Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So, guys, I don't know if I told you this,
but before Pope Francis died, I actually met him.
Speaker 2 (00:05):
Well that's cool, Yeah, that's neat.
Speaker 1 (00:06):
It's very cool. Yeah, it was a great, great little interaction.
He gave me a lot of advice. But he said, Carl,
if you only remember one thing, remember this, never name drop. Okay,
(00:32):
let us start with something that's been in the news,
not just the security news, but this whole thing about
Jeff Ulbrich.
Speaker 3 (00:44):
Yes, this is the Deion Sanders' son getting a prank
call during the during the draft, the NFL draft. So
this is the reason we're talking about. This isn't because
we've changed our venue to our genre to a sports show,
because that would be a disaster. A Quidditch is not
a sport.
Speaker 1 (01:03):
This is actually a security story.
Speaker 3 (01:05):
It is it is, and the reason it is is
because the defensive coordinator for the Atlanta Falcons, Jeff Ulbrich's son,
called Shedeur Sanders I don't know if I'm saying that
right on his private phone number and pranked him to
make him think he was being drafted earlier than he was. Right,
And that's a big problem. Not because it's not it's
(01:28):
just a horrendous thing to do. But also because he
got the data from his father's access to it not
off the internet. Now if no matter whose kid did it,
if it's just somebody's random kid did it and they
found it on the dark web, but they found it
on the Internet, or they found it on X or
someplace like that, then yeah, there's still there's still some
(01:49):
stuff there. But because it was technically a breach of
security that the defensive coordinator allowed his son access to
his systems. So a lot of people don't think about this,
but your family's and the data that you share with
them or allow them to get access to, even if
you don't overtly share it to them, is a breach.
And so the Falcons and this defensive coordinator were fined
(02:12):
not an insignificant amount, quarter of a million dollars and
one hundred thousand for Ulbrich himself. I think that
kid's grounded for.
Speaker 2 (02:19):
A long time.
Speaker 1 (02:20):
Yeah. Well, I think family members in general, when you
restrict access for them to your data or whatever, they
might get insulted, you know, like, what, you don't trust me,
But that's not it. It's actually for their benefit that they
don't have access. And what I mean by that is,
if let's say I'm a company that has a website
(02:42):
and I'm storing passwords in a database, I have access
to those passwords, and if there's a breach, they're going
to come to me and say, hey, you are a
suspect in this crime because you have ownership of that data.
It's the same way with your kids. Like if I
gave my kids access to all my data and then
(03:04):
somebody breached it and you know, did something with it,
my kids would be suspect. Oh yeah, if they did
not have access to it. All they have to do
is prove that they don't have access and that's it.
So not having access is actually what you want to protective. Yeah,
it protects you. It's for your benefit, right.
Speaker 2 (03:27):
Yeah. It's funny because we use signal, which will actually
foreshadowing or to another signal story. But we use signal
because it's secure and you know, sure enough, you do
get the hairy eyeball from people in the family, like
or are you using a fully encrypted Well I don't
they know what I do, but you know, but I
(03:49):
could see like a normal human getting though, why are
you using a fully encrypted burner? Messaging service, and it's like, well,
you know, for your protection, I can't have anything on
my phone that might be sensitive that you know, leave
your phone out on you know, the counter, and it
something pops up.
Speaker 1 (04:06):
Right.
Speaker 3 (04:06):
The way this kid got the number is his father's
unlocked iPad had the number on it, and he wrote
it down, right, He wrote down the number from his
father's open iPad while visiting his parents home. The kid's
twenty one.
Speaker 2 (04:19):
Oh oh, he's not even a.
Speaker 3 (04:20):
Kid, so he wasn't really a kid.
Speaker 2 (04:22):
I thought he was like a seven year old. And
I'm like, all right, you know what pranks?
Speaker 3 (04:26):
No?
Speaker 1 (04:26):
No, no, So it makes it tricky and maybe it's
good for Apple though some more iPads. But you know,
your dad, can I use your iPad to watch Netflix?
The answer should be no, right, no, right, no, you know.
