done again, what I would do.
Speaker 4 (15:58):
What I would do is I would set up a
recurring charge once a month on each of those credit
cards for, like, ninety-nine cents, and I would call
it something like, uh, you know, I don't know, electric
service, or insurance, yeah, exactly, whatever, wouldn't matter. Not a
lot of money. Ninety-nine cents, nobody's going to
go and track it down and figure out what the
hell it is. But you steal a million credit cards
(16:18):
and you're raking in the dough every month, and nobody's ever.
Speaker 1 (16:21):
Going to know, except when they do, when they jail. Right,
then there's the jail time. Could you do this
podcast from jail, Dwayne? Oh, yeah? Is that? Yeah?
Speaker 2 (16:30):
But I'm sure commissary would be so full. Good, buy
your safety with cigarettes. So.
Speaker 1 (16:39):
So, the Microsoft thing. Who knows. But it's a little bit scary,
and I'm not going to be enlisting any agents to
do anything on my behalf anytime soon, except maybe let
me know what's going on.
Speaker 2 (16:51):
I'm sure this will be as successful as the,
you know, the .NET servers and Hailstorm and any of
the other, uh, you know, really great initiatives of Microsoft. Eventually,
something good will come out of this. But this
is throwing things against the wall and seeing what sticks.
Speaker 4 (17:09):
Yeah, although honestly, and this is kind of counterintuitive
to what you might think, but I am super excited
about AI agents. I am.
Speaker 2 (17:18):
Because you can manipulate them, well, you know how to hack.
Speaker 4 (17:21):
I want I want agents who have that. I want
AI that has agency that can go do things.
Speaker 2 (17:28):
Well, you don't want it to do your bidding on other
people's systems, right?
Speaker 4 (17:32):
But who doesn't want, like, the Tony Stark, you know,
Jarvis system, where you're like, hey, go analyze this, or
particularly that, or what do you think of this?
Speaker 1 (17:40):
Or, I agree with Dwayne. I just want it to be awesome.
I just want it to obey my rules. And if it
doesn't obey my rules, some, you know, heads are gonna.
Speaker 2 (17:50):
Roll. Yes, your head, probably. Yeah, no, I mean, yeah,
I get the idea of the, you know, the digital,
the personal assistant, the Jarvis. Does nobody remember that movie
that came on later about Jarvis and how he didn't,
like, work out? So I think another part of it is
that you really want to be able to hack these
agents, because they won't have any of the defenses that
(18:12):
we've taught people to have. Oh.
Speaker 1 (18:13):
Absolutely, yeah.
Speaker 2 (18:14):
So there's gonna be a learning phase and things are
gonna get worse.
Speaker 4 (18:17):
Social engineering of agents. We've got to come up
with a term for that.
Speaker 1 (18:21):
But yes, stagings agents. I like that. That's kind of
like shittiot's.
Speaker 2 (18:32):
All right, let's talk about IngressNightmare.
Speaker 1 (18:34):
Yeah, let's talk about Ingress. What is Ingress, and what
happened here? Uh?
Speaker 4 (18:39):
Yeah, so here Ingress is, think, like, so the Ingress
NGINX Controller, specifically for Kubernetes. So Kubernetes is a, you know,
virtual containerization, containerization software. Managed fleet management. Yeah, so think
about it as, I want to run a small
piece of code. I don't necessarily want an entire virtual
(19:01):
machine there. I want it just to do its particular function
and go away, very Docker-like, right? The problem is,
to manage all of those, you need to have some
form of controller, something that orchestrates it all. And one
of the most popular controllers is this Ingress NGINX
Controller that will help orchestrate and manage your Kubernetes. There
(19:24):
was, just, researchers have discovered that there is
a remote code execution flaw. So this is
one of those patch stories. If you do have Ingress
NGINX managing your Kubernetes, you're going to want to
go out and patch.
Speaker 1 (19:40):
That. And NGINX is a web server. It's an
open-source, high-performance, very lightweight web server. Yep. And
it's used usually as a reverse proxy, load balancer,
HTTP cache. But it's very scalable and very efficient, and
it is usually the web browser, I'm sorry, the web
server of choice in a Docker container, right? Yeah.
