August 9, 2025 • 38 mins
Federal court filing system hit in sweeping hack
Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So you know, my wife and I have a shared grocery list app. You know. Yeah, so the other day I walk into Stop & Shop and I pull up the list and I'm reading it: cream, bread, cake, meatloaf, black-eyed peas. So I do my shopping, I'm in the checkout line and I realize I'm reading my music playlist.

(00:30):
All right, well, uh, here we go. We got some stories for you, kids. The first one is from TechRadar Pro. This is just amazing to me. Wi-Fi signals could be used to uniquely identify individuals. WhoFi?

Speaker 2 (00:46):
I mean, wasn't this in Batman? It was? No, you're absolutely right, there was.

Speaker 1 (00:52):
There was no Wi-Fi with Batman.

Speaker 2 (00:54):
No, they used cell phones. Yeah, and they turned on everybody's cell phones and they were able to use it as radar, use it as a radar to detect everybody in the book.

Speaker 1 (01:02):
Okay, Batman is a movie? Are you talking about a movie? The old TV show.

Speaker 2 (01:06):
Or movie one of the movies?

Speaker 3 (01:08):
Alfred turns on the signal and they hack everybody's phones.
It was a while ago too.

Speaker 2 (01:14):
We're not talking about Adam West. This was not recently.

Speaker 1 (01:17):
So the rest of this headline is WhoFi, W-H-O-F-I, complements biometrics, prompting privacy fears.

Speaker 2 (01:26):
This is awesome.

Speaker 1 (01:26):
It's got a nice little graph here: the human, the green human, is the input signal, and then an encoder turns that into S, passes it through a signature model, and then there's this little formula here, F-norm, and.

Speaker 2 (01:43):
Then a lot more of this stuff.

Speaker 1 (01:44):
Then I don't know what S stands for. And then
the signature bbbbb.

Speaker 3 (01:48):
So this is like a side channel attack and there's
going to be a lot more of this with AI.
AI is going to figure out this stuff a lot
more often.

Speaker 1 (01:56):
Agreed, So what happened here? Just explain this to me.

Speaker 2 (02:00):
We all get bathed in radio waves all the time. Yeah, right, even like good for the skin, SCA, it's great for the complexion. So, you know, everything from, you know, Kiss 108 FM to, you know, ham radio signals to your Bluetooth mouse just broadcasting Bluetooth. So Wi-Fi

(02:21):
in a building you got 2.4 gigahertz Wi-Fi just sort of bathing everything. And when radio signals hit something, they react with it, right? So if it's a metal something, it may bounce off or it may, you know, go in a different direction or whatever. Right, so as those radio waves hit you, they refract in

(02:42):
different ways. And what they're saying here is we can watch those refractions and, to a ninety, I think they have it in here as like 95, 95.5 percent accuracy, they can have an AI predict, based on the RF, the spurious signals coming off the person, right, who that person is, which.

Speaker 3 (03:03):
It's really just radar using Wi-Fi signals or radio signals.

Speaker 2 (03:07):
Yep, you're absolutely right. Now, what I don't know, and I read through this article looking for it, and a lot of these researchers, they're like, listen. They kept saying, like, we don't use cameras. There's no cameras. It's like, okay, but did you have to put a software-defined radio with an antenna and have four hundred of them around the room to detect the person accurately? Or was it like, no, I could do it across the street? Right,

(03:30):
so I think this is controlled-environment stuff. Does Faraday make a suit?

Speaker 3 (03:40):
For those who don't know, Faraday bags block radiation, and you'd just be a black blob. You'd be Gumby cages.

Speaker 2 (03:49):
Right, you know what's interesting. So it's interesting you say that, Patrick. Okay, so does Faraday build a suit? If you built a suit, it would bounce off you, probably sharper, let's say, dressed man. But on top of that, what if you did the opposite? What if you did the opposite? What if I had a suit that broadcast out just 2.4 gigahertz signals in all random directions? I wonder if you

(04:09):
could cancel so you are invisible. You probably could.

Speaker 3 (04:12):
If you could, you probably could, could transmit back the opposite of.

Speaker 2 (04:15):
Like a cloak of invisibility for Wi-Fi. We're gonna build. We should take this offline, talk to ours.

Speaker 1 (04:20):
I still don't understand how they get your identity from your Wi-Fi signals.

Speaker 2 (04:26):
So they don't, they don't. They can accurately identify, uh, Patrick. Patrick, Duane and Carl walk into a room.

Speaker 1 (04:34):
I've heard this one.

Speaker 2 (04:36):
I've seen this one. So what they'll do is they'll, they'll have Patrick walk in, they'll gauge all the signals, they'll have me walk in, they'll gauge all the signals.