Speaker 3 (04:37):
I mean, if you're in if you're in an industry
where you have access to this data, you can afford
another device.
Speaker 1 (04:42):
Yeah, or you just don't put it on your freaking iPad,
you know, like.
Speaker 3 (04:47):
Right now, convenience is the enemy of security, that's right.
I haven't said that in five minutes, all right.
Speaker 1 (04:52):
So let's move on. This is from Bleeping Computer: CISA
tags Broadcom Fabric OS, Commvault flaws as exploited
in attacks. So it's not really a story that there's
an exploit, but it's that CISA knows it's out there.
Speaker 3 (05:07):
Well, we're seeing more and more often. Is that we
used to hear, Oh there's a potential vulnerability. You need
to deal with this, and someday it'll be exploited. The
exploitations coming much faster, right, So you know Broadcom has
this problem, but you know we're hearing about it. And oh,
(05:28):
by the way, it's already being exploited. So the time
that you get to patch is getting smaller and smaller
and smaller. We may get to the point where you
have to patch daily in order to keep up with things.
Speaker 2 (05:40):
Honestly, I don't see why you wouldn't patch daily. I mean,
I have all of my devices center now.
Speaker 3 (05:45):
CrowdStrike, well.
Speaker 2 (05:50):
That's it called that.
Speaker 1 (05:52):
Yeah, yeah, but it's a good one.
Speaker 2 (05:54):
I mean, hey, how secure were those servers? Nobody can
access someone?
Speaker 3 (05:57):
I know, I know they're like the servers we keep
on the moon.
Speaker 2 (06:00):
You can get to them.
Speaker 1 (06:00):
You should always patch, even though there may be a
risk of another CrowdStrike, because there will be another
patch coming right after it.
Speaker 3 (06:07):
You know, we agree, but there will be resistance, and
I think we're gonna I think we're probably gonna come
up to I'm not going to make a prediction like
the great Carnac from Johnny Carson.
Speaker 2 (06:17):
Oh my god, Carnac. How old are you?
Speaker 3 (06:20):
I'm very old. I'm very old.
Speaker 1 (06:24):
Wait a minute, here's here's when he holds an envelope
to his head, dippity do and he opens the envelope.
What forms on your dippity overnight?
Speaker 3 (06:37):
So I think we're going to get ai AI control.
Patch management is probably something that's going to have to happen,
because it'll be about a risk assessment of like checking
feeds to see what the likelihood is, what the risk
score is, what, and and then it'll have to do
it based on those risk scores. Because right now it's like
(06:58):
it's Tuesday, let's patch.
Speaker 1 (07:00):
I know there used to be that you could just
listen to security this week and say, ah, that's I
have that. I'll go patch that. But what I really
want is some sort of feed or notification, text notification. Basically,
I want a service where I can put in all
of the things that I use and the versions of them,
and then this thing will come back and say there's
(07:21):
a vulnerability in this, go patch now.
Speaker 3 (07:23):
For you, And that's the SBOM. We need the
SBOM because the problem is if it's Log4j
or Struts or some other library, you don't know
unless you know the contents of the thing.
Speaker 1 (07:34):
Now here's another question. If I can just put my
device models and serial numbers in.
Speaker 3 (07:40):
Or whatever, eventually there'll be a service.
Speaker 1 (07:42):
Is there. Maybe this is where the AI comes in.
But is there something that can then look at all
of the things.
Speaker 3 (07:48):
My Fitness Pal for your devices?
Speaker 1 (07:51):
Yeah, exactly, can it go find out? Can it generate
the SBOM from a list of devices eventually?
Speaker 3 (07:57):
But we're still struggling with workable SBOM solutions
right now. Yeah, we're gonna get there. I'll give you
I'll give everybody some food for thought. If suddenly you
found out that ninety percent of the soy lecithin
that was produced last week is poison, it'll kill you instantly.
Soy lecithin, it's a it's an ingredient that's in
(08:18):
like a whole bunch of foods.
Speaker 1 (08:20):
Yeah I know, yeah, yeah, you just didn't say it, right.