Speaker 4 (20:03):
And associated with this are several CVEs. This isn't just one,
so if you look at the article that we
attached to this particular podcast, you'll see there's
a couple of, two, three, four different CVEs here that
are patched. So you definitely want to go patch.
Speaker 1 (20:21):
All right, patcha patch patch. So, uh, should we take
a break now or after this next one? Let's take
a break. Okay, we'll be right back after these very
important messages. Stay tuned. And we're back at Security This Week.
I'm Carl, that's Dwayne and Patrick. And just as a reminder,
if you don't want to hear those ads, if you've
(20:42):
heard any ads at all, sometimes you.
Speaker 4 (20:44):
Don't looking at you, looking at you, Cliff, Yeah, you.
Speaker 1 (20:49):
Don't want to hear those ads, you can go to patreon
dot securitythisweek dot com for five bucks a month. Jeez,
talk about sludge. You're never gonna forget that. You can
get an ad-free feed. So that's the story.
Speaker 4 (21:05):
Oh, wait, Carl, that's what I should do. If
I steal millions of credit cards, I'll put a subscription
to Security This Week on there. Absolutely. So what's a
valid service? That's a great move. A million credit cards, five
bucks a month, we'll be set.
Speaker 1 (21:19):
That's a dollar a week, dollar and a half. All right,
next one, from Forbes. Is this in front of a paywall? No,
it's in front of a "shut down your ad blocker." Well, yeah,
you get four free articles a
month or something. Malicious game infects Steam users with info-
stealing malware.
Speaker 2 (21:39):
No, it's a free game.
Speaker 1 (21:42):
Yeah, that's right.
Speaker 4 (21:44):
Yeah, they usually are. Honestly, this game is Sniper: Phantom's Resolution.
So, needless to say, there are a lot of really
great games on Steam, but we're starting to see attackers
more and more do this, because you can
develop an app, you can put it up on the store,
you can say it's free, and then there are tons
(22:06):
of people in that marketplace.
Speaker 1 (22:07):
They go, Okay, the pictures look cool. Sure, I'll do
it just right.
Speaker 2 (22:12):
Or it could be a supply chain attack. Where the
developer is absolutely innocent, but they got hacked and someone
added to their source code, right and they didn't have
anything to do with it.
Speaker 1 (22:21):
Yep. Well, Dave, do you want to play the game?
The answer is always no. What's the one
that Matthew Broderick.
Speaker 2 (22:30):
Was the nuclear war?
Speaker 1 (22:31):
Yeah? What was it, thermonuclear war? That was WarGames. Yeah,
WarGames, anyway, with Ally Sheedy, that's right, if I remember correctly.
Speaker 2 (22:40):
The only way to win is not to play.
Speaker 1 (22:43):
Those are the classics. WarGames.
Speaker 2 (22:46):
Yeah, we just lost our demos, our under forty demo.
Speaker 4 (22:50):
I've been telling all the kids, like on the Robotics team,
like you want to see like some real hacky hacked stuff,
go watch Sneakers like Sneakers is all.
Speaker 1 (22:57):
So, is there any way to know, when you go
to Steam and you see a game that you like,
whether you should download it or not?
Speaker 2 (23:03):
I repeat, the only way?
Speaker 1 (23:06):
Yeah.
Speaker 4 (23:07):
The problem, here's the problem. Most of these games, especially
if they're a competitive game, and I'll pick on something
like Call of Duty, which, whatever, but Call of Duty,
there's a lot of exploits out there for Call of Duty,
like the no-aim headshot mod or the
radar mod where it can tell you where all the
people are, and that sort of stuff. And usually the
(23:28):
developers are really good about shutting those down. And the
way they shut those down is they almost put, like,
an EDR, like an antivirus, on your computer. One
of them is called BattlEye. BattlEye installs, when
you install, let's say, Call of Duty, BattlEye installs
at the highest privileges possible on your computer. It installs
almost at kernel level, because it's watching everything that happens,
(23:50):
so it can see whether you're running a mod or
running an exploit or running whatever, right? Well, that works
really well to the hacker's advantage, right? Oh, Sniper Elite,
we have competitive play. You're going to have to install
this anti-cheat system that's going to install under your
antivirus and under... So, unfortunately, you've got to be
very careful with games, because it's not uncommon for a
(24:13):
game to ask for all the privileges on your computer,
and you just go yes, yes, yes, yes, yes, play
the game, right? Exactly. Yeah. So my recommendations here,
obviously, reputable publishers. So, you know, really do go
with a reputable publisher when you're trying to get games. There
(24:33):
are plenty of reputable, reputable, easy for me to say,
triple-A developers and that sort of stuff, right? So
it's not like, oh, I can only download things from,
you know, EA. There are plenty of other publishers
that are really easy to research out there.