Speaker 1 (04:45):
So they have to, and they have to have a baseline reading. Okay, well that's, yep, that's kind of dumb right now.

Speaker 2 (04:53):
I mean it could be used once they have your, your personal, you know, signature thing. Yeah, exactly. Could you go into a different room? That would be a great question. Okay, now I'm walking around an airport, could you pick me up?

Speaker 3 (05:06):
So I predict it will, and I predict that eventually this will be used for surveillance and say, well, we know that this person went into this building because of this.

Speaker 1 (05:17):
Sure, but the person had to have been enrolled in
their data gathering beforehand.

Speaker 2 (05:22):
Had to have been identified somehow poor.

Speaker 1 (05:24):
Yeah, you can't just, like, hey, behind building number three, it's a Russian spy.

Speaker 3 (05:30):
Well, but if they know who they suspect is the Russians, they know everybody that works at the Russian embassy, they can catalog them discreetly and then say, sure, we know you met at the Australian embassy because we had your signature.

Speaker 1 (05:44):
We need your fingerprints.

Speaker 3 (05:46):
Actually, they're not going to tell them. They're either gonna put them in a black bag and take them to a dark site, or they're not going to tell them at all, and it's just going to be intel.

Speaker 1 (05:56):
Yeah, okay, So in other words, I'm not really buying
this as a scare kind of privacy problem.

Speaker 2 (06:02):
Okay, I don't think it is either. That's what they want you to think. I honestly don't think it is. I mean, like, the other thing is, my Wi-Fi signals in my house are directed in a different way than they might be in another building, so I don't know how accurate this would be, not in the controlled environment that they're in. I'm just gonna put that out there. All

Speaker 1 (06:21):
right, before we move on, I got to read a text, or summarize a text, that I got from my friend today: purchased an automatic sprinkler system that made me download their app from the App Store and connect to my Wi-Fi before I can even use it. And

(06:42):
it's made in China.

Speaker 2 (06:43):
That's awesome.

Speaker 1 (06:44):
Should I return it? And I told him the standard stuff, which is, okay, if you have a guest network and people who connect to that guest network.

Speaker 2 (06:53):
IoT, will it run in lockdown mode?

Speaker 1 (06:56):
People who connect to that guest network need to know that, that your IoT devices are connected to it, or you can create another. And he went through that whole thing, and he doesn't have the ability to create an IoT, wow, network, so he's sending it back. And, and just for fun, I got the website. Oh, and the company

(07:17):
is RainPoint, and, you know, they, they have all sorts of automation solutions and sprinkler systems and stuff.

Speaker 2 (07:27):
And they're cheap. Yeah, super cheap. You know what I'd love to do is I'd love to buy one of these and tear it down and actually figure out what's... We should do that.

Speaker 1 (07:35):
Oh, you totally should?

Speaker 2 (07:36):
All right, well, I mean we'll announce it here on the podcast. One hundred bucks, you know, Patrick, and Patrick'll spring for it. Yep, he's good for it.

Speaker 1 (07:43):
All right, so there you go. I would stay away from cheap Chinese stuff that requires... How does a sprinkler system require you

Speaker 2 (07:52):
You'd have to live in a cave.

Speaker 1 (07:54):
to connect it to Wi-Fi?

Speaker 3 (07:56):
Why? The problem is you'd have to live in a cave. I have a sprinkler system connected to Wi-Fi. But I try to use a system that's mostly made in the U.S. But I'm sure some of the components are made.

Speaker 2 (08:06):
I have a sprinkler system connected to a hose.

Speaker 3 (08:08):
Yeah, yeah, you still have kids at home. You can tell them to move the hose. All right. Yeah, there's only so much you can do.

Speaker 1 (08:15):
But there's only so much. Yeah, right. So let's move on to our third story here, or a second story, actually. Apple patches security flaw exploited in Chrome zero-day attacks. So Apple and Google in the same story. And that's funny. So Apple released security updates to address the high-severity vulnerability that has been exploited in zero-day attacks targeting

(08:38):
Google Chrome users. Duane, you want to tell me what happened here? Or either of you guys?

Speaker 3 (08:44):
Is this, is this on iOS devices or on MacBooks only?

Speaker 2 (08:48):
Now this is on iOS too. I can't confirm or
deny what we're doing on Oh no, I'm only.

Speaker 1 (08:52):
Getting Yeah, it's iOS.

Speaker 2 (08:55):
So yeah, yeah. And so it does say if you're using, if you're using Google Chrome, right? So if you have an iOS device, they have the Safari browser, right, but you can download other browsers. I have Chrome on my iPhone. So if you're using Google Chrome on an Apple product, and that's iOS, iPadOS, tvOS 18.6,

(09:17):
macOS Sequoia 15.6, iPadOS 17.7.9, visionOS, which I'd assume is their eyeglass.