Speaker 3 (08:22):
If you found out that was poisonous, you would have
to go read every label, right, whereas if you had
the SBOM, it would it would say, oh, it's here,
it's over here, it's over here, and you can fix
it that we need to get there. We've been talking
about this for a while. This is another reason that's
going to drive that. So I think I think that's
good news eventually, but there's going to be pain in
the process.
Speaker 1 (08:43):
You know. I've been having this argument with Richard Campbell
for years. He's he's enamored of the idea of the
smart fridge that knows when you should order milk and stuff.
And I've been like, like, dumb fridges, Yeah, like you Patrick
shaking your head, like come on, are you serious? Are
you that lazy? But but and it's just occurs to
me if when I scan you know, my uh, the
(09:04):
products and at the grocery, if I had a list
of those, and then my refrigerator knew what was in
it from that, and then there was a recall on
you know, Boar's Head turkey.
Speaker 2 (09:18):
Like E. coli or yeah, right.
Speaker 3 (09:20):
And then a red light could be shown in the
refrigerator on that product.
Speaker 1 (09:25):
And it connects me and say, hey, the Boar's Head
turkey that's in your meat drawer is contaminated with.
Speaker 3 (09:32):
Your mother in law, don't eat it yourself.
Speaker 1 (09:34):
So that there's a good application of what we're talking
about here, which is, you know, for developers NuGet right, right,
it's the same idea you want to feed that gives
you the latest versions of things and tells you about them.
That's right. Yeah, we'll get there, we'll get there.
Speaker 2 (09:52):
Well, yeah, and I think there are some companies already
starting to try and get there. Not that we're supported
by them or anything like that, but they there's a
company I hear about, NinjaOne, I know, so
like NinjaOne does have quote unquote AI patching and
discovery and they'll scan automatically on the Internet and find
knowledge bases and that sort of stuff and understand what
you're running in that sort of thing. So good, you know.
(10:13):
I think the market's starting to push that direction.
Speaker 1 (10:16):
Yeah, it's got to, and then we'll be out of business.
Nobody will listen to us because they're.
Speaker 3 (10:20):
Already they'll be Your Android five thousand has got a
defect that.
Speaker 2 (10:25):
I mean really all, yeah, all you need to do
at that point is announce that there's this huge issue,
and then populate it on a bunch of websites. The AI
will pick up whatever patch you point out.
Speaker 3 (10:34):
Brought to you by the robots, stars reboard the robotslasteroids.
Speaker 2 (10:41):
For us, that's not that move.
Speaker 1 (10:44):
All right, Let's move on Invariant Labs reports MCP Security
Notification Tool poisoning attacks.
Speaker 3 (10:51):
So we've never mentioned Model Context Protocol or MCP, and
MCP is kind of like a middleware API kind of thing,
so that I'm just trying to.
Speaker 1 (11:02):
Middle really quick.
Speaker 2 (11:07):
Middle Earth people were listeners tune out the example.
Speaker 3 (11:11):
The example I'll give is if I've got an LLM
and I want to integrate it with Instagram or
or my Slack. I can wire that up, sure, but
I've got to get I don't have an API.
I don't have a middleware that allows Slack to give
me an API easily. And and it's brittle.
(11:32):
It's a brittle thing. So think of it like a
SOAP or or a middleware or a driver architecture, or
however you want to think about it.
Speaker 2 (11:41):
Simple object access protocol. Is that what we're talking about? SOAP?
Speaker 1 (11:44):
What is that? Well, nobody knows where that is.
Speaker 2 (11:48):
Can you explain what is this XML for me?
Speaker 3 (11:54):
It's it's a middle man that allows many LLMs
to consume services from many end points without being
custom written. And that's that's the whole idea is to
make it easy for a new LLM or an
old LLM to be compatible with your service, your functional,
(12:14):
your your gadget, your gigaw, your dipity.
Speaker 2 (12:18):
Whatever, your diga, your dippity. You are just making stuff
up at this moment. Those are.
Speaker 3 (12:26):
But you know, it's we're seeing that there's a tool
for poisoning these things. So it's it's an immature technology.