Speaker 1 (24:47):
But is there anything is any website where you could
just put in the name of the game and it
will say whether or not this has been reported as malware.
Speaker 2 (24:54):
Or then, if you're the first, you're screwed. I mean, no,
there's a level of risk no matter what. I mean,
one of the best recommendations is, unfortunately, a very Marie
Antoinette thing to say, which is make sure your gaming
system isn't used for anything else. But a lot of
people can't afford an extra system just for gaming.
Speaker 1 (25:10):
No, right, No.
Speaker 4 (25:12):
But the other thing you can do, and one of
the things I always recommend if you're going to be
downloading free games and playing them, is, A, you know, look,
don't download on day one. Wait for some
of those reviews to come in, because a lot of
times, if they're developing it just as an infostealer, the game's
kind of cruddy anyway, so it's not worth playing. But,
(25:32):
you know, number two is, you know, when you're
running a game, you know, try and have other layers
of defense. Like, my firewall at my house blocks certain countries,
blocks certain malicious links, blocks certain infostealers, right? So
if my firewall picked that up on my home network,
right, then I would know, okay, you know what, there
(25:53):
was something malicious on this computer.
Speaker 1 (25:54):
Yeah? Yeah, all right. So always use protection, kids. We're saying
double-wrap the computer. Yeah, all right. Yeah. Volt Typhoon
hackers were in Massachusetts utility systems, okay, for ten months.
Ten months.
Speaker 2 (26:12):
They ended up at the DMV. It was all supposed to be
a three-hour tour.
Speaker 4 (26:18):
I just I just want to preface this by saying,
I know that they were in the Massachusetts utility system
and just because Patrick and I are near Massachusetts.
Speaker 1 (26:31):
You didn't have anything to do it.
Speaker 4 (26:32):
And I know they also compromised some of the critical
infrastructure in Guam as well, and Patrick and I were
just in Guam.
Speaker 1 (26:41):
It wasn't us, No, it wasn't me. It wasn't us.
Speaker 4 (26:44):
Defense: wasn't me. It is weird that Volt Typhoon's
following us around a little bit.
Speaker 1 (26:49):
But yeah, but here's that. You know about it because
you were in Guam, and it was to Massachusetts. All right,
so apparently they were breached just before Thanksgiving in twenty
twenty-three. Yeah, that's more than ten months.
Speaker 4 (27:05):
Yeah, yeah. Well, these types of investigations take a while,
so they may have discovered it after ten months and
then went, oh my gosh, now we need to figure
out how deep this goes on.
Speaker 1 (27:13):
That it was breached before Thanksgiving twenty twenty-three, but
it wasn't inhabited.
Speaker 4 (27:20):
Right, right. And it's not uncommon. Honestly, that sounds crazy, right,
ten months, but I think on average, the statistics are
even getting longer. On average, it's like twelve to eighteen
months that a hacker can sit in an email system
or on your network without you even knowing it.
Speaker 1 (27:35):
So these are Chinese hackers. So what did they do?
That's a good question.
Speaker 4 (27:40):
So what they're trying to do is dig as deep
into operational technology, or what we call OT, and those are,
you know, PLC controllers, things that will control power grids,
that sort of stuff. And these are weird devices, right?
Something that opens a dam, like motors on a dam,
is not like, you know, a Windows eleven box
(28:01):
with a USB plugged in it. Seven. Actually, you know,
a lot of times it might be Windows seven or Windows XP, right,
where it's like, this was the last system that was certified to run this
sixteen-bit software that controls the dam. And the problem
is a lot of the controllers, they're communicating over a
protocol, usually like Modbus, which is not like a TCP/IP protocol.
(28:24):
But those protocols were designed well before any authentication systems
were well designed, and that sort of stuff, back in
the free and open days of, you know, DARPANET
and all that other good stuff. ARPANET. So I'd say, you know what, for the most part,
it's really hard to protect some of this critical infrastructure
(28:44):
just because of how aged it is, and really isolating
it is the best. But that's what they're trying to do.