Speaker 1 (09:29):
So yeah, Apple Vision Pro.

Speaker 2 (09:30):
Yeah, I don't know, it's too expensive for me to own, but yeah, visionOS 2.6 or watchOS 11.6, then you could be affected. You need to go update. So according to this, incorrect validation of untrusted input from ANGLE, which is the Almost Native Graphics Layer Engine, can lead to injection of commands being

(09:54):
executed on the GPU, potentially allowing them to escape the
browser sandbox.

Speaker 1 (10:00):
Wow.

Speaker 2 (10:01):
So yeah, it's, uh, I think this is super niche. I don't know that you're going to see this widely exploited. I don't think we've seen this in the wild yet. Yeah. And it's patched, right? Yeah, it's patched. And Apple's really good because they control most of the landscape on pushing a lot of those patches down.

Speaker 3 (10:23):
So, oh no, it says it is, it, they tagged it as actively exploited in attacks? Right, okay, right, I stand corrected.

Speaker 1 (10:29):
Well, the Chrome team patched it on July 15th. Oh no, I'm sorry, Apple.

Speaker 2 (10:36):
Who patched it?

Speaker 1 (10:37):
Yeah, patched it on July 15th and tagged it as actively exploited in attacks.

Speaker 2 (10:41):
Yeah. Moral of that story: if you have an Apple device, like we've said a bajillion times, A, go patch; B, always make sure you have updates; C, you should go to the App Store, and I don't know how many people do this, but you should go to the App Store and go to the little Apps tab and make sure all of your apps are updated, right? And then on top of that, once a week, what should we do?

(11:02):
Restart the phone, reboot that device. Yep, yeah. Replace down? No, no, no, reboot the phone. Make sure that there's nothing sitting resident in memory.

Speaker 1 (11:14):
Well, I read something recently, and I can't remember if we shared it on the show, but that Android is actually getting a little more savvy to patches and security than previously reported by us. Anyway, but still, there's no, there's nothing better than a single company, you know, manning

(11:37):
the gates. So that's why we all use iPhones. Yeah, all right. So next story. Next story: Illumina Incorporated to pay $9.8 million to resolve False Claims Act allegations arising from cybersecurity vulnerabilities in genomic sequencing systems.

Speaker 3 (12:01):
So this is a company that is, crazy, basically lied about their, their, paying lip service to security and cybersecurity, and been proven to be lying through a whistleblower. I'm hoping that this becomes a trend because we need this to be punished. We need this to be... but it was, even at $9.8 million, it's a bit

(12:22):
of a token punishment.

Speaker 2 (12:24):
Yeah, that's that's almost nothing.

Speaker 3 (12:25):
Well, because, because of how much they're making, it's, it's a, it is a fraction of what they're making from the government, let alone overall.

Speaker 2 (12:33):
I mean, if they were ransomwared, they'd have to pay more than that. So let

Speaker 1 (12:36):
me get this straight. Let me see if I understand here. And I didn't read the article, so you'll have to fill me

Speaker 2 (12:40):
in. In solidarity, I didn't read it either.

Speaker 3 (12:42):
Not just kidding.

Speaker 2 (12:43):
We're with you, buddy, We got you, all right.

Speaker 1 (12:45):
Cool. So what I gather from this is that there's this genomic sequencing system that crunches the numbers to find a genome of a, of a person's DNA or whatever, right? And then it had some cyber vulnerabilities, whatever they are, in it, and that was hidden or lied about.

Speaker 3 (13:08):
So they didn't have, they didn't do any of the checks they claimed they did. They didn't do. It wasn't that there was a vulnerability they missed. They didn't look, right? They were like, oh, yeah, we definitely are, we're doing, we're doing all the right things.

Speaker 2 (13:23):
Right, ISO 27001, and we followed the CSF framework, and, you know, there's no bugs in that cereal, right, right.

Speaker 1 (13:30):
It's like when the mother asks the teenage boy if he's cleaned his room, he says yeah, and he's just shoved everything under the bed.

Speaker 2 (13:37):
Our water has no lead.

Speaker 3 (13:38):
Yeah. And so it was such a, you know, it's such an egregious, and they had a whistleblower who was in a position to prove that they were. It was a bald-faced lie, and so they had to slap them on the wrist. The problem is they kept them as a vendor. Sure, they're still making it. They probably made more money the next week than that fine. Yep.

(13:59):
But we're hoping that this becomes a normal part of operations, that if you don't take this seriously, it's kind of a... I was hoping when I read it that it would be like, yeah, they, you know, they only made three million dollars on the thing, but they got fined 9.8. That would probably break up the world.