It's just starting, but it's something that you're going to
hear more and more about because it's an emerging, uh
solution to a problem that is also emerging.
Speaker 1 (12:41):
Right, so uh so, not nothing that you can do
about it. Just know that these tools are being poisoned, right,
It's not like you have to go watch anything.
Speaker 3 (12:50):
Yeah, it's not like you are operating one of these
right right. It's it's there's a you know, Invariant has
discovered a critical vulnerability in the Model context protocol that
allows for what they term tool poisoning attacks. This vulnerability
can lead to sensitive data exfiltration on our models.
So if I have like the Slack example, Let's say
I have an LLM and I integrate it with my Slack,
(13:12):
somebody can get into the middle man, which is the MCP,
which is meant to be a middleman, but they can
get into it, and then therefore they can get in
the stream and now they're a man in the middle attack.
Speaker 1 (13:23):
Speaking of such things, did I ever tell you guys
that the hosting service that we use for .NET
Rocks was when we started, was only returning the last
one thousand episodes? Wow, that was the max from their
RSS feed, And they changed it because of me.
Speaker 2 (13:44):
Oh nice, Oh wow, look at you.
Speaker 1 (13:47):
Because they never had a customer with more than a thousand.
Speaker 3 (13:51):
Who would ever need more than six hundred and
forty kilobytes of RAM?
Speaker 2 (13:54):
Right? Right?
Speaker 1 (13:56):
Yeah?
Speaker 3 (13:56):
Okay for those young people, for those two young people
who listen to our podcast, yeah yeah, for both of us.
That was a Bill Gates quote. Bill Gates once famously said,
who would ever need more than six hundred and forty kilobytes
of RAM?
Speaker 1 (14:08):
Right? But you know, IBM famously said, who would need software? Hardware?
Is the real deal. Yeah, all right, so I guess
it's time to take a break. We'll be right back
after these very important messages. Don't you go away? And
we're back. It's Security this Week. I'm Carl, that's Dwayne
and Patrick. And if you don't want to hear those
(14:29):
very important messages, you can get an ad free feed.
It's just five bucks a month. Go to Patreon dot
Security this Week dot com okay, and Engadget reports TeleMessage,
and this is a good one.
Speaker 3 (14:40):
But yeah, let let let me ask this question first.
What would be worse than the government using Signal.
Speaker 2 (14:48):
The government using a patched, hacked version of Signal.
Speaker 1 (14:53):
Ding ding, TeleMessage? A Signal clone the Trump
administration uses has been hacked.
Speaker 3 (15:00):
So Signal has not been hacked? Right, No, you know
it's is it vulnerable? Does it have vulnerability? Is it
not a military grade government supervised auto archiving system? Yes,
and for all those reasons, should never be used for
official function.
Speaker 1 (15:14):
Right. TeleMessage is an Israeli company that provides modded versions,
modified messaging apps. So they get the source code and
they change it and then they start supporting it themselves.
Speaker 3 (15:28):
Yeah, because you know, you really want a smaller company
supporting your most secure software.
Speaker 2 (15:34):
Right right, And what I think is hilarious here and
it says like it was revealed last week that the
former US National Security Advisor Mike Waltz used TeleMessage's
modified version of Signal to archive messages. The whole point
a lot of US use Signal is to burn messages
so they never come back. And he's like, you know
it'd be great is if I could keep copies.
Speaker 1 (15:54):
Well, that was the only reason they wanted to use Signal,
because they didn't want to trail.
Speaker 3 (15:58):
But what they were saying, you can not have disappearing messages.
I have messages in some chassnicle back years.
Speaker 2 (16:05):
No I know, but that Let's say I set up
this super secret conversation with me and Mike Waltz, and
I set the burn to one minute like he sees it,
it goes away, and he's like, I'd like to archive
it because I can't remember it. Like, okay, now you've
circumvented the entire reason why you're using You might as
well just post it on, use your iMessage.
Speaker 1 (16:22):
And the reason all right, let's not let's not forget that.