They dig as deep as they can. We've seen this,
actually, try to get persistence. Yeah, they try and get persistence.
We've seen this before attacks, especially, like, Russia likes to
use this tactic. Before they attack a place, they start
sneaking into the... Not that I'm saying we're going to
(29:06):
get attacked by China, but I'm just saying they sneak
into the electrical grids, they sneak into the power treatment
plants and that sort of stuff, so that they can
systematically shut things down before they start attacking.
Speaker 1 (29:17):
Yikes. Wow. All right, they're not our friends. No, they
are not. So this is from the Internet Storm Center,
in a net store, exploit attempts for Cisco Smart Licensing
Utility. Really smart. So what happened here? And is this
just another patch-it story? Yeah?
Speaker 4 (29:39):
This was, I think, our third go-patch-it story.
If you're running Cisco Smart Licensing two dot
two or earlier, you're affected by this. You just need
to actually go and patch it. Attackers exploiting this vulnerability
will send a specially crafted HTTP request to obtain log
(30:00):
files that contain the static admin credentials.
Speaker 1 (30:05):
No kidding, it would love the static admin credentials.
Speaker 4 (30:09):
Yeah, I know, and it You know, I can't tell
you how many times I've seen this, Carl where you
install a piece of software and it's like, oh, here's
your initial admin and password and they put it in
the log file that the set up log file, and
you're like, okay.
Speaker 1 (30:22):
That was dumb alsome. Ye, hey, at least change it
first and then don't log it, right right, yeaware, yep, yep, shoosh.
So that's it, Go patch, that's it all, Go patch.
Speaker 2 (30:34):
That's always the answer.
Speaker 1 (30:35):
We moved on. CrushFTP auth bypass vulnerability disclosure mess
leads to attacks.
Speaker 2 (30:43):
Yes, yeah, sp I mean really FTP still yeah.
Speaker 4 (30:51):
I don't know so FTP. So for those of you
that don't use FTP. FTP is a file transfer protocol FTP.
There were a lot of different ways transfer files over networks. Right,
every time you browse a web page, you are transferring
files over a network, right.
Speaker 2 (31:07):
Because the browser is an FTP client, right.
Speaker 4 (31:10):
The images that come down to you are pulling they're
pulling it over HTTP or HTTPS.
Speaker 1 (31:14):
Yeah, not ye FTP. But it's the same idea.
Speaker 4 (31:16):
But you can use it, You're right, Patrick, You can
use a browser to connect to an FTP server and
see files.
Speaker 1 (31:22):
Right. But FTP has an authentication layer R and you
know it does require username and password and uh so.
Speaker 2 (31:32):
It can require so what can can so?
Speaker 4 (31:35):
But here's the interesting thing about this, Like we've seen
servers get you know, have a compromise in the past,
we tell you to patch so on and so forth.
We've done it three times on this podcast already. The
problem with this particular one is the the exploit was
discovered by researchers, they went to responsibly disclose it, and
(31:59):
another team also discovered it and did not responsibly disclose
it and just released a POC. I was like, oh, hey,
look what we found, blah blah blah. So if you
read through this, it says the vulnerability which has a
CVSS score of three point one. We reached out to
MITRE on a CVE for on the thirteenth of March
twenty twenty five, and we're within the ninety days agreed
(32:23):
upon disclosure period with CrushFTP. The plan was to
give users plenty of time to patch before attackers were
alerted of this vulnerability. Unfortunately, other parties have circulated the
news of the vulnerability under a separate CVE without cooperating
with CrushFTP. Wow, and then that now that it's
(32:45):
been actually out there, now there's proof of concept in
that sort of stuff. So even though one team attempted to
go and do the right thing and wait the three months.
Speaker 2 (32:54):
Which I mean, CrushFTP hasn't had enough time to
get a patch yet.
Speaker 4 (32:57):
Yeah, exactly right, so yeah, And according to this, there's
about fifteen hundred vulnerable instances sitting on the Internet right now,
which seems relatively small, but.
Speaker 2 (33:07):
If you're one of them, you should shut that server down.
Speaker 1 (33:09):
Yeah.