Speaker 2 (14:16):
But it wasn't the case.

Speaker 1 (14:18):
All right, one more, then we'll take a break. Huntress Threat Advisory:

Speaker 2 (14:23):
This one's big. Active

Speaker 1 (14:24):
exploitation of SonicWall VPNs. So this one, Huntress.

Speaker 2 (14:29):
Yeah, let me, let me take this one. Actually, we just went up against Huntress anyways. Huntress is a security researcher slash... they run a SOC. They do all sorts of stuff. A SOC, a SOC, security operations center. They'll monitor your network and make sure nobody's doing bad things. So, yeah,

(14:50):
we're constantly tiptoeing around Huntress when we're breaching networks. But that, that aside, a lot of small to medium business customers are using SonicWall. SonicWall's a great little SOHO firewall, right, small office, home office.

Speaker 1 (15:06):
Thank you Patrick.

Speaker 2 (15:07):
Yeah, so, but it gives you, yeah, not, not Lower Manhattan. I'm going to throw a lot of the TLAs, okay? I don't know, you could use it in Lower Manhattan.

Speaker 1 (15:14):
It's fine, we'll be the TLA police. It's three-letter acronym law.

Speaker 2 (15:20):
So that being said, it's a great little device. You, you know, put it in. It does, it does your firewall, and it allows you to have access to the Internet. It also allows you VPN access back to your office. That's first stuff. So the SonicWall is actually pretty ubiquitous and it lets people in off the Internet. That's great, and it lets randos in off the Internet, so it's interesting.

Speaker 1 (15:40):
And it also makes Moco local, right, which is a nice beef dish, local.

Speaker 2 (15:48):
Mocho when the mutton is nice and lean nice and sorry.

Speaker 1 (15:53):
I was just trying to trip you up with some false acronyms there.

Speaker 2 (15:55):
Oh, thanks for that. So this week I hadn't actually heard of this story, and I was at martial arts, and one of the guys at martial arts, he's an MSP, managed service provider, and he came out and he's like, ooh, SonicWall thing, right? And I was like, what? And he's like, we've been advised to, like, shut up, shut down the VPN on all of our customers' firewalls because of a zero-day that just came

(16:19):
out that even SonicWall can't figure out what's going on. Yeah, right. And Huntress was like, we have no idea, everybody should just shut this off. Come to find out, a little bit more detail has come out today.

Speaker 1 (16:31):
Today's the seventh, we're recording on the seventh. This story came out yesterday, yeah.

Speaker 2 (16:36):
The sixth, so we have the story from the sixth. They also put a story in here from the seventh, which is, it appears that what happened is actually customers didn't follow the advice of SonicWall. Do you remember last year, 2024, we mentioned SonicWall and there was some sort of big exploit with SonicWall

(16:57):
where just randos on the Internet could attack and pull information off your SonicWall. Well, when you were doing the migration to the new operating system, SonicWall said, hey, you should change all those default passwords, like you should get rid of them, and people said no and just upgraded to the latest version. And then of course attackers already now have the usernames and passwords that they need.

(17:19):
So this is really, you know, I'm going to keep following this story. This is a long time in the making. Yeah. It's either SonicWall's right and they're like, listen, our users are users and users didn't follow the right procedure to upgrade, or SonicWall's kind of pushing this under the rug and they're like, nah, it's on you, man, it's your bad configuration. I'm not really sure yet, but

(17:39):
my guess would be, yeah, it was all the old accounts were already compromised, and when you upgraded because of last year's 2024, forty-seven sixty-six CVE, you then came back with, you know, you had the same stuff in there.

Speaker 1 (17:53):
So we'll post a link to the updated story that you were talking about, and it's from BleepingComputer: SonicWall finds no SSL VPN zero-day, links ransomware attacks to 2024 flaw. All right, so there you go. We'll put that story up there if you want to

(18:14):
follow it. And I guess it's time to take a break, so we'll be right back after these very important messages. Don't go away. And we're back. You're watching and listening to Security This Week. I'm Carl Franklin, it's Duane Laflotte and Patrick Hynds, and we're here unraveling the most important stories in security, hacking, vulnerabilities and all that

(18:38):
stuff and how it affects you in your life. Where doesn't you could not? All right, who wants this next story? Google? Go ahead,

Speaker 3 (18:48):
Patrick. So I posted this one because they buried the lede. So Google says its AI-based bug hunter found twenty security vulnerabilities, and that's on TechCrunch. Yeah, and when you read the article, it's, it, you know, that's very interesting, and they're trying to, like, see how they can use AI, LLM-based vulnerability research, or Big Sleep, found

(19:10):
and reported twenty flaws. But as they go down the article, they talk about the fact that there's a lot of slop, which is like things that really aren't reportable, aren't really to that level. And the concern is that they're going to find a lot of that, low-validity vulnerabilities, like saying that, you know, hey, your house is vulnerable

(19:34):
because there's a door, yeah, okay, or your house is
vulnerable because somebody could pick the lock.