And I don't want to get political here, But let's
not forget the reason that they wanted to use Signal
and not the standard communications prevent archives of the of
the government is so the government won't be snooping on
what they're saying, because they don't want the rest of
the government snooping on what they're saying. Why kids, Yeah.
Speaker 3 (16:47):
So this is this is kind of akin to the
never roll your own encryption.
Speaker 1 (16:52):
Yeah.
Speaker 3 (16:53):
So, you know, there's so many things wrong with this.
It's an Israeli company, Israel is an ally, I get that,
but they're not official government, and they also have other
interests other than ours, and it's just it's just a
bad look. Uh. I think Waltz is already out. He's
he's up for a job as an ambassador to the UN.
(17:14):
So we'll see what what what his Uh I'm sure
we'll hear at some point what his message platform of
choice will be.
Speaker 1 (17:20):
Well, you know that this administration has had all sorts
of non security related activity, in other words, just not
thinking about security.
Speaker 3 (17:30):
We're going to have a story eventually about the the
the accumulated data set.
Speaker 4 (17:35):
That DOGE has created. Yeah, and it getting leaked or
hacked some of course. All right, Sky News who are
Scattered Spider. Oh, how the notorious hackers linked to M&S
cyber attack work.
Speaker 3 (17:50):
This is Marks and Spencer. I was over and I
was in London last week and I went to a
Marks and Spencer and they're like they had a guy
at the door saying excuse me, and say this like
every three minutes if you if you want to pay,
you have to have the card. You can't use a
watch or device, you can't do touchless. They were very specific.
You basically had to insert the card the old fashioned way.
(18:12):
Work great for an old guy like me, but everything
else was down because they had gotten hacked in a
cyber attack.
Speaker 2 (18:19):
Yeah, and this article comes from Cliff
off the Discord. Nice, thanks Cliff, so thank you, thank you, Cliff.
Speaker 1 (18:25):
Wait a minute before you before you go further. M
and S is what a department store?
Speaker 3 (18:30):
Marks and Spencer. They they have food shops, but they're
they're known as a department store in the UK.
Speaker 1 (18:38):
All right, So they're grappling with the unfolding impact of
a cyber attack.
Speaker 3 (18:42):
Yes, and it's had it's had long. It's been it's
been well over a week since this has happened. And
they're still recovering.
Speaker 1 (18:49):
Wow.
Speaker 2 (18:50):
So that the group that's claimed responsibility is Scattered Spider, right,
So that's that's why this article says, who are Scattered Spider?
Scattered Spider? You know, we've we've talked about them in the past.
If you guys remember the Caesars Entertainment and MGM Resorts
getting hit, that was Scattered Spider.
Speaker 1 (19:09):
Wow. You know, the the casinos that I go to
would probably be hit by scattered.
Speaker 2 (19:13):
Cockroaches, not so much the tech kind them too.
Speaker 1 (19:20):
Turn on the light, there they go.
Speaker 3 (19:23):
They're English speaking individuals, mainly from the US and the UK.
Speaker 2 (19:26):
They believe okay, it's fine, fine, young lads.
Speaker 3 (19:29):
Just yes, I don't know, as young as sixteen.
Speaker 2 (19:31):
Yeah. So Caesars actually paid them fifteen million dollars, eleven
point two million pounds.
Speaker 3 (19:36):
Oh, I thought you meant our friend Caesar. I'm like,
where do you get that money?
Speaker 1 (19:39):
So? What was the hack and how did the hackers
get in and what did they do it? Was it
a ransomware thing or what? So?
Speaker 2 (19:47):
Yeah, a lot of these, a lot of times when
these are just in the middle of announcing like it
just happened, Like Patrick was there last week and they're
still in the middle of this, you're not going to
get a lot of details. They do talk about a
lot of Scattered Spider's what they call TTPs. Their tactics, techniques,
and procedures are social engineering.
Speaker 3 (20:07):
Yeah, they're mostly human targets.
Speaker 2 (20:08):
Social engineering and SIM swapping, right, So they target humans.