Speaker 4 (33:10):
And the other problem is it maybe those are the
ones accessible on the Internet. Like if I breach a
network through phishing, or I breach a network through somebody
picking up a USB drive or whatever it is, and
there's a CrushFTP server there exactly, then now okay,
now it's the surface of attack that I can I
can I can attack, So just be careful here. This
is even though it oddly has two CVEs, you're gonna
(33:34):
as soon as there is a patch available, you're gonna
want to go and go patch.
Speaker 2 (33:36):
Well those cancel out, which means it's not vulnerable.
Speaker 1 (33:39):
Right right right, yeah, two wrongs making it right, I guess.
Oh my, oh my, all right, so go patch, go patch,
go patch. This one was interesting, Dwayne. I think you
posted this fast flux a national security threat and this
is from the Defense dot gov h Cybersecurity Authority. It's scary.
(34:03):
What is this?
Speaker 4 (34:05):
I usually take notice when you see, like I'm scrolling
through my LinkedIn or whatever it is and I see
the NSA post something, and then I see CISA post
the same thing, and then I see the FBI also
post the same thing, and I'm like, who that's uh so,
no good. So what this is is the NSA, the CISA,
(34:26):
so the National Security Agency, the Cybersecurity and Infrastructure Security Agency,
the Federal Bureau of Investigation, the FBI, and the Australian
Signals Defense and the Australian cyber Security Center, the Canadian
Cybersecurity Center, the New Zealand Cybersecurity Center. They've all jointly
released this.
Speaker 2 (34:45):
But again, it's popular. It's popular. Yeah, It's like this
is like channel hopping for command and control.
Speaker 4 (34:54):
Yes, yeah, and it's crazy because I think you know
the way this is a DNS. This is called rapidly
changing DNS or that's why they called it fast flux.
But DNS Domain Naming system or service gives you the
ability to take a name www dot Microsoft dot com
and map that to an IP address, which are the
(35:15):
addresses that the Internet uses to actually route traffic.
Speaker 1 (35:19):
The Internet understands numbers.
Speaker 4 (35:20):
Not names exactly right, but people don't do well with
you know, numbers. Although all of us techies seem to
remember four octets of numbers relatively easily, because I don't.
Speaker 1 (35:30):
Speak for yourself. I don't even know my zip code.
Speaker 4 (35:35):
So what's interesting about this is what the attackers are
doing is they, let's say they have one hundred different
servers out there that allow them to do command and control.
So these right or how's malicious ransomware or something.
Speaker 1 (35:47):
These guys are in control of their own DNS service
because normally you're not like normally, right, you register with
you know that one that rhymes with slow Paddy or whatever,
dot com our DN simple and they manage it. They
have the servers. You can go in there and change
the numbers. But you know, right, and that's not what
(36:09):
these guys are doing. They they own their own service.
Speaker 2 (36:11):
Yeah, they're leveraging a botnet, oh absolutely, so they're yeah,
there isn't a bot, so they're changing.
Speaker 4 (36:17):
They're saying, oh, if you want to go to www
dot hacker dot com right it Oh it goes
to one dot one dot one dot one. Oh no,
now it goes to two dot two dot two. Now
it goes to three dot three. So they're switching it
between their servers, so it makes it really hard for
forensics to go, oh, we should block one dot one. No, no,
it's not one dot one. We should block two dot two.
Oh no, now it's not two dot two we should right,
So it's now really hard for people to a track
(36:38):
where that commanding control is going b to block it.
You don't know if there's another thousand servers in that
list right right that should be blocked. And they're setting
that time to live super small so they can change
the DNS as fast as possible. Yeah, you're right, absolutely,
this is just code moving DNS names really quickly, and
(36:58):
it's making it difficult to track hackers in ransomware.
Speaker 1 (37:02):
So, so is is the answer to not allow such
low time to live values? And the time to live
value is a number of seconds usually that before.
Speaker 2 (37:14):
During which well the record has to be refetched as.
Speaker 1 (37:16):
Cache during which that time and then it has to
be refreshed, right exactly.
Speaker 2 (37:21):
Yeah, they can go to zero.
Speaker 1 (37:22):
I don't know if you can go zero with Dwayne
and I were looking at that. You can go like
thirty seconds, but.