Speaker 1 (19:38):
Yeah.

Speaker 3 (19:39):
There's a concern that they're going to fill up open source and other things with requests to fix bugs that aren't really bugs.

Speaker 1 (19:46):
How about this one: you should never take vacation photos and post that you're on vacation, because then people will know that you're not home and they'll come and rob you.

Speaker 3 (19:55):
M, yeah, yeah, but I always keep that shotgun that's triggered by the door opening loaded, so it's not a problem exactly. Just in case you have a security system, you know, right, right. No, I know, cameras, dogs, killer bees, yeah, or, or a good recording of a dog on loop, sharks.

Speaker 4 (20:12):
With laser beams, killer bees, a recording of killer bees, dogs,
machine guns, chains, all of that stuff just on a loop.

Speaker 2 (20:22):
You know how horrifying that would be if you broke into Patrick's house and you just hear, like, bees. Like, you know what, I'm out.

Speaker 3 (20:27):
Subwall First, we know someone who has a lot of snakes.

Speaker 2 (20:35):
Oh my god, to borrow a couple of chest full.

Speaker 3 (20:40):
Anyway, so it's like there's a lot of hype around AI, and AI is gonna be transformational, but you have to understand that there's problems and we need to understand it's not a panacea now.

Speaker 2 (20:51):
I mean, you look at the, you look at the title of this article, and like when I was looking at it, I was even telling Carl before this, I was like, you know, we're gonna pack up shop, peace out. If, you know, AI is just going to find all the security flaws, that's awesome. We'll go find something else to do, you bet.

Speaker 3 (21:06):
So we had this discussion today where there are people who are really getting into this AI and using it a lot, and what they're coming to the conclusion of is, if you have three people doing a job, you might be able to get rid of two of them. But you can't not have someone and have AI do a job. Right, we're not there yet. I don't know that we're going

Speaker 2 (21:26):
To be there.

Speaker 1 (21:27):
I wouldn't want to be there.

Speaker 2 (21:29):
People are hyping it, but I don't think we're going to get there anytime soon.

Speaker 1 (21:32):
So I wouldn't want to be there. I mean, I
wouldn't want anybody to be completely relying on AI.

Speaker 3 (21:36):
No, but that's the way a lot of the, remember, a lot of these companies. There's a phenomenon right now where a lot of these companies have bet the farm. They need AGI, you know, artificial general intelligence, to emerge in the next four years, or they've missed the bet.

Speaker 1 (21:54):
Yeah.

Speaker 3 (21:54):
Sure, it's literally AGI or bust. And there's a lot of indicators that they're not going to make it. But it's up to them to keep the hype going. We're talking about one hundred billion, four hundred billion dollar valuations that are just insane, and government contracts in the ten billion dollar range. Cats and dogs living together.

Speaker 2 (22:15):
I thank you. I thought you'd like that.

Speaker 3 (22:18):
But it's in their general interest to play it up and to say what it could be. Sure. What they don't say is that it requires, like, some real big breakthroughs and some big changes and some things that just aren't in evidence. So I think it'll be transformative. I think it'll be as big as the Internet, as big

(22:38):
as the, as the personal computer. But it's not going to, I don't think it's going to be like little consciousnesses running around in three years, as many of them are claiming.

Speaker 1 (22:48):
Well, they might be six-year-old consciousnesses with dreams and hallucinations, you know.

Speaker 3 (22:54):
No. I, I constantly have to explain to people that an LLM not only doesn't understand the answer it's providing, it doesn't understand the question you asked.

Speaker 2 (23:03):
It's just really good. It's like there was a, what does it matter? It does, like, if it can solve logic problems like code, and it can code okay, but it doesn't understand the code. What is it?

Speaker 1 (23:16):
All right? We've had this conversation till we're blue in the face. I just want, let's, let's read what Vlad Ionescu said. He's

Speaker 2 (23:23):
Oh, you listen to Vlad but not me. I see how it is.
see how it is.

Speaker 1 (23:26):
a co-founder and chief technology officer at RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch that Big Sleep is a legit project given that it has, quote, good design, people behind it know what they're doing, Project Zero has the bug-finding experience, and DeepMind has the firepower and tokens to throw at it.