They call people up and pretend to be it, pretend
to be you know, work, a new employee, whatever it
may be, and they garner access that way or SIM swapping, right,
they'll swap. They'll con you know, one of the phone
companies into restoring the phone number of one of the
employees to their phone, and at that point then they
(20:30):
can reset user names and passwords using MFA codes and
that sort of stuff.
Speaker 3 (20:34):
So it's and they get good at it.
Speaker 2 (20:36):
Oh yeah.
Speaker 3 (20:36):
It's a scary proposition for most people to think about,
like trying to do a social engineering attack once, but
as you keep doing it, you get better at it.
Speaker 2 (20:43):
Sure. Yeah, And just like the con men of yore,
you know, they get really really good at pretending to
work for an organization. And I can tell you there's
a lot of times even it could be just physically
getting access to places you're not supposed to. Sometimes it's
just putting on a delivery hard hat and walking in
or a delivery seat, or literally just dressing nicely and
(21:03):
walking in like Fletch. Nobody ever broke into a place
in a three piece suit. But you don't know.
Speaker 1 (21:08):
It's like Chevy Chase and Fletch.
Speaker 2 (21:10):
That's right, exactly, yeah, or catch me if you can.
Like there's the rock styles of people. Just you know,
dress nice and talk the part, and you know you
make it in same thing with this next story.
Speaker 1 (21:23):
Well before you before you move to the next story,
I just want to say that sales of utility workers
suits are up at dot.
Speaker 3 (21:35):
Com and clipboards, clipboard, clipboards and hard, yeah, clipboard
sales are up on Amazon.
Speaker 2 (21:42):
And if you do want to break into a place
in a three piece suit, comes to music, it's Amazon
does sell a seventy dollars three piece suit that looks awesome.
Oh okay, just saying you can go buy and throw
in your seat three piece suit.
Speaker 3 (22:00):
Just wear one of those tuxedos T shirts.
Speaker 1 (22:02):
Yeah right, Well, the front desk would have to have
a near sighted vision.
Speaker 3 (22:10):
And but if you wear that and you say you're
a programmer, it'd work true.
Speaker 1 (22:15):
Yeah, sorry, you're right, you wear any T shirt and
see you're a programmer, be carrying a pizza. In that case,
I'm out in dew all right, go ahead.
Speaker 2 (22:26):
So this next story also comes from Cliff. It's just
showing that and this is, uh, this is a Co-op.
The picture says welcome to Holborne's Co-op. But there's
a Co-op, same type of problem. Right, they're having
an issue with hackers breaking in and whatnot and shutting down
the place. So I think we're we're finding is a
lot of retailers at this point are getting targeted, you know,
(22:48):
and and there's some pretty active groups like like Scattered
Spider who honestly they're they're talented at what they do.
So one of the things we talk about here is,
you know, we talk a lot of tech, and we
talk a lot of patching, and the only thing we
can't patch is human beings.
Speaker 1 (23:01):
Right, social engineering?
Speaker 2 (23:03):
Yeah, yeah, yeah, way too. But when we put that
chip in your head and I.
Speaker 1 (23:07):
Got a hammer waiting for yeah, Patrick's waiting for the
taser that the taser packings to patch people with.
Speaker 3 (23:17):
So so in the in the Co-op, they got
names and contact data, but they didn't get passwords, banks
credit cards. So it's it's a it's not great, but
it's not horrible.
Speaker 2 (23:27):
Either, right, right, But I could see if you were
in the UK and you're watching sky News, and it
seems like every retailer is having issues at this point
with So.
Speaker 3 (23:34):
Actually, can I give you guys a data point? That's interesting?
Speaker 1 (23:36):
Sure?
Speaker 2 (23:36):
I love data points.
Speaker 3 (23:37):
So in the last few weeks, we had a lot
of small plane crashes in the news, right, yeah, And
it's all in the wake of the crash at DCA
Airport where the helicopter hit the plane, and then after
that we saw a bunch of small plane crashes hitting
the national news and so I'm like, wow, this is
all this is a big deal. So I went and
(23:58):
I looked at the data for twenty twenty two in
the United States to find out how many small planes
crash in the average year, And I just picked twenty
twenty two. How many planes do you think crashed in
twenty twenty two small planes?