Speaker 4 (37:27):
Yeah, we were, we were we were pondering that. Yeah,
the Internet, the Internet seems to say thirty seconds is
the lowest safe one. I don't know if that means
you can do that maybe, but.
Speaker 1 (37:37):
I know that if you're using a service, they're never
going to allow you to set it to zero. But
maybe if you own your own DNS server and you
run it yourself, maybe that is a configuration. Heck, you
could write your own DNS server. It's not a proto. Yeah,
you know.
Speaker 4 (37:52):
Nope, no, And that's so it's interesting you say that, like, Okay,
maybe we should force uh, you know, TTLs of an
hour or two hours or twenty four hours, right, But
then then you start running up against all sorts of
other issues, Like there are plenty of times I've changed uh,
you know, domain information for an email. Right, Hey, we're
(38:14):
shifting from you know, Pulsar Security dot com to Pulsar
Security Inc. Dot com or whatever it may be. But
it's the same server, or I need to change IPS
or whatever difference is.
Speaker 1 (38:23):
You're not doing it over and over and over and
over again, exactly. So, just like we have API services
that watch for those denial of service acts.
Speaker 2 (38:32):
Oh, we could get an agent, an AI agent will
do it for me.
Speaker 1 (38:38):
But no, you're right, you're absolutely right. But then again,
if I'm owning my own DNS server, who cares the rules?
Speaker 2 (38:46):
Yeah?
Speaker 4 (38:46):
Right, So this this link to the Defense dot gov
pdf for fast flux.
Speaker 1 (38:53):
This is just all of.
Speaker 4 (38:53):
Those agencies really kind of urging DNS providers public as providers, like, hey, listen,
if you have a client who's switching dns's every thirty seconds, like,
can you not allow them to do that?
Speaker 1 (39:09):
We want their address. We're gonna put them a little
visit me and a wretch, you know what I mean? Yeah,
all right, well I don't know what to do about
that except panic, right, yeah, not mine.
Speaker 2 (39:26):
I think that's the appropriate really.
Speaker 1 (39:28):
Yeah, that's it. Yeah, panic, panic is always the best thing,
all right? Cool? All right, So now this isn't really clickbait,
but this is what you've listened for. Pulsar Security, that's you, guys.
Those guys has put out a free web page which
tells you and just you know, a few lines and pictures. Yeah,
(39:48):
it's a public service announcement how to protect yourself. Patrick
Service announced how to protect yourself from identity theft and
fraud by freezing your credit report. And we talked about
this before, so.
Speaker 2 (39:59):
Let me talk about that. So you've all heard of
LifeLock and the other services, And mainly they do two things.
They do three things. Really they claim to do three.
I don't know if they really do three. One is
they provide insurance against identity theft, and that's a value.
I don't value it at thirty five dollars a month.
I don't really want to pay thirty five dollars a
month for that. The other thing they'll do is they'll
(40:19):
freeze your credit and give you a little app to
unfreeze it when you need to unfreeze it. But you
can do that for yourself, and that's the whole point
of this. And the other thing they claim to do
is monitor the dark web and watch for your that
you're going to have so many false positives. It's like
watching for leaves falling in a forest. So for my money,
(40:40):
I'd rather keep my money and go and take the
trouble of going to the three credit reporting systems, which
is Equifax, Experian and Trans... Is it TransUnion? TransUnion? You
go to those account, you go to those and you
create an account. You have to provide your social security number.
Make sure you go to the right website.
Speaker 1 (41:00):
Okay, so you.
Speaker 2 (41:01):
Go there, you create an account, give it a really
good password, put it in your password manager, and freeze
your account now. While you're doing this, they will do
everything they can. They're like demons trying to keep you
from getting to heaven. They will do everything they can
to get you to sign up for their paid protection
(41:22):
because they have competitors to LifeLock. Do not sign up,
do not pay, do not pass go. Eventually you will
find the freeze button and you can put a freeze
on your credit now. Once your credit is frozen in
all three credit bureaus, no one can take out credit
in your name. Doesn't mean your credit cards won't work,
doesn't mean your loans get canceled. It means that new credit.
(41:42):
So somebody goes to Macy's and pretends to be you. Denied.
I'm sorry, your credit's frozen. We can't take out a loan.