(23:47):
And then it says there's obviously a lot of promise with these tools, but also significant downside. Several people who maintain different software projects have complained of bug reports that are actually hallucinations. And then the guy, Ionescu, said, that's the problem people are running into, is we're getting a lot of stuff that looks like gold, but it's actually just crap.

Speaker 3 (24:06):
Yep, I should, I should buy Vlad a drink. I agree, you should.

Speaker 2 (24:11):
But that guy owns a company that is a startup that develops AI-powered bug hunting.

Speaker 1 (24:17):
That's right.

Speaker 2 (24:18):
Yeah, and even he's, but yet at least he's honest about the fact that there's

Speaker 1 (24:21):
a downside. He's saying that. Yeah. Crap, crap, says Vlad.

Speaker 2 (24:26):
Thanks for, thanks, thanks, Vlad, thanks.

Speaker 1 (24:28):
Okay, The Hacker News says researchers uncover ECScape flaw, ECScape, I don't know how to say that, in Amazon ECS enabling cross-task credential theft. No, I don't like the sound of that. No, I do not, one bit. I do not like that at all.

Speaker 2 (24:49):
You'll, it's, once you explain it. Explain it. From ECScape flaw, it would be excellent. Listen, it's okay. It's, cybersecurity researchers have demonstrated an end-to-end privilege escalation chain. Okay, so let's sort of store that away. We have a

(25:10):
low-priv account, so we had to get a low-priv account of some sort, and we do have the ability to then escalate that account. Okay, escalate, what are we escalating that account on? Well, we're escalating it on an elastic container in AWS. So if I'm running a workload in Amazon Web Services and I have a high

(25:31):
privilege workload running in the same container that I have a low-privilege workload running, and the attacker takes over the low-privilege workload, they then can take over the high-privileged workload. So is it important? Yes. But it's

(25:52):
not like saying, oh my god, I was able to spin up my own ECS instance and then take over Microsoft's instance running whatever, right? It's because it's not running on the same container. It's not part of the same elastic, you know, service.

Speaker 3 (26:05):
Privilege escalation is, I have a water leak. It's how big the water leak is. You need that initial entry, so it's, it's bad news if they're already in the wire. It's not bad news if they're not.

Speaker 1 (26:18):
And what direction is the leak going in? That's cute, that's.

Speaker 2 (26:22):
That's always important. Into your electrical system.

Speaker 1 (26:26):
Well, yeah, is it going out or coming in?

Speaker 2 (26:28):
That's right. So this one's, I don't know what they scored it, but I would just say the only advice they say is, okay, well then don't do that. Don't, don't, don't run... here's when I do this, don't do that. It's the classic advice. They're like, listen, don't run low-privileged tasks on the same container that has

(26:51):
higher-privileged tasks. Don't do it. The only... tasks with tasks. I mean you could, you could isolate it so that each task runs on its own instance of ECS. Then that's fine too.

Speaker 1 (27:02):
So I did a, I looked up the score, and the only one I found was on fifteen sixty-eight, which is a score of 8.8.

Speaker 2 (27:11):
What is that on? That's, it's enabling unauthorized code, so Chromium, ChromiumOS, Chromium, Dart and Bazel.

Speaker 1 (27:22):
Well, anyway, so we don't think this is as big a deal for the general public to panic on, but it's still bad. And if you are in that situation on Amazon AWS with a container in ECS, check your TLAs.

Speaker 2 (27:41):
Yeah, then make sure you've isolated, you've isolated your tasks. If you have a high-privileged task isolated on its own ECS, that's all right.

Speaker 1 (27:50):
Right, Microsoft Exchange, remember that?

Speaker 2 (27:53):
Oh, this one's big.

Speaker 1 (27:54):
Yeah, high-severity flaw in hybrid Exchange deployments.

Speaker 2 (27:59):
We gave up hybrid a long time ago.

Speaker 1 (28:01):
So a hybrid Exchange deployment is what, some on-prem and some in the cloud?

Speaker 2 (28:06):
Yeah, yeah, yeah, So.

Speaker 1 (28:07):
Microsoft warns of a high-severity flaw in this kind of setup. So what happened?

Speaker 3 (28:13):
So when we were hosting Exchange on-prem, it just became impossible to keep it secure. So we went fully hosted. But you could, like, have part of the solution on, on-prem, like for better performance and caching and things like

Speaker 1 (28:28):
that, file systems or something, or yeah.

Speaker 2 (28:31):
Just different roles for the server.

Speaker 3 (28:33):
I don't know if this is a bellwether for what's to come, but it's difficult to see this not happening more and more often. And so, you know, the lesson is, if you're going to, you're in for a penny, in for a pound with the cloud. You're either hosting it there or you're not. I don't know of really good reasons why you wouldn't go fully hosted,

(28:55):
but this is a good reason too.