Speaker 1 (24:07):
I would say more than twenty twenty four.
Speaker 3 (24:10):
Well, give me a number.
Speaker 1 (24:11):
Twenty five, one hundred and fifty two.
Speaker 3 (24:14):
Thousand and seven, what almost three a day. It's not
an unusual thing for a small plane to crash in
the United States.
Speaker 1 (24:22):
So it's a matter of media reporting it because.
Speaker 3 (24:26):
Exactly and if you go back one more example, remember
when the Palestine I think was Palestine, Ohio they had
the train wreck where yes, after that, they kept reporting
day after day that the same operator train operator, which
is a big national operator, had another derailment, and another
derailment and another derailment. There are thousands of train derailments
(24:49):
in the United States every year. The average large producer
has one a day. And so again it's like and
I don't think it's I don't think it's necessarily malicious.
I think it's just like it catches the eye. Oh
oh they had another one, and it becomes.
Speaker 1 (25:02):
News what we're focused on. Yeah.
Speaker 3 (25:04):
Yeah, But what you need to do, and this is
why I'm bringing this up, you need to stop and
look at the bigger picture, because if you didn't know
that breaches happened every day, you'd be like, oh my god,
Marks and Spencer, they're an unreliable company, and I shouldn't.
It happens to almost every company. We have to take
this into perspective, and unfortunately the news isn't going to
(25:25):
live that perspective.
Speaker 1 (25:26):
But it is interesting that a lot of these UK
stores are being hit like boom boom boom. Yes, so
obviously they must. Maybe I'm conjecturing here, maybe they're all
using the same POS system that has a flaw in it.
Speaker 3 (25:38):
Yeah, that's possible. But if you think about it that
they're a significant country of size and we have multiple
hacks per day and we don't think about them being related,
it could just be that again, the news is like, hey,
this little co op got hit too, and they're also
a you know, a retail location. We should report on
that as well. So it could be that bias in
(25:59):
the media. Oh I just saw a duck. I should
report on these other ducks I'm seeing.
Speaker 1 (26:04):
Yes, all right, and uh, let's get to the clickbait story,
shall we.
Speaker 2 (26:11):
He's so good.
Speaker 1 (26:12):
It's awesome. Apple AirBorne flaws can lead to zero-click
AirPlay remote code execution attacks.
Speaker 3 (26:22):
So good your favorite kind of attack too?
Speaker 2 (26:24):
Oh my god, so good. This is probably going to
be one of the biggest i'd say issues we're gonna
hear maybe this year, although I'm holding out hope for
a bigger one. But this one's pretty big.
Speaker 3 (26:34):
So if you don't use AirPods, if you don't
use wireless headphones. I assume this is not something that's on.
Speaker 2 (26:43):
Well, and if you don't use a smart TV, and
if you don't use a Sonos speaker system,
and if you don't use like anything that supports AirPlay.
Speaker 3 (26:54):
Oh, so just supporting. It's not necessarily you using it.
Speaker 2 (26:57):
No, it's just it's just supporting. It's the AirPlay protocol,
so I could be. And the only saving grace here
is it usually has to be done on your local network.
But if I'm on your local Wi Fi, I've gotten
access to the Wi Fi in some particular way, which
we've already talked about plenty of times, not that hard.
When I'm on your network, I can exploit your smart
TV with this protocol issue, okay, and I can gain
(27:19):
full control over the smart TV with a zero click,
zero touch, zero notification code on your TV.
Speaker 1 (27:26):
My first response is, who cares? So you get to
watch you know, Netflix.
Speaker 3 (27:31):
Well, we've breached companies through TV.
Speaker 1 (27:33):
The fact is is, well, yeah, That's what I'm saying
is that the TV is connected to your network. The
network is connected to the hip bone, bone connected to
the footbone.
Speaker 3 (27:45):
Connected to the bank account. Yeah, so this goes back
to our advice that devices like TVs and Sonos and
you know, speakers and things smart speakers should be on
an IoT network. Yeah, it's still not a great look.