They go to buy a house in your name. Sorry, denied,
can't do it, buy a car, Nope, denied. Take out
a new mortgage in your house denied. Now, it doesn't
stop them from taking over existing account, but neither does LifeLock.
Neither do any of these other services. As far as
(42:03):
I know. So, I've done it a long time ago,
and we documented it.
Speaker 4 (42:07):
I followed exactly that same PSA that we have out there,
like literally for letter to letter, went and did that and.
Speaker 2 (42:14):
No, and the websites might change, but it's really just
about getting you out there, and you got to do
it for like I did it for myself. I did
it for my wife, my kids, my in laws. Almost
everybody's done it, and I was the attempted victim of
identity theft. I got a message from one of my
credit cards saying we've sent your new credit cards, and
(42:35):
I'm like, no, I don't know. You just got me
new credit cards about two months ago. I don't need
new ones. Called them up and found out that somebody
had called them and convinced them that it was me
and that I had moved to Kansas. How's Kansas and
that I had a new address, but they couldn't change
the other details like my email and my phone number. Luckily,
so I scrubbed all that changed everything, and I basically said, look,
(42:58):
I want to put more security on this account. So
now I have a voice password. Yeah, if someone calls
and pretends to me me, it doesn't matter how much
information they have, they have to have that password or
else they won't advance, they won't can't pass go.
Speaker 1 (43:12):
If they don't say fluffer nut or sandwiches. I wonder,
how'd you know? I say it? Right?
Speaker 2 (43:21):
So I gave them a password. I put that again
in my password manager, and so I have higher level security,
and of course I lock down all my things, and
I'm running my iPhone in lockdown mode. Yes, okay, so
you know I I if you come after me for
identity theft, good luck. We ain't much to get.
Speaker 1 (43:38):
That's great, that's a great challenge.
Speaker 2 (43:41):
But but I recommend this to everybody, especially in light
of that big, big attack that got so many of
the social security numbers. It's just it's probably the it's
it's advice that I would have considered extreme a few
years ago. I now consider it mainstream. Everyone should lock
their credit I agreed.
Speaker 1 (43:58):
I was up visiting my cousin last week up on
Cape Cod and I was telling her about this. You
know that you really should do that, and they didn't
even have a password manager, and I convinced them to
do that. And and the first thing we did is
I went to Have I Been Pwned, putting their email
address and all this, you know, all this stuff came up,
(44:20):
including like their AT&T account, you know, yeah,
and uh so they were convinced and then I then
I convinced them to sign up for Bitwarden and
and how to use it and how easy it is.
Speaker 2 (44:30):
And then you added a five ninety nine charge of
their credit card for every month.
Speaker 1 (44:34):
No, I'm not Wayne, Come on, I'm a Security this
week do you think I am? Yeah? So yeah, there
I'm you know, slowly beating the drum. And this isn't
just for you geeks. This is for your friends, your family,
This is for everybody. Real people need to know this stuff, right, Yeah, absolutely,
and it's up to you to educate a macadamam Yeah.
Speaker 2 (44:55):
Amen, amen.
Speaker 4 (44:58):
And if you want to stay up on some of
these things, obviously listening to the podcast, but also join
the discord server. There's a lot of really good discussions
there and answers and questions and chatter and beating up
on AIs. We actually do have now we've been talking
about this for a while. We have the lock picks.
We now have the patches that go on the case
(45:20):
that says Security this week and has this really cool
logo and that's sort of stuff. So those those will
we'll start shipping as giveaways.
Speaker 1 (45:28):
I don't know. Maybe we'll put them on a store somewhere.
So do we If you had to pick one Discord
user to single out and say this person deserves a
lock pick, do you want to give one away? Now?
Speaker 4 (45:37):
Oh, you know what, You've caught me off guard. I
don't even have a Discord on this box. But next week,
next week, we will give one away.
Speaker 1 (45:45):
Yes, all right, so next week we will do that.
And meanwhile, if you're on this and I think you
can just type into a browser discord dot securitythisweek
dot com. But don't put the HTTPS in there
because it's a DNS, a URL DNS entry.
But then go there and sign up and make some noise.
And you know, if you if you give us a
suggestion or story or or something cool or Dwayne likes
(46:08):
you a lot, we'll send you a security this week
lock pick set. All right, guys, thanks, We'll see you
next week.