Speaker 1 (28:57):
Well, let's say you are in a hybrid situation. So this, this is a vulnerability that can allow attackers to escalate privileges, privesc, in Exchange Online cloud environments undetected.

Speaker 2 (29:09):
Yeah.

Speaker 3 (29:09):
Yeah, they're getting in on the on-prem component and then they're using that admin access everywhere.

Speaker 2 (29:16):
Okay, right, but according to this, if I've read this correctly, an attacker first has to compromise the on-prem Exchange server and have administrative rights. Yeah, so there has to be a way that a user, some attacker, is going to compromise an Exchange server on-prem, right? Right, so therein lies the, you know, any complexity still has to happen.

(29:39):
It's not like, okay, so it's kind of like the privilege esc.

Speaker 1 (29:42):
Right, it's a secondary attack. So the first attack is to your local deployment. They have to get in there, and once they're in there, they can get in.

Speaker 2 (29:50):
Once they're in there, they can forge a token that allows them to move into the cloud in a stealthy way. If, if you want to make a small fortune, start with a large fortune. So needless to say, this is, but this is a, this is an important thing, and, uh, there was just an issued order. CISA has issued an

(30:14):
emergency directive order to all Federal Civilian Executive Branch, easy for me to say that, agencies to mitigate the critical Exchange hybrid vulnerability tracked as CVE-2025-53786 by Monday morning at 9 a.m. So a lot of Federal Civilian Executive Branch agencies are going

(30:38):
to be very busy this weekend making sure that they
patch and have the hotfixes for their on-prem
Exchange servers. So I don't know if that means they've
seen this actively in the wild or they've seen this
targeting federal agencies. But CISA has never taken this strong
of an approach where they're like, hey, you guys specifically
need to go patch right now, and by Monday.

Speaker 3 (31:00):
Well there's this, there was something in here about. Yeah,
there's something in here about, for instance, at least ten
hacking groups exploited ProxyLogon in March 2021,
including Chinese threat actors tracked as Hafnium and
Silk Typhoon. And so I think we're getting,
the government's getting basically owned by this whole hybrid thing,

(31:20):
the SharePoint thing that happened a week ago,
two weeks ago. Yeah, so I think we might see
less of that.

Speaker 1 (31:28):
So there's a, do you see on the article where
it says total domain compromise? Yeah, so it says CISA
issued a separate advisory addressing the issue and advised network
defenders who want to secure their Exchange hybrid deployments against
potential attacks to install, and I thought this was interesting,
install Microsoft's April 2025 Exchange Server hotfix

(31:49):
updates. April, it's August. Yeah. So does that
mean that's how long the vulnerability has been out there,
since April?

Speaker 2 (31:58):
I would assume so. I haven't seen
the details on the... Interesting. Yeah, April 2025
hotfix. I mean that might just be a, like,
make sure you've run this. Yeah, not, you're safe if
you've run

Speaker 1 (32:10):
this. Okay, yeah yeah, and if all else fails, get
rid of Exchange.

Speaker 2 (32:16):
Yeah. According to the article I was reading, it says
apply the hotfix: install April 2025 Exchange
hotfix. Deploy dedicated hybrid app: switch from a shared
service principal to a dedicated Exchange hybrid application. Reset any
of your shared credentials, so if you have OAuth
or hybrid shared credentials, reset, so on and
so forth. So you know, if you're compromised, we always

(32:38):
say the same thing. Lots of people ask us like,
oh, I was compromised, I patched it, now am I good?
It's like, well, the attackers could have taken anything, added
user accounts, there's all sorts of stuff that can happen.

Speaker 3 (32:47):
Deploy dedicated Exchange hybrid app seems like an extra step
that you might not get in normal patching. Yes, yeah, exactly.
And so maybe that's this hidden sauce.

Speaker 1 (32:58):
And you know, I said don't use Exchange. That's just
a joke, folks. I know that. What are you going
to do? You're going to replace it with something else
that you know nothing about, that may have a whole
new host of problems. So it's really about the architecture,
isn't it? And if you're going to do this kind
of hybrid on-prem cloud architecture thing, I would want

(33:19):
to use Microsoft stuff because at least they're on top
of it.

Speaker 3 (33:22):
I'm a pretty big fan of Microsoft. But it sure felt
like they were retreating from you just having an
on-prem Exchange server and making it so that it
was impossible to have an on-prem Exchange server, not

Speaker 2 (33:35):
just an on-prem Exchange server, like on-prem anything,
Microsoft Office.