It's still not good that they can get into the
TV and then get into your video camera systems. But
(28:07):
it's better than them getting into your databases and your
email systems.
Speaker 2 (28:11):
But like your Roku devices, Yeah, support Apple Apple TV
device is obviously Apple.
Speaker 1 (28:17):
For the confused out there, let's disambiguate between AirPlay and
AirDrop, right, because Apple and the AirPods, like
air is like the big word at Apple right for marketing.
But AirDrop is when you want to share files
with another iPhone. It's that's not what we're talking. It's
near field connectivity whatever it is, near whatever, near proximity. Yeah,
(28:38):
so that's not it. AirPlay is like casting, is casting
audio and video from one device to another.
Speaker 3 (28:45):
And as Dwayne pointed out, it's not that you're doing it,
it's that the device allows it that brings the vulnerability.
So even though I don't.
Speaker 2 (28:54):
Do that, Yeah, if AirPlay is on on your TV,
the protocol is enabled, right, so I can think of
it like buffer overflowing that protocol, dropping some code on
that TV and then take over it. And what they're
saying is the big risk is twofold. If I'm on
your TV, have you ever used your TV to log
into a streaming service, log into you know, something that
(29:15):
may have your Google account, whatever it may be. Right,
there's a lot of sensitive data that may be on
your TV or on your streaming device, whether it's an
Apple TV device or a Roku device or whatever. But
then I also can put code on that TV because
TVs, Android usually, just run an APK, just throw it
up there. That gives me not only access to your
network all the time, but then to be able to
(29:35):
laterally move around the network. Right, So at this point,
is your work laptop on your home network? Is your like,
you know, your personal phone on the network where I
can then try and man in the middle and start
doing some weird stuff there.
Speaker 1 (29:49):
So so first of all, two questions. First of all,
is there a patch?
Speaker 2 (29:53):
Yes, all right, yep, there's a patch. Apple's, Apple, as
you can imagine, jumped right on this.
Speaker 3 (29:58):
When's the last time you, uh, you patched your Roku?
Speaker 2 (30:02):
I know, right, yeah? Or your TV or your toaster.
But that's an interesting question. Patrick. It's like the exploit
here on a TV. It's obviously not an Apple device,
but the TV itself. The AirPlay protocol or APK or app
that's being used there was designed with the Apple SDK,
which means it needs a patch of some sort so
(30:24):
that I don't know, It depends on the device. You're
just going to have to go find out if your
device supports AirPlay and then go out and find
see if there's a patch.
Speaker 1 (30:32):
And in the meantime, the obvious prescription is if you
don't use AirPlay, turn it.
Speaker 2 (30:39):
Off, an app off exactly. Hey, that's going to be
our advice for everything. If you don't use it, shut
it off, shut it up. But according to this story,
there are two point three five billion active devices around
the world right now, would them.
Speaker 1 (30:56):
That might be exploitable, and so it's all about remote
code execution. So somebody can get into your device and
because they can execute code, they can get everywhere else
in your network.
Speaker 2 (31:08):
Oh, I didn't even think about CarPlay that actually
supports AirPlay in your car.
Speaker 1 (31:15):
CarPlay is AirPlay? Yeah, well not if you plug
in with the USB, right, you can still do I
like to charge at the same time, I have CarPlay oh man.
Yeah, I'll turn AirPlay.
Speaker 2 (31:30):
Off so good. As soon as we find a POC
for this.
Speaker 3 (31:33):
Don't break your car, Dwayne testing this.
Speaker 2 (31:36):
Yeah, hey Patrick, I need any car.
Speaker 1 (31:37):
It's going to be late for dinner. We're going to
have dinner after later on.
Speaker 2 (31:44):
Yeah, we are looking all.
Speaker 1 (31:48):
Right, guys. I think that's it all right, awesome all right,
So on that happy note, we'll see you next week.
Speaker 3 (31:54):
Thanks everybody, Thanks
Speaker 2 (32:05):
O tr