Speaker 3 (33:40):
Yeah, and they had a motivation to allow that to
happen or to make that happen. And so maybe
the same thing is going on here. I mean Microsoft's, again,
great products. I love the company. I have a lot
of friends with them.

Speaker 1 (34:00):
My friends friends or Microsoft's people say, again, some of
my best friends are Microsoft.

Speaker 2 (34:07):
Microsoft.

Speaker 1 (34:08):
Yeah, it's true, that's true, actually true.

Speaker 2 (34:11):
We love you Microsoft down well.

Speaker 3 (34:13):
And I was really pissed about that that article the
other day where they were letting, you know, foreign actors
access sensitive networks.

Speaker 2 (34:21):
I haven't forgiven them for that yet. So well, you
better before we go to that conference when we do
that thing.

Speaker 1 (34:27):
Yeah, Oh, that conference.

Speaker 2 (34:29):
Is going to be a lot of Microsoft people there.
I can take them.

Speaker 1 (34:32):
We're doing Security This Week live at, what
is it, Cyber Intersection.

Speaker 2 (34:38):
I didn't want to break the news, but you're right.
The Dev Intersection conference is Cyber Intersection, Intersection Cyber.

Speaker 1 (34:43):
Yeah, the Cyber Dev Intersection Conference, and I think
down in Orlando. Michelle's going to join us on stage.
It's going to be just like this but live.

Speaker 2 (34:55):
So if you're at the Dev Intersections cyber Section prints,
join us. Okay, yeah, that'd be awesome. Come over and
watch the live taping of this very show.

Speaker 1 (35:07):
Okay, before we get to the clickbait Twain, anything you
want to say about our Discord

Speaker 2 (35:13):
server? Discord's been awesome. Actually, there are still a lot
of really great conversations, a lot of really good articles
coming in from people. I really appreciate that. That helps
out a ton when we're looking. I mean, listen, cybersecurity
news is fast. We're seeing at least thirty or forty
articles a day, and we're trying to pick the top one.

(35:36):
So it's really good for you guys to throw them
in there and let us know what's super important to you.
So by all means like jump in the discord, say hi,
and we'll be there.

Speaker 3 (35:46):
Yeah, we're like gallant getting We're grabbing a five gallon
bucket once a week from a river, and so we
try to pick ones that we can talk about, bring
up things and reinforce stuff.

Speaker 1 (35:57):
Yeah, all right, here we go, folks. Story from Politico:
Federal court filing system hit in sweeping hack. Now that
might just sound like something you can ignore, but check
this out. The identities of confidential court informants are feared
compromised in a series of breaches across multiple US states.

(36:20):
The Administrative Office of the US Courts, which manages the
federal court filing system, along with the Justice Department and individual
district courts around the country, they're still trying to determine
the full extent of this incident. Oh my god.

Speaker 3 (36:34):
So in the past, there have been hacks that never showed
up on the dark web. So, for example, the most
famous one I can think of is the Marriott hack
of years ago, which was then suspected, and still suspected,
I believe, to have been Chinese government actors because they
wanted the data for their own purposes. I wonder if
this will end up the same way where somebody did

(36:56):
this for their own purposes, and you know they're trying
to get Jackie Two Coats or whoever, the, you know,
whoever they're trying to get. That's a nickname we gave
my brother at one point. He wore two coats in
a winter to some event and we said, oh, Jackie
Two Coats.

Speaker 1 (37:12):
But hey, my drummer's name is Tommy Five Times.

Speaker 3 (37:18):
So it could be that we never know who did this,
or, you know, who did it is not confirmed,
or this information could end up on the dark web, in
which case it's just some schmuck who decided that they
wanted to do something because they could.

Speaker 1 (37:33):
You know, you think that the government would be able
to protect your identity? Would you? Would you think that?
I don't know, would you really?

Speaker 2 (37:41):
Says, says, wait, you didn't, I don't know. Did you
see the hack of the OPM where everyone applying
for secret clearance was released?

Speaker 3 (37:50):
I believe we could predict protects, but I don't think
the government can protect.

Speaker 2 (37:56):
No offense to the government. We have a lot of
government friends. We really right, Yeah, yeah, we love you.

Speaker 1 (38:00):
Don't deport us. Some of my best friends.

Speaker 2 (38:03):
Your government.

Speaker 1 (38:06):
And they weren't for Microsoft.

Speaker 2 (38:09):
Yeah, Microsoft Government best friends.

Speaker 3 (38:11):
I could talk some real trash in a few months
when everybody's retired, though.

Speaker 2 (38:16):
Give it, give it a couple of months.

Speaker 1 (38:17):
All right. Well, I guess that's it for this week.
We will see you next week on Security This Week.
Goodbye, bye, my guys.